- Services: cPanel/WHM/Webmail
- Ports (SSL): 2083, 2087, 2096
- Ports (Non-SSL): 2082, 2086, 2095
In WHM -> Home -> Service Configuration -> cPanel Web Services Configuration copy/paste the TLS/SSL cipher list and Protocols values from the cPanel defaults in the Apache configuration.
In WHM -> Home -> Server Configuration -> Tweak Settings -> Security check these settings:
- Require SSL for cPanel Services = On
- Use X-Frame-Options and X-Content-Type-Options headers with cpsrvd = On
In WHM -> Home -> Server Configuration -> Tweak Settings -> Redirection check this setting:
- “Choose the closest matched domain for which that the system has a valid certificate when redirecting from non-SSL to SSL URLs. Formerly known as ‘Always redirect to SSL/TLS’” = On
Verify that TLS 1.0 and 1.1 have been disabled, for example with nmap’s ssl-enum-ciphers script; only TLSv1.2 should be listed:
anna@xps:~$ nmap miss.annahost.org -p 2087 --script ssl-enum-ciphers

Starting Nmap 7.01 ( https://nmap.org ) at 2018-06-23 19:54 CDT
Nmap scan report for miss.annahost.org (188.8.131.52)
Host is up (0.045s latency).
PORT     STATE SERVICE
2087/tcp open  eli
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: A

Nmap done: 1 IP address (1 host up) scanned in 3.51 seconds
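The nmap check above covers one port at a time and leaves it to the reader to spot a TLSv1.0 or TLSv1.1 block in the output. The script below is an added example, not part of the original notes and not a cPanel tool: it parses ssl-enum-ciphers output and flags any legacy protocol section, and it can also probe all three cPanel SSL ports from the list at the top (2083, 2087, 2096) with a handshake pinned to TLS 1.0 and TLS 1.1. The function and variable names, the hostname argument and the nmap sample text are all constructed for this example.

```python
import re
import socket
import ssl

# cPanel/WHM/Webmail SSL ports from the notes above.
CPANEL_SSL_PORTS = {2083: "cPanel", 2087: "WHM", 2096: "Webmail"}

# Protocol versions that a hardened server should refuse outright.
LEGACY_PROTOCOLS = {"SSLv3", "TLSv1.0", "TLSv1.1"}

# Constructed sample of `nmap --script ssl-enum-ciphers` output for a host
# that still negotiates TLSv1.0 (this is NOT the scan result shown above).
SAMPLE_NMAP_OUTPUT = """\
PORT     STATE SERVICE
2087/tcp open  eli
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|     compressors:
|       NULL
|     cipher preference: server
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: A
"""


def parse_enum_ciphers(output):
    """Parse ssl-enum-ciphers text into {protocol: [cipher name, ...]}."""
    result = {}
    current = None
    in_ciphers = False
    for raw in output.splitlines():
        # Drop nmap's "| " / "|_" gutter and surrounding whitespace.
        line = raw.strip().lstrip("|_").strip()
        match = re.match(r"^(SSLv3|TLSv1\.[0-3]):$", line)
        if match:
            current = match.group(1)
            result[current] = []
            in_ciphers = False
            continue
        if current is None:
            continue
        if line == "ciphers:":
            in_ciphers = True
        elif in_ciphers and line.startswith("TLS_"):
            result[current].append(line.split()[0])   # keep the suite name, drop "(curve) - grade"
        else:
            in_ciphers = False                         # compressors:, cipher preference:, etc.
    return result


def legacy_protocols_offered(parsed):
    """Return the legacy protocols the server still negotiates, sorted."""
    return sorted(p for p in parsed if p in LEGACY_PROTOCOLS)


def probe_protocol(host, port, version, timeout=5.0):
    """Attempt a handshake pinned to one TLS version; True if the server accepts it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE      # we test protocol acceptance, not the certificate chain
    ctx.minimum_version = version
    ctx.maximum_version = version
    try:
        # OpenSSL 3 refuses TLS 1.0/1.1 at its default security level; lower it so the
        # client can actually offer the legacy version and the answer comes from the server.
        ctx.set_ciphers("DEFAULT@SECLEVEL=0")
    except ssl.SSLError:
        pass
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError, ValueError):
        return False


def audit_host(host, ports=CPANEL_SSL_PORTS):
    """Map each cPanel TLS port to the legacy versions it still accepts."""
    findings = {}
    for port, service in ports.items():
        accepted = [name for name, ver in (("TLSv1.0", ssl.TLSVersion.TLSv1),
                                           ("TLSv1.1", ssl.TLSVersion.TLSv1_1))
                    if probe_protocol(host, port, ver)]
        findings[f"{service}:{port}"] = accepted
    return findings


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                # python3 tls_audit.py whm.example.invalid
        for target, legacy in audit_host(sys.argv[1]).items():
            print(f"{target}: accepts {legacy or 'no'} legacy protocols")
    else:                                # offline: analyse the constructed sample
        parsed = parse_enum_ciphers(SAMPLE_NMAP_OUTPUT)
        print("legacy protocols offered:", legacy_protocols_offered(parsed) or "none")
```

A failed pinned handshake in probe_protocol cannot distinguish "server refused TLS 1.0" from "this client build cannot speak TLS 1.0", so treat an empty result as confirmation only when the client is known to support the legacy versions; the nmap output remains the authoritative record for a change ticket.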
Some additional “hardening” that may be more trouble than it’s worth:
You can set up Host Access Control so that only certain IPs can access certain services.
There’s also 2FA for WHM access.
If you’ve got the ConfigServer Firewall active (which is recommended), disable cPHulk. Otherwise, cPHulk is another firewall option, but one that is prone to false positives, so don’t get upset when you trigger a cPHulk block yourself.