Securing CloudPanel on Ubuntu 24.04 Part 1

13/11/2024 13/11/2024 security 2 mins read

Securing CloudPanel on Ubuntu 24.04: A Comprehensive Guide

Part 1: Initial Server Access and Core Configuration

1. Initial SSH Security Configuration

```bash
# Edit SSH configuration
sudo nano /etc/ssh/sshd_config
```

Add these security-focused settings:

```
# SSH Security Configuration
Port 2222                  # Custom SSH port
PermitRootLogin no         # Disable root login
PasswordAuthentication no  # Key-based auth only
Protocol 2                 # SSHv2 only (current OpenSSH speaks only SSHv2 and ignores this keyword)
MaxAuthTries 3             # Limit auth attempts
ClientAliveInterval 300    # Probe unresponsive clients every 5 minutes
X11Forwarding no           # Disable X11 forwarding
AllowTcpForwarding no      # Disable TCP forwarding
```

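Restart SSH:

```bash
# Ubuntu 24.04 socket-activates sshd: regenerate ssh.socket so the new Port applies
sudo systemctl daemon-reload && sudo systemctl restart ssh.socket ssh.service
```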
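An added check, not part of the original guide: Ubuntu's stock `sshd_config` starts with `Include /etc/ssh/sshd_config.d/*.conf`, and sshd keeps the first value it reads for each keyword, so a drop-in file can override the settings listed in this section. The function below compares `sshd -T` output with this guide's values; `audit_sshd` and the sample output are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: check sshd's effective settings against this guide's values.
# `sshd -T` prints the merged configuration (main file plus Include'd drop-ins)
# as lowercase "keyword value" lines.

# Expected values, taken from the settings listed in this section.
# Protocol is left out: it does not appear in `sshd -T` output on current OpenSSH.
EXPECTED='port 2222
permitrootlogin no
passwordauthentication no
maxauthtries 3
clientaliveinterval 300
x11forwarding no
allowtcpforwarding no'

# audit_sshd (hypothetical helper): reads `sshd -T` output on stdin, prints one
# line per setting that differs, returns 0 if all match and 1 otherwise.
audit_sshd() {
    local effective key want got status=0
    effective=$(cat)
    while read -r key want; do
        got=$(printf '%s\n' "$effective" |
            awk -v k="$key" '$1 == k { print $2; exit }')
        if [ "$got" != "$want" ]; then
            printf 'MISMATCH %s: want %s, got %s\n' "$key" "$want" "${got:-unset}"
            status=1
        fi
    done <<EOF
$EXPECTED
EOF
    return "$status"
}

# Constructed sample of `sshd -T` output in which a drop-in has re-enabled
# password logins even though sshd_config says "no".
SAMPLE_OVERRIDDEN='port 2222
addressfamily any
permitrootlogin no
passwordauthentication yes
maxauthtries 3
clientaliveinterval 300
x11forwarding no
allowtcpforwarding no'

# Demo on the sample; on the server run: sudo sshd -T | audit_sshd
printf '%s\n' "$SAMPLE_OVERRIDDEN" | audit_sshd || true
```

Run it from a second session before closing the one you are working in, so a mismatch can be fixed without losing access.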

2. CloudPanel-Specific Firewall Rules

Configure UFW based on CloudPanel’s database structure:

```bash
# Configure UFW rules based on CloudPanel's firewall_rule table
# (sudo: the database is owned by the clp user)
sudo sqlite3 /home/clp/htdocs/app/data/db.sq3 << EOF
INSERT INTO firewall_rule (created_at, updated_at, port_range, source, description)
VALUES
  (datetime('now'), datetime('now'), '8443', '0.0.0.0/0', 'CloudPanel Admin Interface'),
  (datetime('now'), datetime('now'), '80', '0.0.0.0/0', 'HTTP'),
  (datetime('now'), datetime('now'), '443', '0.0.0.0/0', 'HTTPS'),
  (datetime('now'), datetime('now'), '2222', '0.0.0.0/0', 'Custom SSH Port');
EOF

# Apply UFW rules
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow 8443/tcp comment 'CloudPanel Admin'
sudo ufw allow 80/tcp comment 'HTTP'
sudo ufw allow 443/tcp comment 'HTTPS'
sudo ufw allow 2222/tcp comment 'SSH'
```

4. Database Security and Monitoring

Set up database security using CloudPanel’s structure:

```bash
# Set proper permissions (a data file needs no execute bit)
sudo chown clp:clp /home/clp/htdocs/app/data/db.sq3
sudo chmod 660 /home/clp/htdocs/app/data/db.sq3

# Create automated database backup script
sudo nano /usr/local/bin/cloudpanel-db-backup.sh
```

Paste the following into the script:

```bash
#!/bin/bash
# Database backup script
set -euo pipefail   # Stop on the first failed command or unset variable
umask 027           # New files and directories are never world-readable

CP_HOME="/home/clp"
DB_PATH="${CP_HOME}/htdocs/app/data/db.sq3"
BACKUP_DIR="${CP_HOME}/backups/database"
TIMESTAMP=$(date +%Y%m%d_%H%M%S)

# Create backup directory
mkdir -p "$BACKUP_DIR"

# Create backup with proper permissions
sqlite3 "$DB_PATH" ".backup '${BACKUP_DIR}/db_${TIMESTAMP}.sq3'"
chmod 640 "${BACKUP_DIR}/db_${TIMESTAMP}.sq3"
chown clp:clp "${BACKUP_DIR}/db_${TIMESTAMP}.sq3"

# Keep only last 7 days of backups
find "$BACKUP_DIR" -name "db_*.sq3" -mtime +7 -delete

# Log backup event in CloudPanel's event table
sqlite3 "$DB_PATH" "
INSERT INTO event (
    created_at,
    user_name,
    event_name,
    event_data
) VALUES (
    datetime('now'),
    'system',
    'database_backup',
    'Database backup created: db_${TIMESTAMP}.sq3'
);"
```