Your Ad can be there
+ Post New Thread
Results 1 to 1 of 1

Thread: All in one Tutorial: How to setup/install WHM server for cPanel hosting reselling

  1. #1
    Join Date
    Mar 2013

    All in one Tutorial: How to setup/install WHM server for cPanel hosting reselling

    How to setup WHM/cPanel server for hosting reselling A to Z.

    Hello, what are Your experience setting up WHM/Cpanel server?

    I will share my experience and what i tried because i did it myself and hat alot of trouble around it. It can be useful for someone or for myself when i need to repeat the process of installing WHM server from scratch. This manual can be very valuable especially for newbie admins who setup their WHM server, (you can protect your server from many hacking/low performance issues)

    What this tutorial do?
    This tutorial should help setup fully working shared hosting server based on cPanel/WHM which will allow you to automatically resell webhosting accounts . The server which wont get overloaded by abusers easily and server which support most of the website software.

    Price calculations - what you need

    You need:
    - Server from reliable company - VPS server cost from around $20 monthly and dedicated server cost around $40 monthly.
    - WHM/cPanel VPS license cost around $15 monthly. Dedi server WHM license $35 monthly
    - Domain name for your hosting website cost around $10 yearly
    - Billing system recommend WHMCS cost $15 monthly, but one can get it with an shared reseller hosting even cheaper.

    OR one can buy shared reseller cpanel hosting (see link above) and have reseller hosting + cpanel + whmcs at around $15/mo. price! In that case, this tutorial would not be needed because your provider will manage WHM server for you.

    Domain & hosting site order

    If you want to run hosting reselling business, you need domain name and a website where you introduce hosting. It can be wise to buy cheap reseller plan as linked above which includes hosting space + whmcs billing system which is frontend of your hosting website too. Then include domain name with your order. This all should cost around $15/mo. + $10 yearly domain. One need to get familiar with the billing system and the things, this takes months of time. Then when having more customers, one can continue with this tutorial and buy own server with bigger capacity.

    Server order

    Order server from reliable datacenter (servercomplete, ovh + considering Per my experience, for WHM/cPanel its recommended to have at least 2GB ram server (hosting a few cpanel accounts, to host tens of accounts, 4gb ram+, 100 accounts, 8gb ram+ and similar) with at least 15gb disk space. Operating system should be preferably CentOS 7.x 64bit or higher. 1 IPv4. 2xHDD in raid1 or 4xHDD Raid 10 for the best performance. SSD is a big plus if there is alot of accounts on the server. In case of a VPS, select KVM or XEN virtualization.

    WHM/cPanel license order

    Im using BuyCpanel, their prices and support are one of the best. License setup is instant. License IP change is free & instant.
    After order, click "Request an Installation" in client area. They usually install in a few hours and for free. So you can login WHM and start working.

    Initial WHM setup

    After login to WHM (https://yourserverip:2087), set your nameservers. I strongly recommend to set only first two. The nameservers ns1 and ns2 . These nameservers you need to register in your domain registar control panel. Ask you domain registar if you can not find how to do it. Both nameservers should point to the IP of your cPanel/WHM server.
    Home »Server Configuration »Basic cPanel & WHM Setup - and
    Home »Networking Setup »Resolver Configuration - i have google DNSs: and
    Home »Support »Configure Customer Contact

