cPanel Security Advisor

Version: 1.04

Important

Apache vhosts are not segmented or chroot()ed.

Enable “mod_ruid2” in the “EasyApache 4” area, enable “Jail Apache” in the “Tweak Settings” area, and change users to jailshell in the “Manage Shell Access” area. Consider a more robust solution by using “CageFS on CloudLinux”. Note that this may break the ability to access mailman via Apache.

The system kernel is at version “3.10.0-1160.90.1.el7.x86_64”, but an update is available: 3.10.0-1160.95.1.el7.x86_64

Update the system (run “yum -y update” on the command line), and reboot the system.

The MySQL service is currently configured to listen on all interfaces: (bind-address=*)

Configure bind-address=127.0.0.1 in /etc/my.cnf or use the server’s firewall to restrict access to TCP port “3306”.

PHP 7.2, PHP 7.3, and PHP 7.4 reached EOL

  • We strongly recommend that you use a version that is still supported upstream.
  • If you do continue to use it, you will be susceptible to any remaining bugs or security issues.
We recommend that you use the MultiPHP Manager interface to upgrade your domains to a supported version. Then, uninstall these versions in the EasyApache 4 interface. For more information, read PHP EOL Documentation.

Detected 1 process that is running outdated executables: 1

Reboot the server to ensure the system benefits from these updates.

Outbound SMTP connections are unrestricted.

Enable SMTP Restrictions in the “SMTP Restrictions” area

SSH password authentication is enabled.

Disable SSH password authentication in the “SSH Password Authorization Tweak” area

SSH direct root logins are permitted.

Manually edit /etc/ssh/sshd_config and change PermitRootLogin to “without-password” or “no”, then restart SSH in the “Restart SSH” area

Recommendations

Information

Apache Symlink Protection: mod_ruid2 loaded in Apache

mod_ruid2 is enabled in Apache. To ensure that this aids in protecting from symlink attacks, Jailed Apache needs to be enabled. If this is not set properly, you should see an indication in Security Advisor (this page) in the sections for “Apache vhosts are not segmented or chroot()ed” and “Users running outside of the jail”. If those are not present, your users should be properly jailed. Review Symlink Race Condition Protection for further information.

It may be possible to upgrade the operating system on your server to a newer major release without migrating to a new server.

Consider testing the cPanel ELevate utility to upgrade the operating system to AlmaLinux 8 before the current system reaches End of Life. For more information, see the utility’s website.

The system detected the following issues which would prevent cPanel ELevate from upgrading the system to AlmaLinux 8:

  • You have the cPanel Calendar Server installed. Upgrades with this server in place are not supported. Removal of this server can lead to data loss.
  • You are using MySQL 5.7 server. This version is not available for AlmaLinux 8. You first need to update your MySQL server to 8.0 or later. You can update to version 8.0 using the following command:
        /usr/local/cpanel/bin/whmapi1 start_background_mysql_upgrade version=8.0
    Once the MySQL upgrade is finished, you can then retry to elevate to AlmaLinux 8.
  • System is not up to date
  • Your machine has multiple network interface cards (NICs) using kernel-names (ethX). Since the upgrade process cannot guarantee their stability after upgrade, you cannot upgrade. Please provide those interfaces new names before continuing the update.

Use Imunify360 for complete protection against attacks on your servers.

Use Imunify360 for a comprehensive suite of protection against attacks on your servers.

  • Multi-layered defense stops attacks with advanced firewall, herd immunity, Intrusion Prevention System, and more.
  • Powered by AI with advanced detection of brute force attacks, zero-day, and unknown security threats.
  • Proactive Defense™ recognizes malicious code in real-time and stops malware in its tracks.
  • Easy management right inside your WHM interface.
  • Patch Management via KernelCare and hardened PHP
Get Imunify360 for $45.00/month.

Use ImunifyAV+ to scan for malware and clean up infected files with one click.

ImunifyAV+ brings you the advanced scanning of ImunifyAV and adds more options to make protecting servers from malicious code almost effortless. Enhanced features include:

Get ImunifyAV+ for $6.00/month.

Use KernelCare to automate kernel security updates without reboots.

KernelCare provides an easy and effortless way to ensure that your operating system uses the most up-to-date kernel without the need to reboot your server. After you purchase and install KernelCare, you can obtain and install the KernelCare “Extra” Patchset, which includes symlink protection.

Get KernelCare for $3.00/month.

Verified

cPHulk Brute Force Protection is enabled.

MySQL test database does not exist.

MySQL check for anonymous users

The system is running a supported database.

Password strength requirements are strong.

SCGI is disabled, currently using the recommended suEXEC.

The pseudo-user “nobody” is not permitted to send email.

Apache is being queried to determine the actual sender when mail originates from the “nobody” pseudo-user.

Current SSH version is up to date: 7.4p1-22.el7_9
