
Cpanel / WHM Best Practices for Security Basics

Discussion in 'Security' started by diesel12, Jan 31, 2011.

  1. diesel12

    diesel12 Member

    Joined:
    Dec 14, 2007
    Messages:
    18
    Likes Received:
    0
    Trophy Points:
    0
    We've made a couple of quick changes to WHM for security reasons and are wondering if we've left any major bases uncovered or done anything less than optimal. Any feedback appreciated!

    1) We're no longer creating new accounts as root, we've set up a reseller account and given them every privilege except for the "root privilege" mentioned last on privileges page.

    2) We've set up security questions for the root and reseller accounts.

    3) We're logging into WHM with the hash from our billing software instead of using a password.

    4) We've disabled root from being able to access cPanel accounts via Tweak Settings, so only account owners and cPanel owners can.

    Anything else we should consider doing?

    Any feedback greatly appreciated....
     
  2. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Joined:
    Oct 2, 2010
    Messages:
    7,623
    Likes Received:
    21
    Trophy Points:
    38
    Location:
    somewhere over the rainbow
    cPanel Access Level:
    Root Administrator
    For the privileges for the reseller users that have all but root, are you checking these options for them then?

    1. Account Modification (warning: this will allow circumvention of account creation limits, give shell access unless explicitly disallowed, dedicated IPs, etc.)
    2. Bandwidth Limiting Modification (warning: this will allow circumvention of account package limits if you are not using resource limits)
    3. Quota Modification (warning: this will allow circumvention of account package limits if you are not using resource limits)

    Now, if you are placing limits, this should be fine. The one that is concerning is the shell access, since if you aren't explicitly disallowing shell access for the resellers for accounts they create, then they can create jailed shell accounts for other users, which could be a security concern.
     
  3. diesel12

    diesel12 Member

    Joined:
    Dec 14, 2007
    Messages:
    18
    Likes Received:
    0
    Trophy Points:
    0
    My apologies for not giving enough information. There is only one reseller on the account, which is me, so there are no other users accessing WHM, reseller or otherwise, except for myself.

    Thank you for the feedback!
     
  4. LinuxTechie

    LinuxTechie Well-Known Member

    Joined:
    Jan 22, 2011
    Messages:
    502
    Likes Received:
    2
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    Hello,

    If you have the CSF firewall installed on the server, go to

    Code:
    WHM >> Plugins >> ConfigServer Security & Firewall >> Check server security.
    You can try to clear out all the warnings to make the server more secure. Instructions for clearing each warning are given beside the warning.

    From your score you will understand how secure your server is!
     
  5. diesel12

    diesel12 Member

    Joined:
    Dec 14, 2007
    Messages:
    18
    Likes Received:
    0
    Trophy Points:
    0
    Our billing / cart software has said that in order to create custom quotas when a customer signs up via our cart, cPanel requires logging in as root. Can anyone confirm this is the case?
     
  6. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Joined:
    Oct 2, 2010
    Messages:
    7,623
    Likes Received:
    21
    Trophy Points:
    38
    Location:
    somewhere over the rainbow
    cPanel Access Level:
    Root Administrator
    Do they mean the API for their product and how it operates? Because that would be a question for that software provider, since it's a third-party application. We wouldn't know how they have set up their product to function.
     
  7. diesel12

    diesel12 Member

    Joined:
    Dec 14, 2007
    Messages:
    18
    Likes Received:
    0
    Trophy Points:
    0
    Tristan: To clarify, they stated that it is a cPanel limitation where cPanel will not allow anyone but root to create accounts with custom quotas. Their product works fine when logged in as a reseller unless a custom quota is required when setting up a cPanel account. This is not due to their own API but due to cPanel only enabling the root user to set up an account with a custom quota. I'm just trying to confirm that cPanel does in fact limit account creation with custom quotas to the root user. Thanks!
     
  8. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Joined:
    Oct 2, 2010
    Messages:
    7,623
    Likes Received:
    21
    Trophy Points:
    38
    Location:
    somewhere over the rainbow
    cPanel Access Level:
    Root Administrator
    Please clarify what is meant by a custom quota, since I'm not certain that I entirely understand what that would mean. Account creation includes setting a quota during it as part of the account creation process. Is a custom quota setting a quota higher or lower than the package limit? Also, is this the disk space quota or some other quota?
     
  9. diesel12

    diesel12 Member

    Joined:
    Dec 14, 2007
    Messages:
    18
    Likes Received:
    0
    Trophy Points:
    0
    A custom quota as they use it could be a literal quota for bandwidth or similar or simply creation of a custom number of emails for the account. It is probably just best to look at their page describing this: WHMCS - Configurable Package Addon

    If I decide I want to have 10 different tiers for email accounts with our service package (5 email accounts for $5, 10 email accounts for $10, 15 email accounts for $15, etc.), I could set up a package in WHM for each of these different configurations. WHMCS can then log in as the reseller when an order is placed and create these accounts without any issues.

    The issue is that if we have a large number of different package variations to choose from, with a varying number of emails, storage space, etc., then we would be required to create a large number of packages in WHM to satisfy the different order configurations that clients might choose: one for 10 emails and 2 GB of storage, one for 10 emails and 10 GB of storage, one for 10 emails and 100 GB of storage, etc.

    The add-on in the link above creates packages that are chosen by the client on the fly, so there's no need to create any packages. A client can choose the number of emails or other resource options / variations we offer, and then WHMCS will create an account for them based on these "custom quotas" or options chosen by the client, without the need to have pre-made packages in WHM. This also means we don't have to create a "product" for each variation within WHMCS.

    The issue, as it was explained to us, is that cPanel does not allow creation of accounts with "custom quotas" unless the creator / WHMCS is logged in as root, which is what I'm trying to confirm is the case.
     
  10. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Joined:
    Oct 2, 2010
    Messages:
    7,623
    Likes Received:
    21
    Trophy Points:
    38
    Location:
    somewhere over the rainbow
    cPanel Access Level:
    Root Administrator
    Unless a reseller is limited to specific packages for creation (and you've not indicated any limitations were put onto the non-root account), I do not see how this would be the case, but this is more of an API question than a general reseller question. It would be better placed in the developer discussion forum to ensure someone who understands the API fully could answer it. If you would like, I could copy the posts to that location as a new thread, or split them off from this thread to a new thread there, which would work better, since we've actually taken a turn from the original thread topic.
     