Securing a Linux server is not a one-time task — it is an ongoing process. Whether you are managing a cPanel shared hosting account, a KVM VPS, or a bare-metal dedicated server, the attack surface is the same: SSH brute force, outdated software, misconfigured services, and weak passwords. This guide covers the most impactful steps you can take to dramatically reduce your server's exposure, ordered from the highest to lowest priority.
Who is this guide for? This guide is targeted at intermediate Linux users — particularly WebsNP VPS and dedicated server clients who have root access. For shared hosting clients, most of these settings are managed by WebsNP on your behalf.
1. SSH Hardening — Your First Line of Defence
SSH is the primary access method for Linux servers and the most commonly attacked service. Default SSH configuration is permissive by design — you need to lock it down.
1.1 Create a Non-Root Admin User
Never operate as root directly. Create a dedicated user with sudo privileges, then disable root SSH login entirely.
# Create a new user
useradd -m -s /bin/bash secureadmin
# Set a strong password (use a password manager!)
passwd secureadmin
# Add to sudo group (AlmaLinux/Rocky: 'wheel'; Debian/Ubuntu: 'sudo')
usermod -aG wheel secureadmin
1.2 Disable Root SSH Login & Change the Default Port
Edit your SSH daemon configuration file:
nano /etc/ssh/sshd_config
Change or add the following directives:
# Disable root login
PermitRootLogin no
# Change default port (pick any unused port between 1024–65534)
Port 2244
# Disable password authentication if using SSH keys (recommended)
PasswordAuthentication no
# Limit SSH login to specific users
AllowUsers secureadmin
# Disable legacy protocol negotiation
Protocol 2
# Reduce login grace time
LoginGraceTime 30
MaxAuthTries 3
Restart SSH to apply changes. Do NOT close your current session until you verify you can log in with the new port and user.
systemctl restart sshd
⚠️ Warning: If you change the SSH port, you must also update your firewall rules to allow the new port BEFORE restarting SSH. Failure to do so will lock you out of your server.
1.3 Use SSH Key Authentication (Recommended)
Password authentication can be brute-forced. SSH keys use cryptographic key pairs that are practically impossible to crack.
# On your LOCAL machine, generate a key pair
ssh-keygen -t ed25519 -C "your_email@example.com"
# Copy the public key to the server
ssh-copy-id -i ~/.ssh/id_ed25519.pub secureadmin@YOUR_SERVER_IP -p 2244
Once you confirm key-based login works, you can disable password authentication in sshd_config as shown above.
2. Firewall Configuration with firewalld or CSF
A firewall is non-negotiable. It restricts incoming and outgoing traffic to only what is explicitly needed.
2.1 Using firewalld (AlmaLinux / Rocky Linux)
# Install and enable firewalld
yum install firewalld -y
systemctl enable --now firewalld
# Allow only required services
firewall-cmd --permanent --add-service=http
firewall-cmd --permanent --add-service=https
firewall-cmd --permanent --add-port=2244/tcp # Your custom SSH port
# Block everything else by default (firewalld does this automatically)
firewall-cmd --reload
# Verify active rules
firewall-cmd --list-all
2.2 Using CSF (ConfigServer Security & Firewall) — Recommended for cPanel
CSF is the most popular firewall solution for cPanel/WHM servers. It integrates directly into WHM and provides a GUI for managing rules.
# Install CSF
cd /usr/src
wget https://download.configserver.com/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.sh
# Test that your server meets requirements
perl /usr/local/csf/bin/csftest.pl
# Configure in WHM: Plugins > ConfigServer Security & Firewall
💡 CSF Key Settings to Configure: Set TESTING = "0" after testing to enable live mode. Configure TCP_IN to only include ports you use (80, 443, 2244, 21, 25, 110, 143, etc.). Enable LF_SSHD and LF_CPANEL for automatic brute-force blocking.
3. Fail2Ban — Automatic Brute-Force Protection
Fail2Ban monitors log files and automatically bans IP addresses that show malicious signs (too many failed login attempts) using firewall rules.
# Install Fail2Ban
yum install fail2ban -y
systemctl enable --now fail2ban
# Create a local configuration file (never edit jail.conf directly)
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
nano /etc/fail2ban/jail.local
Key settings to configure in jail.local:
[DEFAULT]
bantime = 3600 # Ban for 1 hour (use 86400 for 24h bans)
findtime = 600 # Monitor 10-minute windows
maxretry = 5 # Ban after 5 failures
[sshd]
enabled = true
port = 2244 # Your custom SSH port
logpath = /var/log/secure
[cpanel]
enabled = true
port = 2082,2083,2086,2087
logpath = /usr/local/cpanel/logs/login_log
systemctl restart fail2ban
# Check banned IPs
fail2ban-client status sshd
4. Automatic Security Updates
Unpatched software is the most common cause of server compromises. Enable automatic security updates to ensure kernel patches and package updates are applied without delay.
