Operating System & Version
CentOS 7.9
cPanel & WHM Version
106.0.11

hunt695

Using CSF firewall, I'm aware it's a plugin and not a cPanel product but it suggests doing so, the question is, should I:

Mail Check
  1. Check exim for secure authentication (if I require clients to connect with SSL or issue the STARTTLS command before they are allowed to authenticate with the server will they be able to connect with their accounts via insecure ports)?
PHP Check
  1. Check php for enable_dl or disabled dl() (enable_dl = Off )?
  2. Check php for disable_functions (disable_functions = show_source, system, shell_exec, passthru, exec, popen, proc_open)?
WHM Settings Check
  1. Check cPanel login is SSL only?
  2. Check boxtrapper is disabled?
  3. Check GreyListing is disabled?
  4. Check Reset Password for cPanel accounts?
  5. Check Reset Password for Subaccounts?
  6. Check compilers?
  7. Check proxy subdomains?
  8. Check accounts that can access a cPanel user?
  9. Check Referrer Blank Security?
  10. Check Referrer Security?
  11. Check Password ENV variable?
  12. Check SMTP Restrictions?
Server Services Check
  1. Check server services (disable rpcbind service)?

I'm mostly hosting WordPress and various Laravel CMS websites, along with some static content on my cPanel/WHM VPS (with root access).
Any advice is much appreciated!
 

cPRex

Jurassic Moderator
Staff member
Hey there!

For the Mail Check issue, we have "Require clients to connect with SSL or issue the STARTTLS command before they are allowed to authenticate with the server" enabled by default on cPanel machines, so you shouldn't need to do anything there, but you can check that value in WHM >> Exim Configuration Manager.

We say this about the "enable_dl" feature in WHM >> MultiPHP INI Editor: "The default is to allow dynamic loading, except when using safe mode. This feature is deprecated, and will be removed at a future time." It's up to you if you want to disable that tool.

The disable_functions line is just a reminder for you to examine that to ensure it is set up how you want - that notice doesn't indicate any server issues.

The rest of the options are just letting you know to double-check those areas to make sure they are set up how you want. It's not saying there are any security issues present, but it's just serving as a reminder to examine those settings on the machine.
 
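An added example, not part of the thread and not cPanel or CSF code: a small Python check of a php.ini file against the two PHP items in the question, enable_dl / dl() and the disable_functions list CSF suggests. The sample php.ini text and the names read_directives and audit are constructed for illustration; pass the path of the php.ini you want to examine as the first argument.

```python
import sys

# Functions named in the CSF disable_functions check quoted in the question.
CSF_SUGGESTED = ["show_source", "system", "shell_exec", "passthru",
                 "exec", "popen", "proc_open"]
PHP_FALSE = {"", "0", "off", "false", "no", "none"}

# Constructed sample, not taken from a real server.
SAMPLE_INI = """\
[PHP]
enable_dl = On
disable_functions = show_source, system,shell_exec , passthru
; a later assignment overrides an earlier one
enable_dl = Off   ; inline comment
"""

def read_directives(ini_text):
    """Return {directive: value} from php.ini text; the last assignment wins."""
    values = {}
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "[")) or "=" not in line:
            continue  # blank line, comment, section header, or not an assignment
        key, _, value = line.partition("=")
        value = value.strip()
        if value[:1] in ('"', "'"):
            end = value.find(value[0], 1)          # closing quote, if present
            value = value[1:end] if end != -1 else value[1:]
        else:
            value = value.split(";", 1)[0].strip()  # drop an inline comment
        values[key.strip()] = value
    return values

def audit(ini_text):
    """Report the state of enable_dl / dl() and which suggested functions remain enabled."""
    d = read_directives(ini_text)
    # The WHM text quoted in the reply says dynamic loading is allowed by default.
    dl_enabled = d.get("enable_dl", "1").lower() not in PHP_FALSE
    disabled = {f.strip() for f in d.get("disable_functions", "").split(",") if f.strip()}
    return {
        "enable_dl": dl_enabled,
        # The check passes with enable_dl = Off or with dl listed in disable_functions.
        "dl_blocked": (not dl_enabled) or "dl" in disabled,
        "not_disabled": [f for f in CSF_SUGGESTED if f not in disabled],
    }

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_INI
    print(audit(text))
```

The not_disabled list is a prompt to review, in the same sense as the CSF notice: whether each function can be disabled depends on what the hosted sites call.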

hunt695

Thanks for the clarification