CloudPanel is a hosting solution that can easily help you host any website on a VPS, I have created a CloudPanel Install article that will help you set it up.
In this article, we will see how we can better secure CloudPanal to limit the possibility to be hacked, it’s very important. CloudPanal has an article with best practices for CloudPanel where they are adding all you need to do, in this article and video we will go more into detail and debate everything.
How To Better Secure CloudPanel
Without making this longer let’s go and see how e can strengthen the security of CloudPanel.
1. Use an SSH Key for your VPS access
SSH is used to connect to the VPS server, there you have the most powers you can do anything. You can delete everything and even crash the server. You can connect over SSH to the VPS in 2 ways: with a username and password and with an SSH key.
Passwords can be hacked so the best way to secure any VPS will be with a key. You can create Keys in windows with the PuttyGen tool or in Mac or Linux with the below command:
ssh-keygen -t rsa
When the VPS is first created you can add the keys you want to use. But they can be activated also after if you didn’t do that.
2. Add an SSL Certificate to Admin Area
The first thing that you should do is to add an access path (subdomain) for your admin area on port 8443. For that, you need to go under Admin Area – Settings – General and add it. The DNS for the subdomain will need to point to the server IP.
3. Close the 22 port and 8443
By default, CloudPanel comes with the VM firewall activated which is good, and let’s open the access to the ports that are needed in the beginning. After you can go and deactivate the access to SSH and access to 8443. When you need SSH you can add the access back again.
You can also add your IP address from your location to be the one that can access this. In the source, you check My IP and CloudPanel will add it automatically. Just be careful in case the connection is not working in the future because the ISP provider can change it and you will need to add it again.
If the 8443 is not restricted hackers can access your admin insecure with IP:8443 if you have done step1 you don’t need this port to be opened as CloudPanel will use 443 for connection.
4. Two-Factor Authentication
For securing the CloudPanel UI you should activate the Two-factor authentication, which will enable an extra security layer that will ask you to approve the access on your phone. Google Authenticator or Duo are the supported apps. You can find out more on CloudPanel documentation but you just need to install the app and scan the QR code.
Even if this is not a security enhancement is the best way to secure CloudPanal or any other hosting panel. CloudPanel it’s offering 2 backup options out of the box:
This is working directly with the hosting provider you have chosen, that’s why when installing CloudPanel use also the hosting provider. It will allow you to create snapshots for VMS. You connect the API key and choose the automatic options: interval and retention time. These are not free and in Hetzner you will need to pay about €0.0119/GB/month (which translates into about 4.5€ for 7 snapshots at about 50 GB)
These snapshots can be restored from the cloud provider easily in the same VM or in new ones.
With the 2.0.3 CloudPanal, a new option has been added to have backups created to external sources. You can choose Dropbox, Google Drive, SFTP, or any other destination that Rclone supports. This is backing up only the files so if you want to have a full backup (database + files) you will need to create a script. This will be a discussion for another article.
6. Keep Everything Up to Date
The VM will need to be kept up to date, as a best practice at 3 months you should upgrade the packages on the server to the latest version so in case there are security vulnerabilities to mitigate them. On Ubuntu you can do this with:
sudo apt update && sudo apt upgrade -y
CloudPanel will need also to be kept up to date to benefit from the latest bug fixes, you can do this with the below command:
Before doing any update like this is mandatory that you create a VM backup so in case anything goes wrong to revert back to the original image.
7. Scan for Malware and Viruses
You should install an antivirus and have the home directory scanned daily so in case a file gets infected to be notified. CloudPanel isolates the website with different OS uses so the infection will not spread from one website to another but if a website is infected it can bring down the VM.
These scans can add load to your server when the scan is happening so I suggest testing it before on a VM clone.
There are 2 recommendations that you can install maldetect package and ClamAV, the combination between the 2 can keep you safe. This article can help you set this up, it requires more advanced sysadmin knowledge and it can discourage some.
8. Use WAF (Web Application Firewalls)
Websites hosted anywhere can be better protected with a WAF, as attacks on your domains are a common fact, some of the attacks on your sites can be for DDOS, Cross-Site Scripting, SQL Injections, or other vulnerabilities that your web server may have or application.
Placing your website behind a WAF can be done for free if you use Cloudflare, they released while back the WAF to the free accounts. Another WAF that you can use is from Securi.
CloudPanel has an integration with CloudFlare that you can use to allow traffic only from Cloudflare for websites:
Having good security is very important and if things are not done right you can regrate later one. CloudPanel can be secured quite easily if you keep track of the aspects that are in this article.
Happy hosting with CloudPanel, keep it safe!