4.1 Enable dnf-automatic (AlmaLinux / Rocky)
yum install dnf-automatic -y
# Configure to apply security updates only
nano /etc/dnf/automatic.conf
# Set: upgrade_type = security
# Set: apply_updates = yes
systemctl enable --now dnf-automatic.timer
4.2 Keep cPanel Updated
In WHM, go to Server Configuration → Update Preferences and set your cPanel tier to RELEASE or STABLE and enable automatic updates. Never run outdated cPanel versions — security patches are released regularly.
5. ModSecurity — Web Application Firewall (WAF)
ModSecurity is an Apache/Nginx module that acts as a Web Application Firewall (WAF), blocking common web-layer attacks including SQL injection, cross-site scripting (XSS), and file inclusion attacks.
5.1 Enable ModSecurity in cPanel WHM
In WHM, navigate to Security Center → ModSecurity Tools. Enable ModSecurity and install the OWASP Core Rule Set (CRS) or Comodo WAF Rules (both free). Set your initial mode to Detection Only to review what would be blocked before enforcing.
💡 Tip: After 1–2 weeks in Detection mode, review the audit log. If there are no false positives affecting your legitimate traffic, switch to On (Process Rules) to enable active blocking.
6. User Isolation with CloudLinux & CageFS
On shared hosting servers, user isolation is critical. Without it, one compromised cPanel account can potentially read files from other accounts on the same server.
CloudLinux solves this with two technologies:
- CageFS: Each cPanel user gets their own isolated virtual file system. They cannot see other users' files, running processes, or system configuration details.
- LVE (Lightweight Virtual Environment): Per-account CPU and RAM limits prevent a single account from consuming all server resources (the "noisy neighbour" problem).
WebsNP's shared hosting and reseller hosting infrastructure already runs CloudLinux with CageFS enabled by default, protecting all accounts.
7. Imunify360 — AI-Powered Malware Detection
For cPanel servers, Imunify360 by CloudLinux is the gold standard for malware detection and removal. It combines a WAF, malware scanner, patch management, and reputation-based network protection into a single suite.
- Real-time scanning of all PHP, JavaScript, and other web files for malicious patterns
- Automatic malware removal and quarantine
- Proactive Defense™ — blocks attacks in real time by monitoring PHP code execution behaviour
- KernelCare integration for live kernel patching (no reboots required for kernel updates)
All WebsNP managed dedicated server plans include Imunify360 as part of the management package.
8. Backups — Your Last Line of Defence
Even with perfect security, backups are essential. Ransomware, accidental deletion, and software bugs can all cause data loss. A backup you have not tested is not a backup.
Best Practices for Server Backups
- Follow the 3-2-1 rule: 3 copies of data, on 2 different media types, with 1 copy offsite.
- Use cPanel Backup Manager: Configure daily incremental backups to a remote FTP server or Amazon S3 bucket. Never store backups on the same server.
- Test restores monthly: A backup that cannot be restored is worthless. Schedule monthly test restores of a sample site or database.
- Retain at least 30 days: Some malware lies dormant for weeks before activating. A 7-day retention window may not be enough.
Server Security Hardening Checklist
- Created a non-root sudo user for daily administration
- Disabled root SSH login (
PermitRootLogin no)
- Changed SSH port from default 22 to a custom port
- Enabled SSH key authentication; disabled password auth
- Installed and configured a firewall (firewalld or CSF)
- Installed Fail2Ban with SSH and cPanel jails enabled
- Enabled automatic security updates (dnf-automatic)
- Enabled ModSecurity with OWASP CRS rules
- Verified CloudLinux CageFS is active (shared servers)
- Installed or requested Imunify360 (managed plans)
- Configured daily remote backups with 30-day retention
- Performed a test restore from backup within last 30 days
WebsNP Technical Team
This guide is maintained by the WebsNP server administration team. Our engineers manage hundreds of Linux servers running cPanel, Plesk, and custom configurations across our global infrastructure. Last reviewed April 2026. For server-specific security consultations, open a ticket in your client area.
Need a Fully Managed, Pre-Hardened Server?
WebsNP managed dedicated servers come with CSF, Imunify360, CloudLinux, and daily backups configured out of the box.
View Managed Hosting Plans
