[Case 35876] cpdavd via http PCI compliance issue

Serra

Well-Known Member
Oct 27, 2005
267
18
168
Florida
I got hit on a PCI compliance issue where cpdavd is accessible via http. I found several older threads about this, but they all indicate that the issue should be close now that I'm on 11.30.4.

If I go to my server via server.com I get a login pop up. Shouldn't that be forced to https?
 

Serra

Well-Known Member
Oct 27, 2005
267
18
168
Florida
I have "Always redirect to SSL" set to ON, it been set like that for years. I've test the URL at port 2077 and it is not being redirected.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,909
2,225
463
Hello :)

I suggest opening a support ticket with our staff so we can see the exact configuration in-place and offer advice. You can open a ticket using the following URL:

Submit A Ticket

Thank you.
 

Serra

Well-Known Member
Oct 27, 2005
267
18
168
Florida
So should cpdavd be redirected or not? It is not being redirected now. Is there a way to redirect it so that it doesn't show up on my PCI report?
 

Serra

Well-Known Member
Oct 27, 2005
267
18
168
Florida
Resolution: After putting in a ticket I was told that cpdavd is not PCI compliant and can't be made so. The only resolution offered was to block port 2077 to prevent cpdavd from using basic authentication. I've done that, I don't believe any of my customers are using cpdavd, but if they were, the only way to allow it would be to pinhole that customer for that port, while that would also be PCI noncomplainant, it wouldn't show up on the PCI reports.

I got the impression that at some point this may be resolved with an upgrade.
 

inetbizo

Well-Known Member
How can it be a feature IF cpanel software would fail a compliance audit by allowing 2077 in the first place? Please post some global apache include mod_rewrite on the insecure port(s)?
 

cPanelTristan

Quality Assurance Analyst
Staff member
Oct 2, 2010
7,607
40
248
somewhere over the rainbow
cPanel Access Level
Root Administrator
We have case 35876 opened internally to restrict WebDAV (cpdavd) to listen only on SSL ports. I've added this forum discussion to that case so your concerns are noted there.

As for mod_rewrite, mod_rewrite would not be the ideal solution to blocking a port. Blocking port 2077 in the firewall or iptables would be faster to process, easier to accomplish, and less intensive on the machine. As such, simply remove port 2077 for listening in your firewall:

Code:
/sbin/iptables -I INPUT -p tcp --destination-port 2077 -j DROP
After blocking the port for incoming connections, then save the firewall rules:

Code:
service iptables save
 

DomineauX

Well-Known Member
PartnerNOC
Apr 12, 2003
429
11
168
Houston, TX
cPanel Access Level
Root Administrator
Just wanted to add support for a solution to this issue other than a simple firewall block of the port.
cPanel should strive to resolve any PCI issues related to the product itself and running an insecure access for WebDISK opens a PCI issue so please provide an integrated option to disable insecure access via WHM.
 

Blakles

Member
Mar 9, 2012
10
0
51
cPanel Access Level
Root Administrator
We have case 35876 opened internally to restrict WebDAV (cpdavd) to listen only on SSL ports. I've added this forum discussion to that case so your concerns are noted there.

As for mod_rewrite, mod_rewrite would not be the ideal solution to blocking a port. Blocking port 2077 in the firewall or iptables would be faster to process, easier to accomplish, and less intensive on the machine. As such, simply remove port 2077 for listening in your firewall:

Code:
/sbin/iptables -I INPUT -p tcp --destination-port 2077 -j DROP
After blocking the port for incoming connections, then save the firewall rules:

Code:
service iptables save
How exactly do you block port 2077 in the firewall or iptable? Where do you go inside WHM to do this?
I tried going to WHM > ConfigServer Security & Firewall > Firewall Configuration and removed 2077 from the 'Allow incoming TCP ports' section, but I still get a login box when visiting: domain.com:2077 or http://ip:2077
 

cPanelTristan

Quality Assurance Analyst
Staff member
Oct 2, 2010
7,607
40
248
somewhere over the rainbow
cPanel Access Level
Root Administrator
Hello,

Since CSF isn't provided by cPanel as part of WHM, I cannot detail how to block the port in CSF. I can detail how to do it in root SSH command line via iptables:

Code:
/sbin/iptables -I INPUT -p tcp --dport 2077 -j DROP
I used the above to block the port and it worked for me. You'd then need to save the new configuration:

Code:
service iptables save
You may wish to post on the CSF forum for questions on how to configure settings in their firewall software:

CSF Forum

Thanks!
 

DomineauX

Well-Known Member
PartnerNOC
Apr 12, 2003
429
11
168
Houston, TX
cPanel Access Level
Root Administrator
How exactly do you block port 2077 in the firewall or iptable? Where do you go inside WHM to do this?
I tried going to WHM > ConfigServer Security & Firewall > Firewall Configuration and removed 2077 from the 'Allow incoming TCP ports' section, but I still get a login box when visiting: domain.com:2077 or http://ip:2077
What you did is correct so your own IP is likely on the allow list which is why you were still able to access port 2077.
 

dolphyn

Well-Known Member
Nov 27, 2001
67
0
306
cPanel Access Level
Root Administrator
I agree there should be an option to require SSL for cpdavd. Firewall blocking isn't really a solution, because the PCI people insist on being whitelisted in firewall settings. :rolleyes:


If you don't need cpdavd, you can disable it completely:
Code:
/usr/local/cpanel/etc/init/stopcpdavd

touch /etc/cpdavddisable
Then use WHM Feature Manager "disabled" feature list to remove the icon from CPanel.

The /etc/cpdavddisable file doesn't need to be empty, so you can edit it to give yourself a reminder of why it's there. I included the URL of this forum thread in mine. :)


(I don't know if /etc/cpdavddisable is documented anywhere, but I happened to notice a reference to it in /usr/local/cpanel/etc/init/startcpdavd.)
 

vlee

Well-Known Member
Oct 13, 2005
375
26
178
Spokane, Washington
cPanel Access Level
Root Administrator
I agree there should be an option to require SSL for cpdavd. Firewall blocking isn't really a solution, because the PCI people insist on being whitelisted in firewall settings. :rolleyes:


If you don't need cpdavd, you can disable it completely:
Code:
/usr/local/cpanel/etc/init/stopcpdavd

touch /etc/cpdavddisable
Then use WHM Feature Manager "disabled" feature list to remove the icon from CPanel.

The /etc/cpdavddisable file doesn't need to be empty, so you can edit it to give yourself a reminder of why it's there. I included the URL of this forum thread in mine. :)


(I don't know if /etc/cpdavddisable is documented anywhere, but I happened to notice a reference to it in /usr/local/cpanel/etc/init/startcpdavd.)
Is the case with Web Disk going to get fixed?

I had customers using it until PCI Scans killed that feature so I had a few not very happy customers when I had to remove Web Disk do to PCI Compliance.
 

Serra

Well-Known Member
Oct 27, 2005
267
18
168
Florida
Since CSF isn't provided by cPanel as part of WHM, I cannot detail how to block the port in CSF.
In CSF the port is listed in the configuration as a TCP port as part of the long list of ports. Just remove it from the list and it will block the port.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,909
2,225
463
Is the case with Web Disk going to get fixed?

I had customers using it until PCI Scans killed that feature so I had a few not very happy customers when I had to remove Web Disk do to PCI Compliance.
Case 35876 is still open at this time. There is currently no time frame available on if/when a change in the existing behavior will be made.

Thank you.