    Important Apache modules

    Various scripts need varius software to run properly. I tested that these packages are really a must or else your customers may complain some of their scripts dont work or server is slow / vulnerable.
    1. Home »Software »EasyApache (Apache Update) (or via command line, screen; /scripts/easyapache)
    2. Begin by selecting a profile to load ; Previously Saved Config ; click "Start customizing based on profile" button
    3. Next Step
    4. There i select "5.3.28 DEPRECATED" because many scripts show errors on PHP 5.4 and click "Next step"
    5. Scroll down and click "Exhaustive Options List"
    6. I made sure to have ticked these modules: Deflate, eAccelerator, Expires, MemCache, IonCube Loader for PHP, Xcache * for PHP, MySQLi, Suhosin*, Zend Guard Loader for PHP, GD, PDO, PDO MySQL, Symlink Race Condition Protection, Zip, mod qos (anti slow loris?), mod ruid2 (mod_ruid2 may not work when enabled from Tweak settings / security - show error 403 on websites but prevent symlink race condition),
    Mod Security - i highly recommend all these be enabled
    7. Save and Build (if you want to) - then it will take around 20 minutes, in meantime continue next step in a new browser window
    8. If you selected memcached in EasyApache, you need to do these steps to make it working
    9. Imagick is enhanced GD alternative and some scripts like it. To install it do linux command "/scripts/installimagemagick" and then go to WHM/Software/Module Installers/PHP Pecl (manage)/Install a PHP Pecl/imagick and "Install Now"
    10. Now if you are building Apache (see the step 6 above on this page), then i would wait untill that step 6) is done, then continue this step: apply mod_deflate rules to all website hosted on server (in case you installed Deflate in step 6. above). Mod deflate will compress content before sending it to a website visitor, saving server resources and alot of data transfer (even 70%). So go to: WHM / Service Configuration / Apache Configuration / Include Editor / Pre Virtual Host Include / All Versions and paste there mod_deflate & other caching rules:
    Header add Strict-Transport-Security "max-age=31536000"
    SSLHonorCipherOrder On
    SSLCompression off

    <IfModule mod_fcgid.c>

    FcgidMaxRequestLen 1073741824

    <IfModule mod_deflate.c>
    <IfModule mod_filter.c>
    AddOutputFilterByType DEFLATE text/plain text/html application/x-httpd-php-source
    AddOutputFilterByType DEFLATE text/xml application/xml application/xhtml+xml application/xml-dtd
    AddOutputFilterByType DEFLATE application/rdf+xml application/rss+xml application/atom+xml image/svg+xml
    AddOutputFilterByType DEFLATE text/css text/javascript application/javascript application/x-javascript
    AddOutputFilterByType DEFLATE font/truetype application/x-font-ttf font/opentype application/x-font-otf

    # Website visitor internet browser should cache some website elements to prevent re-downloading from server
    # 1 YEAR
    <FilesMatch "\.(flv|ico|pdf|ttf|avi|mov|ppt|doc|mp3|wmv|wa v)$" >
    Header set Cache-Control "max-age=31536000, public"
    # 1 WEEK
    <FilesMatch "\.(jpg|jpeg|png|gif|swf|js|css)$">
    Header set Cache-Control "max-age=604800, public"
    # 3 HOUR
    <FilesMatch "\.(txt|xml)$">
    Header set Cache-Control "max-age=10800"
    # 5 MINUTES
    <FilesMatch "\.(html|htm)$">
    Header set Cache-Control "max-age=300"
    # NEVER CACHE - notice the extra directives
    <FilesMatch "\.(php|cgi|pl)$">
    Header set Cache-Control "max-age=0, private, no-store, no-cache, must-revalidate"

    ErrorDocument 400 "400, Bad request"
    ErrorDocument 401 "401, Unauthorized"
    ErrorDocument 403 "403, Forbidden"
    ErrorDocument 404 "404, Not found"
    ErrorDocument 406 "406, Not acceptable"
    ErrorDocument 500 "500, Internal server error"

    <Directory "/">
    Options -ExecCGI -FollowSymLinks Includes IncludesNOEXEC Indexes -MultiViews SymLinksIfOwnerMatch
    AllowOverride All

    <Directory "/usr/local/apache/htdocs">
    Options IncludesNOEXEC Indexes -FollowSymLinks +SymLinksIfOwnerMatch -ExecCGI
    AllowOverride None
    Order allow,deny
    Allow from all

    # causing error 500 in Joomla site (superko)
    #<Directory "/home">
    #Options All -ExecCGI -FollowSymLinks -Includes -IncludesNOEXEC -MultiViews #+SymLinksIfOwnerMatch
    #AllowOverride AuthConfig Indexes Limit Fileinfo

