Server Check feedback

adamreece-webbox
Junior Member
Posts: 8
Joined: 10 Jan 2017, 15:38

Post by adamreece-webbox

Hello,

I'd like to provide some feedback on the Server Check feature.

I've gotten scores up to around 95+ on all our WHM servers but I feel there are some items on there that aren't really "bad" conditionally. Obviously I've just been ignoring them so far as I understand why they can be ignored, though they could mislead other people.

Server Check
  • Check for cxs: You should consider using cxs to scan web script uploads and user accounts for exploits uploaded to the server
    This just appears to be an upsell attempt. With the language used "should consider" this should equally be optional to opt out.
  • Check for osm: You should consider using osm to provide protection from spammers exploiting the server
    This just appears to be an upsell attempt. With the language used "should consider" this should equally be optional to opt out.
Apache Check
  • Check apache for FileETag: You should set FileETag to None in: WHM > Apache Configuration > Global Configuration > File ETag > None
    This setting is used by browsers to make best use of their cache by purging cached files that the web server says have since changed. It also means that end users don't need to be told to clear their cache or do a hard refresh whenever sites update front-end assets that happen to have the same file name. Is there a specific reason why this should be considered insecure?
PHP Check
  • Check php version: Any version of PHP older than v7.2.* is now obsolete and should be considered a security threat.
    This doesn't appear to be working properly as it's including versions 7.2.34 and 7.3.33 in the "Affected PHP versions", which are not "older than v7.2".
WHM Settings Check
  • Check Reset Password for *: This poses a potential security risk and should be disabled unless necessary in WHM > Tweak Settings > Reset Password for *.
    This is a somewhat necessary feature for self-service account administration by customers, and allows them to get access to their account without needing to wait for a support ticket to be answered. With the language used "should consider" this should equally be optional to opt out.
  • Check cPanelID for *: You should only enable this option if you are going to use it otherwise it is a potential security risk in WHM > Manage External Authentications > *
    This can arguably be considered more secure than a simple password, as it allows customers to make use of the enhanced MFA mechanisms of say Google, Facebook, Slack, etc. With the language used "should consider" this should equally be optional to opt out.
Thanks,

Adam Reece | WebBox
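As an added illustration of the rule the PHP check states (this is not code from the Server Check tool, whose implementation is not shown in the thread), the following Python compares only the major.minor part of a version against 7.2, so that 7.2.34 and 7.3.33 are not flagged while 5.6.40, 7.0.33 and 7.1.33 are. The version list is constructed sample input, and the string-comparison function is included only to show a general pitfall, not as the cause of the reported behaviour.

```python
import re
from typing import List, Tuple

# Constructed sample of PHP versions as a server check might enumerate them,
# including the two versions the post says were wrongly listed as affected.
SAMPLE_VERSIONS: List[str] = [
    "5.6.40", "7.0.33", "7.1.33", "7.2.34", "7.3.33", "7.4.30", "8.0.0",
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '7.2.34' into (7, 2, 34); suffixes such as '-dev' are dropped."""
    core = version.split("-", 1)[0]
    parts = re.findall(r"\d+", core)
    if not parts:
        raise ValueError(f"not a PHP version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_older_than_minor(version: str, minimum: str = "7.2") -> bool:
    """True if version's major.minor is below minimum's, i.e. 'older than 7.2.*'.

    Only the first two components are compared, so any 7.2.x release is not
    older than 7.2, and '7.2.*' as the minimum is handled the same as '7.2'.
    """
    return parse_version(version)[:2] < parse_version(minimum)[:2]


def naive_string_is_older(version: str, minimum: str) -> bool:
    """General pitfall: comparing version strings lexically. '7.10.0' sorts
    before '7.2.0' because '1' < '2', so this must not be used for the check."""
    return version < minimum


def affected_versions(versions: List[str], minimum: str = "7.2") -> List[str]:
    """Return the versions that a correct 'older than minimum.*' check flags."""
    return [v for v in versions if is_older_than_minor(v, minimum)]


if __name__ == "__main__":
    print("Affected PHP versions:", affected_versions(SAMPLE_VERSIONS))
    print("Lexical compare says 7.10.0 < 7.2.0:",
          naive_string_is_older("7.10.0", "7.2.0"))
```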