Server Hardening Checklist for WHM/cPanel (AlmaLinux)

Copy‑paste commands and functional tests to quickly harden a WHM/cPanel server with CSF/LFD, SMTP blocking, ModSecurity and HTTPS/HSTS.

CSF/LFD Status & Health

# enable/reload
csf -e
csf -r
systemctl status lfd

# module test
perl /usr/local/csf/bin/csftest.pl

Enable SMTP Blocking (CSF)

# set values in /etc/csf/csf.conf (CLI-safe in-place replace; the optional ^#?
# also uncomments a key that was commented out)
perl -pi -e 's/^#?\s*SMTP_BLOCK\s*=.*/SMTP_BLOCK = "1"/' /etc/csf/csf.conf
perl -pi -e 's/^#?\s*SMTP_PORTS\s*=.*/SMTP_PORTS = "25,465,587"/' /etc/csf/csf.conf
perl -pi -e 's/^#?\s*SMTP_ALLOWLOCAL\s*=.*/SMTP_ALLOWLOCAL = "0"/' /etc/csf/csf.conf
perl -pi -e 's/^#?\s*SMTP_REDIRECT\s*=.*/SMTP_REDIRECT = "1"/' /etc/csf/csf.conf
csf -ra   # restart csf and lfd together

What this does: SMTP_BLOCK restricts outbound connections to SMTP_PORTS to root and the users and groups CSF exempts (SMTP_ALLOWUSER / SMTP_ALLOWGROUP; the MTA is exempt by default), so a compromised PHP script or cPanel account cannot talk to remote MTAs directly and every message has to leave through your logged Exim. SMTP_REDIRECT = "1" sends such attempts to the local Exim instead of dropping them; set it to "0" if you would rather the connection simply fail. SMTP_ALLOWLOCAL = "0" also stops unprivileged connections to the server's own IPs on those ports, so loosen it to "1" if webmail or web apps that relay through 127.0.0.1 stop sending. Turn off WHM's own SMTP Restrictions (Tweak Settings) so the two mechanisms do not overlap.

Functional SMTP Test (non‑root must not reach the remote MTA)

dnf -y install nmap-ncat
useradd -M -s /sbin/nologin smtptest
su -s /bin/bash smtptest -c 'nc -vz -w 5 smtp.gmail.com 587'                    # unprivileged connect
su -s /bin/bash smtptest -c 'nc -w 5 -i 3 smtp.gmail.com 587 </dev/null'        # show the 220 greeting, if any
nc -vz -w 5 smtp.gmail.com 587                                                  # as root: must still connect
userdel smtptest

What to expect: with SMTP_REDIRECT = "0" the unprivileged connect is refused or times out. With SMTP_REDIRECT = "1" (as set above) the connect itself succeeds, but the 220 greeting names your own server rather than smtp.gmail.com, because the connection was redirected to the local Exim. A greeting from Gmail for the smtptest user means the block is not working; a failure for root means Exim and cPanel mail will break too. Run userdel from the root shell rather than after an exit, since exit ends the shell before anything chained after it runs.
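A scripted version of the test above, added here as an example and not part of the original checklist: it creates the throwaway user, runs the connect as that user, repeats it as root, and classifies each outcome so that the SMTP_REDIRECT = "1" case (connect succeeds, greeting is our own Exim) is not mistaken for either a working or a broken block. It assumes nmap-ncat is installed, that it is run as root with SMTP_TEST_RUN=1, and that the local Exim greeting contains the server's FQDN (Exim's default). SMTP_TARGET, SMTP_PORT, TEST_USER and the function names are choices made for this script, not CSF settings.

```shell
#!/bin/sh
# Added example, not from the original page. Run as root:
#   SMTP_TEST_RUN=1 sh smtp_block_test.sh
# Assumes nmap-ncat is installed and that the local Exim's 220 greeting
# contains `hostname -f` (Exim's default primary_hostname).
SMTP_TARGET="${SMTP_TARGET:-smtp.gmail.com}"   # assumed defaults; override via env
SMTP_PORT="${SMTP_PORT:-587}"
TEST_USER="${TEST_USER:-smtptest}"

# classify_smtp_result GREETING MYHOST
# GREETING is the first line received from the target (empty if the connect
# was refused or timed out). Prints one of:
#   BLOCKED    - nothing came back: SMTP_BLOCK dropped the connection
#   REDIRECTED - greeting carries our own hostname: SMTP_REDIRECT sent it to local Exim
#   OPEN       - greeting from anyone else: this user can reach remote MTAs
classify_smtp_result() {
  greeting="$1"; myhost="$2"
  if [ -z "$greeting" ]; then
    echo BLOCKED
  elif printf '%s' "$greeting" | grep -qiF -- "$myhost"; then
    echo REDIRECTED
  else
    echo OPEN
  fi
}

# run_as_user USER: connect to the target as USER and print only the greeting.
# -w 5 bounds the connect; -i 3 closes the idle session once the banner is in.
run_as_user() {
  su -s /bin/bash "$1" -c \
    "nc -w 5 -i 3 $SMTP_TARGET $SMTP_PORT </dev/null 2>/dev/null | head -n 1"
}

smtp_block_test() {
  myhost=$(hostname -f)
  id "$TEST_USER" >/dev/null 2>&1 || useradd -M -s /sbin/nologin "$TEST_USER"
  greeting=$(run_as_user "$TEST_USER")
  userdel "$TEST_USER" 2>/dev/null
  verdict=$(classify_smtp_result "$greeting" "$myhost")
  echo "$TEST_USER -> $SMTP_TARGET:$SMTP_PORT : $verdict (${greeting:-no greeting})"

  # Root is exempt from SMTP_BLOCK and must still get out (expected: OPEN);
  # if root is blocked too, outbound mail from the server is broken.
  root_greeting=$(nc -w 5 -i 3 "$SMTP_TARGET" "$SMTP_PORT" </dev/null 2>/dev/null | head -n 1)
  echo "root -> $SMTP_TARGET:$SMTP_PORT : $(classify_smtp_result "$root_greeting" "$myhost") (expected OPEN)"

  # Exit 0 only if the unprivileged user could not reach the remote MTA.
  [ "$verdict" != OPEN ]
}

if [ "${SMTP_TEST_RUN:-0}" = 1 ]; then
  [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
  smtp_block_test
fi
```

The classification is deliberately based on the greeting rather than on nc's exit status: a pipeline's status is that of head, and with SMTP_REDIRECT the TCP connect succeeds anyway, so only the banner tells you where the connection actually landed.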

ModSecurity (OWASP) in WHM

WHM → Security Center → ModSecurity™ Vendors → install and enable the OWASP ModSecurity Core Rule Set vendor. Confirm Apache actually loaded the engine (apachectl -M should list security2_module), then test it: request a page with an obviously hostile query string such as ?q=<script>alert(1)</script> using curl and expect a 403, with a matching entry in WHM → Security Center → ModSecurity™ Tools → Hits List and in /etc/apache2/logs/modsec_audit.log. Watch the Hits List for a few days and disable individual false‑positive rule IDs from there; do not switch the vendor off, since its SQLi, XSS, file‑inclusion and scanner rules are what mitigates the common attacks.

AutoSSL + Force HTTPS/HSTS

WHM → Manage AutoSSL → Run AutoSSL For All Users. Before forcing HTTPS, confirm that the domain and every subdomain users will reach over HTTPS (www, mail, webmail, cpanel) already have a valid certificate, because the includeSubDomains directive below applies HSTS to all of them. Then set the redirect and headers in the site's .htaccess (the host below is this site's; substitute your own):

# Force HTTPS and the bare (non‑www) host with a single 301
RewriteEngine On
RewriteCond %{HTTPS} !=on [OR]
RewriteCond %{HTTP_HOST} ^www\.servsecure\.info$ [NC]
RewriteRule ^(.*)$ https://servsecure.info/$1 [R=301,L]

AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css application/javascript application/json

<IfModule mod_expires.c>
  ExpiresActive On
  ExpiresByType text/css "access plus 7 days"
  ExpiresByType application/javascript "access plus 7 days"
  ExpiresByType image/png "access plus 30 days"
  ExpiresByType image/jpeg "access plus 30 days"
  ExpiresByType image/svg+xml "access plus 30 days"
</IfModule>

<IfModule mod_headers.c>
  # HSTS only on HTTPS responses (env HTTPS is set by mod_ssl): one year, all subdomains.
  # Start with a short max-age (e.g. 300) until every subdomain serves a valid certificate.
  Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" env=HTTPS
  Header always set X-Content-Type-Options "nosniff"
  Header always set X-Frame-Options "SAMEORIGIN"
  Header always set Referrer-Policy "strict-origin-when-cross-origin"
  # Not a full CSP: this only rewrites http:// subresources to https://
  Header always set Content-Security-Policy "upgrade-insecure-requests"
</IfModule>
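To verify that the .htaccess above actually took effect (mod_headers can be missing, a cached 301 can hide a broken rule, and an HSTS header with a tiny max-age is easy to overlook), here is an added checker that is not part of the original page: two shell functions that read response headers from curl on stdin and report the HTTP→HTTPS redirect and each security header, flagging an HSTS max-age below one year. The servsecure.info URLs in the usage comments are the page's own host; hget, check_https_redirect and check_security_headers are names chosen for this example, and the SAMPLE_HTTPS headers are constructed.

```shell
#!/bin/sh
# Added example, not from the original page. Pipe curl -sI output in:
#   curl -sI http://servsecure.info/  | check_https_redirect
#   curl -sI https://servsecure.info/ | check_security_headers

# hget HEADERS NAME: first value of header NAME (case-insensitive), leading space trimmed
hget() {
  printf '%s\n' "$1" | grep -i "^$2:" | head -n 1 | cut -d: -f2- | sed 's/^[[:space:]]*//'
}

# Stdin: headers from a plain-http request. Pass = 301 with an https:// Location.
check_https_redirect() {
  hdrs=$(tr -d '\r')                                   # curl -I emits CRLF line endings
  status=$(printf '%s\n' "$hdrs" | head -n 1 | cut -d' ' -f2)
  loc=$(hget "$hdrs" Location)
  case "$status:$loc" in
    301:https://*) echo "OK redirect $status -> $loc"; return 0 ;;
    *)             echo "FAIL redirect: status=${status:-?} location=${loc:-none}"; return 1 ;;
  esac
}

# Stdin: headers from the https request. Checks the five headers set in .htaccess;
# HSTS must be present with max-age >= 1 year (31536000). Returns 1 if anything fails.
check_security_headers() {
  hdrs=$(tr -d '\r'); rc=0
  hsts=$(hget "$hdrs" Strict-Transport-Security)
  if [ -z "$hsts" ]; then
    echo "MISSING Strict-Transport-Security (mod_headers loaded? fetched over https?)"; rc=1
  else
    age=$(printf '%s' "$hsts" | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
    if [ "${age:-0}" -lt 31536000 ]; then
      echo "WEAK Strict-Transport-Security: max-age=${age:-missing} (< 1 year)"; rc=1
    else
      echo "ok   Strict-Transport-Security: $hsts"
    fi
  fi
  for h in X-Content-Type-Options X-Frame-Options Referrer-Policy Content-Security-Policy; do
    v=$(hget "$hdrs" "$h")
    if [ -n "$v" ]; then echo "ok   $h: $v"; else echo "MISSING $h"; rc=1; fi
  done
  if [ "$rc" -eq 0 ]; then echo "OK: all expected headers present"; fi
  return "$rc"
}

# Constructed sample of what a correctly configured site returns, so the checker
# can be exercised offline; in practice pipe live curl output instead.
SAMPLE_HTTPS='HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Referrer-Policy: strict-origin-when-cross-origin
Content-Security-Policy: upgrade-insecure-requests'
printf '%s\n' "$SAMPLE_HTTPS" | check_security_headers
```

Run the redirect check against the http:// URL and the header check against the https:// one; the HSTS header is only emitted on TLS responses (env=HTTPS), so a plain-http fetch will report it missing by design.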

Downloadable Checklist

Download the PDF checklist (create a simple PDF and upload to public_html/files/).

Useful Logs

tail -f /var/log/lfd.log          # LFD blocks, login failures, alerts
journalctl -u lfd -e              # lfd service start/stop and errors
tail -f /var/log/exim_mainlog     # Exim delivery and rejection log

Want the quick copy‑paste block? Link back to this page as a reference.