    # allow php files be handled by php only, so not readable as txt etc.
    <FilesMatch "\.ph(p[2-6]?|tml)$"> # this equal to: .php, .php2, .php3, .php4, .php5, .php6 .phtml
    SetHandler application/x-httpd-php5
    Then it will be applied and apache restarted. (Directory * codes should prevent some symlinking and executing cgi, security measure)
    Note: in above mentioned code, there is a directive:
    <Directory "/">
    Options -ExecCGI -FollowSymLinks Includes IncludesNOEXEC Indexes -MultiViews SymLinksIfOwnerMatch
    AllowOverride All
    Maybe i can better protect server if i disable symlinks also in sub directories, example by duplicating above directive and applying it also to a subdirectory by using: Directory "/*" instead of Directory "/" . Anyway below in this tutorial i add symlink() php function to disable_functions so above mentioned directives regarding symlinks may be absolete thanks to that.


    After WHM was installed on my CentOS linux server, there was missing basic mysql values in /etc/my.cnf file (it is mysql configuration file). Thanks to this fact i think many mysql requests was saved to disk instead into memory which is faster. So on my server with 4Gb RAM+ is hosted around 50 websites and these are my values i set and found quite good:


    CSF Firewall

    Install ipset for much more effective blocking than just iptables:
    yum install epel-release
    yum install ipset

    Its critically important to have firewall like CSF installed on WHM hosting server. CSF (Config Server Firewall) is very handy and integrated into WHM. (Install & Readme links on the bottom of the page)
    Follow above mentioned manual, Installation page to install CSF from linux terminal (SSH).
    - test installation by running from terminal /etc/csf/ (if you get errors try reading this page) continue with firewall only if you manage to fix fatal errors.

    Then open new WHM page (https://yourserverip:2087) and refresh/reload it. At the bottom side menu, there is Plugins Section and inside is menu entry "ConfigServer Security & Firewall". Click it

    There "Quickly allow" and "Ignore" your home/office computer IP address ( to prevent it being blocked.
    Then go to (Home »Networking Setup »Resolver Configuration). Then hit "Check Server Security" button in CSF section. Fix issues according to advices.

    Then these are my customized CSF values, which i found quite good ("Firewall Configuration" button):
    TCP_IN = "20,21,25,53,80,110,143,443,465,587,953,987,993,99 5,2077,2078,2082,2083,2086,2087,2095,2096,11211,30 000:35000,8081"
    TCP_OUT = "20,21,25,37,43,53,80,110,113,443,465,587,873,953, 987,2086,2087,2089,2703,8081,11211"
    UDP_IN = "20,21,53,953"
    UDP_OUT = "20,21,53,113,123,873,953,6277"
    CONNLIMIT = 21;20,22;1,25;50,80;4,110;12,143;5,443;4,465;50,587;50,783;20,993;5,995;12,3306;25 - 4 concurrent new connections for one IP may be too low if Apache has Keep Alive Off?

    PORTFLOOD = 22;tcp;2;300,80;tcp;20;5,110;tcp;20;2,143;tcp;20;5,443;tcp;20;5,993;tcp;20;2,995;tcp;20;2
    UDPFLOOD = 1
    LF_IPSET = 1 - leave it at 0 in case yum install ipset failed/ipset is not working (ipset version)
    LF_EMAIL_ALERT = 0 - dont want to be flooded by blocked IP emails, can read logs in CSF from time to time
    LF_SSHD_PERM = 3600
    LF_FTPD_PERM = 3600
    LF_CPANEL_PERM = 3600
    LF_APACHE_404 = "350" (it may block googlebot maybe if it visits not found page too many times)
    LF_APACHE_403 = "200"
    LF_BIND = 100 (i had 60)

