  1. #1
    Member
    Join Date
    Nov 2007
    Posts
    114

    Is DNSONLY a gigantic gaping security risk?

    Okay so here's the question.

    DNSONLY requires one to set up access keys between the servers.

    So suppose someone hacks one of your servers. At this point, wouldn't they then be able with the access key to one of the DNSONLY servers be able to access it, grab the keys to all the other servers, and pretty much instantly have full root access to every server on your network?

    W

  2. #2
    Member LiNUxG0d's Avatar
    Join Date
    Jun 2003
    Location
    Gatineau, Quebec, Canada
    Posts
    206


    Quote Originally Posted by wizzy420 View Post
    Okay so here's the question.

    DNSONLY requires one to set up access keys between the servers.

    So suppose someone hacks one of your servers. At this point, wouldn't they then be able with the access key to one of the DNSONLY servers be able to access it, grab the keys to all the other servers, and pretty much instantly have full root access to every server on your network?

    W
    Technically... well... they would/could have access to the WHM API, yeah, I suppose. Since that Access Hash is used to authenticate. It's plausible.

    I guess you have to make the DNS boxes tight. Technically, if you keep their kernels up to date you shouldn't have too many issues. They aren't - shouldn't - be running web sites. So that limits attackers' points of entry.

    You should be dropping all useless services. Locking down SSH to key access only and "PermitRootLogin no". Change the port to something ambiguous, port 2 or something.

    It won't give people ROOT if they get the Access Hash, but, getting root after they get the Access Hash could prove simple.

    Warmest Regards,
    http://www.okteck.com/
    The best web hosting, reseller hosting and dedicated server packages!
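The SSH lockdown suggested in the post above ("key access only" and "PermitRootLogin no") can be checked against an sshd_config, as in this added example, which is not code from the thread or from cPanel. It assumes upstream OpenSSH defaults, does not follow Include files, and uses a constructed sample config; the function names are illustrative.

```python
import re

# Defaults per sshd_config(5) in current OpenSSH when a keyword is absent.
DEFAULTS = {"permitrootlogin": "prohibit-password", "passwordauthentication": "yes",
            "kbdinteractiveauthentication": "yes", "pubkeyauthentication": "yes"}
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}  # old name
# Target values for "key access only" plus "PermitRootLogin no".
WANTED = {"permitrootlogin": "no", "passwordauthentication": "no",
          "kbdinteractiveauthentication": "no", "pubkeyauthentication": "yes"}

def parse(text):
    """Return (global settings, Match-block overrides). sshd keeps the FIRST value."""
    settings, overrides, match = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) < 2:
            continue  # blank, comment-only, or keyword without argument
        key, value = ALIASES.get(parts[0].lower(), parts[0].lower()), parts[1].strip()
        if key == "match":
            match = value            # later lines apply only under this condition
        elif match is None:
            settings.setdefault(key, value.lower())
        elif key in WANTED:
            overrides.append((match, key, value.lower()))
    return settings, overrides

def audit(text):
    """List every audited option whose effective value differs from WANTED."""
    settings, overrides = parse(text)
    findings = []
    for key, wanted in WANTED.items():
        actual = settings.get(key, DEFAULTS[key])
        if actual != wanted:
            findings.append(f"{key}={actual} ({'set' if key in settings else 'default'}), want {wanted}")
    for cond, key, value in overrides:
        if value != WANTED[key]:
            findings.append(f"Match {cond}: {key}={value}, want {WANTED[key]}")
    return findings

# Constructed sample config, not taken from a real host.
SAMPLE = """\
Port 2
PermitRootLogin no
PermitRootLogin yes   # ignored: the first value wins
PasswordAuthentication no
Match Address 10.0.0.0/8
    PermitRootLogin yes
"""
```

On a live host, `sshd -T` prints the effective configuration and is the authoritative source; the parser here is for reviewing a config file offline.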

  3. #3
    Member
    Join Date
    Nov 2007
    Posts
    114


    Quote Originally Posted by LiNUxG0d View Post
    I guess you have to make the DNS boxes tight.

    etc etc
    Well, basic security is one of those of course things. I do appreciate your response.

    But there are things like day zero holes, mistakes, etc.

    Wouldn't it make a lot more sense for DNS interactions to occur using a separate privilege level which isn't root?

    This just seems to me to be a horrible way to do things. Give every box root access to every other box.

  4. #4
    Member LiNUxG0d's Avatar
    Join Date
    Jun 2003
    Location
    Gatineau, Quebec, Canada
    Posts
    206


    Quote Originally Posted by wizzy420 View Post
    Well, basic security is one of those of course things. I do appreciate your response.

    But there are things like day zero holes, mistakes, etc.

    Wouldn't it make a lot more sense for DNS interactions to occur using a separate privilege level which isn't root?

    This just seems to me to be a horrible way to do things. Give every box root access to every other box.
    Yeah, I suppose cPanel could do that. I'm sure it's on a to-do list. Something like privilege elevation over Access Hashes has probably been discussed by their dev team.

    I know how 0-day holes can be problems.

    cPanel has flaws, as does most software; however, I think they do a good job in minimizing them. The best example is Microsoft products... they have holes... they get exploited... it happens.

    Stay on top of security/software you run, install the proper software to monitor and keep a hold on things. It's really all you can do.

    The best thing to do is do the best you can do.

    Regards,
    http://www.okteck.com/
    The best web hosting, reseller hosting and dedicated server packages!

  5. #5
    Member
    Join Date
    Nov 2007
    Posts
    114


    Quote Originally Posted by LiNUxG0d View Post
    Yeah ...
    Your website brings up a blank white screen.

    Steve
