Basic Security Setup for CentOS Web Panel
CentOS Web Panel (CWP) comes with many features that are usually not included in free hosting control panels. Some of them, however, are not enabled by default, so you have to activate them first.
We have previously covered how to install CWP on a CentOS server / VPS. The next essential task is to apply some basic security practices to the server. This article walks through a few basic steps that add a first layer of protection to a server running CWP. You may or may not follow it, but I believe adding some basic protection is better than adding none at all.
Prerequisites
A CentOS server / VPS with CWP installed on it. If you don't have one yet, simply follow these steps:
- Grab a VPS with at least 512MB of RAM (Recommendation: RamNode or Digital Ocean)
- Install CWP by following my previous guide.
- Perform some basic configuration tasks.
- Grab a cup of coffee or tea if you like.
How to
A. Change Default SSH Port
Moving SSH off port 22 keeps most automated brute-force scanners out of your logs, as I explained here. It is obscurity, not a replacement for strong passwords or key-based authentication, so treat it as one layer among several.
Step 1 – Log in to the CWP admin page as root via:
http://server-ip-address:2030/login.php (port 2031 serves the same page over SSL, which is the better choice for a root login)
Step 2 – Now go to Services Config then SSH Configuration:
In the next page, scroll down until you see two blue buttons and click the Create File Backup button.
Step 3 – Once you have backed up the SSH configuration, it's time to adjust the settings. Find the following line:
#Port 22
Remove the # symbol and change “22” (the default) to any unused number between 1025 and 65535, for example port 22000. Keep your current SSH session open until you have confirmed that a second session can log in on the new port: the firewall has to allow it (see section B below), and if SELinux is enforcing on your server the new port must also be registered with it (semanage port -a -t ssh_port_t -p tcp 22000), otherwise sshd will refuse to bind to it.
Now do not forget to click the Save Changes button.
B. Enable CSF Firewall
ConfigServer Security & Firewall (CSF) is a free, feature-rich firewall front end for iptables that runs on most Linux distributions and Linux-based VPSes. It ships with lfd, the Login Failure Daemon, which watches the logs and temporarily blocks addresses that keep failing authentication.
Step 1 – Go to Security then CSF Firewall in the left menu:
Step 2 – Click on the green Firewall Enable button to activate the service.
In the next page you'll see a block of output; the part that matters is the last lines:
Running /usr/local/csf/bin/csfpost.sh Starting lfd:[ OK ] csf and lfd have been enabled
Step 3 – Once activated, you can now edit few lines of CSF Configuration. Click on the Firewall Configuration button.
Step 4 – Do not forget to create a backup file by clicking the Create File Backup button.
Step 5 – The next page shows the whole configuration of the firewall and the lfd service. Find the TCP_IN line (the comma-separated list of incoming TCP ports that are allowed) and add the new SSH port you defined in the step above, for example 22000. Leave 22 in the list until you have verified that you can log in on the new port, then remove it so the old port is closed.
Once done, click the Save Changes button.
FYI, the services behind each port in the default TCP_IN list are:
- Port 20: FTP data transfer
- Port 21: FTP control
- Port 22: Secure shell (SSH)
- Port 25: Simple mail transfer protocol (SMTP)
- Port 53: Domain name system (DNS)
- Port 80: Hypertext transfer protocol (HTTP)
- Port 110: Post office protocol v3 (POP3)
- Port 113: Authentication service/identification protocol
- Port 123: Network time protocol (NTP)
- Port 143: Internet message access protocol (IMAP)
- Port 443: Hypertext transfer protocol over SSL/TLS (HTTPS)
- Port 465: SMTP over SSL/TLS (SMTPS)
- Port 587: E-mail message submission (SMTP)
- Port 993: Internet message access protocol over SSL (IMAPS)
- Port 995: Post office protocol 3 over TLS/SSL (POP3S)
- Port 2030: CWP login page (non SSL)
- Port 2031: CWP login page (SSL)
p.s: Some additional settings you may also adjust:
ICMP_IN Setting ICMP_IN to 1 allows ping to your server and 0 refuses such requests. If you are hosting any public services, it is recommended to allow ICMP requests, as these can be used to determine whether or not your service is available.
ICMP_IN_LIMIT Sets the number of ICMP (ping) requests allowed from one IP address within a specified amount of time. There is usually no need to change the default value (1/s).
DENY_IP_LIMIT Sets the number of blocked IP addresses CSF keeps track of. It is recommended to limit the number of denied IP addresses, as having too many blocks may slow down the server.
DENY_TEMP_IP_LIMIT Same as above, but for temporary IP address blocks.
PACKET_FILTER Filters invalid, unwanted and illegal packets.
SYNFLOOD, SYNFLOOD_RATE and SYNFLOOD_BURST These offer protection against SYN flood attacks. This slows down the initialization of every connection, so you should enable it only if you know that your server is under attack.
PORTFLOOD Limits the number of new connections per time interval that can be made to specific ports.
CONNLIMIT Limits the number of concurrent active connections per IP address on a port.
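The same two edits that sections A and B make through the CWP forms (the Port directive in sshd_config and the TCP_IN list in csf.conf) can be scripted so that they are repeatable and can be checked before anything is restarted. The script below is an added example written for this page; it is not code from the article or from CWP. It assumes the stock paths /etc/ssh/sshd_config and /etc/csf/csf.conf and uses 22000, the article's example port; the demo at the bottom runs on constructed copies in a temporary directory, never on the live files.

```shell
#!/bin/sh
# Added example for sections A and B, not code from the article or from CWP:
# the edits the CWP forms make (sshd_config Port, csf.conf TCP_IN), done
# idempotently from a shell so they can be scripted and verified.
# Assumptions: stock paths /etc/ssh/sshd_config and /etc/csf/csf.conf, and
# 22000 as the new port (the article's example). The demo works on constructed
# copies in a temp dir, not on the live files.

# port_list_add LIST PORT: LIST with PORT appended unless it is already present.
port_list_add() {
    list=$1; port=$2
    if [ -z "$list" ]; then printf '%s\n' "$port"; return; fi
    case ",$list," in
        *,"$port",*) printf '%s\n' "$list" ;;
        *)           printf '%s,%s\n' "$list" "$port" ;;
    esac
}

# port_list_remove LIST PORT: LIST with every occurrence of PORT dropped.
port_list_remove() {
    list=$1; port=$2; out=""
    old_ifs=$IFS; IFS=,
    for p in $list; do
        if [ -n "$p" ] && [ "$p" != "$port" ]; then out="${out:+$out,}$p"; fi
    done
    IFS=$old_ifs
    printf '%s\n' "$out"
}

# csf_edit_list FILE KEY FUNC PORT: apply FUNC (one of the two above) to the
# quoted value of the KEY = "..." line in a csf.conf-style file; prints the new value.
csf_edit_list() {
    file=$1; key=$2; func=$3; port=$4
    cur=$(sed -n "s/^$key *= *\"\([^\"]*\)\".*/\1/p" "$file" | head -n 1)
    new=$($func "$cur" "$port")
    sed "s|^$key *= *\"[^\"]*\"|$key = \"$new\"|" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    printf '%s\n' "$new"
}

# sshd_set_port FILE PORT: turn "#Port 22" / "Port N" into "Port PORT" (appends the
# directive if the file has none); prints the port that is now configured.
sshd_set_port() {
    file=$1; port=$2
    if grep -q '^#\{0,1\}Port ' "$file"; then
        sed "s/^#\{0,1\}Port .*/Port $port/" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf 'Port %s\n' "$port" >> "$file"
    fi
    sed -n 's/^Port *//p' "$file" | head -n 1
}

# Demo on constructed sample files (stand-ins for the real sshd_config and csf.conf).
demo() {
    tmp=$(mktemp -d)
    printf '#Port 22\nPermitRootLogin yes\n' > "$tmp/sshd_config"
    printf 'TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,2030,2031"\n' > "$tmp/csf.conf"
    printf 'TCP_OUT = "20,21,22,25,53,80,110,113,443,587,993,995"\n' >> "$tmp/csf.conf"
    sshd_set_port "$tmp/sshd_config" 22000                     # -> 22000
    csf_edit_list "$tmp/csf.conf" TCP_IN port_list_add 22000   # open the new port first
    csf_edit_list "$tmp/csf.conf" TCP_IN port_list_remove 22   # only once a login on 22000 works
    cat "$tmp/csf.conf"
    rm -rf "$tmp"
}
demo
```

On a live server the order matters: add 22000 to TCP_IN and reload CSF (csf -r) before you restart sshd, validate the new sshd_config with sshd -t, restart sshd from a session you keep open, and only remove 22 from TCP_IN after a fresh login on 22000 has succeeded. Leave 22 in TCP_OUT alone; that list governs outbound connections, and you still want to be able to ssh from the server to other hosts on their port 22.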
C. Set up Mod Security
ModSecurity is an open source web application firewall (WAF) implemented as an Apache module. It inspects each request and blocks commonly known attack patterns using regular-expression rule sets, most often the OWASP Core Rule Set (CRS), which is why it is known as the “Swiss Army Knife” of WAFs. It is free to use, but in CWP it still has to be installed separately. Know more about mod_security here.
Step 1 – Go to Security then Mod Security menu:
Step 2 – By default this module is not yet installed or activated so you have to firstly install it by clicking the green button:
Step 3 – Once clicked, you'll see a message saying “Running compiler in background… etc”, which means the installation has started and is still running in the background, so the page will still show that the Mod Security and OWASP modules are not installed. Wait a few minutes and refresh the page.
That's it. ModSecurity comes with a reasonable default configuration. If you want to go further, you can edit each configuration file manually. Expect some false positives from the rule set: a legitimate form post can be rejected with a 403, and the rule id and URI that triggered it are written to Apache's error_log. Check that log and exclude the offending rule for that path before you consider disabling the whole module.
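Before turning ModSecurity off because “the site broke”, it pays to see which rule is firing and where. The script below is an added example written for this page, not code from the article or the ModSecurity project: it summarises the “Access denied” entries in Apache's error_log by rule id and URI, and prints a per-path exclusion for a rule you have decided is a false positive. It assumes CWP's Apache log lives at /usr/local/apache/logs/error_log; the lines in SAMPLE_LOG are constructed to match the ModSecurity 2.x format (with example.org and documentation IP addresses) and are not real traffic.

```shell
#!/bin/sh
# Added example, not code from the article or the ModSecurity project: summarise
# "Access denied" entries from Apache's error_log so that a rule firing repeatedly
# on one legitimate URI (a false positive) stands out from scattered attack probes.
# Assumed log location on CWP: /usr/local/apache/logs/error_log. SAMPLE_LOG is
# constructed (example.org, RFC 5737 addresses) and is not real traffic.

tab=$(printf '\t')

# modsec_summary: read error_log on stdin, print "count<TAB>rule id<TAB>uri<TAB>msg",
# most frequent (rule, uri) pair first.
modsec_summary() {
    grep 'ModSecurity: Access denied' |
    sed -n "s/.*\[id \"\([0-9]*\)\"].*\[msg \"\([^\"]*\)\"].*\[uri \"\([^\"]*\)\"].*/\1$tab\3$tab\2/p" |
    sort | uniq -c | sort -rn |
    sed "s/^ *\([0-9][0-9]*\) /\1$tab/"
}

# modsec_exclusion ID URI: Apache snippet that disables one rule for one path only
# (SecRuleRemoveById is valid inside Location blocks). Put it in the vhost after the
# CRS include; this is far narrower than uninstalling the module.
modsec_exclusion() {
    printf '<LocationMatch "^%s$">\n    SecRuleRemoveById %s\n</LocationMatch>\n' "$2" "$1"
}

# Constructed sample log: the same admin page trips the same XSS rule twice, and one
# other client sends an SQL-injection probe at the front page.
SAMPLE_LOG='[Sat Sep 12 11:04:12 2015] [error] [client 203.0.113.5] ModSecurity: Access denied with code 403 (phase 2). Pattern match "x" at ARGS:msgpost. [file "/usr/local/apache/modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf"] [line "506"] [id "973335"] [rev "2"] [msg "IE XSS Filters - Attack Detected."] [data "Matched Data: \x22 ..."] [hostname "example.org"] [uri "/admin/article_edit_check.php"] [unique_id "a1"]
[Sat Sep 12 11:09:40 2015] [error] [client 203.0.113.5] ModSecurity: Access denied with code 403 (phase 2). Pattern match "x" at ARGS:msgpost. [file "/usr/local/apache/modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf"] [line "506"] [id "973335"] [rev "2"] [msg "IE XSS Filters - Attack Detected."] [data "Matched Data: \x22 ..."] [hostname "example.org"] [uri "/admin/article_edit_check.php"] [unique_id "a2"]
[Sat Sep 12 11:12:03 2015] [error] [client 198.51.100.7] ModSecurity: Access denied with code 403 (phase 2). Pattern match "x" at ARGS:id. [file "/usr/local/apache/modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "981243"] [rev "2"] [msg "Detects classic SQL injection probings 2/2"] [data "Matched Data: 1 or 1=1 ..."] [hostname "example.org"] [uri "/index.php"] [unique_id "a3"]'

printf '%s\n' "$SAMPLE_LOG" | modsec_summary
# The admin page hitting rule 973335 twice from the site's own editor is a candidate
# for exclusion; the single SQLi hit on /index.php is what the WAF is there for.
modsec_exclusion 973335 /admin/article_edit_check.php
```

On a real server replace the sample with `modsec_summary < /usr/local/apache/logs/error_log`. Excluding a rule for one admin path keeps the rest of the rule set active for the public site, which is the trade-off the comments on this article run into when the whole module gets removed.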
That’s all and thanks.
p.p.s: Have you installed CWP yet? Are you using it to host your websites? Share your experience in the comment section below.
Hello Sawiyati,
Another awesome tutorial.
Thank you.
Paul
I noticed that when I set up the security, I cannot log in using SSH with the user account that I set up?
Any ideas?
You may double-check the steps you’ve done 🙂
Hello Sawiyati,
Yes, i forgot to tick the Shell Access box.
Thank you.
Another great & useful tutorial from Sawiyati 🙂
Appreciate if you could do a review on our company vps server one day.
GrandlineHost.
Thanks for this great article. I tried to migrate my control panel from ZPanel to CentOS Web Panel, but I found many things still in error.
1. In the user account I cannot add a domain; it must be done in the root account.
2. Root and user cannot import a database backup into MySQL; it says forbidden.
3. Then I tried to open some file which I uploaded; it says forbidden. Is there any security issue? Please advise.
1. make sure the package you created for that account has ability to add new website
2. try using command line
3. make sure the file has correct permission (usually chmod 644)
The mod_security has basic security to strengthen the security system. Once disabled, it fixed option no. 3, but in the end I reverted back to ZPanel since I found a lot of users still could not successfully load their websites. Thanks Sawiyati.
I've tried this and it works flawlessly! 🙂 One thing is… I've noticed that your csf.conf setting still opens up port 22. If you have moved it to port 22000, why don't you remove the 22 (since it is not used anyway)?
Nice tutorial sawiyati ! congrats! and thank you
Exactly, it is not used 🙂
Hello Sawiyati, could you help me make a subdomain placed in front of our main domain? By default it is set to domain.com/sub/; I want it to look like sub.domain.com
Regards
Just create new website but instead of entering domain.com, this time just enter sub.domain.com
Hi Sawiyati, even though I changed the SSH port to something other than 22, I am not able to use that new port; instead, port 22 is still accessible. What could be the problem?
you have to open that port in iptables or firewall (if any)
Explain wonderful
Hello man, I use Zimbra as a mail server. I installed CWP for me to practice, but when I reboot the server Zimbra begins to have problems. I think I'd better disable the mail part of CWP. How can I do it?
CWP is meant to be and should be installed on fresh OS with none other software installed including web server, mail server, ftp server, and so on.
I speak English very badly 🙁
I can't open port 443:
Step-by-step answer please :(
SSL is not activated on my site
then you can simply close port 443 if you feel you don’t need it 🙂
I did what you suggested in this article, but I think I made a mistake.
Please help, I get an internal server error on my website now :'(
Here is the scenario:
– I installed mod_security on my CentOS VPS
– I can't access phpMyAdmin or edit data on my website
– I checked error_log
– It said this:
Quote
[Sat Sep 12 11:04:12 2015] [error] [client 36.83.178.194] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:[\\"\\\\'][ ]*(([^a-z0-9~_:\\\\' ])|(in)).+?\\\\(.*?\\\\))" at ARGS:msgpost. [file "/usr/local/apache/modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf"] [line "506"] [id "973335"] [rev "2"] [msg "IE XSS Filters - Attack Detected."] [data "Matched Data: \\x22. –some text on my article– …"] [ver "OWASP_CRS/2.2.9"] [maturity "8"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A2"] [tag "OWASP_AppSensor/IE1"] [tag "PCI/6.5.1"] [hostname "gkriexodus.org"] [uri "/admin/article_edit_check.php"] [unique_id "VfQ@6n8AAAEAAHgeEJgAAAAJ"]
– I uninstalled mod_security
– Now I can't open any website on my server. It says internal server error.
Please help me 🙁
try fixing chmod and chown of all files and folders
I did this process, but something went wrong. Help me.
After rebooting my server there is no welcome message, or the server URL is not working.
Hi,
Can you please let me know how to enable the 443 port for ssl connections since the above mentioned steps are not working.
In the firewall file, should we delete port 22 if we changed it to another port like 22000, for security?
We changed the SSH port from 22 to 22000 and we left 22 open.
Yes we should close unused port but that’s beyond this article’s scope because I didn’t explain how to setup Firewall yet 🙂
Hi, can you tell me how I add my IP range to the CWP admin firewall, please?
Hello, when the firewall is active, external requests become very slow. I use my website to perform domain registration requests, and the domain availability check is very slow. Any idea how to improve that?
thank you.
Maybe you can just turn off the firewall temporarily and re-enable it again.
As mentioned, I changed the SSH port along with the firewall.
After doing this the server went down. Please suggest how to resolve it.
Thanks
hi,
I have changed the default SSH port, I have also changed the allowed ports, and I also added the port in the AWS security panel, but I am not able to connect to it.
How can we enable .htaccess on CentOS Web Panel? No idea? CentOS 6.8, CWP
That's really awesome, bundle of thanks for this post, it's really good for a newbie like me.