    LF_BIND_PERM = 3600 (i had 7200)
    LF_SCRIPT_ALERT = 1 - alert if an script sending bulk mail
    LT_POP3D = 120
    LT_IMAPD = 120
    SMTP_BLOCK = 1
    CT_LIMIT = 150 - i think important settings
    CT_BLOCK_TIME = 1000
    PT_ALL_USERS = 1 - low importance
    PT_DELETED = 0
    PT_USERMEM = 320 - send email alert if user script exceeds this memory usage
    PT_USERTIME = 120 - send email alert if user script exceeds this time usage
    PT_USERKILL = 1 - processes detected by PT_USERMEM, PT_USERTIME or PT_USERPROC are killed
    PT_LOAD_LEVEL = 20 - only alert email when server load is very high 20.00
    PT_FORKBOMB = 350 - 350 same processes is too much
    PS_EMAIL_ALERT = 0 - dont want to receive too much emails of blocked IPs due to port scan
    RT_RELAY_LIMIT = 200
    RT_RELAY_BLOCK = 3600
    SYSLOG_CHECK = 300 - ???
    PT_USERPROC = 20
    PT_USERKILL_ALERT = 0 (dont let me know once processes are killed because of high count or high ram/runtime)
    SMTP_PORTS = "25,465,587"
    SMTP_ALLOWUSER = "cpanel,usernameone,usernametwo"

    Then i choosen to ignore following processes so they are not tracked/killed by CSF. Add to /etc/csf/csf.pignore

    pcmd:/usr/bin/php /home/someuser/addon/
    pcmd:/usr/bin/wget -O /dev/null*
    pcmd:/usr/bin/php /home/.*./public_html/cron.php
    pcmd:/usr/bin/php /home/.*./public_html/wp-cron.php
    pcmd:/usr/bin/php /home/.*./public_html/.*./wp-cron.php
    cmd:/bin/sh ./mysqloptimizer
    # Some additional entries that you might want to ignore on cPanel servers.
    # However, be aware of the security implications under "Process Tracking" in
    # the csf readme.txt when using these:
    cmd:spamd child
    pcmd:/usr/local/cpanel/3rdparty/bin/python /usr/local/cpanel/3rdparty/mailman/bin/qrunner.*
    pcmd:/usr/local/cpanel/3rdparty/bin/python /usr/local/cpanel/3rdparty/mailman/bin/mailmanctl.*
    pcmd:/usr/bin/perl /usr/local/cpanel/3rdparty/bin/awstats\.pl.*
    pcmd:/usr/bin/perl /usr/local/cpanel/base/awstats\.pl.*
    pcmd:cpanellogd - (http|ftp) logs for .*
    pcmd:cpanellogd - archiving logs for *
    #cmd:MailWatch SQL
    #cmd:/bin/sh /usr/bin/mysqld_safe

    Also i added google IP range ( into ignore list as their IPs triggering firewall LF_BIND rule.
    One should regularly watch server log files (WHM/Plugins/ConfigServerFirewall/Watch system logs) to prevent blocking unwanted IPs (check IP details by putting it into

    The CSF can be set to block IPs listed on external IP lists. Configure these lists by clicking "lfd Blocklists" button or by editting file /etc/csf/csf.blocklists
    I came to decision to use only these lists:

    Make sure that WHM is monitoring lfd service and keep it running at all times, here are details:

    Hostname which resolves to IP

    - What is your WHM server hostname? (WHM > Home > Networking Setup > Change Hostname) Make sure that if its like "", you created "A" record in your DNS settings of your hosting account. (cPanel/xxx DNS Zone editor /) so your hostname is not non-existing, but really resolves to your server IP. Helps increase chances mails dont go to spam.

    - Also ask your server IP address provider to setup rDNS (reverse DNS) entry for your IP. (PTR record), ask them: Hello, please setup an PTR record to "my.hostname.tld" for my IP ****.

