Server Hardening & Optimization Guide (usernames and email address shown are examples)
Target OS: AlmaLinux 9.5 / CloudLinux 9.5
Control Panel: cPanel 126
🔐 SSH Configuration & Access Control
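Disable Direct Root Login:
# Match the directive whether or not it is currently commented out
sed -i -E 's/^#?PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config
echo "AllowUsers adminuser supportuser" >> /etc/ssh/sshd_config
# Validate the config first; both AllowUsers accounts must already exist
sshd -t && systemctl restart sshd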
Root Access Procedure:
Log in as adminuser, then run:
su -
Emergency Access User:
adduser supportuser
passwd supportuser
usermod -aG wheel supportuser
⚙️ PHP Optimization & Security
Install PHP Loaders:
WHM → EasyApache 4 → PHP Extensions
- ✅ Enable: php-ioncube
- ✅ Enable: php-zend-guard-loader (for PHP 5.3)
Disable Dangerous PHP Functions:
WHM → MultiPHP INI Editor → Editor Mode
disable_functions = exec,passthru,shell_exec,system,proc_open,popen,curl_exec,show_source
Disable URL File Access:
allow_url_fopen = Off
Enable open_basedir:
WHM → Tweak Settings → Enable open_basedir
To resolve related issues:
WHM → Security Center → PHP open_basedir Tweak
🧰 Kernel & Filesystem Hardening
Harden /tmp and /var/tmp:
dd if=/dev/zero of=/var/tmpDSK bs=1M count=1024
mkfs.ext4 /var/tmpDSK
mount -o loop,noexec,nosuid,nodev /var/tmpDSK /tmp
chmod 1777 /tmp
mount --bind /tmp /var/tmp
# fstab is processed top to bottom: list /tmp before the bind mount that depends on it
echo "/var/tmpDSK /tmp ext4 loop,noexec,nosuid,nodev 0 0" >> /etc/fstab
echo "/tmp /var/tmp none bind 0 0" >> /etc/fstab
Harden /dev/shm:
mount -o remount,noexec,nosuid,nodev /dev/shm
echo "tmpfs /dev/shm tmpfs defaults,nosuid,noexec,nodev 0 0" >> /etc/fstab
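A quick way to confirm the mount flags above actually took effect, as an added example that is not part of the original guide: it reads a file in /proc/mounts format and reports which of noexec, nosuid and nodev are missing on /tmp, /var/tmp and /dev/shm. The function names and the sample data are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit the mount flags this guide sets on /tmp, /var/tmp, /dev/shm.
REQUIRED="noexec nosuid nodev"

# Constructed sample in /proc/mounts format (not from a real host). /tmp appears
# twice because mounts stack: the later loop mount hides the earlier tmpfs.
sample_mounts() {
    cat <<'EOF'
/dev/sda2 / xfs rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
/dev/loop0 /tmp ext4 rw,nosuid,nodev,noexec,relatime 0 0
/dev/loop0 /var/tmp ext4 rw,nosuid,nodev,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
EOF
}

# Print the options of the LAST entry for mount point $2 in file $1.
mount_opts() {
    awk -v mp="$2" '$2 == mp { opts = $4 } END { print opts }' "$1"
}

# Print the required flags missing on mount point $2 (empty = fully hardened),
# or "unmounted" when the path has no mount entry of its own.
missing_flags() {
    opts=$(mount_opts "$1" "$2")
    [ -n "$opts" ] || { echo "unmounted"; return 0; }
    missing=""
    for flag in $REQUIRED; do
        case ",$opts," in
            *",$flag,"*) ;;
            *) missing="$missing $flag" ;;
        esac
    done
    echo "${missing# }"
}

# Audit all three paths; returns 1 if any of them is missing a flag.
audit_mounts() {
    file=${1:-/proc/mounts}
    rc=0
    for mp in /tmp /var/tmp /dev/shm; do
        m=$(missing_flags "$file" "$mp")
        if [ -z "$m" ]; then echo "OK   $mp"; else echo "FAIL $mp: $m"; rc=1; fi
    done
    return $rc
}

# Run against the live system only when asked: sh audit.sh --live
if [ "${1:-}" = "--live" ]; then audit_mounts; fi
```

On the constructed sample, /tmp passes while /var/tmp and /dev/shm are each reported as missing noexec.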
🔄 System Services & Resource Management
Install SPRI (System Priority Management):
cd /usr/local/src
wget https://download.configserver.com/spri.tgz
tar -xzf spri.tgz
cd spri
sh install.sh
Install PRM (Process Resource Monitor):
cd /usr/local/src
wget https://download.configserver.com/prm.tgz
tar -xzf prm.tgz
cd prm
sh install.sh
Install LSM (Login Failure Tracking):
cd /usr/local/src
wget https://download.configserver.com/lsm.tgz
tar -xzf lsm.tgz
cd lsm
sh install.sh
🛡️ Security Enhancements
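Install CHKRootKit:
yum install -y chkrootkit
# cron.daily only runs executable scripts, so write a real script and mark it executable
printf '#!/bin/sh\nchkrootkit\n' > /etc/cron.daily/chkrootkit
chmod +x /etc/cron.daily/chkrootkit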
Install RKHunter:
yum install -y rkhunter
rkhunter --update
rkhunter --propupd
# --skip-keypress keeps the unattended run from waiting for input
printf '#!/bin/sh\nrkhunter --check --skip-keypress | mail -s "RKHunter Scan" root\n' > /etc/cron.weekly/rkhunter
chmod +x /etc/cron.weekly/rkhunter
Harden BIND:
Edit /etc/named.conf (these directives go inside the options { } block):
recursion no;
allow-transfer { none; };
version "not currently available";
Sysctl Hardening:
Edit /etc/sysctl.conf:
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 5
Apply changes:
sysctl -p
Harden /etc/host.conf:
order bind,hosts
nospoof on
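Restrict ptrace:
sysctl -w kernel.yama.ptrace_scope=2
# sysctl -w does not survive a reboot; persist the setting as well
echo "kernel.yama.ptrace_scope = 2" >> /etc/sysctl.conf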
Install mod_evasive:
# On cPanel, Apache modules are installed from the EasyApache 4 packages
yum install -y ea-apache24-mod_evasive
systemctl restart httpd
📈 System & Network Optimizations
MySQL Tuning:
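Edit /etc/my.cnf:
[mysqld]
# The query cache settings apply to MariaDB and MySQL 5.7 only.
# MySQL 8.0 removed the query cache and will not start if they are present.
query_cache_size = 64M
query_cache_type = 1
max_connections = 200
table_open_cache = 2048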
Restart MySQL:
systemctl restart mysql
Apache Tuning:
WHM → Service Configuration → Apache Configuration
- Keep-Alive: On
- Timeout: 60
- MaxRequestWorkers: 256
Pure-FTPd Tuning:
WHM → FTP Server Configuration
- Idle Time: 15
- Passive Ports: 50000–51000
Optimize DNS Resolvers:
Edit /etc/resolv.conf:
nameserver 1.1.1.1
nameserver 8.8.8.8
🔒 Compiler & Miscellaneous Restrictions
Disable Compiler Access:
WHM → Security Center → Compiler Access
Enable Background Process Killer:
Edit CSF config or use PRM.
Minimum Password Strength:
WHM → Security Center → Password Strength Configuration → Set to 70+
💬 Notifications & Logs
Forward Root Email:
# Example address; replace with the mailbox that should receive root's mail
echo "admin@example.com" > /root/.forward
Reduce Log Clutter:
sed -i '/blamed/d' /etc/logrotate.d/*
ℹ️ Note: Some security and optimization scripts may affect compatibility with specific web applications. If issues arise, whitelist relevant functions or contact support with exact error output.