A bunch of beginner questions

jnicol

New Member
Hi all,

I am new to VPS hosting, and after doing my initial WHM and server configuration I have a few questions for the community, to ensure I'm following best practices and not overlooking anything important.

Apologies for cramming so many questions into one post - I thought it would be better than flooding the forum with multiple threads.

WHM and OS updates

What is the best practice for upgrading the VPS operating system and WHM? I think that by default WHM and cPanel auto-update themselves - is this correct?

Security

What are some best practices for securing my VPS? Here's what I've done already:

- Created a new unix user with a strong password, added it to the wheel group and gave wheel users sudo. This is the user I'll be using to ssh to the VPS.
- Disabled password login for root user
- Changed root password to something strong
- Enabled cPHulk brute force protection in WHM
- Change PHP handler to suPHP
- Enabled SMTP restrictions
- Enabled PHP open_basedir

I'll be using my VPS for hosting my personal sites, and a small number of client sites (I'm a web designer/developer). Are there any other tweaks I should make to harden the server security?

Firewall

I notice that ConfigServer Security & Firewall plugin is installed. Is there anything special I need to configure here? Is the firewall a set-and-forget kind of thing, or do I need to keep an eye on it for e.g. system diagnostics and security?

mod_security

Should I enable mod_security? I have memories of running into problems with shared hosts where mod_security was running, which makes me wary.

That's enough for now I think! Thanks to anyone who can give me some tips on these points.
 
Hi all,

I am new to VPS hosting, and after doing my initial WHM and server configuration I have a few questions for the community, to ensure I'm following best practices and not overlooking anything important.

Apologies for cramming so many questions into one post - I thought it would be better than flooding the forum with multiple threads.

Welcome to KnownHost!

Bring it on ;)

WHM and OS updates

What is the best practice for upgrading the VPS operating system and WHM? I think that by default WHM and cPanel auto-update themselves - is this correct?

It's indeed automatic so nothing to worry about here.

Security

What are some best practices for securing my VPS? Here's what I've done already:

- Created a new unix user with a strong password, added it to the wheel group and gave wheel users sudo. This is the user I'll be using to ssh to the VPS.
- Disabled password login for root user
- Changed root password to something strong
- Enabled cPHulk brute force protection in WHM
- Change PHP handler to suPHP
- Enabled SMTP restrictions
- Enabled PHP open_basedir

I'll be using my VPS for hosting my personal sites, and a small number of client sites (I'm a web designer/developer). Are there any other tweaks I should make to harden the server security?

Sounds like you've got it covered. If you wanted to go even more secure you could swap SSH away from passwords at all and use keys.

Firewall

I notice that ConfigServer Security & Firewall plugin is installed. Is there anything special I need to configure here? Is the firewall a set-and-forget kind of thing, or do I need to keep an eye on it for e.g. system diagnostics and security?

We've already got this configured for you, and it auto-updates as well. Nothing to worry about here.

mod_security

Should I enable mod_security? I have memories of running into problems with shared hosts where mod_security was running, which makes me wary.

That's enough for now I think! Thanks to anyone who can give me some tips on these points.

This is wholly up to you. We are not able to assist in writing rules for it for you, but if you understand how it works it can be a very, very powerful system.

About the only thing I have to add is to make sure you always keep your scripts updated. Do that, combined with our default setup and the steps you've already taken and you're golden.
 
Holy speedy reply batman!

Thanks Jonathan, your answers are very reassuring that I'm on the right track.

Welcome to KnownHost!
Sounds like you've got it covered. If you wanted to go even more secure you could swap SSH away from passwords at all and use keys.

I do plan on creating SSH keys (as much as anything to save me having to copy/paste my password every time I log in!), but I did read in another thread that KH prefer that password login is left enabled in order to facilitate login by KH support staff, should it be required. Is that true?

I'm also wondering - is it advisable to implement IP whitelisting for WHM logins? I like this idea, but I notice that in WHM -> Security Center -> Configure Security Policies it states that the security policies are applied to cPanel users too. I don’t want cPanel users to have to answer security questions when they log in. As a cPanel end user I’ve never had to do that and I imagine it would be annoying and confusing for my clients...
 
I'm also wondering - is it advisable to implement IP whitelisting for WHM logins? I like this idea, but I notice that in WHM -> Security Center -> Configure Security Policies it states that the security policies are applied to cPanel users too. I don’t want cPanel users to have to answer security questions when they log in. As a cPanel end user I’ve never had to do that and I imagine it would be annoying and confusing for my clients...

It's possible to separate the policies for cPanel and WHM - you just have to define which daemon you're making the rule for. See http://docs.cpanel.net/twiki/bin/view/AllDocumentation/WHMDocs/DenyAccess
 
Just my $0.02: until you make the switch to using SSH keys, you could implement IP whitelisting for SSH. You'd do this in WHM by going to
Home, Security Center, Host Access Control. I have mine setup to allow access to only a few IPs and deny all others.
 
Just my $0.02: until you make the switch to using SSH keys, you could implement IP whitelisting for SSH. You'd do this in WHM by going to
Home, Security Center, Host Access Control. I have mine setup to allow access to only a few IPs and deny all others.

I set up ssh keys already, but I dig the idea of IP whitelisting too. I have a dynamic IP address though, so if I whitelist then I run the risk of locking myself out, I think?
 
jnicol,

Yes you do run the risk of getting locked out. Not many consumers have static IP numbers, I know I don't lol
 
Top