[email protected] | 3F Hanston Bldg., Ortigas Center, Pasig City | +632 8876-1925 |
iManila Help Center

Category: SECURITY

cPanel – ModSecurity

Overview
ModSecurity is an open-source web application firewall (WAF). Rather than being a separate appliance, it runs as a module inside the web server itself and is available for Apache, Nginx and IIS, so it inspects every request before your application code sees it.

Usage
The module is configured to protect web applications from various attacks. ModSecurity provides a flexible rule engine that can perform both simple and complex operations on each request and response. It comes with the OWASP (Open Web Application Security Project) ModSecurity™ Core Rule Set (CRS), a set of rules that Apache's ModSecurity™ module uses to help protect your server. These rules do not make your server impervious to attack, but they add a substantial layer of protection in front of your web applications.

The Core Rule Set includes rules for:

  • cross-site scripting (XSS)
  • bad user agents (known scanners and attack tools)
  • SQL injection
  • trojans
  • session hijacking
  • other exploits

Why should I use the OWASP ModSecurity rule set?

  • Protection from insecure web application design — ModSecurity rule sets provide a layer of protection in front of web applications such as WordPress, phpBB and other web applications, including unpatched, out-of-date installations. If the developer of an application makes a security mistake, ModSecurity may block the attack before it reaches the vulnerable code. This buys time to patch; it is not a substitute for patching.
  • Protection against operating system level attacks — ModSecurity rule sets can also block attacks that target the server's operating system through the web server. For example, in 2014 the Shellshock flaw in the Bash shell used by Linux servers could be triggered through Apache, because CGI scripts pass request headers to Bash as environment variables. Security experts published ModSecurity rules that blocked the exploit pattern, and server administrators used them as a stop-gap until the Bash security patch was released.
  • Protection against generalized malicious traffic — Some threats do not target a specific program or application on your server. DoS (Denial of Service) attacks, for example, are common. ModSecurity rules can reduce the impact of such traffic (the CRS ships optional DoS-protection rules that limit clients by request rate), although a WAF running on the server cannot absorb a large volumetric attack by itself.

What are the risks?
As with any mechanism that blocks web traffic, the OWASP rules can block legitimate traffic (false positives). OWASP and cPanel, L.L.C. both curate the rule set to reduce false positives, but some legitimate requests, typically form posts or API calls whose content happens to resemble an attack pattern, may still be blocked. A blocked request normally receives an HTTP 403 error, and the block is written to the ModSecurity log together with the ID of the rule that matched; that rule ID, the URI and the client address are what you need in order to report or exclude a false positive without switching the WAF off.
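
The triage a practitioner does when a rule starts blocking legitimate requests, as an added example that is not part of this page, of cPanel or of ModSecurity: it parses the `[key "value"]` pairs ModSecurity 2.x writes to the Apache error log, groups the denies by rule ID and URI, and prints the ModSecurity rule exclusion a host would add. The log lines are constructed for the example (the rule IDs, messages and file names follow OWASP CRS v3 naming; the vendor-config path and the false-positive heuristic are assumptions).

```python
"""Triage ModSecurity deny events from the Apache error log: false positive or attack?"""
import re
from collections import Counter

# Real CRS v3 rule file names, used only to make the constructed lines look realistic
RULE_FILES = {
    "942100": "REQUEST-942-APPLICATION-ATTACK-SQLI.conf",
    "941100": "REQUEST-941-APPLICATION-ATTACK-XSS.conf",
    "913100": "REQUEST-913-SCANNER-DETECTION.conf",
}


def _deny(client, rule_id, msg, uri, data):
    """Build one CONSTRUCTED line in the ModSecurity 2.x / Apache error-log format."""
    return (
        "[Mon Mar 04 10:15:32.123456 2024] [:error] [pid 2101:tid 140] "
        f"[client {client}:51234] [client {client}] ModSecurity: Access denied with code 403 (phase 2). "
        f'[file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/{RULE_FILES[rule_id]}"] '
        f'[line "45"] [id "{rule_id}"] [msg "{msg}"] [data "{data}"] [severity "CRITICAL"] '
        f'[hostname "example.com"] [uri "{uri}"] [unique_id "ZeVa1"]'
    )


SQLI = "SQL Injection Attack Detected via libinjection"
SCANNER = "Found User-Agent associated with security scanner"
SAMPLE_LOG = [  # constructed sample; addresses are documentation ranges (RFC 5737)
    # Three different visitors searching for names with apostrophes trip the SQLi rule: false positive
    _deny("198.51.100.7", "942100", SQLI, "/search.php", "Matched Data: sos found within ARGS:q: O'Brien"),
    _deny("198.51.100.8", "942100", SQLI, "/search.php", "Matched Data: sos found within ARGS:q: D'Angelo"),
    _deny("198.51.100.9", "942100", SQLI, "/search.php", "Matched Data: sos found within ARGS:q: O'Neil"),
    # One client hitting several paths with a scanner UA, XSS and SQLi payloads: attacker
    _deny("203.0.113.5", "913100", SCANNER, "/", "Matched Data: sqlmap found within REQUEST_HEADERS:User-Agent: sqlmap/1.7"),
    _deny("203.0.113.5", "913100", SCANNER, "/wp-login.php", "Matched Data: sqlmap found within REQUEST_HEADERS:User-Agent: sqlmap/1.7"),
    _deny("203.0.113.5", "941100", "XSS Attack Detected via libinjection", "/contact.php", "Matched Data: XSS data found within ARGS:name: <script>alert(1)</script>"),
    _deny("203.0.113.5", "942100", SQLI, "/admin.php", "Matched Data: s&1o found within ARGS:id: 1' or '1'='1"),
    # An ordinary Apache error line that the parser must ignore
    "[Mon Mar 04 10:16:00.000000 2024] [core:error] [pid 2101:tid 141] [client 198.51.100.7:51240] AH00126: Invalid URI in request GET /../ HTTP/1.1",
]

PAIR_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')          # [id "942100"], [uri "/x"], ...
CLIENT_RE = re.compile(r"\[client (\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\]")  # IPv4 only (assumption)


def parse_event(line):
    """Return a dict of the quoted fields of one ModSecurity deny line, or None for other lines."""
    if "ModSecurity:" not in line:
        return None
    fields = dict(PAIR_RE.findall(line))      # repeated keys such as [tag ...] keep the last value
    if "id" not in fields:
        return None
    client = CLIENT_RE.search(line)
    if client:
        fields["client"] = client.group(1)
    return fields


def summarize(lines):
    """Group denies by (rule id, uri): hit count, distinct clients and the rule message."""
    groups = {}
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        g = groups.setdefault((ev["id"], ev.get("uri", "?")), {"hits": 0, "clients": set(), "msg": ev.get("msg", "")})
        g["hits"] += 1
        g["clients"].add(ev.get("client", "?"))
    return groups


def likely_false_positives(groups, min_clients=3):
    """Heuristic: one rule firing on one URI for many unrelated clients is usually legitimate
    traffic tripping a pattern, whereas one client tripping many rules/URIs is usually an attacker."""
    return sorted(key for key, g in groups.items() if len(g["clients"]) >= min_clients)


def top_clients(lines, n=3):
    """Clients with the most denies: the attacker stands out, false-positive victims do not."""
    events = (parse_event(line) for line in lines)
    return Counter(ev["client"] for ev in events if ev and "client" in ev).most_common(n)


def exclusion_rule(rule_id, uri, target=None, local_id=1001):
    """ModSecurity v2 runtime exclusion scoped to one path: drop one rule, or only one of its
    targets (e.g. ARGS:q). IDs 1-99999 are reserved for local rules like this one."""
    action = f"ctl:ruleRemoveTargetById={rule_id};{target}" if target else f"ctl:ruleRemoveById={rule_id}"
    return f'SecRule REQUEST_URI "@beginsWith {uri}" "id:{local_id},phase:1,pass,nolog,{action}"'


if __name__ == "__main__":
    groups = summarize(SAMPLE_LOG)
    for (rid, uri), g in sorted(groups.items()):
        print(f"{rid} {uri:<15} hits={g['hits']} clients={len(g['clients'])}  {g['msg']}")
    print("noisiest clients:", top_clients(SAMPLE_LOG))
    for rid, uri in likely_false_positives(groups):
        print("candidate exclusion:", exclusion_rule(rid, uri, "ARGS:q"))
```

On shared cPanel hosting the user-facing ModSecurity page only switches the WAF on or off per domain; an exclusion like the one generated here has to be placed by the host (in WHM's ModSecurity Tools, before the CRS rules are included so the phase 1 `ctl` action runs first). Send the host the rule ID, the URI and the affected parameter rather than disabling ModSecurity for the whole site.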

cPanel – Two Factor Authentication

Overview
Two-factor authentication (2FA) is a security measure that requires two forms of identification. After you enter your password, you must also enter a six-digit security code generated by an application on your smartphone. The code is derived from a secret shared between cPanel and the app and changes every 30 seconds, so without the phone (or the secret that was enrolled in it) nobody can log in, even with your password.

Note:
2FA requires a smartphone with a supported time-based one-time password (TOTP) app. We suggest the following apps:

Important:
2FA supports only one concurrent session for any user. If you open several browser windows to cPanel and log out in one of them, the server will log out the other windows.
To configure 2FA, perform the following steps:
  1. In cPanel, open Security >> Two-Factor Authentication:
  2. Click the Set Up Two-Factor Authentication button:
  3. Connect your cPanel account to your authenticator app.

    There are 2 ways to connect the app:

    • Automatically, by scanning the displayed QR code with your app
    • Manually, by entering the displayed Account and Key values in your app

    The Key (and the QR code, which encodes the same key) is the shared secret from which every future code is derived. Anyone who obtains it can generate valid codes for your account, so do not store it in plain text, share the screenshot or leave it on screen.
  4. Once the app shows a six-digit code, enter it under cPanel >> Security >> Two-Factor Authentication >> Step 2 >> Security code:

  5. You should receive the following success message:
  6. At the next cPanel login, after you enter your username and password, you will be redirected to a page that asks for the current security code:
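
What the authenticator app does with the Key shown in the manual-setup option, and how the server side checks the submitted code, as an added example (standard-library Python, not cPanel's code): RFC 4226 HOTP and RFC 6238 TOTP with HMAC-SHA1, 30-second steps and six digits, which is the Google Authenticator-compatible scheme cPanel's 2FA uses. The secret below is the published RFC test key ("12345678901234567890", Base32-encoded), not a real cPanel key; the one-step clock-skew window is a common choice, not a documented cPanel setting.

```python
"""TOTP (RFC 6238) code generation and verification, as used by cPanel's 2FA."""
import base64
import hashlib
import hmac
import struct
import time

TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"   # RFC 4226/6238 test key, Base32 (not a real key)


def decode_secret(secret_b32):
    """Keys are Base32 (the 'Key' cPanel shows); tolerate spaces, lower case and missing '=' padding."""
    s = secret_b32.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(secret_b32, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation, modulo 10^digits."""
    mac = hmac.new(decode_secret(secret_b32), struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                  # low nibble of the last byte picks 4 bytes
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)            # keep leading zeros: "081804" is a valid code


def totp(secret_b32, at=None, period=30, digits=6):
    """RFC 6238: the HOTP counter is the number of whole periods since the Unix epoch."""
    now = time.time() if at is None else at
    return hotp(secret_b32, int(now // period), digits)


def verify_totp(secret_b32, submitted, at=None, window=1, period=30, digits=6):
    """Server side: accept the current step plus `window` steps either side to absorb clock skew.
    Compares in constant time and does not return early, so timing reveals nothing about which step matched.
    A real server must additionally refuse to accept the same code twice (replay)."""
    submitted = submitted.strip()
    if not (submitted.isascii() and submitted.isdigit() and len(submitted) == digits):
        return False
    now = time.time() if at is None else at
    step = int(now // period)
    ok = False
    for counter in range(step - window, step + window + 1):
        ok |= hmac.compare_digest(hotp(secret_b32, counter, digits), submitted)
    return bool(ok)


if __name__ == "__main__":
    # What the phone shows right now for the test key, and how long until it rolls over
    print("current code:", totp(TEST_SECRET_B32), "valid for", 30 - int(time.time()) % 30, "s")
    print("RFC 6238 vector, t=59:", totp(TEST_SECRET_B32, at=59))   # 287082
```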


cPanel – SSL / TLS

SSL (Secure Sockets Layer) and its successor TLS (Transport Layer Security) are the protocols that encrypt and authenticate the connection between a visitor's browser and your server, so data in transit cannot be read or altered. Modern browsers only negotiate TLS; "SSL certificate" survives as the everyday name for the X.509 certificate that enables it.

Generate Private Key

The private key stays on your server and must never leave it. During the TLS handshake it proves that your server is the legitimate holder of the certificate (and, with the older RSA key exchange, it decrypts the session secret the browser sends). Without the private key your server cannot complete a TLS connection for that certificate; with a stolen copy, an attacker can impersonate your site. cPanel can generate a new private key automatically when you generate a CSR, or you can create one separately as described here.

To generate a Private Key, follow these steps −

Step 1 − Open the cPanel SSL/TLS Manager by clicking SSL/TLS under the Security section of cPanel.

Step 2 − Under Private Keys (KEY), click Generate, view, upload, or delete your private keys.

Step 3 − Use the Generate a New Private Key interface to create a new key.

Step 4 − Choose a Key Size from the dropdown menu. Use at least 2,048 bits; public CAs no longer issue certificates for smaller RSA keys. The description is optional and can be left blank.

Step 5 − Click on Generate Button to generate a new private key.


Upload a Private Key

To upload a private key you already have, use the Upload a New Private Key section below Generate a New Private Key. Paste the PEM-encoded key (the block beginning -----BEGIN PRIVATE KEY----- or -----BEGIN RSA PRIVATE KEY-----) into the text box, optionally provide a description, then click Save to import it.

Alternatively, if the key is stored in a .key file, scroll down within Upload a New Private Key, browse for the file, select it and click Upload. Only transfer a private key over an encrypted connection (HTTPS to cPanel, or SFTP), and delete any copies that are no longer needed.


Generate a CSR

A CSR (Certificate Signing Request) is a Base64-encoded message that a certificate authority (CA) asks for when you purchase an SSL/TLS certificate. It contains your public key and the identifying details the CA needs (domain names, organization, location) and is signed with your private key so the CA can confirm you hold that key. The private key itself is never part of the CSR and is never sent to the CA.

To generate a CSR, follow these steps below.

Step 1 − Click SSL/TLS link found under Security section of the cPanel.

Step 2 − Under Certificate Signing Request (CSR) click Generate, view, or delete SSL certificate signing requests.

Step 3 − In SSL Certificate Signing Request Interface, scroll down to see Generate a New Certificate Signing Request (CSR).

Step 4 − Choose an existing Private Key from Key dropdown. You can also choose to generate a new Private Key.

Step 5 − Enter the domains the certificate should cover. For a wildcard certificate use * as the subdomain, e.g. *.tutorialspoint.com. A wildcard matches one level of subdomain only (www.example.com but not a.b.example.com) and does not by itself cover the bare domain, so list that separately if you need it.

Step 6 − Provide all necessary information in text fields like City, State, Country, Company etc.

Step 7 − Click Generate Button to generate a CSR.


Upload an SSL / TLS Certificate

If you have obtained an SSL/TLS certificate from a Trusted Certificate Provider, then you will need to upload it to your server to use it on your website.

To upload an SSL/TLS certificate, follow these steps below −

Step 1 − Click on SSL/TLS link found under Security section of cPanel.

Step 2 − Under Certificates (CRT), click on Generate, view, upload, or delete SSL certificates.

Step 3 − Scroll down to Upload a New Certificate. Either paste the PEM-encoded certificate (the block beginning -----BEGIN CERTIFICATE-----) into the text box and click Save Certificate, or choose the .crt file provided by the certificate authority and click Upload Certificate. The certificate only installs against the private key that was used to generate its CSR, so keep that key on the server.


Self–Signed Certificate

You can also use a self-signed certificate on your website, but browsers will warn visitors that the certificate is not from a trusted certificate provider, and clients that validate certificates strictly (API consumers, mobile apps, monitoring tools) will refuse to connect. A self-signed certificate still encrypts the connection, but it cannot prove that the visitor is talking to the real site rather than to an impostor, and it trains users to click through warnings. Use one only for testing or internal services; in a production environment, use a certificate issued by a trusted CA.

To Generate a Self–signed Certificate, you can follow these steps.

Step 1 − Scroll down to Generate a New Certificate in Certificates section.

Step 2 − Choose an existing Private Key from Key dropdown, you can also choose to generate a new Private Key.

Step 3 − Enter the domains the certificate should cover; for a wildcard use * as the subdomain, e.g. *.tutorialspoint.com.

Step 4 − Provide all necessary information in text fields like City, State, Country, Company etc.

Step 5 − Click Generate to generate a Certificate.


Installing SSL

To activate an SSL/TLS certificate on your domain or subdomains, follow these steps. The certificate (from a trusted certificate provider or self-signed) and its matching private key must already be on the server, either uploaded or generated as described above.

Step 1 − Click SSL/TLS link found under Security section of cPanel.

Step 2 − Under Certificates (CRT), click Install and Manage SSL for your site (HTTPS).

Step 3 − In this interface you can choose which certificate to install on which site. Scroll down to Install an SSL Website.

Step 4 − Click Browse Certificates to choose one of the installed certificates, or select a domain from the dropdown and click Autofill by Domain.

Step 5 − The Certificate (CRT), Private Key (KEY) and Certificate Authority Bundle (CABUNDLE) fields are filled automatically. The private key must be the one that matches the certificate; if it is not, cPanel reports an error instead of installing. Make sure the CA bundle (the intermediate certificates from your provider) is present, otherwise browsers may fail to build the chain to a trusted root even though the certificate itself is valid.

Step 6 − Click Install Certificate button to activate the certificate for the Domain or Subdomain.
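
The same flow (private key, CSR, self-signed certificate) driven from the command line with the `openssl` CLI, followed by the checks that matter before an install: that the key, CSR and certificate carry the same public key, that the CSR's self-signature verifies, and that the certificate lists the expected names. This is an added example, not cPanel's code; it assumes `openssl` 1.1.1 or later is on PATH (for `-addext` and `-ext`) and uses placeholder domain and subject values.

```python
"""Key, CSR and self-signed certificate via the openssl CLI, plus key/CSR/certificate matching checks."""
import hashlib
import os
import re
import subprocess
import tempfile


def _run(*args):
    """Run one openssl subcommand and return the CompletedProcess; a non-zero exit raises."""
    return subprocess.run(["openssl", *args], capture_output=True, check=True)


def generate(workdir, domain, alt_names=(), key_bits=2048, name="server"):
    """cPanel's Generate Private Key / Generate CSR / Generate Certificate steps, as openssl commands."""
    paths = {ext: os.path.join(workdir, f"{name}.{ext}") for ext in ("key", "csr", "crt")}
    subj = f"/C=PH/ST=Metro Manila/L=Pasig City/O=Example Org/CN={domain}"   # placeholder subject
    san = "subjectAltName=" + ",".join(f"DNS:{d}" for d in (domain, *alt_names))
    # 1. private key (2048-bit RSA minimum: public CAs reject smaller keys); readable by owner only
    _run("genpkey", "-algorithm", "RSA", "-pkeyopt", f"rsa_keygen_bits:{key_bits}", "-out", paths["key"])
    os.chmod(paths["key"], 0o600)
    # 2. CSR signed with that key, carrying the domains as Subject Alternative Names
    _run("req", "-new", "-key", paths["key"], "-subj", subj, "-addext", san, "-out", paths["csr"])
    # 3. self-signed certificate for the same key (testing only; browsers will warn)
    _run("req", "-x509", "-new", "-key", paths["key"], "-days", "90", "-subj", subj, "-addext", san,
         "-out", paths["crt"])
    return paths


def public_key_sha256(path, kind):
    """SHA-256 of the SubjectPublicKeyInfo extracted from a key, CSR or certificate.
    All three must agree for cPanel (or Apache) to accept an installation."""
    args = {"key": ("pkey", "-in", path, "-pubout"),
            "csr": ("req", "-in", path, "-pubkey", "-noout"),
            "crt": ("x509", "-in", path, "-pubkey", "-noout")}[kind]
    pem = _run(*args).stdout
    return hashlib.sha256(b"".join(pem.split())).hexdigest()   # whitespace-insensitive comparison


def csr_signature_ok(csr_path):
    """The CSR is self-signed with the private key; openssl re-checks that signature."""
    out = _run("req", "-in", csr_path, "-noout", "-verify")
    return b"verify OK" in (out.stdout + out.stderr)            # wording differs between 1.1.1 and 3.x


def cert_dns_names(crt_path):
    """DNS names in the certificate's subjectAltName extension (what browsers actually match)."""
    out = _run("x509", "-in", crt_path, "-noout", "-ext", "subjectAltName").stdout.decode()
    return re.findall(r"DNS:([^,\s]+)", out)


def run_demo():
    """Generate material for example.com and report the checks, including a deliberate key mismatch."""
    with tempfile.TemporaryDirectory() as d:
        site = generate(d, "example.com", alt_names=("*.example.com",))
        other = generate(d, "example.com", name="other")      # a second key: simulates the wrong .key
        key_fp = public_key_sha256(site["key"], "key")
        return {
            "key_matches_csr": key_fp == public_key_sha256(site["csr"], "csr"),
            "key_matches_crt": key_fp == public_key_sha256(site["crt"], "crt"),
            "wrong_key_matches_crt": public_key_sha256(other["key"], "key") == public_key_sha256(site["crt"], "crt"),
            "csr_signature_ok": csr_signature_ok(site["csr"]),
            "cert_dns_names": cert_dns_names(site["crt"]),
            "key_perms": oct(os.stat(site["key"]).st_mode & 0o777),
        }


if __name__ == "__main__":
    for check, result in run_demo().items():
        print(f"{check:<24} {result}")
```

The public-key comparison is the check to run when cPanel rejects an upload with a key mismatch: extract the public key from the certificate and from each candidate key file and compare the hashes, rather than guessing which of several keys belongs to the certificate.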

cPanel – IP Blocker

cPanel's IP Blocker lets you deny access to your website from a single IP address, a range of addresses or a host name. Visitors from blocked addresses receive a 403 Forbidden error instead of your pages. Use it to cut off addresses that are consuming your bandwidth or behaving maliciously, bearing in mind that attackers change addresses easily, so it complements rather than replaces ModSecurity and strong authentication.

Deny Access to an IP Address or Domain

To deny access to a specific IP address or Domain name, follow these steps −

Step 1 − Open cPanel IP Blocker by clicking on the IP Blocker Link found under the security section of cPanel Home.

Step 2 − In Add an IP or Range, enter your IP address or Domain Name or Range.

The address can be entered in any of the following formats:

  • Single IP address, e.g. 192.168.0.1
  • IP address range, e.g. 192.168.0.1–192.168.0.100 or 192.168.0.1–100 (shorthand for the last octet)
  • CIDR format, e.g. 192.168.0.1/32 (a /32 is a single address; 192.168.0.0/24 would cover all 256 addresses of that network)
  • Wildcard, e.g. 192.168.*.* (covers all 65,536 addresses beginning 192.168)
  • Domain name, e.g. google.com (the web server must reverse-resolve the connecting address to apply this, which is slower and depends on the remote network's DNS, so prefer address-based entries)

Step 3 − Click Add to block that IP address or range from accessing your website.
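
How each of the entry formats above expands to the set of addresses actually denied, as an added example that is not cPanel's code: it normalises every accepted format to CIDR blocks with the standard-library `ipaddress` module, then renders them as Apache access-control directives. The `.htaccess` rendering is an assumption about the form of the block (the Apache `deny from` syntax that mod_access_compat understands), not a copy of what cPanel writes.

```python
"""Expand cPanel IP Blocker entries into CIDR blocks and Apache deny rules."""
import ipaddress
import re

_HOST_RE = re.compile(r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$", re.I)


def to_cidr_blocks(entry):
    """Return the CIDR strings an entry denies, or None when the entry is a host name."""
    e = entry.strip().replace("\u2013", "-")          # the help page shows ranges with an en dash
    if any(c.isalpha() for c in e) and ":" not in e:   # letters but not IPv6: treat as a host name
        if _HOST_RE.match(e):
            return None
        raise ValueError(f"unrecognised entry: {entry}")
    if "/" in e:                                       # CIDR: /32 is one host, /24 is 256 addresses
        return [str(ipaddress.ip_network(e, strict=False))]
    if "-" in e:                                       # range, full or last-octet shorthand
        start, end = (p.strip() for p in e.split("-", 1))
        if "." not in end:
            end = start.rsplit(".", 1)[0] + "." + end  # 192.168.0.1-100 -> 192.168.0.1-192.168.0.100
        first, last = ipaddress.ip_address(start), ipaddress.ip_address(end)
        if last < first:
            raise ValueError(f"range end precedes start: {entry}")
        # the minimal set of CIDR blocks covering the range (what the server actually matches on)
        return [str(n) for n in ipaddress.summarize_address_range(first, last)]
    if "*" in e:                                       # wildcard: only trailing octets may be *
        octets = e.split(".")
        if len(octets) != 4:
            raise ValueError(f"wildcard entries need four octets: {entry}")
        n_fixed = next((i for i, o in enumerate(octets) if o == "*"), 4)
        if any(o != "*" for o in octets[n_fixed:]):
            raise ValueError(f"wildcards must be trailing: {entry}")   # 192.*.0.* is not contiguous
        base = ".".join(octets[:n_fixed] + ["0"] * (4 - n_fixed))
        return [f"{base}/{8 * n_fixed}"]               # *.*.*.* would be 0.0.0.0/0: everyone
    ip = ipaddress.ip_address(e)                       # plain IPv4 or IPv6 address
    return [f"{ip}/{ip.max_prefixlen}"]


def address_count(blocks):
    """How many addresses a list of CIDR blocks covers; useful sanity check before blocking."""
    return sum(ipaddress.ip_network(b).num_addresses for b in blocks)


def render_htaccess(entries):
    """Apache deny rules (mod_access_compat syntax) for every entry, one block per site."""
    lines = ["order allow,deny"]
    for entry in entries:
        blocks = to_cidr_blocks(entry)
        if blocks is None:
            # host-name denies make Apache reverse-resolve each client: slow, and at the mercy of remote DNS
            lines.append(f"deny from {entry.strip()}")
        else:
            lines.extend(f"deny from {b}" for b in blocks)
    lines.append("allow from all")
    return "\n".join(lines)


if __name__ == "__main__":
    for entry in ["192.168.0.1", "192.168.0.1\u2013192.168.0.100", "192.168.0.1/32", "192.168.*.*", "google.com"]:
        blocks = to_cidr_blocks(entry)
        print(f"{entry:<28} -> {'host name' if blocks is None else f'{address_count(blocks)} address(es)'}")
    print(render_htaccess(["192.168.0.1\u2013100", "google.com"]))
```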


Remove an IP from the Denied List

To allow access again from a denied IP address or range, follow these steps −

Step 1 − Open cPanel IP Blocker by clicking on IP Blocker Link found under security section of cPanel Home.

Step 2 − Scroll down to Currently-Blocked IP Addresses, find the IP address or range you want to remove, and click its Delete link.

Step 3 − Confirm by clicking Remove IP. The entry is removed from the blocked list and that address can access your site again.
