Solution for protecting yourself from future threats

Hello everyone,

I’d like to share my experience regarding the recent CyberPanel vulnerabilities in case it might be useful to others. With the RCE (Remote Code Execution) vulnerability that triggered a wave of attacks, I implemented certain security configurations that, I believe, may have helped me avoid the overloads and disruptions reported by other users. Here are the measures I set up from the start to strengthen my server’s protection.

Security Measures Implemented

  1. Reverse Proxy with OpenLiteSpeed (link for tutorial) and Additional Geographic Filtering via Cloudflare
    Upon installing CyberPanel, I configured a reverse proxy with OpenLiteSpeed and added Cloudflare for additional security. Through Cloudflare, I set up strict geographic filtering to allow only connections from my home country, the server’s hosting country, and the United States (required for Cloudflare services). All other traffic is blocked, reducing exposure to threats from unauthorized regions.

  2. Restricting Open Ports to Essentials Only
    Since my server only hosts a website and a web application, I restricted open ports to:
    • Ports 80 and 443 for HTTP and HTTPS traffic.
    • Port 587 over TCP for outgoing email.
    All other ports are blocked, which theoretically reduces the attack surface available to potential threats.

  3. Additional Geographic Blocking via CSF (ConfigServer Security & Firewall)
    To complement Cloudflare, I used CSF to block connections from high-risk regions, setting the CC_DENY directive to further limit access attempts from specific countries.

  4. OpenLiteSpeed Realm Authentication for Panel Access
    I configured the OpenLiteSpeed “Realm” authentication, adding an extra password prompt before accessing the management interface. This layer should limit unauthorized access attempts by adding an additional authentication step.

  5. SSH Security Reinforcement with Fail2Ban and a Dedicated Sudo User
    I disabled direct root access for SSH, requiring a dedicated sudo user for all SSH connections. Additionally, I configured Fail2Ban to permanently ban any IP address after three failed login attempts.
    This setup allowed me to collect logs revealing thousands of brute-force attempts, with numerous IPs primarily from countries such as China, India, Vietnam, Bangladesh, Brazil, and Bulgaria, though other regions were represented as well. These were the most frequently flagged sources of access attempts on my server. With Fail2Ban, all these IPs are automatically blocked and permanently banned after three failed attempts.

  6. Two-Factor Authentication and Robust SSH Keys
    Additionally, I enabled two-factor authentication (2FA) with Google Authenticator for CyberPanel users and disabled password-based SSH access, enforcing the use of an ed25519 SSH key for enhanced connection security.

  7. Automatic Security Updates
    I also set up automatic security updates to ensure my server remains protected against newly discovered vulnerabilities.

Results and Observations

Since implementing these measures, my server has remained stable, with no overloads or downtime. Fail2Ban logs indicate that these protections may have worked effectively, with thousands of brute-force attacks blocked automatically after three failed attempts. Filtering through Cloudflare, CSF, and enhanced authentication appears to have helped limit unauthorized connections, contributing to my server’s stability.

Recommendations for CyberPanel Users

In the hope that this might be helpful, here are a few suggestions:

• Update CyberPanel regularly to benefit from the latest patches.
• Use a reverse proxy and geographic filtering: OpenLiteSpeed as a reverse proxy, combined with Cloudflare’s geographic blocking and CSF, can help reduce unauthorized access.
• Limit open ports to essentials and add Realm authentication on OpenLiteSpeed for added protection.
• Use sudo users, strong SSH keys, and enable two-factor authentication: These measures enhance connection security and restrict unauthorized access.

These practices seem to have effectively protected my server, and I hope they may also be useful for securing your own setup.

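As an added example (not the author's own configuration or any CyberPanel code), here is a small POSIX shell audit that checks an sshd_config and a Fail2Ban jail file against the settings described in steps 5 and 6: root login and password authentication disabled, public-key login kept, and the sshd jail set to ban permanently after at most three failures. The function names, file paths and sample configs are constructed for the example.

```shell
#!/bin/sh
# Audit helpers (added example): compare sshd and the Fail2Ban sshd jail against
# the hardening described in the post. Paths are passed in so the checks can run
# against the constructed samples written by write_samples.

# sshd applies the FIRST uncommented occurrence of a keyword, so read that one.
sshd_value() {  # sshd_value KEY FILE
    awk -v k="$1" 'tolower($1) == tolower(k) { print $2; exit }' "$2"
}

# Fail2Ban jail files are INI: the LAST value inside the named section wins.
jail_value() {  # jail_value SECTION KEY FILE   (expects "key = value" lines)
    awk -v s="[$1]" -v k="$2" '
        /^\[/            { insec = ($0 == s) }
        insec && $1 == k { val = $3 }
        END              { print val }' "$3"
}

check_sshd() {  # check_sshd SSHD_CONFIG -> 0 when hardened, 1 otherwise
    rc=0
    [ "$(sshd_value PermitRootLogin "$1")" = "no" ]        || { echo "sshd: root login still permitted";   rc=1; }
    [ "$(sshd_value PasswordAuthentication "$1")" = "no" ] || { echo "sshd: password auth still enabled"; rc=1; }
    [ "$(sshd_value PubkeyAuthentication "$1")" != "no" ]  || { echo "sshd: public-key auth disabled";    rc=1; }
    return $rc
}

check_sshd_jail() {  # check_sshd_jail JAIL_FILE -> 0 when permanent ban after <= 3 failures
    rc=0
    [ "$(jail_value sshd enabled "$1")" = "true" ] || { echo "fail2ban: sshd jail not enabled"; rc=1; }
    retry=$(jail_value sshd maxretry "$1")
    [ -n "$retry" ] && [ "$retry" -le 3 ]          || { echo "fail2ban: maxretry is not <= 3"; rc=1; }
    [ "$(jail_value sshd bantime "$1")" = "-1" ]   || { echo "fail2ban: bantime is not permanent (-1)"; rc=1; }
    return $rc
}

# Constructed samples: a hardened pair and a default-looking weak pair.
write_samples() {  # write_samples DIR
    printf 'PermitRootLogin no\nPasswordAuthentication no\nPubkeyAuthentication yes\n' > "$1/sshd_hard"
    printf '#PermitRootLogin no\nPermitRootLogin yes\nPasswordAuthentication yes\n'   > "$1/sshd_weak"
    printf '[sshd]\nenabled = true\nmaxretry = 3\nbantime = -1\n'                    > "$1/jail_hard"
    printf '[sshd]\nenabled = true\nmaxretry = 5\nbantime = 10m\n'                   > "$1/jail_weak"
}
```

Run `check_sshd /etc/ssh/sshd_config` and `check_sshd_jail /etc/fail2ban/jail.local` on a live host; a non-zero exit with the printed reasons shows which of the described settings is missing.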