Basic Security Setup for CentOS Web Panel
CentOS Web Panel (CWP) comes with many features that are usually not included in free hosting control panels. However, some of these features are not activated or enabled by default, so you will first need to enable them.
We have previously learned how to install CWP on your CentOS server / VPS. The next essential task is to set up some basic security practices to secure your server. This article shows some basic steps that add a basic security layer to a server running CWP. You may or may not follow this tutorial, but I believe adding some basic protections to your server is better than none at all.
You need a CentOS server / VPS with CWP installed on it. Just in case you don't have one yet, simply follow these steps:
- Grab a VPS with at least 512MB of RAM (Recommendation: RamNode or Digital Ocean)
- Install CWP by following my previous guide.
- Perform some basic configuration tasks.
- Grab a cup of coffee or tea if you like.
A. Change Default SSH Port
This task is necessary for the reasons I explained here.
Step 1 – Log in to the CWP admin page as root via:
Step 2 – Now go to Services Config, then SSH Configuration:
In the next page, scroll down until you see two blue buttons. Click the Create File Backup button.
Step 3 – Once you have created the backup of the SSH configuration, it is time to adjust the settings. Find the following line:
Remove the # symbol and change the "22" (the default port) to any number between 1025 and 65536, for example port 22000.
Do not forget to click the Save Changes button.
B. Enable CSF Firewall
Config Server Firewall (CSF) is a free, advanced firewall for most Linux distributions and Linux-based VPSes.
Step 1 – Go to Security then CSF Firewall in the left menu:
Step 2 – Click on the green Firewall Enable button to activate the service.
In the next page you'll see a bunch of text. In short, it will say this:
Running /usr/local/csf/bin/csfpost.sh Starting lfd:[ OK ] csf and lfd have been enabled
Step 3 – Once activated, you can edit a few lines of the CSF configuration. Click on the Firewall Configuration button.
Step 4 – Do not forget to create a backup file by clicking the Create File Backup button.
Step 5 – In the next page you'll see the many configuration lines of the firewall and the lfd service. Add the new SSH port you defined in section A above to the list of allowed ports.
Once done, click the Save Changes button.
FYI, the services using each port are:
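As an added example (not part of the original tutorial), here are sections A and B done from a shell instead of the CWP buttons: the chosen port is checked against the tutorial's range and CWP's own panel ports before any file is touched, and each function writes a .bak copy first, like the Create File Backup button. The config file paths are assumptions; override the two variables to run it against test copies.

```shell
#!/bin/sh
# Added example, not part of the CWP tutorial: sections A and B done by hand.
# Assumed paths (override the variables to point at test copies).
SSHD_CONFIG="${SSHD_CONFIG:-/etc/ssh/sshd_config}"
CSF_CONF="${CSF_CONF:-/etc/csf/csf.conf}"

# Accept a numeric port in the tutorial's range (1025 up to the maximum, 65535)
# and refuse the CWP panel ports the tutorial lists (2030, 2031).
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1025 ] && [ "$1" -le 65535 ] || return 1
    for used in 2030 2031; do
        [ "$1" -eq "$used" ] && return 1
    done
    return 0
}

# Section A: back up sshd_config, then replace the (possibly commented) Port line.
set_ssh_port() {
    port="$1"
    valid_port "$port" || { echo "invalid port: $port" >&2; return 1; }
    cp -p "$SSHD_CONFIG" "$SSHD_CONFIG.bak"
    if grep -Eq '^[[:space:]]*#?[[:space:]]*Port[[:space:]]+[0-9]+' "$SSHD_CONFIG"; then
        sed -i -E "s/^[[:space:]]*#?[[:space:]]*Port[[:space:]]+[0-9]+.*/Port $port/" "$SSHD_CONFIG"
    else
        printf 'Port %s\n' "$port" >> "$SSHD_CONFIG"
    fi
}

# Section B: back up csf.conf and append the port to TCP_IN unless already present.
allow_in_csf() {
    port="$1"
    valid_port "$port" || return 1
    cp -p "$CSF_CONF" "$CSF_CONF.bak"
    current=$(csf_tcp_in)
    case ",$current," in
        *",$port,"*) return 0 ;;          # already allowed, nothing to do
    esac
    new="${current:+$current,}$port"       # no leading comma on an empty list
    sed -i -E "s/^(TCP_IN[[:space:]]*=[[:space:]]*\")[^\"]*\"/\1$new\"/" "$CSF_CONF"
}

# Read back the effective values so the change can be checked before restarting sshd/csf.
ssh_port() { sed -n -E 's/^Port[[:space:]]+([0-9]+).*/\1/p' "$SSHD_CONFIG" | tail -n 1; }
csf_tcp_in() { sed -n -E 's/^TCP_IN[[:space:]]*=[[:space:]]*"([^"]*)".*/\1/p' "$CSF_CONF"; }
```

After running `set_ssh_port` and `allow_in_csf`, restart sshd and reload CSF (`csf -r`), and keep your current session open until a fresh login on the new port succeeds.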
- Port 20: FTP data transfer
- Port 21: FTP control
- Port 22: Secure shell (SSH)
- Port 25: Simple mail transfer protocol (SMTP)
- Port 53: Domain name system (DNS)
- Port 80: Hypertext transfer protocol (HTTP)
- Port 110: Post office protocol v3 (POP3)
- Port 113: Authentication service/identification protocol
- Port 123: Network time protocol (NTP)
- Port 143: Internet message access protocol (IMAP)
- Port 443: Hypertext transfer protocol over SSL/TLS (HTTPS)
- Port 465: URL Rendezvous Directory for SSM (Cisco)
- Port 587: E-mail message submission (SMTP)
- Port 993: Internet message access protocol over SSL (IMAPS)
- Port 995: Post office protocol 3 over TLS/SSL (POP3S)
- Port 2030: CWP login page (non SSL)
- Port 2031: CWP login page (SSL)
P.S.: Some additional settings you may also adjust:
- ICMP_IN: setting ICMP_IN to 1 allows ping to your server and 0 refuses such requests. If you are hosting any public services, it is recommended to allow ICMP requests, as these can be used to determine whether or not your service is available.
- ICMP_IN_LIMIT: sets the number of ICMP (ping) requests allowed from one IP address within a specified amount of time. There is usually no need to change the default value (1/s).
- DENY_IP_LIMIT: sets the number of blocked IP addresses CSF keeps track of. It is recommended to limit the number of denied IP addresses, as having too many blocks may slow down server performance.
- DENY_TEMP_IP_LIMIT: same as above, but for temporary IP address blocks.
- PACKET_FILTER: filters invalid, unwanted and illegal packets.
- SYNFLOOD, SYNFLOOD_RATE and SYNFLOOD_BURST: protection against SYN flood attacks. This slows down the initialization of every connection, so you should enable it only if you know that your server is under attack.
- PORTFLOOD: limits the number of new connections that can be made to specific ports per time interval.
- CONNLIMIT: limits the number of concurrent active connections per port.
C. Setup Mod Security
Mod_security is software that acts as a web application firewall. Generally speaking, mod_security is an Apache module that helps protect your website from various attacks by blocking commonly known exploits using regular expressions and rule sets. Known as the "Swiss Army Knife" of WAFs, it is open source and free to use, but it still needs to be installed. Learn more about mod_security here.
Step 1 – Go to Security then Mod Security menu:
Step 2 – By default this module is not installed or activated, so you first have to install it by clicking the green button:
Step 3 – Once clicked, you'll see a message saying "Running compiler in background… etc.", which means the installation has started and is still running in the background; hence you'll see that the Mod Security and OWASP modules are not installed yet. Wait a few minutes and refresh the page.
That's it. Mod_security already includes some necessary settings by default. However, if you want to go advanced, you can manually edit each configuration file and adjust the settings you want.
That’s all and thanks.
P.P.S.: Have you installed CWP yet? Are you using it to host your websites? Share your experience in the comment section below.
Another awesome tutorial.
I noticed that when I set up the security, I cannot log in using SSH with the user account that I set up?
Any ideas?