• Services: cPanel/WHM/Webmail
  • Ports (SSL): 2083, 2087, 2096
  • Ports (Non-SSL): 2082, 2086, 2095

In WHM -> Home -> Service Configuration -> cPanel Web Services Configuration copy/paste the TLS/SSL cipher list and Protocols values from the cPanel defaults in the Apache configuration.

In WHM -> Home -> Server Configuration -> Tweak Settings -> Security check these settings:

Require SSL for cPanel Services = On

Use X-Frame-Options and X-Content-Type-Options headers with cpsrvd = On

In WHM -> Home -> Server Configuration -> Tweak Settings -> Redirection check this setting:

Choose the closest matched domain for which that the system has a valid certificate when redirecting from non-SSL to SSL URLs. Formerly known as “Always redirect to SSL/TLS” = On

Verify that TLS 1.0 and 1.1 have been disabled
anna@xps:~$ nmap -p 2087 --script ssl-enum-ciphers

Starting Nmap 7.01 ( ) at 2018-06-23 19:54 CDT
Nmap scan report for (
Host is up (0.045s latency).
2087/tcp open  eli
| ssl-enum-ciphers: 
|   TLSv1.2: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
|     compressors: 
|       NULL
|     cipher preference: server
|_  least strength: A

Nmap done: 1 IP address (1 host up) scanned in 3.51 seconds

Some additional "hardening" that may be more trouble than it's worth:

You can set up Host Access Control so that only certain IPs can access certain services.

There's also 2FA for WHM access.

If you've got the ConfigServer Firewall active (which is recommended), disable cPHulk.  Otherwise, that's another firewall option.  Which is prone to false positives, don't get upset when you trigger a cPHulk block.