
Can I apply SSLVerifyClient to /securewhm?

Discussion in 'Security' started by pla, Oct 29, 2012.

  1. pla

    pla Member

    Hi

    My boss wants extra hardening for /securewhm. Is it possible to use <Directory> or <Location> directives to force the server to require client verification to /securewhm? If so, what is the clean way to do it with whm? I can figure out how to generate/install the certs, it's the whm bits that have me puzzled. :)
     
  2. ANKUR KUMAR

    ANKUR KUMAR Active Member


    Frankly telling you, I installed SSL on WHM and the very next day I uninstalled it, as it was under the money-back period.

    You cannot avoid a user account hack by adding SSL only to WHM...

    Instead, server hardening is needed from a system administrator:

    use ConfigServer Firewall

    restrict editing of php.ini files by users

    change the permissions of /bin/ln to 400

    This will help up to 65%
     
  3. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

  4. pla

    pla Member

    Actually, they're not much help. I think you read the "SSL" part of my question and skipped the "VerifyClient" part.

    Adding server certs is easy, well documented and well supported. I want to have the server reject connections to /securewhm unless the browser has a client certificate the server is expecting. And I want to do it, if possible, in a way that plays nicely with whm apache stuff. I've already tested this on a bog-standard apache; it's doing it in a whm-friendly way that eludes me.
     
  5. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Hmm, sorry about that. Is this helpful?

    Home » Server Configuration » Tweak Settings, Redirection tab.

    How will a user get the Cert in the first place?
     
  6. pla

    pla Member

    That's going to be part of it - not allowing non-SSL connections to whm. Client certs are only requested if the connection is over SSL, so non-ssl access to whm has to be disabled.

    In general the user would generate a certificate signing request, submit it to a certificate authority along with some money, get a signed certificate in return, pass the public key to server admin, who would then ask on a cpanel forum how to install it without messing up whm. :)

    In this particular instance, because it will apply only to employees permitted to use whm, sneakernet.

    In case you're wondering, the office has static IP but it's considered by the boss to be too expensive to provide static IP to employees who handle out-of-hours problems. I know that ADSL hands out IPs that rarely change, but unless you pay extra they can and do change - probably at an inconvenient time. So client certs look like a possible solution provided there's a way to configure them into the server without breaking whm's apache configurator.
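
For reference, the per-path client-certificate requirement the thread is asking about looks like this on a stock Apache with mod_ssl. This is an added example, not configuration posted by anyone in the thread or taken from cPanel; the hostname and all file paths are placeholders, and it does not answer how to keep such a block across WHM's Apache configuration rebuilds.

```apache
# Added illustration for a stock Apache + mod_ssl virtual host.
# Hostname and every file path below are placeholders (assumptions).
<VirtualHost *:443>
    ServerName server.example.com

    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/server.crt
    SSLCertificateKeyFile /etc/pki/tls/private/server.key

    # CA certificate that signed the staff client certificates.
    # Only certificates chaining to this file are accepted below.
    SSLCACertificateFile  /etc/pki/tls/certs/staff-client-ca.crt

    # Weak default, shown for contrast: the rest of the host
    # never asks the browser for a certificate.
    SSLVerifyClient none

    <Location /securewhm>
        # Deny the request if it somehow arrives without TLS.
        SSLRequireSSL

        # Hardened setting: the request is refused unless the browser
        # presents a certificate that validates against the CA above.
        SSLVerifyClient require

        # Accept only certificates issued directly by that CA.
        SSLVerifyDepth 1
    </Location>
</VirtualHost>
```

With `SSLVerifyClient` inside `<Location>`, mod_ssl asks for the certificate only after it has read the request path, by renegotiating the TLS session; set at virtual-host level it asks during the initial handshake instead.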
     
