How to protect cPanel and WHM?
Posted by taydu3000, 12-28-2007, 05:07 AM |
What is the best way to protect WHM and cPanel from unwanted logins?
If I change the port they can still sniff it. Is there a way to put another layer in front to protect it, or to assign a specific IP that is allowed to log in? I'm on a dedicated server and only hosting 1 site, so there are no customers that I should worry about.
Can I change /whm and /cpanel to something else just to hide them from novice users?
Thanks
|
Posted by ServerSurgeon George, 12-28-2007, 05:43 AM |
You can allow only particular IPs to connect to the 2086 and 2087 ports using the firewall.
|
Posted by StevenG, 12-28-2007, 08:19 AM |
The only way people can sniff traffic en masse, so to speak, is if they get access to your box to do so, by which time it's game over.
Sure, local admins, hacked Windows users, or someone else with a compromised network will be able to sniff passwords etc. sent over non-SSL, but hey, viruses are much more of a problem than this stuff these days, imho.
Just add an iptables rule for who is allowed to access via the cPanel ports 2082, 2083, 2086, 2087 - even disable the non-SSL ports for more security.
|
Posted by depache, 12-28-2007, 08:23 AM |
Use a software or hardware firewall. It will protect you from any type of attack. ConfigServer offers some good tools that are easy to use with WHM.
|
Posted by StevenG, 12-28-2007, 08:33 AM |
Indeed, iptables is a powerful and free resource that every Linux user needs to know inside and out.
|
Posted by ServerSurgeon George, 12-28-2007, 08:53 PM |
It is located here:
http://www.configserver.com/cp/csf.html
|
Posted by taydu3000, 12-29-2007, 04:38 AM |
Thank you all for your suggestions. I will look more into csf and will be sure to ask more questions if I come across something that I don't know.
|
Posted by MaB, 12-29-2007, 11:57 AM |
Has anyone tried something that would allow root WHM logins only from a particular IP but all other WHM logins from any IP?
I wish whm used PAM...
|
Posted by ServerSurgeon George, 12-29-2007, 12:00 PM |
Again, all this can be performed using the firewall.
|
Posted by MaB, 12-29-2007, 12:01 PM |
Can you point out exactly where/which feature it is that will let us specify root logins to WHM only from x.x.x.x while allowing any other IP to log in to whm as non root?
|
Posted by ServerSurgeon George, 12-29-2007, 12:03 PM |
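# --dport is only valid together with a protocol match, so -p tcp is required
iptables -A INPUT -p tcp -s YOUR_IP --dport 2086 -j ACCEPT
iptables -A INPUT -p tcp -s YOUR_IP --dport 2087 -j ACCEPT
# everyone else is dropped on the WHM ports (rules are evaluated in order)
iptables -A INPUT -p tcp --dport 2086 -j DROP
iptables -A INPUT -p tcp --dport 2087 -j DROP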
|
Posted by MaB, 12-29-2007, 12:08 PM |
Hi,
I don't think that you understood the request. Your iptables commands will block anyone from WHM aside from a given IP. We don't want that. We want our customers to have WHM access (from dynamic IP addresses). We simply want to restrict only the IP address that ROOT logs in to WHM from (you can do this with SSH/PAM but not WHM).
|
Posted by ServerSurgeon George, 12-29-2007, 12:17 PM |
You said you want that below:
Please try to explain more clearly what you want to obtain.
This is done using the iptables rules I showed you there.
If you have non-root users that log in to WHM then simply add them to the firewall.
|
Posted by MaB, 12-29-2007, 12:22 PM |
I said "We want our customers to have WHM access (from dynamic IP addresses)"
Trust me, iptables isn't the solution - it needs to be somewhere in WHM.
To be very clear:
1) User ROOT can log into WHM from only 1 specific ip address
2) Any other user can log into WHM from any dynamic ip address.
I know there's no solution, I was just wishing out loud. Hopefully one day cPanel will integrate some security in WHM logins...
|
Posted by utropicmedia-karl, 12-29-2007, 12:27 PM |
He did say "root".
|
Posted by ServerSurgeon George, 12-29-2007, 12:34 PM |
Unfortunately there's no solution for this. You can see the same question here:
http://forums.cpanel.net/showthread.php?t=38263
and the first reply is from a moderator saying that it is not possible.
|
Posted by utropicmedia-karl, 12-29-2007, 12:37 PM |
It actually is.
It's been a while since I've been in that code, but the login screen for your theme is available for you to muck with. You could have a txt file with a list of the user:ip combos you want and add code to the login screen (backend) to validate the login before the password is checked. 'exit -1' on the login script if you don't find a match.
I know this is possible because I was on a tear one weekend modifying our cp11 theme. Is this a hack? Hell yes. Will it work and work properly? Hell yes.
Regards,
|
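The user:ip check described in the post above, sketched as an added example (not code from the thread or from cPanel). It is written in Python for illustration rather than in the login script's own language, and the file format, function names and sample addresses are assumptions.

```python
import ipaddress

# Constructed sample file: one "user:source" per line, source is an IP or CIDR.
# Users with no entry are not restricted (the thread's "any other user" case).
SAMPLE_ALLOWLIST = """\
# addresses below are documentation ranges, not real hosts
root:203.0.113.10
root:2001:db8::10
backup:203.0.113.0/24
"""

def parse_allowlist(text):
    """Return {user: [network, ...]}; a malformed line raises instead of being skipped."""
    rules = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        # Split on the first colon only, so IPv6 sources keep their own colons.
        user, sep, source = line.partition(":")
        if not sep or not user.strip() or not source.strip():
            raise ValueError(f"line {lineno}: expected user:ip")
        # ip_network() raises ValueError on a bad address.
        net = ipaddress.ip_network(source.strip(), strict=False)
        rules.setdefault(user.strip(), []).append(net)
    return rules

def login_allowed(rules, user, remote_addr):
    """Run before the password check. `user` must be the same canonical name
    the real login backend authenticates, or a restricted user could slip past."""
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False  # unparseable peer address: fail closed
    # A dual-stack listener may report an IPv4 client as ::ffff:a.b.c.d.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    nets = rules.get(user)
    if nets is None:
        return True  # unrestricted user, password check decides
    return any(addr.version == n.version and addr in n for n in nets)

if __name__ == "__main__":
    rules = parse_allowlist(SAMPLE_ALLOWLIST)
    for user, ip in [("root", "203.0.113.10"), ("root", "198.51.100.7"),
                     ("reseller1", "198.51.100.7"), ("root", "::ffff:203.0.113.10")]:
        print(user, ip, "allow" if login_allowed(rules, user, ip) else "deny")
```

A deny here only means the login is rejected before the password is looked at; an allow still has to pass normal authentication.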
Posted by IGobyTerry, 12-29-2007, 12:39 PM |
Or you could just enable cpHulk from the 'security center' inside WHM, which will monitor for login failures.
|
Posted by ServerSurgeon George, 12-29-2007, 12:40 PM |
And the hack will be broken after each cPanel update?
|
Posted by utropicmedia-karl, 12-29-2007, 12:42 PM |
There is a chmod setting you can put on the file to prevent an update from overwriting it. Also, because it should be in a custom theme, the update would not touch it.
|
Posted by MaB, 12-29-2007, 12:49 PM |
Is that just for cPanel or for WHM as well?
|
Posted by utropicmedia-karl, 12-29-2007, 12:58 PM |
either/or...........
|
Posted by taydu3000, 12-29-2007, 08:48 PM |
Can someone show me how to set up a public key to access my server? I will be accessing it from a Windows environment using PuTTY.
I have been following a couple of guides online but I'm so confused now and didn't get anything done.
On the server right now I have disabled direct root login, created a user "xyz" and added it to the "wheel" group.
I log in as xyz and issue the command ssh-keygen -t rsa
It asks me to give it a name, but then it gives me permission denied when saving the key.
What should I do now to successfully generate the key?
|