    Also make sure hostname has signed SSL installed:

    Emails are sent from domain of the script

    - Make sure all your hosted scripts like Wordpress, PHPBB, Drupal and others are sending emails from [email protected]else if you tell scripts to send mail from like [email protected], [email protected] etc., such emails can be marked as SPAM by gmail etc! The sender email address of the emails should always be one which is on the domain name where the mailing php script is hosted. (so it looks like a legitimate email)

    - Then enable so called DKIM and SPF for all cpanel acocunts to increase chances your mail is not marked as SPAM: Home / Server Configuration / Tweak Settings - Find "DKIM" and "SPF" and make it "On" by default

    Another Miscelaneous things

    -1) install DDoS Deflate and then i whitelisted localhost IP and my own IP in it:
    # cat "/usr/local/ddos/ignore.ip.list"

    0) If one is using SSD in server, one may consider enabling TRIM, disable access time loging and minimizing linux swapping

    1) Install additional usefull WHM software from ConfigServer: Example: CXS or ConfigServer Mail Queues or ConfigServer Mail Manage or ConfigServer Explorer

    2) check mod_userdir protection is enabled in WHM » Security Center » Apache Mod_userdir Tweak (important security feature)

    3) Run WHM » Security Center » Security Advisor and follow security advices

    4) setup cronjob to automatically change peprmission of the wordpress etc. database data files, command like: find /home -type f -iname "wp-config.php" -exec chmod 600 {} \; this can prevent hacker from other shared cpanel account reading wordpress etc. database data of other users.

    5) In WHM / Service Configuration / PHP Configuration / Advanced config, i have these globally disabled functions: disable_functions = "allow_url_fopen, allow_url_include, apache_child_terminate, apache_get_modules, apache_get_version, apache_getenv, apache_setenv, curl_multi_exec, diskfreespace, disk_free_space, disk_total_space, dl, enable_dl, escapeshellarg, escapeshellcmd, exec, filegetcontents, fsockopen, get_cfg_var, ignore_user_abort, link, passthru, pcntl_exec, pcntl_fork, pfsockopen, phpinfo, popen, posix_getlogin, posix_getpwuid, posix_kill, posix_mkfifo, posix_setpgid, posix_setuid, posix_ttyname, posix_uname, proc_close, proc_get_status, proc_nice, proc_open, proc_terminate, shell_exec, show_source, socket_listen, source, symlink, syslog, system, system_exec, xmlrpc_decode, xmlrpc_entity_decode"
    If some account need one of these enabled, then after considering, i can allow it by adding something like:

    disable_functions = "popen"
    memory_limit = 128M
    magic_quotes_gpc = Off

    (so only that one function is disabled, rest enabled)

    into global php.ini (discover path by command: php -i | grep php.ini)
    The above code must be added to the last line of the global php.ini
    Here is more about this task:

    6) install maldet malware detector for regular scans & probably enable auto quarantine

    7) monitor your IP block (IP subnet) or just IP on which are hosted websites for new phishing/virus issues using . Monitoring can be done by tools mentioned here also theSPAM blacklists can be monitored

    8) hide BIND version number

    9) install & run rkhunter and lynis security auditing tools (try: yum install lynis rkhunter)

    10) install mod_evasive

    11) Edit default page template, suspended page template in: WHM » Account Functions » Web Template Editor

    Default Website Page template

    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "">

    <meta http-equiv="Content-type" content="text/html; charset=utf-8">
    <title>Default Web Site Page</title>
    <h1><span style="color:green;">Default Web Site Page</span></h1>
    <p><strong>TIPS: If you are the web site owner, it is possible you have reached this page because:</strong></p>
    <li>The IP address has changed.</li>
    <li>There has been a server misconfiguration.</li>
    <li>The site may have been moved to a different server.</li>
    <p><strong>If you are the owner of this website and were not expecting to see this page, please contact your hosting provider thru client area and submit a ticket.</strong></p>
    <p>It may be possible to restore access to this site by <a href="" target="_blank">following these instructions</a> for clearing your dns cache.</p>

    <h2><span style="color:green;">Advertisement:</span></h2>
    <p>Join <a href="">Money Maker Forum</a></br>Join <a href="">Webmaster & Hosting Forum</a></br>Get <a href="">$0.5 hosting or a server</a></p>

    Account Suspended template:

    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "">

    <meta http-equiv="Content-type" content="text/html; charset=utf-8">
    <title>Account Suspended</title>
    <h1>Account Suspended</h1>
    <p>This Account Has Been Suspended temporarilly or permanently. But dont worry, this website can be put back online after contacting <a href="">hosting provider</a> and solving issue with this website.</p>
    <p>Possible reasons why you see this page: hosting invoice not paid, website violating terms of service, abuse.</p>

