Setting up a new cPanel server

1) Install CentOS

2) Install cPanel

cd /home/wget
sh latest
# This will complete in 1-2 hours

3) Secure SSH

vi /etc/ssh/sshd_config
# Change the port to 55000
# If you have a firewall (csf) installed, make sure you have added 55000 to TCP_IN before changing this
# Change "UseDNS" to no.
service sshd restart
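
Added example (not part of the original checklist): a check to run before "service sshd restart" that confirms every port in sshd_config is allowed by TCP_IN in csf.conf, which is the lockout the comment in step 3 warns about. The function names and the sample files are constructed for illustration; on the server the real files are /etc/ssh/sshd_config and /etc/csf/csf.conf.

```shell
#!/bin/sh
# Added example, not part of the original checklist.

# Print each active Port value in sshd_config $1 (sshd defaults to 22).
sshd_ports() {
    ports=$(awk 'tolower($1) == "port" { print $2 }' "$1")
    if [ -n "$ports" ]; then echo "$ports"; else echo 22; fi
}

# Succeed if port $1 is allowed by TCP_IN in csf.conf $2.
# TCP_IN is comma-separated; an entry may be a range written low:high.
port_in_tcp_in() {
    list=$(sed -n 's/^[[:space:]]*TCP_IN[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' "$2")
    old_ifs=$IFS; IFS=,
    for entry in $list; do
        lo=${entry%%:*}; hi=${entry##*:}    # equal when the entry is a single port
        if [ "$1" -ge "$lo" ] 2>/dev/null && [ "$1" -le "$hi" ] 2>/dev/null; then
            IFS=$old_ifs; return 0
        fi
    done
    IFS=$old_ifs
    return 1
}

# Return 0 only if every port sshd will listen on is open in TCP_IN.
check_ssh_change() {
    rc=0
    for p in $(sshd_ports "$1"); do
        if port_in_tcp_in "$p" "$2"; then
            echo "ok: port $p is in TCP_IN"
        else
            echo "BLOCKED: port $p is missing from TCP_IN" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed sample files so the example runs anywhere.
demo=$(mktemp -d)
printf '#Port 22\nPort 55000\nUseDNS no\n' > "$demo/sshd_config"
printf 'TCP_IN = "20,21,22,25,53,80,443,30000:35000"\n' > "$demo/csf_before"
printf 'TCP_IN = "20,21,25,53,80,443,55000,30000:35000"\n' > "$demo/csf_after"
for conf in csf_before csf_after; do
    if check_ssh_change "$demo/sshd_config" "$demo/$conf"; then
        echo "$conf: safe to restart sshd"
    else
        echo "$conf: do NOT restart sshd yet"
    fi
done
rm -rf "$demo"
```

Keep the existing SSH session open while restarting sshd and confirm a second login on the new port before closing it.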

4) Recompile Apache

Go to WHM -> Software -> EasyApache (Apache Update)

Upload Profile -> enter

After the upload, you will see ServerFreak Config in the list. Then
compile using the same profile.

Note: my .yaml profile is built for PHP 5.3.

If the customer needs another version, select a different PHP version.

5) Optimize MySQL (5.5)

cd /etc
rm my.cnf
service mysql restart
# If MySQL fails to start, remove my.cnf; it might contain a value that is not compatible

6) Edit default php.ini

vi /usr/local/lib/php.ini
# Change memory_limit to 256M
# Change post_max_size to 100M
# Change upload_max_filesize to 100M

7) Install ClamAV

Go to WHM -> Manage Plugins -> tick clamavconnector and save.

8) cPanel Configuration

a) WHM -> Tweak Settings ->
    Mail ->
        Initial default/catch-all forwarder destination -> Set to "fail"
        Max hourly emails per domain -> Set to "250"
        Enable BoxTrapper spam trap -> Set to "Off"
    PHP ->
        cPanel PHP loader -> Select "ioncubeloader"
    Security ->
        Cookie IP validation -> Select "disabled"
        Blank referrer safety check -> On
        Referrer safety check -> On
    Stats Program ->
        Set all to disabled except for AWStats
b) WHM -> Configure Customer Support -> Set to "disabled"
c) WHM -> Security Center ->
    Apache mod_userdir Tweak -> tick "Enable mod_userdir protection" and tick "nobody"
    Compiler Access -> Disable Compilers
    Configure Security Policies -> tick "Password Strength" -> click on Password Strength Configuration -> Default Required Password Strength -> Set to 40
    cPHulk Bruteforce Protection -> Disabled
    PHP open_basedir Tweak -> Enable
    Shell Fork Bomb Protection -> Enable
d) Server Contacts -> Edit System Mail Preferences -> root email set to ""
e) Server Configuration ->
    Apache Configuration ->
        SSL Cipher Suite -> Select "2nd" option
        Trace Enable -> Off
        Server Signature -> Off
        Server Tokens -> Product Only
        File ETag -> None
        Keep Alive -> Off
    FTP Configuration ->
        Allow Anonymous Logins -> No
        Allow Anonymous Uploads -> No
        Allow Logins with Root Password -> No
    Exim Configuration Manager ->
        RBLS -> RBL: -> On
        Security -> Scan messages for malware from authenticated senders (exiscan). -> On
    Service Manager ->
        exim on another port -> enabled, monitor, and set the ports to 26,587
        httpd -> enabled, monitor
        exim -> enabled, monitor
        clamd -> enabled, monitor
        cpdavd -> enabled, monitor
        crond -> enabled, monitor
        ftpd -> enabled, monitor
        imap -> enabled, monitor
        mysql -> enabled, monitor
        ipaliases -> enabled, monitor
        pop -> enabled, monitor
        spamd -> enabled, monitor
        syslogd -> enabled, monitor
        sshd -> enabled, monitor
f) System Health -> Background Process Killer -> Enable all

9) Install ConfigServer Firewall

cd ~
tar xzvf csf.tgz
cd csf*
cd ~
rm -rf csf*

Go to WHM -> Plugins -> ConfigServer Security & Firewall -> Firewall Configuration -> set Testing to 0