We\u2019re focusing on server-level security, so you will need access to your server\u2019s root account, both in WHM and on the command line via SSH<\/a>.<\/p>\n\n\n\n SSH (Secure Shell) is an encrypted network protocol that keeps authentication credentials and data safe when you connect to your server\u2019s shell. The server runs an SSH service, and a client on your local device connects to it. Communication between them is encrypted so eavesdroppers can\u2019t see sensitive data traveling over the network.<\/p>\n\n\n\n The SSH service traditionally listens for connections on port 22, so bots target that port with brute-force attacks that attempt to guess a valid username and password. Even if users choose long and hard-to-guess passwords\u2014which is not always the case\u2014brute-force attacks can generate a vast number of failed login attempts that waste server resources.<\/p>\n\n\n\n Changing the port number confuses unsophisticated bots. If they can\u2019t find the port, they can\u2019t attempt to log in. A Linux server has 65535 (27<\/sup>) available ports. You should avoid 0\u20131023\u2014the so-called well-known ports, including SSH\u2019s 22\u2014but you are free to choose between 1024\u201365535.<\/p>\n\n\n\n Before you begin, be sure to configure your firewall<\/a> to allow connections on the new port. Otherwise, it will block SSH connections, and you won\u2019t be able to log in.<\/p>\n\n\n\n Log in as root with SSH and open the \/etc\/ssh\/sshd_config file in your preferred text editor.<\/p>\n\n\n\n Find the line that reads:<\/p>\n\n\n\n Delete the pound sign at the beginning of the line and change the 22 to your new port.<\/p>\n\n\n\n Save and close the SSH configuration file. Finally, restart the SSH service:<\/p>\n\n\n\n <\/p>\n\n\n\n Changing the SSH port reduces brute-force log-in attempts, but it won\u2019t stop a motivated attacker. Another way to improve SSH security avoids passwords in favor of SSH keys. SSH keys are more secure and, if password logins are disabled, they make successful brute-force attacks impossible.<\/p>\n\n\n\n SSH keys have a public and a private component. The public key is stored on the server, and the private key is stored on the client machine. Only users with the private key can log in to the relevant account. We\u2019ll focus on securing the root account with SSH keys, but site administrators and resellers can use a similar approach in cPanel<\/a>.<\/p>\n\n\n\n First, we\u2019ll generate new SSH keys for root in WHM. Log in to WHM and navigate to Manage Root\u2019s SSH Keys<\/em>.<\/p>\n\n\n\n WHM generates the public and private keys, which you can see by clicking Return to SSH Manager.<\/em> Next, we need to authorize the public key for authentication. Click Manage Authorization<\/em> and then Authorize<\/em>.<\/p>\n\n\n\n Finally, the private key should be downloaded and saved to your local computer. Click View\/Download Key<\/em>. Copy the text from the upper text box, or, if you use the PuTTY client on Windows, the PuTTY PPK format converter.<\/p>\n\n\n\n The next step differs depending on your operating system and SSH client. If you use the built-in Microsoft Windows 10 SSH client or OpenSSH on macOS or Linux, you should create a file called id_rsa.pub<\/em> and paste the private key data into it. If you gave the key a different name, you can use it instead of id_rsa<\/em> in the filename.<\/p>\n\n\n\n To make it your default private key:<\/p>\n\n\n\n Replace \u201cuser1\u201d with your username. You should now be able to connect to your server over SSH as usual, authenticating with the key rather than your password.<\/p>\n\n\n\n If you do not want to make it your default private key, save it elsewhere and specify the key when logging in.<\/p>\n\n\n\n As things stand, the root user can log in with SSH keys or a password. If you would like to force users to authenticate with keys and prevent them from using a password, enable the SSH Password Authorization Tweak<\/em> in Security Center<\/em>.<\/p>\n\n\n\n We\u2019ve locked down SSH, but there are several other services bots might target. Plus, they\u2019ll keep trying regardless of whether there is any chance of success. That\u2019s why cPanel & WHM includes cPHulk, a sophisticated brute force protection tool that monitors the cPanel, WHM, Mail, FTP, and SSH ports.You will find cPHulk in the WHM Security Center<\/em>. If it is disabled, click the switch to enable it and access the configuration interface.