Quick Basic cPanel Server Security Setup - #security #cpanel #server #SSH #nftables
Bizanosa post: https://bizanosa.com/basic-whm-cpanel-server-security-setup-via-ssh/

1. Setting Up Firewall (NFTables)

The tutorial begins with configuring a firewall using NFTables, replacing other firewalls like firewalld, iptables, and ufw. The host edits a sample NFTables configuration based on the official wiki and adds all essential cPanel and WHM ports. Each port can be placed on its own line so that it can be enabled or disabled by uncommenting or commenting that line. After the other firewalls are disabled and uninstalled, NFTables is installed (dnf install nftables or apt install nftables), enabled, and restarted. The instructor explains how to find and edit the default NFTables config file (usually /etc/nftables.conf, or the path specified in the systemd service file). A custom configuration is pasted into the file, allowing cPanel, WHM, SSH, and DNS ports. Once configured, the server is rebooted and tested using nft list ruleset to confirm the firewall is active.

2. Creating a New Sudo User

A new non-root administrative user is created for better security. On AlmaLinux or CentOS, the user is added to the wheel group (on Ubuntu, it would be the sudo group). The new user is tested with sudo dnf update to confirm they have proper administrative privileges. From this point, the root user is no longer used for daily operations.

3. Setting Up SSH Key Authentication

On the local computer, an SSH key pair (ED25519) is generated and stored in a dedicated directory. The public key is copied to the new user's ~/.ssh/authorized_keys file on the server. SSH login with the private key is tested successfully, confirming passwordless secure access.

4. Disabling Root Login and Password Authentication

Password login and direct root login are both disabled for SSH. A custom SSH config file is created in /etc/ssh/sshd_config.d/ to contain PasswordAuthentication no, PermitRootLogin no, and Port {custom_port} (for example 6022). SSH is restarted, and access is tested. Port 22 (default) is blocked, password login is denied, and public key login via the new port works correctly.

5. Installing CrowdSec

CrowdSec is installed as an intrusion prevention system, a modern alternative to Fail2Ban. Both the CrowdSec agent and the NFTables bouncer are installed to automatically block malicious IPs. The system detects installed services such as Apache, MariaDB, and Dovecot, and adds relevant protection collections. After enabling Nginx, CrowdSec is reconfigured to include it as well. Commands demonstrated include cscli bouncers list to check bouncer status, cscli decisions list to view banned IPs, and cscli decisions delete -i {IP} to unban an IP. Users are advised to check after 24 hours to see IPs automatically blocked by CrowdSec.

6. Configuring WHM Backups

Inside WHM, the instructor walks through enabling and configuring server backups. Daily, weekly, or monthly backups are enabled with specific retention limits such as keeping 15 or 30 backups. Compression and disk space checks are enabled to stop the backup if disk usage exceeds 90 percent. Remote backups are set up to Hetzner Storage Box or similar SFTP targets using port 22, entering hostname, username, password, and backup directory path. The configuration is saved and tested.
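An added example for step 4 (not from the video or the Bizanosa post): a shell function that reads the effective configuration printed by sshd -T and checks the three settings the drop-in file is meant to enforce. sshd keeps the first value it reads for each keyword and treats Port as cumulative, so a drop-in can be overridden or only partly effective; the function name, the sample inputs (constructed) and the use of 6022 from the text's example are assumptions.

```shell
#!/bin/sh
# Audit effective sshd settings against the hardening described in step 4.
# Input on stdin: output of `sshd -T` (lowercase "keyword value" lines).
# On a real server, as root:  sshd -T | audit_sshd 6022
audit_sshd() {
    want_port="$1"
    awk -v want="$want_port" '
        $1 == "passwordauthentication" { pw = $2 }
        $1 == "permitrootlogin"        { root = $2 }
        $1 == "port"                   { ports[$2] = 1 }   # one line per port
        END {
            bad = 0
            if (pw != "no")   { print "FAIL passwordauthentication=" pw; bad = 1 }
            if (root != "no") { print "FAIL permitrootlogin=" root; bad = 1 }
            if (!(want in ports)) {
                print "FAIL port " want " not configured"; bad = 1
            }
            if (("22" in ports) && want != "22") {
                print "FAIL still listening on port 22"; bad = 1
            }
            if (!bad) print "OK"
            exit bad
        }'
}

# Constructed sample: the drop-in is fully in effect.
sample_hardened() {
    printf '%s\n' 'port 6022' 'permitrootlogin no' \
        'passwordauthentication no' 'pubkeyauthentication yes'
}

# Constructed sample: an earlier file set PasswordAuthentication yes (first
# value wins) and the main sshd_config still has an active "Port 22" line.
sample_overridden() {
    printf '%s\n' 'port 22' 'port 6022' 'permitrootlogin no' \
        'passwordauthentication yes'
}

sample_hardened   | audit_sshd 6022          # prints OK, exit status 0
sample_overridden | audit_sshd 6022 || true  # prints two FAIL lines, status 1
```

Run the audit after restarting SSH and before closing the existing session, so a failed check can be fixed without losing access.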