CSF - CongfigServer Security Firewall
CongfigServer Security Firewall is becoming an inevitable part of cPanel servers, because it empower the security layer a lot. Rather than just acting as a firewall, it also can be configured to monitor server load, emailing, processes, etc which makes it to be a good security suit for the server. It works on top of netfilter aka iptables and it makes the administration of this tool very easy for a server administrator. Additionally it has very large user base, because it is uit basically to work quite beautifully with cPanel; so support and integrity will not be a problem. With ntPGo, we tweak many values in the CSF configuration in a general basis.
Securing Apache is very important. Generally it is recommended to set everything to "PCI Compliant" in Apache Global Configuration from WHM. Additionally you should consider disabling Directory Listing, Enabling SymLink Security Patch from EasyApache ( if you do not have CloudLinux kernel is installed ) and Enabling PJP Open Base Dir Rstriction.
Rkhunter is one of the famous tool that is used to scan Rookits on the server. With ntcPGo, we will installed Rkhunter and schedule it to run a server scan every day. Rather than just setting it up, we tweak the configuration to eliminate some of the common the false positives.
Disable unwanted processes
Not all processes that are the part of OS installation is needed for a server. Every services running and available to public must be managed and updated properly, so that you should be able to close down the vulnerabilities with the specific service / package. With ntcPGo, we will disable all services, that are not commonly required for a cPanel server.
Tweaking some of the kernel variables to prevent some of the common type of attacks ( like SYNFLOOD ) is recommended. We enforce sch changes via ntcPGo
By default cPanel provides a lot of options to make it secure. Please note that no system is secure by default;it may offer provision to enforce security and it is the duty of the system administrator to implement them. Based on such a perspective, ntcPGo do many security tweaks that cPanel provides with the system. Some of them are Background process killer, Disabling compiler access, Shell Bomb-Fork protection, Enforcing SSL, etc. It also enforce minimum password strength for users, so that your customer's account will not be compromised due to weak password.
Securing FTP is very important, because your users are depending on it to upload files. Some of the security settings are disabling plain FTP login, disabling root and anonymous login, etc.
Securing DNS should be done, just to protect your server from attack like DNS amplyfying attack. Some of the common security steps are disabling recursion, hide the bind version, etc
Additional Security Tools
ntcPGo installs many additional tools which can help you to manage security layer and enforce related monitoring. We install the suits provided by CongfigServers, RFXN
Moving SSH service to a non-standard port is an important step that should take while doing cPanel security. ntcPGo will warn you if you are using default port for SSH. Additional steps that you can like disabling direct root login, reducing login grace time and possibly disabling password authentication.