<\/p>\n\n\n\n We have selected sensible defaults, but you can tweak several settings for user and IP brute-force monitoring:<\/p>\n\n\n\n For example, in this image, IPs are blocked if they make more than five failed login attempts in 15 minutes.<\/p>\n\n\n\n cPHulk also includes whitelisting for IP addresses and users that should never be blocked and blacklisting for those that should always be blocked. (Note that these terms are likely to change in the future to make them more inclusive.)<\/p>\n\n\n\n cPanel Security Advisor<\/em> scans Linux servers and services for misconfigurations that could cause security vulnerabilities. It generates warnings alongside recommendations with guidance to help administrators to secure their server.<\/p>\n\n\n\n In this image, we see several important security advisories pertaining to Apache, the Linux kernel, and malware scanning. These are severe security issues that should be addressed immediately.<\/p>\n\n\n\n Other types of advisory include yellow Recommendations<\/em>, which offer helpful guidance about critical security risks that should be investigated and resolved as soon as possible. Grey Information<\/em> advisories display information about potential user-related security issues relating to file permissions and data access, as well as third-party software to enhance Linux server security. Green<\/em> advisories indicate potential security issues that have already been resolved.<\/p>\n\n\n\n cPanel & WHM includes dozens of Linux security features that empower hosting providers and server administrators to protect user data, limit the impact of malicious users, and defeat brute-force and other bad bot attacks. You can find more information in our Security Center<\/em><\/a> documentation and the following articles:<\/p>\n\n\n\n As always, if you have any feedback or comments, please let us know. We are here to help in the best ways we can. You\u2019ll find us on Discord<\/a>, the cPanel forums<\/a>, and Reddit<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":" The internet is a hostile environment, and your web hosting servers face innumerable threats from bad actors who want to steal data and exploit server resources. CentOS is a stable and secure foundation, but it is not invulnerable. Configuration mistakes, software vulnerabilities, and poor Linux security practices can open the door to bad actors and […]<\/p>\n","protected":false},"author":77,"featured_media":65633,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[61],"tags":[],"class_list":["post-58781","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-tips-and-tricks"],"acf":[],"yoast_head":"\nHow To Change the SSH Port in cPanel<\/strong><\/h2>\n\n\n\n
nano \/etc\/ssh\/sshd_config<\/code><\/pre>\n\n\n\n#Port 22<\/code><\/pre>\n\n\n\nPort 32356<\/code><\/pre>\n\n\n\n\/scripts\/restart_ssh<\/code><\/pre>\n\n\n\n
Be sure to take note of the port number you chose. Next time you log in to SSH, specify the port in your SSH command:<\/p>\n\n\n\nssh -p 32356 user@example.com<\/code><\/pre>\n\n\n\nHow To Use SSH Keys with the Root Account<\/strong><\/h2>\n\n\n\n
![\"cPanel](\"https:\/\/blog.cpanel.com\/wp-content\/uploads\/2020\/12\/00-cpanel-generate-ssh-keys.png\")
<\/figure>\n\n\n\n![\"cPanel](\"https:\/\/blog.cpanel.com\/wp-content\/uploads\/2020\/12\/01-cpanel-authorize-ssh-key.png\")
<\/figure>\n\n\n\n![\"cPanel](\"https:\/\/blog.cpanel.com\/wp-content\/uploads\/2020\/12\/02-cpanel-view-root-ssh-key.png\")
<\/figure>\n\n\n\nssh -p 32356 -i my_public_key user1@example.com<\/code><\/pre>\n\n\n\n![\"cPanel](\"https:\/\/blog.cpanel.com\/wp-content\/uploads\/2020\/12\/03-cpanel-disable-ssh-password-auth.png\")
<\/figure>\n\n\n\nFighting Brute Force attacks with cPHulk<\/strong><\/h2>\n\n\n\n
![\"cPanel](\"https:\/\/blog.cpanel.com\/wp-content\/uploads\/2020\/12\/04-cpanel-cphulk-brute-force-protection.png\")
<\/figure>\n\n\n\n![\"cPanel](\"https:\/\/blog.cpanel.com\/wp-content\/uploads\/2020\/12\/05-cpanel-cphulk-ipbased-brute-force.png\")
<\/figure>\n\n\n\nFollow Linux Security Best Practices with cPanel Security Advisor<\/strong><\/h2>\n\n\n\n
![\"cPanel](\"https:\/\/blog.cpanel.com\/wp-content\/uploads\/2020\/12\/06-cpanel-security-advisor.png\")
<\/figure>\n\n\n\nLinux Server Security with cPanel & WHM<\/strong><\/h2>\n\n\n\n