How to Secure CWP webserver

My cwp webserver is getting hacked , can somebody guide me to make it more secure. Thanks

Hello.

If your PHP scripts have a "holes" you can use "File System Lock" from CWP.User . This will help.
But if the root password was compromised, nothing help. Reinstall OS only.

change ports for cwp and ssh, disable pure ftp if you're not using it. rebuild Apache to latest 2.2.31. use csf and Nginx reverse proxy.

Thanks for the reply. I meant the some of the websites especially designed using wordpress are getting hacked. I am using csf but I don't know much about Ngnix.


Regards, 

nginx is more secure than apache use it as reverse proxy to handle all your legit traffic. most threats and ddos are stopped by nginx

WordPress sites are getting hacked mainly for outdated themes and plugins else the platform is secure

Thanks for the reply. Could you please guide me how to configure nginx .


Regards,

Go to apache > web server > select apache + nginx
After installing nginx the installation will ask u to rebuild vhost.

Thanks for the help

Dear Sandeep,

Do you have any idea about using letsencrpyt with CWP.


Regards,

I did play around with the letsencrypt SSL few days ago, taking me quite some times to get it installed.

First, you must make sure you have at least the Python v2.7.x or above, and also the virtualenv installed.

Install the letsencrypt.

cd /root
git clone https://github.com/letsencrypt/letsencrypt10
cd letsencrypt
./letsencrypt-auto

And if you get the following error, please refer to the link, https://www.digitalocean.com/community/tutorials/how-to-set-up-python-2-7-6-and-3-3-3-on-centos-6-4, to get the virtualenv installed.

virtualenv: command not found

In fact, I still got the error (not virtualenv error, could not remember thou) when running ./letsencrypt-auto command. So, I did in manual method to generate the SSL.

./letsencrypt-auto certonly --webroot -w /home/your_domain/public_html -d your_domain.com -d www.your_domain.com

Then,  copy the SSL into /etc/pki/tls directory.

cp -f /etc/letsencrypt/live/your_domain/cert.pem /etc/pki/tls/certs/your_domain.cert
cp -f /etc/letsencrypt/live/your_domain/fullchain.pem /etc/pki/tls/certs/your_domain.bundle
cp -f /etc/letsencrypt/live/your_domain/privkey.pem /etc/pki/tls/certs/your_domain.key

At your CWP, go to Apache settings >> SSL cert manager, on your right hand side form, choose the cert, user & enter your domain; then install SSL. Done.

Note: Make sure you have the 443 port open in firewall & listen to port 443.

You may test the score of SSL cert at https://www.ssllabs.com/ssltest.
At the beginning, I got the score C and after did some researches, I added the following lines onto this file /usr/local/apache/conf.d/vhosts-ssl.conf.

....
SSLEngine on
SSLProtocol All -SSLv2 -SSLv3
SSLCompression Off
SSLHonorCipherOrder On
SSLCipherSuite "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA!RC4:EECDH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS"
....

Restart the apache.

I got the score A now.  Hope this guide will help you. Cheer.

follow the guide posted above by infinitech07

Thank you for your insparing posts. I created an account such as cp.domain.com and followed all steps.
Now, ssl works great but i cannot reach the cwp via 2031 port.

You can check the links below;

- https://cp.domain.com:2031/ (ERR_SSL_PROTOCOL_ERROR)
- http://cp.domain.com:2031/  (NON-SECURE CONNECTION)
- http://cp.domain.com:2030/  (ANOTHER NON-SECURE CONNECTION)

My purpose to provide secure connection to cwp. Could you help me to solve this?

access
your server ip:2031

eg :
192.168.0.1:2031

https://123.123.123.123:2031  same result

I want to use a secure connection. Because of this, i created cp.domain.com account and ssl for that domain.

Let's Encyript SSL works on cp.domain.com quite well.

check the port in this file : cwp-ssl.conf it must be 2031 not 2030 or any

Location :

Code: [Select]

/usr/local/cwpsrv/conf.d/cwp-ssl.conf