Security Measures for PHP & MariaDB Web Applications on cPanel (AWS/Dedicated Servers)

Since you’re developing custom web applications using PHP and MariaDB on cPanel, hosted on AWS or dedicated servers, security is crucial. Below are key areas to focus on:

1. Server-Level Security

• Firewall & Network Security:
  • Use AWS Security Groups or a dedicated firewall to restrict access to specific IPs.
  • Configure fail2ban to prevent brute-force attacks.
  • Disable unused ports and only allow essential services.
• SSH & cPanel Security:
  • Disable root login for SSH (PermitRootLogin no in /etc/ssh/sshd_config).
  • Use key-based authentication instead of passwords.
  • Change default SSH port from 22.
  • Regularly update cPanel and enable cPHulk for brute-force protection.
• DDoS Protection:
  • Use AWS Shield or Cloudflare to mitigate DDoS attacks.
  • Rate-limit requests using mod_evasive (Apache) or nginx rate limiting.

2. PHP Application Security

• Input Validation & Sanitization:
  • Use prepared statements with PDO/MySQLi to prevent SQL Injection.
  • Sanitize user input with filter_var(), htmlspecialchars(), etc.
  • Avoid passing user input directly to system commands.
• Session Management:
  • Store session data outside the web root.
  • Use secure, HttpOnly cookies (session.cookie_secure=1, session.cookie_httponly=1).
  • Regenerate session IDs after login (session_regenerate_id(true)).
• Error Handling:
  • Disable detailed error messages in production (display_errors = Off in php.ini).
  • Log errors to a secure location (error_log=/var/log/php_errors.log).

3. MariaDB Security

• Access Control:
  • Create separate MySQL users for each application with minimal privileges.
  • Disable remote root login (bind-address = 127.0.0.1 in my.cnf).
• Secure Authentication:
  • Use strong passwords and enforce password expiration policies.
  • Enable mysql_secure_installation to disable anonymous users.
• Database Encryption:
  • Enable TDE (Transparent Data Encryption) in MariaDB.
  • Use AES_ENCRYPT() and AES_DECRYPT() for column-level encryption.

4. Web Server Security

• HTTPS & TLS:
  • Use Let’s Encrypt or a commercial SSL certificate.
  • Enforce TLS 1.2 or 1.3 (ssl_protocols TLSv1.2 TLSv1.3; in Nginx).
• Prevent Common Attacks:
  • Set X-Frame-Options: DENY to prevent Clickjacking.
  • Use Content-Security-Policy (CSP) headers.
  • Block directory listing (Options -Indexes in .htaccess).

5. cPanel & Backup Security

• cPanel Hardening:
  • Disable unnecessary cPanel features.
  • Restrict access using IP whitelisting.
  • Enable Two-Factor Authentication (2FA).
• Automated Backups:
  • Use AWS S3, rsync, or cPanel backup tools.
  • Encrypt backups before storing them remotely.

---

Best Tools to Check Security

1. Server & Infrastructure Security
   • AWS Security Hub (if using AWS)
   • Lynis (lynis audit system)
   • Fail2Ban (brute-force attack protection)
2. Web Application Security
   • OWASP ZAP (Automated security testing)
   • Burp Suite (Manual security testing)
   • PHP Security Scanner (phpsec)
3. Database Security
   • MariaDB Audit Plugin (logs database activities)
   • mysqltuner (mysqltuner.pl for performance/security checks)
4. File & Malware Scanners
   • ClamAV (clamscan -r /var/www/html)
   • Maldet (Linux Malware Detect)
5. Website & Application Testing
   • Qualys SSL Labs (SSL/TLS security test)
   • Sucuri SiteCheck (Malware & security scan)
   • WPScan (if using WordPress)
6. Log Monitoring & Intrusion Detection
   • OSSEC (Host-based Intrusion Detection System)
   • Tripwire (Monitors file changes)

---

Next Steps

1. Regularly update PHP, MariaDB, and cPanel.
2. Perform penetration testing before launching applications.
3. Implement a Web Application Firewall (WAF) like AWS WAF or Cloudflare.
4. Use centralized logging & monitoring (e.g., AWS CloudWatch, Logwatch).