Security Archives - InMotion Hosting Support Center
https://www.inmotionhosting.com/support/security/
Web Hosting Support & Tutorials

How to Remove the “Site is Unsafe” Warning
https://www.inmotionhosting.com/support/security/remove-site-is-unsafe-warning/
Fri, 24 Mar 2023 19:34:07 +0000

When you manage a website, your site may come under attack from a hacker or malware that can affect your viewers.  To help identify problem sites, some anti-malware software companies have extended their protection to include websites. 

Websites that are detected to have malware or determined to be unsafe are often blocked by web protection software or search engines.  This blocking takes the form of a warning page or a refusal to connect to that domain.  The appearance of these pages can negatively affect your website traffic.

These warnings can continue even after the problem on the site has been resolved. We will show you examples of the warnings you may see and identify the steps needed to remove these warnings from your website URL.  

Examples of Unsafe Website Warnings

There are many brands of malware detection and prevention software.  This tutorial will focus primarily on Google, McAfee, and Norton.  Although the warnings may appear different, their purpose and function will be similar.  The steps to remove these warnings will only vary based on who is providing the warning.  Knowing the differences between the warnings will also help you to determine where to go to have the warning removed once the issues on the site have been resolved.

Google

Google’s warning messages may vary based on the threat that they perceive.  Here are a few variations of the warnings you may see:

Malware detected on site

Google unsafe site warning

Deceptive site – contains links that are going to locations identified for phishing or the presence of malware.

Google - deceptive site warning

Norton Safe Web

When you see Norton’s warnings, they will generally be labeled with their logo.

Norton Web Safe - Malicious site warning

McAfee WebAdvisor

McAfee warnings may often appear with the same symbols as Google’s warnings.  But the example below shows how the warning may differ.

McAfee WebAdvisor warning

Examples of Warnings on Mobile Devices

You can also see these same messages on a mobile device.  Here are examples of how they may appear.

These warnings simply prevent you from going to a website where malware or bad links could affect the viewer.  In some cases, the messages may allow you to proceed to the unsafe site (in spite of the warning), or you may simply see a link labeled “back to safety.”

Correct the Problems on Your Website

The first step in removing the warnings from your website’s URL is understanding the problem.  You may need to remove malware or fix an issue causing the warning.

Removing the issues from your site may be as simple as uninstalling or replacing a plugin.  However, the issue can also be complicated and may require a developer to step in and take a closer look at your website code.

Sometimes, you may benefit from a backup that dates back to before your website was affected by a hack.  If that is the case, you may be able to restore the backup and then update the site with changes that may have occurred after the backup date.

For more detailed steps on removing malware, refer to this article:  Does Your Site Have Malware?

How to Get the Warnings Off your Site

Removing the warnings on your site will vary based on who is sending the message.  Check with popular services (e.g., McAfee, Norton) to ensure your website is not listed.

Note that in some cases, your web host service may help get your website delisted. Consult their technical support if you are unsure how to get their assistance. 

In order to remove these warnings, follow these steps:

  1. Identify the problem and make sure you understand the issue.

    If you don’t understand the problem, your corrective action may not fix the identified problem.
  2. Remove malware, fix links, change website coding, or remove hacks.

    Note that corrective action may also involve removing links in comments or actions that your website takes that violate policies (e.g., spam generation, phishing/social engineering).
  3. Request a review or dispute the issue with the company identifying your page as “unsafe.”

    This may take the form of an email or online form the software company provides.  This is an example of a message I sent to McAfee to let them know that my website was clear of issues:

    Hello McAfee,

    I am the webmaster for the [website name].  It has been attacked, and I have had to rebuild the site.  

    The site has passed Google’s Search Console after being rebuilt.  I also have moved the site and added a security package to it.  Malware scans used on the site indicate that it is clean.

    Can you please remove our site from your blocklist?

    If we cannot currently be removed from the blocklist, please advise us so that we can take any necessary action to make the site safer.

You will then need to wait on the response.  If your site is cleared, double-check it through their  website checker or software to verify that it is no longer listed or deemed “unsafe.”  

They should respond with information to help guide your next steps if there is a problem. You would then need to fix that problem and re-submit a review of your site.

Google Search Console

You may have received a message indicating the problem if you are already registered with Google.  Follow these steps:

  1. Log into Google Search Console.  
  2. Scroll down the menu until you find Security Actions.
  3. Fix the issue identified by Google.
  4. Request a review of the site.

If your site has been reported through Abusive Experience, go to their page and ensure you are the registered owner and can view the report.  This will allow you to take the proper corrective action.

Each vendor will have a different way of removing the warnings. Still, you can find their information by contacting them or using the following links for the three software companies we have included in this article:

Sometimes, a viewer may provide feedback about a warning page, and you may not have information about the software used. In these cases, you can still request a review and then respond via email to the company blocking your site.


Removing malware from your site may not remove the warning that a software company uses when your domain name is opened on an internet browser.  Removing your website from a blacklist or blocklist will require you to communicate with the company.  By removing your domain from these lists, you can ensure that your viewers are able to properly visit your website instead of seeing a warning page.

What is Monarx Security?
https://www.inmotionhosting.com/support/security/monarx-security/
Thu, 16 Mar 2023 12:02:15 +0000

Monarx Security is a top-notch anti-malware solution that safeguards websites and applications developed using PHP and other programming languages. With its comprehensive threat detection and prevention system, Monarx Security provides protection against a wide range of threats like web shells, adware, phishing, mailers, and many more.

If you’re an InMotion Hosting customer, you can easily keep an eye on Monarx Security activity for free through the cPanel or WHM interface. However, it’s worth noting that currently, Monarx Security is only available for Shared Hosting plans.

Wondering what exactly Monarx Security does? Keep reading to find out!

What is Monarx Security?

Monarx is a unique type of next-generation web firewall (NGFW). It is focused more on the behavior of PHP code, not just how it looks or its signature, both of which can be obfuscated (e.g. polymorphic viruses). This mitigates the possibility of files being falsely marked as malicious, which can lead to issues in clean websites, and decreases the amount of time required to detect zero-day vulnerabilities.

Monarx consists of four main components:

  • Protect – tracks web shell payload deposits and blocks execution
  • Hunter – scanning module that finds existing issues
  • Dashboard – web-based console for viewing detection
  • Agent – a server-side agent that runs Monarx modules and manages detection information configured and sent to the Monarx Cloud.

Here’s how the actual process works.

  1. Install Monarx Security on the hosting server. The agent consists of two modules. Protect tracks and blocks execution of web shell payloads. Hunter runs full and real-time scans for compromised source binaries and web shells weekly.
  2. The Monarx agent downloads security rules related to web apps and content management systems (CMS).
  3. Files that are flagged as malicious by the Monarx agent are automatically processed per security rules and sent to the Monarx Cloud for further analysis. This helps to preserve resource demands on the server.
  4. PHP-based web shells/backdoors are blocked from executing, a technique they dubbed “post-exploit payload prevention.”
  5. Our system administrators are able to use the Monarx API for greater Security Information and Event Management (SIEM) across all shared hosting accounts to better detect code injection and similar attacks.

As you can see, this software-as-a-service (SaaS) does a lot in the background that isn’t common with other web application firewalls (WAF). The best part about it: you can check Monarx activity in cPanel but don’t have to configure anything. Just know that it’s there.

What is a Web Shell?

A web shell is malicious software used to access a system remotely without authorization. Web shells are a major threat because they’re hard to detect while allowing hackers administrative access to do whatever they please, such as:

  • Website defacement attacks
  • Distributed denial of service (DDoS) attacks
  • Privilege escalation to access restricted services
  • Anything else an authorized root user can do

There are three types of web shells:

  • Bind shell: the victim’s system is infected to listen on a specific port (a standard backdoor)
  • Reverse shell (connect-back shell): the system is infected to actively seek a connection to the cyber attacker’s local machine or command and control (C2) system
  • Double reverse shell: a reverse shell where the target machine uses separate ports for input and output

The typical steps an attacker takes to accomplish this are as follows:

  1. Exploit a vulnerability to upload a web shell (payload) to a target machine
  2. Move the web shell to a more accessible public directory
  3. Access the web shell to upload or modify files

In summary, preventing web shell execution reduces the possibility of manipulating your website for crypto mining, spamming, and other malicious purposes. 

How to Access Monarx

Monarx has no control interface in either the WHM or cPanel.  You can access a dashboard when it is present and running on the server. You can see the verification that Monarx is running and a report if malware is detected.

cPanel Access

Here are the steps you must follow to access Monarx through cPanel:

  1. Log into cPanel
  2. Select Monarx Security under Security
  3. Refresh the page if you see the following message: “Monarx is still attempting to provision your account. Please refresh the page. If the problem persists, check back later.”

WHM Access

For WHM, you can access Monarx by searching for it through the web interface:

  1. Log into WHM
  2. Use the Search field and type in “Monarx.”
  3. Monarx Security will appear in the left-hand column. Click on it to open the dashboard.

The dashboard you see in WHM will be the same as the one in cPanel that is displayed in the screenshots below.

Monarx Dashboard

Normally, the Monarx dashboard will state that “you’re protected” and “your site is free of malware!” If not, contact Live Technical Support. On the right side is a list of what types of malware Monarx fights automatically:

  • Uploader access to your server
  • Web shells that enable advanced persistent threat (APT)
  • Phishing and cybersquatting sites injected into your server
  • Mailer applications for spoofing your email accounts
  • Adware scripts embedded into your site
  • Other malware that can infect users that visit your site
cPanel Monarx Dashboard

Select the “Details” tab to view files on your cPanel server marked as suspicious.

  • Date and time discovered
  • Absolute file path
  • Classification (malicious or compromised/infected)
  • Status of the file (quarantined, blocked from executing, cleaned of malware, or logging for further action)
  • Type
Monarx Details page

Submit File for Review

There is one interactive feature for end users at this time. If at any point you find that a compromised file was incorrectly marked as clean by Monarx, you can submit the file for further review. Follow these steps:

  1. Log into cPanel Terminal or SSH using a terminal client of your choice.
  2. Use the following command (replace “filename” with the actual file name):

    monarx-sample-upload filename

Contact Live Technical Support for further assistance.

Monarx software captures further information related to malware detected, including: 

  • File SHA-256 checksum or stronger
  • IP address and country of origin
  • Affected web applications (e.g. CMS plugins and themes)

The “Help” section includes additional information on the Monarx cPanel interface and malware in general.

cPanel Security

Monarx isn’t a defense-in-depth security suite. You still should have a traditional firewall, a Web Application Firewall for your web applications, and antivirus software. 

If you upgrade to a VPS or dedicated server, you’ll have to handle more of your security posture.


Monarx provides advanced malware detection for your web server. It works without any interface with the website administrator and allows reviewing of a suspected file. Its lightweight footprint and operation without user input make it a valued solution for protecting your server.

How to Decide Between reCaptcha v2 and reCaptcha v3
https://www.inmotionhosting.com/support/security/recaptcha-v2-or-recaptcha-v3/
Wed, 26 Oct 2022 12:39:18 +0000

If you’re looking to protect your site from spam bots and other malware abuse, then using reCaptcha should be at the top of your security list. reCaptcha works to distinguish bots from humans. How do you decide between using reCaptcha v2 and reCaptcha v3 to protect your users?

For this article, we’re going to look at the main reasons to understand the differences between reCaptcha v2 and reCaptcha v3. We will describe each version and then discuss the recommendations on when to use one version over the other.

Protected by reCaptcha graphic

Deciding on the Versions of reCaptcha

If you’re not familiar with reCaptcha, a common question that you’ll have is, “Why do I have to decide to use a particular version? Why not use the latest version?”

In some applications, like weForms, you are often given the choice of using reCaptcha to integrate into your application, form, or website. In the screenshot below, you can see that you have a choice of a version of reCaptcha in the settings for weForms.

weForms reCaptcha settings

There are differences in the versions that can affect what you choose to use. Understanding these differences in the versions will also help you in deciding why to use one version over the other.

Your understanding of your website or online application along with your experience and role in its development or maintenance will also be a factor in deciding the version that you choose.

This article will describe the differences between the versions and help you decide on which version to use when you add it to your website/application.

reCaptcha v2

reCaptcha v2 and reCaptcha v3 ultimately aim to provide the same service to your web application – protection from bots that would abuse your site while allowing human visitors to pass through. There are three variations that are available in version 2.

  • “I’m not a robot” Checkbox
  • Invisible reCAPTCHA badge
  • reCAPTCHA Android

“I’m not a robot” Checkbox

checkbox for reCaptcha

This version needs a user to click on a checkbox. When the box is checked, then it confirms that the user is human or challenges them with a reCAPTCHA to verify. This option is the easiest to use as it only requires two lines of HTML for the checkbox.

Invisible reCAPTCHA

This reCAPTCHA does not require interaction from the viewer. It is called when a user clicks on an existing button on the site. It can also be invoked by a Javascript call. A CAPTCHA is invoked only when very suspicious traffic is hitting the site. This trigger level can be made more strict by adjusting the site security settings.

The code to invoke the reCaptcha widget can be found on the Google developer’s page. The code includes both the option to automatically render it or to call it via Javascript.

Android

The Android version of reCaptcha v2 works by using a site key and a reCaptcha token with the SafetyNet service API. The server for your Android app shares the secret key with the SafetyNet server to provide validation securely. When the challenge is completed, a reCaptcha token is generated and sent from your server through the SafetyNet server, and then your app is able to respond to the Android app with a success (or fail) notification.

In simpler terms, reCaptcha will serve a Captcha if the interaction with your app is suspected to be a bot instead of a human. If the CAPTCHA is solved then the app will let the transaction proceed.

There have been updates to the API and you should check the developer’s page to make sure that you are using the most recent code before using it with your app.

reCaptcha v3

Version 3 of reCaptcha works by reviewing the traffic on your site and then taking the appropriate action if needed. It generates a score that allows reCaptcha to determine if the interactions in your site traffic are abusive or not. Generally, reCaptcha verification will be running on forms and actions on your site in order to gather the appropriate data.

Examples of areas in your website where scores may be generated by reCaptcha include:

  • Homepage
  • Login
  • Social
  • eCommerce

reCaptcha v3 “learns” about the traffic on your site by observing, analyzing, and scoring it. Note that reCaptcha v3 does not stop traffic/interactions on your site. Instead, it takes actions based on the identified behavior. Examples of actions based on behavior include requiring email verification for suspect logins, automatically sending spammy posts to moderation, or identifying and filtering out fake friend requests.

When you launch your site, you will need to determine the scoring thresholds by which reCaptcha will act by reviewing your site traffic through the Google Administrator Console for reCaptcha.

Analytics on Google console for reCaptcha
Example of traffic analysis

reCaptcha v3 works best when it is able to see legitimate traffic/interactions versus actions that are suspect or harmful to your site. It does this by gathering data in different areas of your site and using your threshold score to judge the interactions.

Example of website pages that can be covered by reCaptcha v3

For example, reCaptcha code could be added to all the major pages of an eCommerce site. You can then review the traffic as analyzed by reCaptcha and then adjust your threshold as necessary in the areas of your site so that you can make sure that the site is not getting abusive traffic.

To learn more specifics on the implementation of reCaptcha v3, please see the reCaptcha v3 guide from the Google Developer site.
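
The score-and-threshold handling described in this section, shown on the server side as an added example (not code from the original article or from Google). It works on the JSON fields that the siteverify endpoint returns; the thresholds, hostname, function names and sample responses are assumptions constructed for illustration.

```python
"""Act on a reCaptcha v3 verification result with per-action score thresholds."""
import urllib.parse
import urllib.request

VERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"
EXPECTED_HOSTNAME = "www.example.com"  # assumption: the host serving your pages

# Assumed starting thresholds per action; adjust them after reviewing real
# traffic in the reCaptcha admin console.
THRESHOLDS = {"login": 0.7, "comment": 0.5}
DEFAULT_THRESHOLD = 0.5

# What to do with a low score, following the examples given in the article.
LOW_SCORE_ACTION = {
    "login": "require_email_verification",
    "comment": "send_to_moderation",
}

# Constructed sample responses (already parsed from JSON).
HUMAN_LOGIN = {"success": True, "score": 0.9, "action": "login",
               "hostname": "www.example.com",
               "challenge_ts": "2022-10-26T12:39:18Z"}
SUSPECT_LOGIN = {"success": True, "score": 0.3, "action": "login",
                 "hostname": "www.example.com",
                 "challenge_ts": "2022-10-26T12:40:02Z"}
SPAM_COMMENT = {"success": True, "score": 0.1, "action": "comment",
                "hostname": "www.example.com",
                "challenge_ts": "2022-10-26T12:41:45Z"}
REPLAYED_TOKEN = {"success": False, "error-codes": ["timeout-or-duplicate"]}


def build_verify_request(secret, token, remote_ip=None):
    """Build (but do not send) the server-side POST that checks a client token."""
    fields = {"secret": secret, "response": token}
    if remote_ip:
        fields["remoteip"] = remote_ip
    data = urllib.parse.urlencode(fields).encode("ascii")
    return urllib.request.Request(VERIFY_URL, data=data, method="POST")


def decide(result, expected_action):
    """Map a parsed siteverify response to a (decision, reason) pair."""
    # A token that failed verification carries no usable score: fail closed.
    if result.get("success") is not True:
        codes = ", ".join(result.get("error-codes", [])) or "no error code"
        return "reject", f"token failed verification ({codes})"
    # A valid token is only meaningful for the site and action it was issued for.
    if result.get("hostname") != EXPECTED_HOSTNAME:
        return "reject", "token was issued on another hostname"
    if result.get("action") != expected_action:
        return "reject", "token was issued for another action"
    score = result.get("score")
    if isinstance(score, bool) or not isinstance(score, (int, float)):
        return "reject", "response carries no numeric score"
    threshold = THRESHOLDS.get(expected_action, DEFAULT_THRESHOLD)
    if score >= threshold:
        return "allow", f"score {score} >= {threshold}"
    # Low score: add friction instead of blocking the visitor outright.
    fallback = LOW_SCORE_ACTION.get(expected_action, "manual_review")
    return fallback, f"score {score} < {threshold}"


if __name__ == "__main__":
    for name, sample, action in [
        ("human login", HUMAN_LOGIN, "login"),
        ("suspect login", SUSPECT_LOGIN, "login"),
        ("spam comment", SPAM_COMMENT, "comment"),
        ("replayed token", REPLAYED_TOKEN, "login"),
        ("comment token on login", SPAM_COMMENT, "login"),
    ]:
        print(name, "->", decide(sample, action))
```

The secret key stays on the server and is only ever sent in the siteverify POST; the browser sees the site key and the token.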

Recommendations - Which Version Should I Use?

Based on the definitions of the two versions, you can see that both have merits for use. Although version 3 is the newest version, it also has the most administrative work that is involved in its use. Version 2 provides several different versions that can be used, with one specific to Android.

Pick the version of reCaptcha based on your experience and your website/application needs.

If you are in need of a very quick and simple solution to help secure your website page, then I would recommend using reCaptcha v2 – “I’m not a robot” checkbox. It has only 2 lines of HTML code in order to add it to your page.

If you don’t have a complicated website with many user interactions and you don’t have a developer or administrator to help you manage your website, then you may want to think about using reCaptcha v2 – “Invisible checkbox.” It will not be as effective as version 3 in separating the bots from humans, but it can be adjusted to be more strict should you find that your site is being hit with bots.

reCaptcha v3 is the latest iteration of the security application from Google. It allows traffic to hit your website, but like version 2 (Invisible reCaptcha) it works in the background. Its main difference is that it analyzes the traffic to your web pages and then takes action based on the score thresholds that you establish through the Google Admin Console for reCaptcha.

This version lets you determine the actions taken when you have suspicious activity on your site. So, if you have a large site with a lot of traffic and you want to make sure that your users remain secure while separating any bots, then you will want to use reCaptcha v3.


Both reCaptcha v2 and reCaptcha v3 help to provide security by identifying robots from humans in order to stop attacks on your online services. There are different versions of the application that can be used based on your experience and the complexity of your online application. Pick the version that works best for you to help keep your website or online application and your customer safe and secure.

Secure Your Debian Cloud Server With UFW (Uncomplicated Firewall)
https://www.inmotionhosting.com/support/security/ufw-basics/
Thu, 06 Jan 2022 19:37:16 +0000

UFW (uncomplicated firewall) is an easy way to configure your cloud server firewall. You can add simple rules that govern access to various ports on your server. In this article, you will get the basics on how to set up your firewall using UFW for a cloud server running a basic website and allowing for SSH access.

In order to complete this tutorial you will just need to log into your server via SSH. Once there, you can run all of the commands provided from your favorite terminal emulator.

Note that all UFW commands require root or “sudo” privilege levels. Each command below is written assuming you have logged into your server as (or have otherwise assumed) the root user.

Note: in this article, you will be enabling your firewall by first closing all ports and then adding back the ports you need to operate a website and allow SSH access. This means that while ports 80 and 443 are closed your current website (if you have one) will be inaccessible. But it will soon return as we open those ports again.

Basic Port Assignments

Your cloud server comes with a few services pre-installed and running on standard ports. These include:

  • SSH on port 22
  • HTTP on port 80

The idea behind using a firewall is that it gives you more control over how your server can be accessed.

Install UFW (Uncomplicated Firewall)

First, you will need to make sure that UFW is installed on your system. If not, you can easily install it using the apt package manager:

apt install ufw

Basic UFW Setup

For your cloud server running a website you will want to make sure that you are able to serve HTTP and (optionally) HTTPS, while making sure to keep port 22 open, so you can access your server via SSH.

Instead of going through port by port and selecting which ones you want to allow or deny access to, it’s easy to start configuring your firewall by denying access to all ports and then adding back only the ones you need.

ufw default deny incoming

And now add back SSH support:

ufw allow in ssh

You will see a notice warning you that this might interrupt SSH connections:

Command may disrupt existing ssh connections. Proceed with operation (y|n)?

Enable the firewall:

ufw enable

The firewall is now enabled. If you have a website running on the server you will notice it is not accessible at the moment.

To allow connections to the website, run this command:

ufw allow in 'WWW Full'

'WWW Full' is a shorthand rule for allowing HTTP and HTTPS traffic on ports 80 and 443, respectively.

Reload the firewall to initiate the new rule.

ufw reload

Your website is now back online.

Checking Status

You can check the status of your firewall anytime by running the “status” command:

ufw status

Or, for more information about your rules, you can use the verbose option:

ufw status verbose

The snippets above provide you with the most basic setup for your cloud server firewall.
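
A check of the `ufw status verbose` output against the policy set up above (incoming denied by default; SSH, HTTP and HTTPS allowed), as an added example that is not part of the original tutorial. The function names and the sample status text are constructed, and the expected port set is an assumption taken from this tutorial's rules.

```python
"""Audit `ufw status verbose` output against the policy this tutorial sets up."""
import re
import sys

# Assumption: the only inbound TCP ports wanted are SSH, HTTP and HTTPS.
EXPECTED_TCP = frozenset({22, 80, 443})

# Constructed sample of what `ufw status verbose` prints after the steps above.
SAMPLE_STATUS = """\
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
80,443/tcp (WWW Full)      ALLOW IN    Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)
80,443/tcp (WWW Full (v6)) ALLOW IN    Anywhere (v6)
"""

# One rule row: destination, action, optional direction, source.
RULE = re.compile(
    r"^(?P<to>.+?)\s+(?P<action>ALLOW|LIMIT|DENY|REJECT)"
    r"(?:\s+(?P<dir>IN|OUT|FWD))?\s+(?P<src>.+)$"
)
# Destination such as "22/tcp", "80,443/tcp" or "6000:6007/tcp".
PORTSPEC = re.compile(
    r"^(?P<ports>\d+(?::\d+)?(?:,\d+(?::\d+)?)*)(?:/(?P<proto>tcp|udp))?"
)


def expand_ports(spec):
    """Turn "80,443" or "6000:6002" into a set of port numbers."""
    ports = set()
    for part in spec.split(","):
        low, _, high = part.partition(":")
        ports.update(range(int(low), int(high or low) + 1))
    return ports


def parse_status(text):
    """Extract firewall state, default incoming policy and open TCP ports."""
    state = {"active": False, "default_in": None, "open_tcp": set(), "unparsed": []}
    in_rules = False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Status:"):
            state["active"] = line.split(":", 1)[1].strip() == "active"
        elif line.startswith("Default:"):
            m = re.search(r"(\w+) \(incoming\)", line)
            state["default_in"] = m.group(1) if m else None
        elif line.startswith("--"):
            in_rules = True  # rule rows follow the dashed separator
        elif in_rules and line:
            m = RULE.match(line)
            if not m:
                state["unparsed"].append(line)
                continue
            # Only inbound rules that let traffic through matter here.
            if m["action"] not in ("ALLOW", "LIMIT") or m["dir"] not in (None, "IN"):
                continue
            spec = PORTSPEC.match(m["to"])
            if not spec:
                # e.g. "Anywhere ALLOW IN 203.0.113.7": needs a human look.
                state["unparsed"].append(line)
            elif spec["proto"] in (None, "tcp"):
                # Rules limited to one source address still count as open.
                state["open_tcp"] |= expand_ports(spec["ports"])
    return state


def audit(text, expected=EXPECTED_TCP):
    """Return a list of findings; an empty list means the policy matches."""
    state = parse_status(text)
    if not state["active"]:
        return ["firewall is not active"]
    findings = []
    if state["default_in"] != "deny":
        findings.append(
            f"default incoming policy is {state['default_in']}, expected deny")
    for port in sorted(expected - state["open_tcp"]):
        findings.append(f"expected port {port}/tcp is not allowed")
    for port in sorted(state["open_tcp"] - expected):
        findings.append(f"unexpected port {port}/tcp is allowed")
    for line in state["unparsed"]:
        findings.append(f"rule needs manual review: {line}")
    return findings


if __name__ == "__main__":
    # Audit a saved status file if one is given, otherwise the sample above.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            status = fh.read()
    else:
        status = SAMPLE_STATUS
    problems = audit(status)
    print("\n".join(problems) if problems else "firewall matches the expected policy")
    sys.exit(1 if problems else 0)
```

Save the output with `ufw status verbose > status.txt` and pass the file name as the first argument; a missing 22/tcp finding means SSH access is not covered by any rule.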

How to Log into Your Cisco ASA Firewall
https://www.inmotionhosting.com/support/security/login-cisco-asa/
Mon, 24 May 2021 13:00:00 +0000

Cisco Adaptive Security Appliance (ASA) 5500-X series firewalls are a hardware security add-on available for securing Dedicated Server Hosting plans. Having the Cisco ASA firewall inspect traffic before it reaches your server environment has great benefits:

  • Reduce the load on web application firewall (WAF) solutions including ModSecurity and Fail2ban
  • Conserve system processing power to improve performance for web applications
  • Better overall protection against denial of service and other cyber attacks

Upon purchasing a Cisco ASA, you’ll be emailed firewall login credentials. We recommend saving the firewall IP address, user credentials, and required steps in a password manager such as KeePass. Then remove the email before an email-based cyber attack occurs.

Log into the Cisco ASA Firewall

Secure Shell (SSH) is the default method to log into Cisco ASA 5505/5506-X firewalls. Contact Live Support if you’re unsure which firewall model you use.

  1. Log into your dedicated server command-line interface (CLI) as root with SSH. cPanel server administrators can use WebHost Manager (WHM) Terminal instead.
  2. Log into your Cisco firewall with the following command, using your actual firewall username and IP address:
    ssh firewallusername@firewall.ip
    If successful, you’ll see the number of recent firewall login attempts, last login, and other security information.
  3. You can check your ASA version with the following command:
    sho ver

Change Your Cisco ASA 5506 Password

  1. Log into your hardware firewall as instructed above.
  2. The following command prompts you to update your user password:
    change-password
  3. Type the old password.
  4. Type your new password.
  5. While still logged into the current terminal session, log into your firewall from a new SSH session to test your changes.

Forgot Your Password

If you forget your Cisco ASA password, contact Live Support. If the user lockout incident is severe, our systems administration team may have to reset the hardware firewall. Ensure you have a recent backup of your Cisco configuration file.

Once you’re able to log in, you’ll want to take necessary steps to harden the firewall to suit your needs. To learn more about managing your hardware firewall, check out official Cisco documentation. InMotion customers can use Launch Assist to request free assistance from Managed Hosting.

How to Encrypt Files with GPG
https://www.inmotionhosting.com/support/security/encrypt-files-with-gpg/
Tue, 09 Mar 2021 16:57:43 +0000

Encrypting files with GNU Privacy Guard (GPG) is one of the best known ways to protect your most critical data. If you have already followed our guide on creating a GPG key, you are now ready to encrypt files using your key, rendering these files readable only to people you have designated.

Most Often Used to Secure Email

GPG is commonly used to send encrypted email back and forth between two or more parties. If you have any kind of secret or proprietary information, using email encryption is the best way to make sure the content is readable only by the people you trust.

But when not used for email, GPG can be used to encrypt individual files or archived files. If you don’t want to set up encryption in your email client, or if you don’t have the privilege, you can still encrypt individual files and send them as attachments.

How to Encrypt Files with GPG

For more information be sure to check out the GPG documentation.

There are two important parts of the encryption process. First, you have to associate a key with the file so that the GPG program knows which key to use. But to make it easier, and faster, you can sign and encrypt a file with one command—if you use the correct options.

gpg --encrypt -r joe@example.com file.txt

What do these options mean?

--encrypt
As it indicates, “encrypt” will create an encrypted copy of the file.
-r
“Recipient” indicates that you will provide an email address (associated with a key) to use for encrypting this file.

Other Security-related Resources

Giving Your Developer Access to Your Account
https://www.inmotionhosting.com/support/website/website-design/developer-access/
Tue, 10 Nov 2020 15:00:26 +0000

If you hire a developer or designer, there are a few different ways to provide them access to your website. Different types of websites require different types of access. In this article, we’ll walk you through the different levels of access you can give your developer and how to safely provide that account access.

Note: this article covers how to provide your developer or designer with the type of access needed to work on and edit your website. If you’re trying to transfer your site, please see our guide on Helping your Designer Transfer your Website.

Levels of Developer Access

At the top level is your Account Management Panel (AMP), which provides full access to your hosting plan, billing information, and personal financial data. You should never give a third-party developer access to your AMP. There are a handful of tasks that can only be carried out in AMP, but you can easily take care of these yourself; see our article on Tips for using AMP for more information.

Next, we have server access. This includes both cPanel, a server control panel available on many of our accounts, and SSH access. Both of these programs allow you to use a program like Softaculous to install new programs on your account. At the server level, you can add new domains to an account and install new programs.

File Transfer Protocol (FTP) access lets your developer access your server’s files. It’s often used to upload sites during a transfer or install WordPress plugins. FTP access varies from one FTP account to another. You can create an FTP account that only offers access to part of a website, or an FTP account that offers access to everything on all of your sites.

At the lowest level of access are site logins. This includes WordPress logins and usernames. These logins provide access only to the controls and tools of an individual site itself, without direct access to the files, database, or server. For small changes, like updating a theme or adding an article, this is all some people will need.

Choosing a Level of Access

As a general rule, you want to give your developer or designer as little access as possible without affecting their ability to work on your site. WordPress websites serve as a good example. You may wish to only give your developer access to your site with a WordPress account. The issue is that WordPress websites, and other sites built around a database, may require cPanel access to troubleshoot database issues. Always discuss the access your developer will need with your developer, and reach out to our Support Team if you are unsure.

Issues to Watch Out For

Remember to change your passwords frequently, and make sure to never use the same password for two different sites. By default, your cPanel password is the same password as your AMP password. The concern here is that someone you give the cPanel password to could potentially log into your AMP account as well. Change your cPanel password before giving your developer cPanel access, so that you stay in control of your account and personal financial information.

Note: You can also set up a developer passphrase for your developer to verify the account if they contact us for support. This verification method, unlike other verification methods, does not authorize us to make any billing-related changes during that contact session. You can create this in AMP by hovering over My Account and selecting Login & Security.

Remember to remove access to your site or account after your developer’s work is finished. For cPanel, start by checking the email address listed in your cPanel contact information and change it if needed. Be sure to reset the cPanel password.

Always review your FTP accounts area in cPanel after a developer has had access and either change all account passwords or delete the FTP accounts. This is true even if you did not explicitly give your developer FTP access.

If an email address was created in cPanel for your developer, you can either delete the email address or, if you want to keep the email account up, change the email account password in cPanel.

If you added your developer as a second point of contact in AMP, update your contact information in AMP. You can always remove the ‘developer verification’ from AMP if you set that up as well.

If you created a WordPress user for your developer, change the user role to one without access to edit the site, or remove the user.

ClamAV or ImunifyAV Free – Which 1 is the Best cPanel Antivirus Scanner
https://www.inmotionhosting.com/support/security/clamav-or-imunifyav/
Mon, 09 Nov 2020 16:43:36 +0000

Antivirus, anti-virus, AV, or anti-malware scanners protect users from uploading and using malicious data on your Linux VPS. While your choice of Linux operating system (OS), or distribution (distro), can change the probability for successful cyber attacks, it won’t negate it altogether.

There are many free AV scanners for every OS including Bitdefender, MalwareBytes, and SUPERAntiSpyware. For cPanel server security, the two most popular options are ClamAV or ImunifyAV Free. In this article, we’ll discuss:

cPanel AV Scanning

For years, we’ve recommended the ClamAV cPanel plugin for customers looking to harden cPanel servers. It’s easy for cPanel and WebHost Manager (WHM) users to use. It’s easy for power users to configure in the terminal, or command line interface (CLI). It integrates well with a lot of software via third-party modules and clamd.conf configuration. Its developer, Cisco, is a brand familiar to experienced IT professionals. There’s even a ClamTK GUI application for Linux desktop users.

Then CloudLinux created something to rival the go-to server scanning application – ImunifyAV. Like ClamAV, ImunifyAV is easy to use and maintained by a well-known company. Unlike ClamAV’s cPanel plugin, there are more GUI options that make configuration quicker. But which AV scanner is best for your hosting plan, expertise, and needs?

ClamAV

ClamAV enables users to scan their cPanel accounts anytime. However, advanced features are only configurable from SSH.

Pros:

  • Completely free and open source
  • Scans from cPanel and CLI
  • Can be configured to scan remote files
  • Available on many popular server and desktop Linux distros – Ubuntu, Arch, etc.
  • Third party Integrations available for many other web applications including Mattermost, Nextcloud, Moodle, and Splunk log analyzer
  • Very stable; been around for years

Cons:

  • Only configuration options in WHM are what types of files to scan
  • All other features must be configured in the CLI

ImunifyAV FREE

ImunifyAV FREE can do monthly automatic scans and results will show in WHM and cPanel. However, cPanel users cannot start cPanel account scans and you must pay for some important features such as more frequent automatic account scans set in WHM.

Pros:

  • Scans entire server from WHM and CLI
  • Monthly automatic scans easy to configure from WHM
  • More options and information available in WHM and cPanel compared to ClamAV including resource management settings
  • History of results for past scans
  • List of directories in a specified “Ignore list”

Cons:

  • ImunifyAV must be configured for the ability to initiate scans from cPanel
  • Important features in WHM such as automatic cleanup and more frequent automated scans require a paid subscription
  • No popular third party integrations to connect with other web applications yet
  • Fairly new, most documentation only available from official website

Which is Best For You – ClamAV or ImunifyAV Free?

Enabling cPanel Users

Because cPanel users can initiate scans with ClamAV, it may be best for cPanel server administrators and resellers wanting to enable end users to be more proactive in their website security posture.

Easier Configuration and Automated Scans

ImunifyAV FREE and ImunifyAV+ versions have more features available in WHM and cPanel for faster setup. Sysadmins willing to pay for additional features can enjoy many more options without the terminal.

System administrators wanting to reduce the load on cPanel users may prefer ImunifyAV for the easy setup for monthly server scans.

System Admin

Sysadmins wanting to enable cPanel users, not wanting to pay for additional GUI features, and willing to do some extra configuration may prefer ClamAV. Sysadmins can configure automated scans, quarantine methods, and notification options with cron jobs.
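One way to wire up the cron-driven scan, quarantine and notification mentioned above, as an added example (not InMotion's or the ClamAV project's own script). The paths, the mail recipient, the availability of a `mail` command and the function names are assumptions; the clamscan options and exit codes (0 clean, 1 malware found, other values error) are standard.

```shell
#!/bin/sh
# Added example: cron-driven ClamAV scan with quarantine and e-mail notification.
# All paths, the recipient and the function names are assumptions; adjust them.
# Example crontab entry (root), daily at 03:15:
#   15 3 * * * /root/clamav-nightly.sh --run

SCAN_ROOT="${SCAN_ROOT:-/home}"
QUARANTINE="${QUARANTINE:-/root/clamav-quarantine}"
LOG_DIR="${LOG_DIR:-/var/log/clamav-cron}"
NOTIFY="${NOTIFY:-root@localhost}"

# clamscan exit status: 0 = nothing found, 1 = malware found, anything else = error.
scan_verdict() {
    case "$1" in
        0) echo clean ;;
        1) echo infected ;;
        *) echo error ;;
    esac
}

# Run one recursive scan. Prints the log path and returns clamscan's status.
run_scan() {
    mkdir -p "$QUARANTINE" "$LOG_DIR" || return 2
    chmod 700 "$QUARANTINE" || return 2   # quarantined files stay root-only
    scan_log="$LOG_DIR/scan-$(date +%Y%m%d-%H%M%S).log"
    scan_status=0
    # -r recurse, -i report infected files only, --move quarantines detections.
    clamscan -r -i --move="$QUARANTINE" --exclude-dir="^$QUARANTINE" \
        --log="$scan_log" "$SCAN_ROOT" >/dev/null 2>&1 || scan_status=$?
    echo "$scan_log"
    return "$scan_status"
}

# Scan, mail a report unless the result is clean, print the verdict.
nightly_scan() {
    status=0
    log=$(run_scan) || status=$?
    verdict=$(scan_verdict "$status")
    if [ "$verdict" != clean ]; then
        {
            echo "ClamAV scan of $SCAN_ROOT on $(uname -n): $verdict"
            echo "Quarantine: $QUARANTINE"
            echo "Log: $log"
            if [ -f "$log" ]; then grep 'FOUND$' "$log" || true; fi
        } | mail -s "[clamav] $verdict on $(uname -n)" "$NOTIFY"
    fi
    echo "$verdict"
    [ "$verdict" = clean ]
}

if [ "${1:-}" = "--run" ]; then
    nightly_scan >/dev/null
fi
```

Because `--move` relocates every detection, a false positive can take a site file offline; review the quarantine directory and the log after each notification.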

How did you decide whether to use the ClamAV or ImunifyAV Free cPanel plugins?

Install Splunk on Linux – Complete Setup Guide
https://www.inmotionhosting.com/support/security/install-splunk/
Mon, 02 Nov 2020 21:25:45 +0000

We have many guides on securing common web hosting solutions: cPanel servers, bare cloud servers, and even the popular WordPress content management system (CMS). Each includes great technical controls for a proactive approach to defense in depth. However, nothing can detect and prevent everything. The only way to address this is to apply administrative controls, primarily log auditing.

Audit log management, also known as security information management (SIM), is more than website analytics such as page visits, bounce rate, and referral URLs. It includes:

  • Uptime
  • Account-specific actions
  • File change management
  • Login attempts and failures
  • Port and other reconnaissance scans
  • Incoming and outgoing network traffic

The processes for auditing system-wide information and events are known respectively as security information management (SIM) and security event management (SEM). Combining the two types of information is known as security information and event management (SIEM).

Server logs are oftentimes neglected if not natively accessible from a graphical user interface (GUI). Proactively scanning these logs can help you understand your residual risk to cyber attacks not prevented by current technical controls and how to strengthen your security stance.

Below we’ll cover:

What is Splunk?

Splunk Enterprise is a SIEM application that gathers, organizes, and visualizes machine-generated log data from local and remote machines, websites, and cloud services. Having Splunk set up with your physical and cloud systems can be valuable for staying ahead of cybersecurity, connectivity, and other big data initiatives.

How to Install Splunk Enterprise

Install Splunk Enterprise on CentOS

  1. Create an account on Splunk.com.
  2. Select Free Splunk in the upper-right corner.
  3. Select Free Splunk.
  4. Select Linux, then Download Now beside .rpm.
  5. Upload the file to your server.
  6. SSH into your server as root.
  7. Install the Splunk Enterprise RPM file:
    rpm -i path-to-file/splunk-versionnumber.rpm
  8. Continue to Splunk setup.

Install Splunk Enterprise on Debian/Ubuntu

  1. Create an account on Splunk.com.
  2. Select Free Splunk in the upper-right corner.
  3. Select Free Splunk.
  4. Select Linux, then Download Now beside .deb.
  5. Upload the file to your server with SCP, replacing the filename, username, and server hostname as needed:
    scp splunk-versionnumber.deb root@11.22.33.44:/root
  6. SSH into your server as root.
  7. Install the Splunk Enterprise DEB file:
    dpkg -i splunk-file.deb
  8. Verify Splunk installation status:
    dpkg --status splunk
  9. Continue to Splunk setup.

Change Your Default Shell

Splunk recommends using bash as your default shell as Debian’s default shell, dash, may cause zombie processes which cannot be killed. Below we’ll cover how to change your default Debian shell.

  1. Find your default shell:
    which sh
  2. You should see /bin/sh or another symbolic link. Use ls to find the actual shell:
    ls -l /bin/sh
  3. If it doesn’t show bash at the end, view installed shells to ensure it is installed:
    cat /etc/shells
  4. Delete the symbolic link:
    rm /bin/sh
  5. Create a new symbolic link pointing /bin/sh to bash:
    ln -s /bin/bash /bin/sh

Complete Splunk Setup

After you install Splunk, follow the steps below to complete your Splunk setup.

  1. Use Splunk to start the Splunk service:
    /opt/splunk/bin/splunk start
  2. Read the license agreement. At the end, select y and Enter.
  3. Create a username.
  4. Create a password with at least eight characters.
  5. Once Splunk installation is complete, the last line will provide the URL to access the web interface: http://serverhostname:8000.
  6. Open port 8000 in your firewall: Firewalld, UFW, CSF, etc.

    Keep in mind that if you get locked out of your server and restart it, you’ll need to start the Splunk service again before you can access the Splunk dashboard.

  7. Open your Splunk web interface in your browser.

How to Log into the Splunk Dashboard

There are multiple options for logging into your Splunk dashboard depending on your server configuration. What matters most is that you use :8000 at the end.

Server hostname: http://vps#####.inmotionhosting.com:8000
Server IP address: http://1.2.3.4:8000
Primary domain: http://domain.com:8000

How to Reset Your Splunk Administrator Password

There’s no “Forgot password” link on the native Splunk login page. You’ll need to edit the Splunk passwd file.

  1. SSH into your server.
  2. Navigate to your Splunk /etc directory (e.g. cd /opt/splunk/etc). You can use the find command if needed.
    find / -iname splunk | grep etc

    Don’t edit a file in the /virtfs directory.

  3. Rename the file passwd to something else:
    mv passwd passwd.backup20201030
  4. Navigate to the Splunk system/local directory:
    cd ../system/local
  5. Create and edit a new file:
    nano user-seed.conf
  6. Inside the new file, add the following with a new username and password:
    [user_info]
    USERNAME = admin
    PASSWORD = C0mp!c@T3Dp@s$w0RD
  7. Save your file.
  8. Restart Splunk to create a new passwd file:
    /opt/splunk/bin/splunk restart
  9. Log into your Splunk web interface with the new username and password.

Change Splunk Admin Username

If you want to change your admin username, possibly because you’ve noticed brute force login attacks for predictable usernames, follow the steps below to better secure your Splunk setup.

  1. Edit your Splunk passwd file:
    nano /opt/splunk/etc/passwd
  2. Edit the username at the beginning of the file.
  3. Save your changes.
  4. Restart Splunk:
    /opt/splunk/bin/splunk restart 
  5. Log into Splunk.

Monitor Data in Splunk

Below we’ll cover how to add your first log source into your Splunk setup.

  1. Log into your Splunk web interface.
  2. Select Add Data.
  3. At the bottom, select Monitor.
  4. On the left of the Select Source page, select Files & Directories.
  5. Select Browse.
  6. Specify a file or directory to monitor and click Select. For example, you can monitor a cPanel log, Apache access log (similar to GoAccess Analytics), or a cPanel user directory. We’ll use the /var/log/secure log file, which tracks SSH logins and authentication failures on CentOS. Debian/Ubuntu users will instead use /var/log/auth.log.
  7. Select Continuously Monitor to show updates to the log file in real-time.
  8. At the top, select Next to access the Set Source Type page.
  9. Source type on the left should state “linux_secure” so Splunk knows it is Linux security information. Otherwise, select the button and select linux_secure from the drop-down menu.
  10. Select Next at the top.
  11. (Optional) On the Input Settings page, you can change the App context, machine hostname, and Index.
  12. Select Review.
  13. Ensure everything is correct and select Submit.
  14. You’ll see “File input has been created successfully.” Select Start Searching.
  15. To modify the event results, select Settings and Data Inputs from the upper-right corner.
  16. Select the data input type on the left. For this example, we’ll select Files & Directories.
  17. Select Enable or Disable for the data path in the Status column.

Splunk Apps and Add-ons

You can customize your Splunk setup with a massive database of apps and add-ons for better data analysis for your specific server environment. You can install Splunk apps from Splunkbase.Splunk.com/apps or directly within your Splunk dashboard.

From your Splunk dashboard, select the gear icon on the left beside Apps. On other pages, select Apps and Manage Apps from the top-left of the page. From here you can:

  • Disable and enable installed apps
  • Modify permissions
  • Update settings
  • Launch apps

At the top are links to browse installable Splunk apps, install apps manually, and create an app.

Install Apps in Splunk Dashboard

  1. From the Splunk homepage, select + Find More Apps on the left.
  2. On the left, search for an app.
  3. Select the Install button for the app you wish to install. We’ll use the Website Monitoring Splunk app for our example.
  4. Provide your Splunk.com user credentials, then accept the terms and conditions.
  5. Select Login and Install.
  6. If notified “Restart Required,” select Restart Now. Click OK once the restart is successful.
  7. Log back into your Splunk dashboard.
  8. Select Apps at the top or return to the homepage to see the new app available on the left.

Manually Install Splunk Apps

  1. Visit https://Splunkbase.Splunk.com.
  2. At the top, search for an app.
  3. Select an app. We’ll use the Splunk Add-on for Cisco ASA app as an example.

    The Cisco ASA hardware firewall is available with our Dedicated Server Hosting plans.

  4. On the right, click Download, or Login to Download if applicable.
  5. Accept the license agreements and click Agree to Download.
  6. Save the file to your computer.
  7. Verify the checksum of your downloaded file against the provided message digest. For example:
    Windows:
    certutil -hashfile SplunkFile.tgz sha256; echo ProvidedChecksum

    Mac:
    shasum -a 256 SplunkFile.tgz && echo ProvidedChecksum

    *nix:
    sha256sum SplunkFile.tgz && echo ProvidedChecksum 
  8. Once you’ve verified the checksums match, press OK. If not, troubleshoot why the checksums differ before continuing to ensure you don’t upload a corrupted or malicious file.
  9. On the Splunkbase site, select the Details tab for additional installation information.
  10. In your Splunk web interface, go to your Apps page.
  11. Select Install app from file.
  12. Browse your local machine and select the compressed Splunk app file.
  13. Click Upload. If successful, you’ll see “[App] was installed successfully” and it’s already enabled.

Learn more about how to get the most out of your SIEM software with official Splunk documentation. Or learn more about free cybersecurity applications and how to stay updated on industry news.

How to Hide your WordPress Admin URL with iThemes Security
https://www.inmotionhosting.com/support/edu/wordpress/hiding-your-wordpress-admin-url-with-ithemes-security/
Sun, 09 Aug 2020 01:17:00 +0000

Hiding your WordPress login URL is an excellent way to vastly increase the security of your site, especially from brute force attacks. In this article, we will show you how to effectively and easily change your WordPress admin URL with just a few clicks.

Hiding your WordPress Admin URL

  1. First, log in to your WordPress admin dashboard.
  2. You will need to have iThemes Security installed and activated. If you do not, you may follow our article on installing iThemes Security.
  3. Within your WordPress admin, hover over Security on the left side menu, and click on Settings.
  4. The settings can be filtered as Recommended and Advanced if all of them are not showing. You’ll see the filter options in the top right corner of the listed settings. Click on Advanced.
  5. Find Hide Backend and then click on Configure Settings.
  6. After enabling the checkbox in the previous step, additional options will appear. In the Login Slug field, enter your new login location. Make sure that you record this setting or set a bookmark to it. If you forget your new login URL, then you won’t be able to log in to your site.
  7. You will see other options, but for simplicity leave the defaults for Enable Redirection and Redirection Slug as they are. You can change the redirection slug if you feel it’s needed, but Enable Redirection should be checked to prevent error messages.
  8. Once your changes have been made, click Save Settings in the bottom left-hand corner.

Now that you have hidden your login URL with iThemes Security, your site login URL will be harder to locate, and thus more secure against brute force attacks. Note: As a reminder, be sure to remember what you set in the Login Slug field because, without it, you will not be able to log into your WordPress admin dashboard.
