The Problem
A UAE-based web hosting company managing 200+ client sites on a dedicated cPanel/WHM server was experiencing severe performance degradation. Server load was consistently at 20-40 (on a 16-core machine), causing client sites to time out regularly.
Investigation showed the root cause: 15,000+ daily brute-force attempts against SSH (port 22) and the cPanel login, consuming CPU and memory just to process the attack traffic.
Security Audit Findings
- SSH running on default port 22 — attracting automated scanners
- No CSF firewall configured — all ports open by default
- cPanel login had no rate limiting — unlimited password attempts
- PHP running as the shared nobody user — any compromised site could access other sites' files
- ModSecurity disabled — no WAF protection
- 3 compromised cPanel accounts actively sending spam
- Server not PCI compliant — client was processing card payments
Hardening Implementation
- Installed and configured CSF (ConfigServer Security Firewall) — blocked 15,000+ IPs within 24 hours
- Changed SSH to port 2299, implemented SSH key-only authentication
- Enabled cPanel login rate limiting and two-factor authentication
- Installed Imunify360 — real-time malware scanning for all hosted sites
- Configured PHP-FPM per account — each site runs as its own user
- Enabled ModSecurity with OWASP ruleset
- Cleaned 3 compromised accounts — removed malware, rotated credentials
- Configured DKIM, SPF and DMARC for all hosted domains
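The SSH and CSF steps above as an added example, not the hosting company's own scripts: it audits an sshd_config and a csf.conf for the weak settings the audit found, applies the three SSH changes (port 2299, key-only login), and assumes the standard paths /etc/ssh/sshd_config and /etc/csf/csf.conf, passed in as parameters so the checks can first run against a copy. TESTING, TCP_IN and LF_SSHD are standard csf.conf keys; the port number is the one from the case study.

```shell
#!/bin/sh
# Added example (not from the case study). Audits sshd_config and csf.conf for
# the weak settings listed in the audit and applies the SSH hardening steps.
# Effective value of an sshd_config directive: sshd uses the first uncommented
# match for a keyword, matched case-insensitively.
sshd_value() {  # $1 = config file, $2 = directive
    awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ {next}
        tolower($1)==k && !f {v=$2; f=1}
        END {print v}' "$1"
}
# Report each weak SSH setting; status 0 only when all three fixes are present.
check_sshd() {  # $1 = config file, $2 = expected non-default port
    ok=0
    [ "$(sshd_value "$1" Port)" = "$2" ] || { echo "sshd: Port is not $2"; ok=1; }
    [ "$(sshd_value "$1" PasswordAuthentication)" = "no" ] \
        || { echo "sshd: password authentication still enabled"; ok=1; }
    [ "$(sshd_value "$1" PubkeyAuthentication)" != "no" ] \
        || { echo "sshd: public key authentication disabled"; ok=1; }
    return $ok
}
# Apply the fixes: drop existing (or commented) copies of each directive, then
# append the hardened value so exactly one effective setting remains.
harden_sshd() {  # $1 = config file, $2 = new port
    for pair in "Port $2" "PasswordAuthentication no" "PubkeyAuthentication yes"; do
        key=${pair%% *}
        grep -iv "^[[:space:]]*#*[[:space:]]*$key[[:space:]]" "$1" > "$1.tmp" || true
        printf '%s\n' "$pair" >> "$1.tmp" && mv "$1.tmp" "$1"
    done
}
# csf.conf lines look like: KEY = "value"
csf_value() {  # $1 = csf.conf, $2 = key
    sed -n "s/^$2[[:space:]]*=[[:space:]]*\"\(.*\)\".*/\1/p" "$1" | head -n 1
}
# The three CSF settings that decide whether the firewall actually protects SSH:
# TESTING must be 0 or no rule is enforced, the new port must be in TCP_IN or
# the admin is locked out, and LF_SSHD must be > 0 to block repeated failures.
check_csf() {  # $1 = csf.conf, $2 = SSH port
    ok=0
    [ "$(csf_value "$1" TESTING)" = "0" ] || { echo "csf: TESTING=1, rules not enforced"; ok=1; }
    case ",$(csf_value "$1" TCP_IN)," in
        *,"$2",*) ;;
        *) echo "csf: port $2 missing from TCP_IN (SSH would be locked out)"; ok=1 ;;
    esac
    n=$(csf_value "$1" LF_SSHD)
    [ -n "$n" ] && [ "$n" -gt 0 ] || { echo "csf: LF_SSHD login-failure blocking is off"; ok=1; }
    return $ok
}
```

Run the two check functions against copies of the live files before and after the change; `csf -r` still has to be run for CSF to reload its configuration.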
Results
Server load dropped from 20-40 to 0.8-2.0 within 48 hours of hardening. Brute-force attacks are now blocked at the firewall level before they reach the application layer. The server achieved PCI DSS compliance, allowing the client to retain their card-processing merchants. Zero security incidents in the 8 months since hardening.