    12. create files that will be added into each newly created cPanel hosting account. Meaning for example: "favicon.ico", "robots.txt", "index.html". This is a directory where to add files:

    cd /root/cpanel3-skel/public_html;ls -l;
    i created robots.txt with following command:

    echo -e "User-agent: *\nCrawl-delay: 3\nDisallow: /cgi-bin/" > robots.txt
    then i uploaded this favicon into same directory:
    ( )

    13. Installing Varnish, can speed up server, but i was getting 403 errors on websites form time to time so i disabled it! Installation:How to install Varnish on an WHM/cPanel server?

    14. Install Nginx as an Apache fronend to speed up whole webserver. It is super simple with NginxCP, here is how to install it: How to install / uninstall NginxCP on an WHM server

    15. Install Mod Security according to manual: ModSecurity how to setup on WHM/cPanel server?

    16. Get alerted if mailqueue is too big and delete user emails if more than certain number: How to prevent exim mailqueue full?

    17. check apache security settings by script from
    Here is backup file:

    18. Tweak apache configuration (WHM/Service configuration/Apache configuration) and set Timeout to like 60 to prevent long running scripts.

    19. another Apache timeouting can be done by module reqtimeout, here is the tutorial

    20. make sure tmpwatch is installed (# yum install tmpwatch) and cleaning /tmp partition, make sure this is in crontab (# crontab -e):
    */20 * * * * tmpwatch --mtime --all 336 /tmp/eaccelerator >/dev/null
    0 * * * * /usr/sbin/tmpwatch --mtime --all 24 /tmp # deleting 24 hours older /tmp files

    21. after accessing http://your.whmserver.hostname/ , if there is an error 500, you can try adding following to the WHM/Service Configuration/Apache Configuration/Include Editor/Pre VirtualHost Include
    <VirtualHost YourWHMServerIPHere:80>
    ServerName YourWHMServerIPHere
    DocumentRoot /home/YourcPanelUsernameHere/public_html/SomeDir
    DirectoryIndex index.php
    ServerAdmin [email protected]

    <IfModule suphp_module>
    suPHP_UserGroup YourcPanelUsernameHere YourcPanelUsernameHere

    This will redirect all hostname/IP visitors to some webpage (php file) instead of error 500. Edit underlined text

    21. to allow people adding addon domain even these are not registered or pointing to different server, edit /var/cpanel/cpanel.config and set allowunregistereddomains to "1"

    22. disable execution of the malicious scripts in tmp directories:

    Regular security scans:

    find /home*/*/public_html -type l
    (finds symlinks in user accounts, that can be a security issue (google: whm symlink race protection)

    find . -type f -newermt 2007-06-07 ! -newermt 2007-06-08
    find files modiffied in certain date period in the past (can be handy if there was some injection or security issue and hacker might inserted malicious scripts to several places)

    find /home -type f -name "wp-config.php" -exec chmod 600 '{}' \;
    find /home -type f -name "config.php" -exec chmod 600 '{}' \;
    above 2 commands change permission of wp-config.php and config.php files (usually used for storing mysql database login credentials) in all cpanel accounts so they cant be read by other scripts on server probably (security measure).

    Transfer of existing cPanel accounts to a WHM server? this tutorial can come handy if you need to transfer exisitng cpanels to new server.
    Attached Images Attached Images  

+ Post New Thread

Similar Threads

  1. Replies: 0
    Last Post: 10-03-2019, 04:00 PM
  2. Replies: 3
    Last Post: 07-15-2014, 12:04 AM
  3. Replies: 0
    Last Post: 06-27-2014, 01:58 PM
  4. The best software setup for a hosting reselling?
    By Fli in forum Reseller Hosting
    Replies: 0
    Last Post: 04-04-2014, 08:37 PM
  5. Replies: 0
    Last Post: 10-31-2013, 12:38 PM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
 Protected by : ZB BLOCK  &  StopForumSpam