
cPanel Security Features

The information transferred between client computers and websites is ever more confidential; for this reason cPanel provides many different tools to help keep your website, and any information passed between it and your visitors, secure. cPanel can provide you with password protected directories, an IP deny manager, an SSL/TLS certificate manager, SSH/shell access management, hot link protection, leech protection and GnuPG keys; together these tools let you protect directories or areas of your website that might contain sensitive information you don’t want people without passwords to see, and keep those who intend to harm your website or server away from it. Most of these security tools should only be deployed when you need them; for example, an IP address should only be added to the IP deny manager when it is fairly obvious that the visitor at that address has harmful intentions towards your website. Most of the listed tools are there only to benefit your website and the server on which it is hosted; however, one tool benefits both you and your visitors: SSL certificates. SSL certificates exist to ensure that the information passed between your website and the client machine is secure. If you run a small static website that doesn’t receive many visitors, your need for any of these security features is fairly low; the opposite applies to larger sites with many visitors, because hackers, spammers and other malicious actors will want to deface or even take down a larger website to cause the greatest possible inconvenience.

Although Linux web hosting servers are well known to be more secure than their Windows counterparts, they still require many different levels of security to ensure that the websites they run are not compromised in any way. Different technologies are implemented to ensure that the data passed between the website and the client is secure, and that the stored data is secure as well. The following technologies are available through your cPanel control panel and help make your website as secure as it can possibly be; they range from protecting different areas of your website so that the data stored within them is secure, to ensuring that other people and websites can’t easily use up all of your bandwidth. Other areas covered include how to ban people from your website, which can be of the utmost importance if you feel that any part of your website has been compromised in any shape or form. You might also find that one part of your website is not working for some reason; for example, when you enter certain information in a text box you end up back at the root of your domain. The cause of this is explained below and may relieve any frustration you have over the subject.

Password Protected Directories

The password protected directory feature built into cPanel allows you to password protect multiple directories within your website with multiple usernames and passwords; it is done via the .htaccess file, and no technical work is needed on your end since cPanel generates all the files. All you have to do is enter the usernames and passwords of the people you want to have access to the protected directories; you can add, delete and edit users at any time through cPanel, and you can have multiple password protected directories. By password protecting certain directories of your website, you can store sensitive information in them which you may not want to risk storing in a regular unprotected directory that can be accessed by anyone, including spammers and hackers; you can also create a secure part of your website that only you have control over. You might also want to use this feature to create an area of your website that only people such as staff can enter; this area could be similar to an internal intranet, in that you could use it to share information without having to meet a colleague face to face, which can be very time consuming. The .htaccess method of user authentication is preferred by some who have little technical knowledge, because more complex systems based on programming languages such as PHP are harder to install, as they require a database and file permissions to be set; however, the .htaccess method isn’t as secure as a PHP/MySQL based system, since the user credentials are stored in a plain text file rather than in an encrypted, password protected database.

IP Deny Manager

The IP deny manager built into cPanel allows you to ban the IP address of any visitor to your website. This security tool is useful if you suspect that a user from a certain IP address is trying to hack, spam or harm your website in any way. This feature gives you control over who can access your website; some web hosts do not allow access to it, however, since IP banning is generally carried out either by the hosting node automatically or by firewalls in front of the server. Some web hosting servers will automatically block IP addresses for one reason or another; if an IP address trying to access your website has been banned automatically by the main hosting server, it should appear in your list of blocked IP addresses. You can block visitors either by IP address or by hostname; cPanel also gives you the option to block an entire subnet of IP addresses, which can be useful if you think you are under attack from one subnet, or from one country for that matter. You can also delete any IP address that you have added to the block list, which is useful if you have mistakenly blocked a hostname or IP address. If you have blocked a range of IP addresses, it is displayed in the list as a ‘Beginning IP’ and an ‘Ending IP’ to avoid confusion when checking which addresses have been blocked. You should always be careful when using the IP deny manager, because you could easily enter an IP address incorrectly and block the wrong person; you may even enter your own IP address by accident and end up blocking yourself.
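As an added example (not part of the original article), the check below models how a deny list made up of single addresses, subnets and ‘Beginning IP’/‘Ending IP’ ranges is matched against a visitor, and includes the self-lockout check the article warns about; the deny entries are constructed sample data from documentation address ranges, and the entry syntax is an assumption, not cPanel’s own parser.

```python
import ipaddress

# Constructed sample deny list in the three shapes discussed above:
# a single host, a whole subnet, and an explicit beginning-ending range.
DENY_ENTRIES = [
    "203.0.113.7",           # single host (TEST-NET-3 documentation range)
    "198.51.100.0/24",       # entire subnet
    "192.0.2.10-192.0.2.20", # Beginning IP .. Ending IP
]


def parse_entry(entry):
    """Return (first, last) address objects covered by one deny-list entry."""
    entry = entry.strip()
    if "-" in entry:
        start, end = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        if start > end:
            raise ValueError(f"beginning IP is after ending IP: {entry}")
        return start, end
    net = ipaddress.ip_network(entry, strict=False)  # a bare address is a /32
    return net[0], net[-1]


def is_denied(visitor_ip, entries=DENY_ENTRIES):
    """True if the visitor falls inside any entry of the deny list."""
    ip = ipaddress.ip_address(visitor_ip)
    for entry in entries:
        first, last = parse_entry(entry)
        # Only compare addresses of the same family (v4 vs v6 is a TypeError)
        if first.version == ip.version and first <= ip <= last:
            return True
    return False


def self_lockout_entries(my_ip, entries=DENY_ENTRIES):
    """Return the entries that would block the administrator's own address,
    so a mistyped entry can be caught before it is saved."""
    return [e for e in entries if is_denied(my_ip, [e])]
```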

SSL/TLS Manager

The purpose of the SSL/TLS manager is to allow you to control the digital certificates assigned to your website. It also lets you generate private keys and CSRs without any intervention from your web host, so that you can buy SSL or TLS certificates from suppliers who sell them and, if you have the appropriate knowledge, install them yourself. SSL and TLS certificates are used to encrypt the data sent between your website and the people who visit it; they are normally deployed where the information exchanged between the two is highly sensitive and could cause great damage if it fell into the wrong hands. Examples of this kind of data are credit/debit card details, and usernames and passwords for websites where personal information is stored. SSL/TLS certificate encryption comes in different levels; the main levels used by most mainstream websites are 128-bit or 256-bit, and the higher the number, the stronger the encryption of the exchanged information. If you have a website where users are logging in and out all the time, and you accept online orders where customers enter their credit or debit card details, then you should consider implementing an SSL/TLS certificate if you haven’t already; the trust that your customers have in your website will also increase if you display a seal from the vendor you bought your certificate from, stating that your website is secure to trade through and that any details transferred between them and your website are highly encrypted. Websites that use secure certificates can be easily identified, since an ‘s’ appears after the ‘http’ in the address bar of your web browser; SSL websites also generally run on port 443 on the web server.
One thing to note is that SSL certificates will only run on dedicated IP addresses, which you must purchase separately from your web host; they will not run on shared IP addresses which is what you get in a normal shared website hosting environment.

Mod Security

Although not a feature built into cPanel itself, mod_security (sometimes shortened to mod_sec) is still a security measure that most web hosts deploy within a shared cPanel website hosting environment. Its main aim is to stop malicious attacks being carried out on scripts which may be vulnerable; for example, it throws a user back to the homepage of the website if they try to enter any HTML into a regular text field. mod_security is in place to stop attacks on programs with known holes such as Joomla!, an open source CMS used by many websites, although it is widely known to be insecure in many areas. If you have a website or use an application that is affected by mod_security, in that when you try to edit pages or post information using regular text fields you end up back at the root of the domain, there is a fix that you can place in your .htaccess file to ensure that the application is still usable. Other types of PHP web application that may be affected include forum software, blog software and any other application in which the data posted back to the page contains code of any sort. Spammers and hackers are targeting websites more and more these days, which is why so many web hosts have deployed mod_security; it helps ensure that websites can’t be compromised, and that if one is, the other websites hosted on the same server are not affected by the hack or hijack. You should only disable mod_security if you are running an application that is being affected by it; if your website or application is not affected, leave it in place, since disabling it without good reason leaves your website open to attack, and at the end of the day you should prefer a secure site over one that is open to easy attack.
One thing to note is that your web host might not allow you to disable it because they don’t want the other websites on the same server as you to be compromised; in this case you should pack up and move to another cPanel based web host that does not use it or does use it, but at the same time allows you to disable it.

SSH/Shell Access

SSH is rarely given in a shared web hosting environment due to the attached security risks, but some web hosts, including eUKhost, do provide some servers that allow customers who need SSH access to use it. SSH is generally used for transferring files between Linux web hosting servers, although at root level it can be used to administer a server; unlike telnet, the data exchanged between the client machine and the server running SSH is normally encrypted. Those web hosts that do allow you SSH/shell access will normally provide an interface in cPanel which you can use to administer it; you can create and change private keys, which are an alternative to a password when communicating over SSH since they allow automatic login. When a person communicates with a Linux web hosting server via SSH they are normally required to enter a username and password; this is not needed when using a private key, since the key is unique to its owner, and private keys are the preferred method of authentication when running scripts that require SSH access to another server. Through cPanel you can also import existing private keys, which is useful if you are migrating your website hosting account from another server or provider. One thing to note is that you require a certain amount of Linux knowledge to use SSH access in a shared web hosting environment effectively; you might also not be granted SSH access in a shared environment because of the associated security risks, and those hosts that do provide it will normally require some sort of proof that you need it before assigning it to you.

Hot Link Protection

Hot linking is when another person or website links directly to an image hosted within your web space without your knowledge or permission; hot linking can quickly use up any bandwidth assigned to your website hosting account if the hot linked image is large in file size and the website hot linking it gets a lot of visitors. Images are the main type of file that gets hot linked, but other file types such as video can just as easily be hot linked; in fact any type of file can be. By enabling hot link protection, you ensure that any file with an extension you listed when enabling the protection will not be displayed on any website under any domain except the main domain assigned to your web hosting account; if someone does hot link to the file, it simply won’t be displayed on the other website. You can also redirect any request for a listed file extension on your website to another image or page; this can help in combating hot linking, since the page you redirect people to could be one explaining why they shouldn’t hot link. If you don’t disable hot linking then you could end up having your bandwidth stolen, which you do not want since bandwidth is expensive, and if you have an option set to automatically bill you for any bandwidth overages then you could end up with a very large bandwidth bill. The hot link protection panel built into cPanel also gives you the option to disallow direct requests for the designated file types from a browser, meaning that they can only be called from your own web pages. One thing to note is that you should be careful when choosing which file types you don’t want to be hot linked; if you enter an extension you didn’t mean to enter, you could end up affecting not only your website but others that might legitimately be linking to something within it.
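The decision logic of the hot link protection described above, as an added example that is not from the original article or from cPanel: the allowed domains, protected extensions and redirect URL are constructed sample settings, and the .htaccess fragment is modelled on the mod_rewrite form such protection takes, not a byte-for-byte copy of what cPanel writes.

```python
import re
from urllib.parse import urlparse

# Constructed settings mirroring the Hot Link Protection form: domains that
# may embed the files, the protected extensions, and an optional page to send
# offenders to instead of a bare 403 Forbidden.
ALLOWED_HOSTS = {"example.com", "www.example.com"}
PROTECTED_EXT = ("jpg", "jpeg", "gif", "png", "bmp")
REDIRECT_URL = "http://example.com/no-hotlinking.html"


def hotlink_decision(path, referer, allow_direct=True, redirect=None):
    """Return 'allow', 'forbid' or 'redirect' for one request.

    allow_direct=True keeps the 'RewriteCond %{HTTP_REFERER} !^$' line, i.e.
    a request with no Referer at all (URL typed into a browser) is served;
    allow_direct=False is the panel option that blocks such direct requests.
    """
    ext = path.rsplit(".", 1)[-1].lower() if "." in path else ""
    if ext not in PROTECTED_EXT:
        return "allow"                      # rule only matches listed extensions
    if not referer:
        if allow_direct:
            return "allow"
        return "redirect" if redirect else "forbid"
    host = (urlparse(referer).hostname or "").lower()
    if host in ALLOWED_HOSTS:
        return "allow"
    return "redirect" if redirect else "forbid"


def htaccess_rules(allow_direct=True, redirect=None):
    """Render the equivalent .htaccess fragment (assumed form)."""
    lines = ["RewriteEngine on"]
    if allow_direct:
        lines.append("RewriteCond %{HTTP_REFERER} !^$")
    for host in sorted(ALLOWED_HOSTS):
        lines.append(f"RewriteCond %{{HTTP_REFERER}} !^https?://{re.escape(host)}/.*$ [NC]")
    if redirect:
        # Exclude the redirect target itself, otherwise a redirect to an image
        # with a protected extension would loop forever.
        lines.append(f"RewriteCond %{{REQUEST_URI}} !^{re.escape(urlparse(redirect).path)}$")
        target = f"{redirect} [R,NC]"
    else:
        target = "- [F,NC]"
    lines.append(f"RewriteRule .*\\.({'|'.join(PROTECTED_EXT)})$ {target}")
    return "\n".join(lines)
```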

Leech Protect

Leech protect is a function built into cPanel that restricts a user from publicly posting their password to a restricted area of your website; it can also be put in place to stop malicious attackers such as spammers and hackers from trying to guess the password of a username multiple times. To enable leech protection for a directory in your website, select the ‘Leech Protect’ option from the security panel on the homepage of your cPanel control panel; you are then prompted to enter how many times a user is allowed to log in to a certain folder, and the length of time over which that number of logins applies. You can also specify the page that leech users should be sent to, which could contain a warning message telling them not to attempt such an attack again, and you can choose to have an email sent to you informing you of the attempted security breach on your website. You can also choose for accounts to be suspended if they breach the leech policy for whatever reason; this is a good option for protecting the information the user account has been given access to, since the account’s owner might have posted the password openly, meaning the information is open for many to see, but if too many people try to log in to the account it will breach the leech policy and be suspended, safeguarding the data it has access to. You should set your options for leech users fairly loosely, since you could otherwise end up blocking a member of your staff or someone genuine who is trying to access a protected part of your website. One thing to note is that the leech policy you put in place for the user accounts that can access password protected areas of your website might affect how you are able to use the protected areas, since you might be limited in how many times you can log in within a specified time period.

GnuPG Keys
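The leech policy just described, as an added example that is not from the original article or cPanel’s own code: a sliding-window login counter per username with the optional suspend action and an alert list standing in for the email notification; the thresholds and usernames are constructed sample values.

```python
from collections import defaultdict, deque


class LeechPolicy:
    """Sliding-window login counter modelled on the Leech Protect settings:
    more than `max_logins` logins by one username within `window_seconds`
    marks that username as leeched."""

    def __init__(self, max_logins, window_seconds, suspend=False, redirect_url=None):
        self.max_logins = max_logins
        self.window = window_seconds
        self.suspend = suspend            # suspend the account on breach
        self.redirect_url = redirect_url  # page leech users are sent to
        self.logins = defaultdict(deque)  # username -> login timestamps in window
        self.suspended = set()
        self.alerts = []                  # stands in for the e-mail notification

    def record_login(self, username, ts):
        """Record one successful login at time `ts` (seconds) and return
        'ok', 'leech' (over the threshold) or 'suspended'."""
        if username in self.suspended:
            return "suspended"
        q = self.logins[username]
        q.append(ts)
        while q and q[0] <= ts - self.window:   # drop logins outside the window
            q.popleft()
        if len(q) <= self.max_logins:
            return "ok"
        self.alerts.append(f"{username}: {len(q)} logins within {self.window}s at t={ts}")
        if self.suspend:
            self.suspended.add(username)
            return "suspended"
        return "leech"

    def response_for(self, status):
        """Where the request goes: the content, the configured leech page, or a refusal."""
        if status == "ok":
            return "serve"
        return self.redirect_url or "deny"
```

A tight policy (3 logins in 2 hours) suspends a shared account quickly, while a looser one lets genuine staff keep working through the day, which is the trade-off the article points out.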

GnuPG is a publicly available scheme that uses the so called ‘public key’ approach; this works in the way that a message is encrypted using the public key but can only be decrypted using the ‘private key’ held by the intended recipient of the message. GnuPG keys can be helpful if you want to send messages or store information quickly but still want the ability to decrypt it at a later date. You can also choose the password or private key that you give to the recipient of the message to allow them to decrypt the message or data when they receive it. Unlike other forms of encryption where the encryption and decryption keys are the same, the two keys used with GnuPG are different; although the encryption key will always be the same for whatever message is sent using it, the decryption key will be whatever the maker of the message wants it to be. With the cPanel interface for GnuPG keys, you can specify how long the decryption key is valid for; this means that after a certain date the message will no longer be decryptable and will therefore be unreadable. You are also given the option to choose the key size; the bigger the key size, the more secure the message will be. cPanel also gives you the option to import existing private and public keys, which can help if you are transferring your website hosting from another provider.

Conclusion

In conclusion, cPanel provides you with a number of tools that you can use to ensure that your website is as secure as it can be. Via the use of password protected directories you can ensure that information stored in certain directories of your website is only accessible with a username and password, which any sensible web master would keep to themselves; however, you are given the ability to create multiple accounts, meaning that you can easily allow access for others if you want or need to. If your website is very informative and contains a lot of images that others may find useful, then you should ensure that you put hot link protection in place; this is because other website owners may want to include your images within their content but lack the knowledge to download an image and place it in their own web space, and if hot link protection is not enabled and the other person’s website is a very busy one, you might find yourself with either a large bandwidth overage bill or no bandwidth left. If you feel that visitors from a certain host name or IP address may be trying to breach the security of your website in one way or another, then you can easily ban them through the IP deny manager; you should always do this, since one day they might just get lucky and manage to get through all the security you have put in their way. If you run an online shop or a website where the information exchanged between client computers and your website is of the highest confidentiality, then you should deploy an SSL certificate on a dedicated IP address; you can also display a ‘sticker’ on your website, which most SSL vendors supply, since that could boost the confidence customers have in your website.
If you require it, you can also use SSH access within your shared hosting environment to transfer files between one server and another; you can also use private keys in scripts to enable automatic file transfer via SSH without the need for a username or password, while the information being exchanged remains secure. If you have implemented password protected directories within your website, then you can also put a leech policy in place to ensure that any user accounts used to access confidential information on your website are suspended if they are compromised in any way; if you don’t want others to see the information contained within your password protected directories, then a leech policy protects both the user accounts used to access the directories and the information contained within them. Finally, you can use GnuPG keys to encrypt and decrypt messages sent between you and a friend; the messages are all encrypted using the same public key, although you have the power to specify the private key/password that may be used to decrypt the message.


This post is compiled by eUKhost.com
