To monitor and secure cPanel on a Linux server, enable WHM service monitoring and alerts, review system and cPanel logs, keep OS/cPanel updated, enforce 2FA and cPHulk, deploy CSF/LFD firewall, activate ModSecurity with OWASP rules, scan with ImunifyAV or ClamAV, harden SSH, and maintain tested offsite backups.
Managing web servers is rewarding—but unforgiving. In this guide, you’ll learn how to monitor and secure cPanel on a Linux server using built-in WHM tools and industry-standard hardening steps. I’ll share practical steps, commands, and settings that I use when hardening client servers, so you can avoid noisy alerts, downtime, and breaches.
Quick Checklist: What “Good” Looks Like
- WHM Service Monitoring and Contact Manager alerts enabled
- OS/cPanel fully updated with automatic updates
- SSH hardened (keys only, root login disabled, non-default port)
- 2FA for WHM/cPanel; cPHulk brute force protection tuned
- CSF/LFD firewall installed and in production mode
- ModSecurity with OWASP CRS enabled via EasyApache 4
- ImunifyAV/Imunify360 or ClamAV scanning scheduled
- Backups verified and stored offsite (S3/remote)
- Regular log reviews and audit tools (logwatch, rkhunter) running
Use WHM’s Built‑in Monitoring First
Before adding new tools, turn on cPanel/WHM’s native monitoring. It’s lightweight, accurate, and supported.
Enable Service Monitoring (chkservd)
WHM > Service Configuration > Service Manager lets you monitor core daemons (Exim, Dovecot, Apache, MySQL/MariaDB, DNS, cPanel services, etc.). Check “Monitor” and “Enable” for essential services. chkservd will auto-restart failed services and send alerts.
Configure Contact Manager Notifications
WHM > Contact Manager defines who receives alerts and their importance level. Add an email (and a Slack/Webhook via cPanel’s Notification Providers if available) and enable notifications for service failures, IP blocks, disk quotas, SSL renewals, and update failures.
Know Your Logs (and Check Them Fast)
When something breaks, logs tell the truth. Common paths:
- cPanel: /usr/local/cpanel/logs/access_log, error_log, login_log, cphulkd.log
- Apache: /usr/local/apache/logs/access_log, error_log
- Mail (Exim): /var/log/exim_mainlog, exim_rejectlog
- Auth/SSH: /var/log/secure (RHEL/Alma/Rocky), /var/log/auth.log (Debian/Ubuntu)
- System: /var/log/messages
# Follow key logs in real time
tail -f /usr/local/cpanel/logs/login_log /var/log/secure /usr/local/apache/logs/error_log
# Search for failed logins
grep -i "failed" /var/log/secure | tail -n 50
# Check Exim queue summary
exim -bpr | exiqsumm
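The grep above lists failures but does not show who is behind them. The sketch below is an added example, not part of the original guide: it groups failed SSH password attempts by source IP, using constructed log lines in the `/var/log/secure` format and hypothetical function names.

```shell
#!/bin/sh
# Added example: tally failed SSH password attempts per source IP.

# failed_by_ip LOGFILE [MIN_COUNT] -> "count ip" lines, highest count first
failed_by_ip() {
  awk -v min="${2:-1}" '
    /sshd\[[0-9]+\]: Failed password for / {
      # Usernames are attacker-controlled and may contain "from", so take
      # the field after the LAST "from" by scanning right to left.
      for (i = NF; i > 1; i--)
        if ($(i - 1) == "from") { hits[$i]++; break }
    }
    END { for (ip in hits) if (hits[ip] >= min) print hits[ip], ip }
  ' "$1" | sort -k1,1nr -k2,2
}

# Constructed sample in /var/log/secure format (documentation IP ranges).
sample_secure_log() {
  cat <<'EOF'
Jan 12 03:14:07 host sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jan 12 03:14:09 host sshd[2101]: Failed password for root from 203.0.113.5 port 51236 ssh2
Jan 12 03:14:12 host sshd[2103]: Failed password for invalid user from from 203.0.113.5 port 51240 ssh2
Jan 12 03:15:01 host sshd[2110]: Accepted publickey for adminuser from 192.0.2.10 port 40100 ssh2
Jan 12 03:16:44 host sshd[2115]: Failed password for root from 198.51.100.7 port 40022 ssh2
EOF
}

tmp=$(mktemp)
sample_secure_log > "$tmp"
failed_by_ip "$tmp" 2   # prints: 3 203.0.113.5
rm -f "$tmp"
```

On a live server, pass `/var/log/secure` (or `/var/log/auth.log`) as the first argument and a minimum count as the second.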
Add Graphs with Munin
In WHM > Plugins > Munin Node, enable graphs for CPU, RAM, load, I/O, MySQL, and Apache. Graphs help correlate spikes with log events and pinpoint bottlenecks before outages.
Patch and Update Everything
Unpatched servers are the top cause of compromises. Keep the OS, kernel, cPanel, PHP, and web stack current.
OS and Kernel Updates
Use your distro’s package manager. On AlmaLinux/Rocky/CentOS:
sudo dnf update -y
# or on older systems:
sudo yum update -y
Consider KernelCare (commercial) for rebootless kernel updates—popular on production cPanel servers.
Auto‑Update cPanel & EasyApache 4
WHM > Server Configuration > Update Preferences: set cPanel Stable and enable automatic updates. In EasyApache 4, keep Apache, PHP, and extensions updated. Review PHP versions per account and set minimum supported versions.
Harden Access: SSH, Root, and WHM
Secure SSH (Keys Only, No Root Password)
Create a non‑root sudo user, use SSH keys, change the default port, and disable direct root login. Test a second session before restarting SSH.
# Create a sudo user and copy your public key
adduser adminuser
usermod -aG wheel adminuser
mkdir -p /home/adminuser/.ssh && chmod 700 /home/adminuser/.ssh
echo "ssh-ed25519 AAAA... yourkey" > /home/adminuser/.ssh/authorized_keys
chmod 600 /home/adminuser/.ssh/authorized_keys
chown -R adminuser:adminuser /home/adminuser/.ssh
# Harden sshd_config (common options)
sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
# Match each option whether or not it is commented out, whatever its current value
sudo sed -i -E 's/^#?Port .*/Port 2222/' /etc/ssh/sshd_config
sudo sed -i -E 's/^#?PermitRootLogin .*/PermitRootLogin no/' /etc/ssh/sshd_config
sudo sed -i -E 's/^#?PasswordAuthentication .*/PasswordAuthentication no/' /etc/ssh/sshd_config
# Validate the syntax, then restart SSH (reconnect on your new port)
sudo sshd -t && sudo systemctl restart sshd
Remember to open the new SSH port in your firewall (see CSF section).
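A sed pattern that matches nothing leaves the old value in place without any error, so verify the result before closing your working session. The check below is an added example, not part of the original guide; the function names and sample configurations are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original guide. Accepts sshd_config text or
# saved `sshd -T` output (both are "keyword value" lines).

# global_values FILE KEYWORD: every uncommented value outside Match blocks.
global_values() {
  awk -v key="$2" '
    BEGIN { key = tolower(key) }
    $1 ~ /^#/ || NF == 0 { next }
    tolower($1) == "match" { exit }   # conditional overrides, not global
    tolower($1) == key { print tolower($2) }
  ' "$1"
}

# sshd uses the first value it reads; unset keywords fall back to DEFAULT.
effective_value() {
  v=$(global_values "$1" "$2" | head -n 1)
  echo "${v:-$3}"
}

# Prints one FAIL line per finding (or OK) and returns the number of findings.
audit_sshd_config() {
  cfg="$1"; fails=0
  root=$(effective_value "$cfg" PermitRootLogin prohibit-password)
  pass=$(effective_value "$cfg" PasswordAuthentication yes)
  ports=$(global_values "$cfg" Port); ports=${ports:-22}  # Port may repeat
  [ "$root" = no ] || { echo "FAIL PermitRootLogin=$root"; fails=$((fails + 1)); }
  [ "$pass" = no ] || { echo "FAIL PasswordAuthentication=$pass"; fails=$((fails + 1)); }
  if echo "$ports" | grep -qx 22; then echo "FAIL Port=22"; fails=$((fails + 1)); fi
  [ "$fails" -gt 0 ] || echo OK
  return "$fails"
}

# Constructed sample: options shipped uncommented and left unchanged by an
# edit; a later "PasswordAuthentication no" does not override the first value.
sample_after_failed_edit() {
  printf '%s\n' 'Port 2222' 'PermitRootLogin yes' \
    'PasswordAuthentication yes' 'PasswordAuthentication no'
}
sample_hardened() {
  printf '%s\n' 'Port 2222' 'PermitRootLogin no' 'PasswordAuthentication no'
}

tmp=$(mktemp)
sample_after_failed_edit > "$tmp"; audit_sshd_config "$tmp" || true
sample_hardened > "$tmp"; audit_sshd_config "$tmp"
rm -f "$tmp"
```

On a live server, save the output of `sudo sshd -T` to a file and audit that, so settings pulled in through `Include` files are covered as well.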
Enforce 2FA for WHM & cPanel
Enable WHM > Security Center > Two‑Factor Authentication. Require it for all resellers and privileged users. 2FA blocks most credential stuffing attacks.
Enable and Tune cPHulk Brute Force Protection
WHM > Security Center > cPHulk defends SSH, WHM, and cPanel against brute force. Suggested starting point (adjust to your environment):
- Max failures by account: 10 within 900 seconds
- Max failures by IP: 20 within 3600 seconds
- Block duration: 3600–7200 seconds
- Use whitelist for your office/static IPs
Monitor /usr/local/cpanel/logs/cphulkd.log and WHM > cPHulk History Reports for false positives.
Network and Firewall Controls (CSF + LFD)
CSF (ConfigServer Security & Firewall) with LFD (Login Failure Daemon) is the de‑facto firewall on cPanel servers and integrates with WHM.
# Install CSF on RHEL/Alma/Rocky-based systems
cd /usr/src
curl -O https://download.configserver.com/csf.tgz
tar -xzf csf.tgz && cd csf
sh install.sh
perl /usr/local/csf/bin/csftest.pl # ensure required iptables modules exist
# Put CSF into production mode
sed -i 's/^TESTING = "1"/TESTING = "0"/' /etc/csf/csf.conf
sed -i 's/^RESTRICT_SYSLOG = .*/RESTRICT_SYSLOG = "3"/' /etc/csf/csf.conf
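# Allowed inbound ports are the TCP_IN list in /etc/csf/csf.conf (example; adjust as needed).
# Review it, add your SSH port, then reload the rules.
grep '^TCP_IN' /etc/csf/csf.conf
csf -r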
systemctl enable --now csf lfd
Open only required ports (e.g., 22/2222, 80, 443, 2083, 2087, 2096, mail/DNS ports). Use LFD alerts to catch login abuse. Country blocking can cause false positives; prefer IP reputation lists or rate limits.
Web Application and Malware Defense
Enable ModSecurity with OWASP CRS
In WHM > EasyApache 4 > ModSecurity, enable the module and install vendor rules (OWASP Core Rule Set). Start in Detection Only to review logs, then switch to “On” and exclude rules per site if needed to prevent false positives.
Install Malware Scanning (ImunifyAV/Imunify360 or ClamAV)
ImunifyAV (free) or Imunify360 (paid) integrates with cPanel for proactive malware defense. Alternatively, ClamAV provides on‑demand scans.
# ClamAV installation on Alma/Rocky
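# Enable EPEL first; the ClamAV packages are only resolvable once the repo is present
sudo dnf install -y epel-release
sudo dnf install -y clamav clamav-update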
sudo freshclam
sudo clamscan -r /home --infected --remove=no
Schedule scans during off‑peak hours and alert on detections. For PHP-based sites, enable open_basedir and use PHP‑FPM per‑user pools to reduce cross‑account impact.
File Permissions and PHP Hardening
Use sensible defaults: files 640/644, directories 750/755, and avoid 777. In WHM > MultiPHP INI Editor, disable dangerous functions only if applications allow (e.g., exec, system). Keep each account’s software up to date (WordPress themes/plugins, etc.).
Account Isolation and Email Abuse Controls
CloudLinux and CageFS (Optional, Highly Recommended)
On shared/agency servers, CloudLinux LVE, CageFS, and PHP Selector isolate accounts and cap abusive processes. This dramatically improves stability and security posture across tenants.
Outbound Email Controls
In WHM > Tweak Settings: restrict outgoing SMTP to prevent bypassing Exim; set per‑domain/per‑hour rate limits. Enable SPF, DKIM, and DMARC to improve deliverability and reduce spoofing. Watch the Exim queue and block compromised accounts quickly.
Backups, Recovery, and Testing
Security without recovery is incomplete. If ransomware or human error strikes, backups are your lifeline.
Configure Offsite Backups
WHM > Backup Configuration: enable compressed or incremental backups, choose retention, and ship to S3, Backblaze B2, or another remote destination. Exclude heavy cache directories to save space.
Test Restores Regularly
Use WHM > Restore a Full Backup/cpmove File to test on a staging server. Verify permissions, SSL, cron, and email. A backup you haven’t tested is a backup you can’t trust.
Continuous Monitoring with Audit Tools
Augment WHM monitoring with lightweight auditors to catch anomalies early.
auditd: Track Sensitive Changes
sudo dnf install -y audit
sudo systemctl enable --now auditd
# Example: watch /etc/passwd and /etc/shadow changes
echo "-w /etc/passwd -p wa -k identity" | sudo tee -a /etc/audit/rules.d/hardening.rules
echo "-w /etc/shadow -p wa -k identity" | sudo tee -a /etc/audit/rules.d/hardening.rules
sudo augenrules --load
sudo ausearch -k identity --format text
rkhunter and chkrootkit
Run rootkit scanners weekly and alert on findings.
sudo dnf install -y rkhunter chkrootkit
sudo rkhunter --update
sudo rkhunter --check --sk
sudo chkrootkit
Logwatch: Human‑Readable Daily Reports
sudo dnf install -y logwatch
sudo logwatch --detail Med --mailto you@example.com --service all --range yesterday
These reports summarize auth attempts, service errors, and anomalies in a single email you’ll actually read.
Weekly and Monthly Security Routines
- Weekly: review WHM “Security Advisor” recommendations; clear orphaned accounts, rotate API tokens; check ModSecurity hits and tune exclusions.
- Weekly: scan /home with ImunifyAV/ClamAV; review Exim queue for spam bursts.
- Monthly: verify backups restore; update PHP versions; audit SSH keys and reseller access.
- Quarterly: penetration test key sites, rotate all privileged passwords, and review firewall rules.
Common Mistakes to Avoid
- Leaving CSF in TESTING mode: switch TESTING = "0".
- Relying on passwords for SSH: use keys and disable PasswordAuthentication.
- Not enabling 2FA: credential leaks happen; 2FA blocks most attacks.
- No offsite backups: local backups won’t help after disk failure or ransomware.
- Ignoring alerts: tune false positives; don’t disable critical notifications.
FAQs: Monitoring & Securing cPanel on Linux
What is the best firewall for cPanel?
CSF with LFD is the most widely used firewall stack for cPanel/WHM thanks to its WHM integration, sane defaults, and robust alerting. It complements cPHulk (for brute force) and works well with ModSecurity at the application layer.
How do I monitor cPanel services automatically?
Enable WHM > Service Manager to monitor and auto‑restart services via chkservd, configure alert recipients in WHM > Contact Manager, and add Munin for graphs. LFD alerts from CSF also report repeated login failures and suspicious activity.
Should I use cPHulk or Fail2ban on cPanel?
Use cPHulk on cPanel servers. It’s built‑in, supported, and protects SSH/WHM/cPanel logins. Mixing Fail2ban with cPHulk can cause conflicts and is rarely necessary when cPHulk and CSF/LFD are properly configured.
What malware scanner works best with cPanel?
ImunifyAV (free) and Imunify360 (paid) offer deep integration, real‑time protection, and automated cleanup. ClamAV is a solid free alternative for scheduled scans but is less proactive than Imunify360.
How often should I run server updates and backups?
Enable automatic cPanel updates and apply OS updates weekly (or sooner for critical patches). Run daily incremental backups with at least 7–14 days of retention, replicate offsite, and test a restore monthly.