@moaalaa
Last active December 4, 2025 16:34
Secure Server And Install cPanel

Secure your new server

All our commands are for AlmaLinux 9 and Ubuntu 24.04 only

Open an SSH session to the server and run the following commands.

Update System

# AlmaLinux 9
dnf update

# Ubuntu 22.04
# apt update only refreshes the package index; apt upgrade actually installs the updates
apt update && apt upgrade

Set Time Zone

# Other examples: Asia/Riyadh, Africa/Cairo
timedatectl set-timezone 'Asia/Kuwait'

Check the timezone

date
# Mon Aug  1 12:08:29 +03 2022

Configure a Custom Hostname

hostnamectl set-hostname my-new-hostname

You must log out and log in again to see the updated hostname.

Check the hostname

hostname
# my-new-hostname

Update Hosts file

vi /etc/hosts

Add your public IP address together with the hostname after the existing entries:

# IPv4
...
127.0.0.1 localhost.localdomain localhost

# Add following Line
100.100.100.100 my-new-hostname.example.com my-new-hostname

# IPv6
2600:3c01::a123:b456:c789:d012 my-new-hostname.example.com my-new-hostname

Limited User Account

Create the user, replacing example_user with your desired username.

  1. Create the new user and assign a password

# AlmaLinux 9
useradd example_user && passwd example_user

# Ubuntu 22.04
adduser example_user && passwd example_user

  2. Add the user to the wheel group (AlmaLinux) or the sudo group (Ubuntu) for sudo privileges

# AlmaLinux 9
usermod -aG wheel example_user

# Ubuntu 22.04
usermod -aG sudo example_user

  3. Add public SSH keys (optional, only if you want to log in with SSH keys)

# Create the .ssh directory for example_user
mkdir -p /home/example_user/.ssh
chown example_user:example_user /home/example_user/.ssh
chmod 700 /home/example_user/.ssh

# Copy the SSH public key into authorized_keys

# Example command if you have the public key ready:
echo "your-ssh-public-key-here" >> /home/example_user/.ssh/authorized_keys
# or
nano /home/example_user/.ssh/authorized_keys

# Set the correct permissions for the authorized_keys file
chmod 600 /home/example_user/.ssh/authorized_keys
chown example_user:example_user /home/example_user/.ssh/authorized_keys

  4. Log out

exit

  5. Log in as the new user

ssh example_user@192.0.2.1

  6. Try sudo

sudo su
# [example_user@my-new-hostname #]

  7. In case sudo fails because of the sudoers file

    This means the server is configured to deny sudo to members of the wheel (or sudo) group.
sudo su
# example_user is not in the sudoers file.  This incident will be reported.

  8. Fix the sudoers issue by allowing the user

    You must log in as root to allow your user.
# After logging in as root, edit the sudoers file with visudo: it checks the syntax before
# saving, and a sudoers file with a syntax error locks everyone out of sudo
visudo
# Then add the next line after root ALL=(ALL) ALL
example_user ALL=(ALL)  ALL

  9. Fix the sudoers issue by allowing the wheel group or sudo group

    You must log in as root.
# After logging in as root, edit the sudoers file
visudo
# In AlmaLinux 9, if the wheel group line is commented out, remove the leading '#' to allow it, or add it if it is not in the file
%wheel ALL=(ALL)       ALL

# In Ubuntu 22.04, if the sudo group line is commented out, remove the leading '#' to allow it, or add it if it is not in the file
%sudo ALL=(ALL:ALL)       ALL

  10. Log out, log in again as example_user and try sudo one more time (step 6)

Now you can administer your Compute Instance from your new user account instead of root

Harden SSH Access

  1. You can use SSH keys if you want; I will continue with a password

    To create an SSH key please follow this article

  2. Disallow root logins over SSH

sudo vi /etc/ssh/sshd_config

Search for PermitRootLogin under Authentication and change it to no

# Authentication:
...

# Default is PermitRootLogin yes
PermitRootLogin no

  3. Disallow password logins for all users so that only SSH keys are accepted

    Only do this after you have confirmed that key-based login works for your new user; otherwise you will lock yourself out.

    • Search for PasswordAuthentication in the file; if it is missing or commented out, add it or remove the leading #, then change it to no
    • Search for PubkeyAuthentication in the file; if it is missing or commented out, add it or remove the leading #, then change it to yes
PubkeyAuthentication yes

# Default is PasswordAuthentication yes
PasswordAuthentication no

  4. Listen on only one internet protocol

    The SSH daemon listens for incoming connections over both IPv4 and IPv6 by default. If you need both protocols, skip this step; otherwise disable the one you don't need.

This does not disable the protocol system-wide; it applies only to the SSH daemon.

Search for AddressFamily in the file; if it is missing or commented out, add it or remove the leading #, then change it to inet for IPv4 or inet6 for IPv6

...
# Port 22
# Default is AddressFamily any
AddressFamily inet

  5. Restart the SSH service to load the new configuration.

# AlmaLinux 9
sudo systemctl restart sshd

# Ubuntu 22.04
sudo systemctl restart ssh

  6. Try logging in as root; it will be refused from now on
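As an added check (not part of the gist): after restarting the service, confirm the settings actually took effect. `sshd -T` prints the effective configuration, which is what matters on Ubuntu, where drop-in files under /etc/ssh/sshd_config.d/ are Included and can override what you edited in sshd_config. The function and the sample output below are my own; the samples are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not from the gist: verify the effective sshd settings after the edits above.
# `sshd -T` prints the effective configuration, which is what matters on Ubuntu, where
# /etc/ssh/sshd_config.d/*.conf drop-ins are Included and can override the main file.
# check_sshd_hardening reads "key value" lines on stdin, prints each deviation and
# returns 1 if any setting differs from the hardened values.
check_sshd_hardening() {
    awk '
        BEGIN {
            want["permitrootlogin"]        = "no"
            want["passwordauthentication"] = "no"
            want["pubkeyauthentication"]   = "yes"
            want["addressfamily"]          = "inet"   # IPv4 only, as chosen on this page
        }
        { key = tolower($1); if (key in want) seen[key] = tolower($2) }
        END {
            bad = 0
            for (k in want) {
                v = (k in seen) ? seen[k] : "(unset)"
                if (v != want[k]) {
                    printf "MISMATCH %s: got %s, want %s\n", k, v, want[k]
                    bad = 1
                }
            }
            exit bad
        }'
}

# Constructed sample of `sshd -T` output (not from a real host): root login still allowed.
SAMPLE_BAD='permitrootlogin yes
passwordauthentication no
pubkeyauthentication yes
addressfamily inet'

# Constructed sample after the hardening steps.
SAMPLE_GOOD='permitrootlogin no
passwordauthentication no
pubkeyauthentication yes
addressfamily inet'

# On a real server:  sudo sshd -T | check_sshd_hardening && echo "sshd hardened"
```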

Installing cPanel

AlmaLinux: Disable SELinux

You must disable SELinux to make your system compatible with cPanel & WHM.

nano /etc/selinux/config

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
SELINUXTYPE=targeted

Disable the OS Firewall for Ubuntu

iptables-save > ~/firewall.rules
systemctl stop ufw
systemctl disable ufw

Important: Do NOT re-enable UFW or Firewalld after installation. CSF will handle all firewall rules.

iptables Blocking cPanel Ports

Ubuntu images ship with pre-configured iptables rules that block all ports except SSH, even if UFW and firewalld are disabled. This can prevent WHM/cPanel ports such as 2087 from being reachable. Flushing the rules as shown below leaves the host without any packet filter until CSF is installed and taken out of testing mode, so continue directly with the cPanel and CSF steps afterwards.

# Flush all iptables rules
iptables -F
iptables -X

# Flush NAT and mangle tables (optional)
iptables -t nat -F
iptables -t mangle -F

# Set default policies to ACCEPT
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

# Verify rules are cleared
iptables -L -n

Install cPanel

# cd is a shell builtin, so "sudo cd" does nothing; change directory first and run the installer as root
cd /home && curl -o latest -L https://securedownloads.cpanel.net/latest && sudo sh latest

Install CSF

To install CSF, perform the following steps:

cd /root
wget https://github.com/waytotheweb/scripts/raw/refs/heads/main/csf.tgz
tar -xzf csf.tgz
cd csf
./install.cpanel.sh

Enable CSF Firewall

To configure CSF, use WHM’s ConfigServer Security & Firewall interface (WHM » Home » Plugins » ConfigServer Security & Firewall). The installation script should enable the correct ports in CSF, but we recommend that you confirm this on your server.

After you configure CSF, you must disable testing mode. To take CSF out of testing mode, perform the following steps:

  1. Click Firewall Configuration.
  2. Change the value of Testing from ON to OFF.
  3. Click Change.
  4. Click Restart csf+lfd.
  5. Click Return.

CSF now controls all ports required by cPanel.

To further secure the server, go to CSF, run the Server Security test and follow its recommendations.

Open WHM and cPanel Ports

# Open all recommended ports
/usr/local/cpanel/scripts/configure_firewall_for_cpanel

# Or, if firewalld is still the active firewall (before CSF takes over), open only ports 2083 and 2087
sudo firewall-cmd --zone=public --add-port=2083/tcp --permanent
sudo firewall-cmd --zone=public --add-port=2087/tcp --permanent

# Reload the firewall
sudo firewall-cmd --reload

# Check that the port is open
sudo iptables-save | grep 2083
# -A IN_public_allow -p tcp -m tcp --dport 2083 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT

cPanel Recommended Ports

| Port | Protocol | Open    | Service      | Notes                                            |
|------|----------|---------|--------------|--------------------------------------------------|
| 20   | TCP-UDP  | I/O-I/O | FTP          | File transfers (data port)                       |
| 21   | TCP-UDP  | I/O-I/O | FTP          | File transfers (control port)                    |
| 22   | TCP      | I/O     | SSH          | ssh, scp copy, sftp                              |
| 25   | TCP      | I/O     | SMTP         | Outgoing email                                   |
| 37   | TCP      | O       | rdate        | Network time                                     |
| 43   | TCP      | O       | WHOIS        | Domain lookup                                    |
| 53   | TCP-UDP  | I/O-I/O | DNS          | Inbound is only needed if you run a public DNS server |
| 80   | TCP      | I/O     | HTTP         | Web server                                       |
| 110  | TCP      | I/O     | POP3         | Incoming email                                   |
| 113  | TCP-UDP  | O-O     | Ident        | Client identification                            |
| 123  | UDP      | O       | NTP          | Network time                                     |
| 143  | TCP      | I       | IMAP4        | Incoming email                                   |
| 443  | TCP      | I/O     | HTTPS        | Web server SSL                                   |
| 465  | TCP      | I       | SMTP         | Outgoing email SSL/TLS                           |
| 587  | TCP      | I/O     | SMTP         | Outgoing email                                   |
| 873  | TCP-UDP  | O-O     | rsync        | File, directory sync                             |
| 993  | TCP      | I       | IMAP4        | Incoming email SSL                               |
| 995  | TCP      | I       | POP3         | Incoming email SSL                               |
| 2077 | TCP      | I       | WebDAV       | Distributed authoring                            |
| 2078 | TCP      | I       | WebDAV       | Distributed authoring SSL                        |
| 2082 | TCP      | I       | cPanel       | cPanel control panel                             |
| 2083 | TCP      | I       | cPanel       | cPanel control panel SSL                         |
| 2086 | TCP      | I       | WHM          | WHM control panel                                |
| 2087 | TCP      | I       | WHM          | WHM control panel SSL                            |
| 2089 | TCP      | O       | cPanel       | cPanel licensing                                 |
| 2095 | TCP      | I       | Webmail      | Web based email                                  |
| 2096 | TCP      | I       | Webmail      | Web based email SSL                              |
| 2703 | TCP      | O       | Razor        | Email scanning                                   |
| 3306 | TCP      | I       | MySQL        | Out only if you need to connect remotely         |
| 4643 | TCP      | I       | Virtuozzo    | Control panel                                    |
| 6277 | UDP      | O       | SpamAssassin |                                                  |
| 6666 | TCP      | I       | Chat         | cPanel built-in Java chat                        |

WHM

  1. Disable SMTP Restrictions: Security » SMTP Restrictions

cPanel

Install Redis Open Source on Red Hat, CentOS, or Rocky Linux using RPM

See this page for a complete list of supported Red Hat/Rocky platforms. Follow these steps to install Redis Open Source.

Create the file /etc/yum.repos.d/redis.repo with the following contents.

vi /etc/yum.repos.d/redis.repo

For Rocky Linux 9 and AlmaLinux 9

[Redis]
name=Redis
baseurl=http://packages.redis.io/rpm/rockylinux9
enabled=1
gpgcheck=1

For Rocky Linux 8 and AlmaLinux 8

[Redis]
name=Redis
baseurl=http://packages.redis.io/rpm/rockylinux8
enabled=1
gpgcheck=1

Run the following commands:

curl -fsSL https://packages.redis.io/gpg > /tmp/redis.key
sudo rpm --import /tmp/redis.key
sudo yum install redis

Redis will not start automatically, nor will it start at boot time. To do this, run the following commands.

sudo systemctl enable redis
sudo systemctl start redis

Check that Redis is installed and running

redis-cli ping
# PONG

Attach the volume first, following your server provider's instructions.

Let's say your project is in /home/username and your volume is /dev/sda. I would do this:

mv /home/username /home/username.bak
mkfs.ext4 /dev/sda   # this erases the volume; don't do this if you have data on it right now
mkdir /home/username
mount /dev/sda /home/username
# Copy with "dir/." rather than "dir/*": a bare * skips dotfiles such as .ssh and .bashrc
cp -a /home/username.bak/. /home/username/

And then to top it off, if it is /home/username because you're working on the project as the user "username" and not as root, then:

chown -R username:username /home/username

Then just keep working on your project in /home/username as if nothing happened. Run "df -h" to see that /home/username now has the capacity of the block storage volume.

Make the mount persistent on reboot (OCI/iSCSI safe)

Recommended: use UUID instead of /dev/sdX (device names are not stable in OCI).

blkid /dev/sda
# Example output: UUID="1234-ABCD" TYPE="ext4"

# For Networked attached volumes like in Oracle Cloud via iSCSI need _netdev
echo "UUID=1234-ABCD /home/username ext4 defaults,_netdev 1 2" >> /etc/fstab

# For local attached volumes
echo "UUID=1234-ABCD /home/username ext4 defaults 1 2" >> /etc/fstab

Test

umount /home/username
mount -a
df -h /home/username

Remember that my example has the volume as /dev/sda. You can see the volumes on your machine by running “fdisk -l” and you can generally tell them apart by their stated size.
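As an added example (not part of the gist), the fstab step can be made repeatable and safer: take the UUID from the blkid output, build the line, and append it only if that UUID is not already in the file. The function names, the optional file argument and the nofail option are my own additions; the blkid line used for testing is constructed.

```shell
#!/bin/sh
# Added example, not from the gist: build the /etc/fstab line from `blkid` output and append it
# only once, so re-running this step never duplicates the entry. The file argument lets the
# functions be exercised against a scratch file before the real /etc/fstab is touched.

# parse_blkid "<blkid line>": prints "UUID TYPE" from a line such as
#   /dev/sda: UUID="1234-ABCD" BLOCK_SIZE="4096" TYPE="ext4"
# Returns 1 when there is no filesystem UUID (unformatted or partition-table-only device).
parse_blkid() {
    printf '%s\n' "$1" |
        sed -n 's/.*[[:space:]]UUID="\([^"]*\)".*[[:space:]]TYPE="\([^"]*\)".*/\1 \2/p' |
        grep .
}

# fstab_line UUID MOUNTPOINT FSTYPE NETDEV(yes|no)
# _netdev makes systemd wait for the network before mounting iSCSI-attached volumes (OCI);
# nofail keeps the host bootable if the volume is missing instead of dropping to emergency mode.
fstab_line() {
    opts="defaults,nofail"
    [ "$4" = "yes" ] && opts="$opts,_netdev"
    printf 'UUID=%s %s %s %s 1 2\n' "$1" "$2" "$3" "$opts"
}

# add_fstab_entry LINE [FSTAB]: append LINE unless an entry for the same UUID already exists.
add_fstab_entry() {
    line=$1
    fstab=${2:-/etc/fstab}
    uuid=${line%% *}                                   # first field, e.g. UUID=1234-ABCD
    if grep -q "^$uuid[[:space:]]" "$fstab" 2>/dev/null; then
        echo "already present in $fstab: $uuid" >&2
        return 1
    fi
    printf '%s\n' "$line" >> "$fstab"
}

# On a real host (as root), e.g. for an iSCSI volume on OCI:
#   set -- $(parse_blkid "$(blkid /dev/sda)") || exit 1
#   add_fstab_entry "$(fstab_line "$1" /home/username "$2" yes)" && mount -a
```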
