The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Disable WHM access

Discussion in 'Security' started by braweb, Jun 23, 2010.

  1. braweb

    braweb Member

    Joined:
    Dec 20, 2004
    Messages:
    20
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Colombia
    Hello,

    I closed the port of WHM using my firewall and only permit access from determinate IP address. But cPanel create a proxy that permit users to access using whm.domain.com.

    In out httpd.conf we can delete this lines:
    RewriteCond %{HTTP_HOST} ^whm\.
    RewriteCond %{HTTPS} on
    RewriteRule ^/(.*) https://127.0.0.1:2087/$1 [P]

    But upcp or something overwrite the file and enable access again to whm using a subdomain of the client domain.

    How can I permanently disable this access?

    Thank you!
     
  2. cPanelDon

    cPanelDon cPanel Quality Assurance Analyst
    Staff Member

    Joined:
    Nov 5, 2008
    Messages:
    2,557
    Likes Received:
    7
    Trophy Points:
    38
    Location:
    Houston, Texas, U.S.A.
    cPanel Access Level:
    DataCenter Provider
    Twitter:
    The applicable virtual host entry in the Apache configuration file (httpd.conf) is only created if the proxy sub-domains feature is enabled via the Tweak Settings page in WHM. To disable proxy sub-domains, simply access WHM and use the Tweak Settings page to disable the applicable configuration option(s) within the Domains section.

    For reference, here is the full menu path to follow in WHM (with linked documentation):
    WHM: Main >> Server Configuration >> Tweak Settings >> Domains
     
    #2 cPanelDon, Jun 23, 2010
    Last edited: Jun 23, 2010
  3. braweb

    braweb Member

    Joined:
    Dec 20, 2004
    Messages:
    20
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Colombia
    Hello,

    Thank you for your quick response. The option that you refer is: "Automatically create cpanel, webmail, webdisk and whm proxy subdomain DNS entries for new accounts. When this is initially enabled it will add appropriate proxy subdomain DNS entries to all existing accounts. (Use /scripts/proxydomains to reconfigure the DNS entries manually)"?

    When I disable this option, it's still in httpd.conf, should I remove it manually or I should run a script to update the file?

    Thank you!
     
  4. cPanelDon

    cPanelDon cPanel Quality Assurance Analyst
    Staff Member

    Joined:
    Nov 5, 2008
    Messages:
    2,557
    Likes Received:
    7
    Trophy Points:
    38
    Location:
    Houston, Texas, U.S.A.
    cPanel Access Level:
    DataCenter Provider
    Twitter:
    To help clarify, there are a few options that are related to proxy sub-domains.

    In cPanel version 11.25.1:
    Menu Path: WHM: Main >> Server Configuration >> Tweak Settings >> Domains
    • Proxy subdomains [?] Add proxy VirtualHost to httpd.conf to automatically redirect unconfigured cpanel, webmail, webdisk and whm subdomains to the correct port (requires mod_rewrite and mod_proxy)
    • Proxy subdomain creation [?] Automatically create cpanel, webmail, webdisk and whm proxy subdomain DNS entries for new accounts. When this is initially enabled it will add appropriate proxy subdomain DNS entries to all existing accounts. (Use /scripts/proxydomains to reconfigure the DNS entries manually)
    • Proxy subdomain override [?] Allow users to create cpanel, webmail, webdisk and whm subdomains that override automatically generated proxy subdomains

    In cPanel version 11.25.0:
    Menu Path: WHM: Main >> Server Configuration >> Tweak Settings >> Domains
    • Add proxy VirtualHost to httpd.conf to automatically redirect unconfigured cpanel, webmail, webdisk and whm subdomains to the correct port (requires mod_rewrite and mod_proxy)
    • Automatically create cpanel, webmail, webdisk and whm proxy subdomain DNS entries for new accounts. When this is initially enabled it will add appropriate proxy subdomain DNS entries to all existing accounts. (Use /scripts/proxydomains to reconfigure the DNS entries manually)
    • Allow users to create cpanel, webmail, webdisk and whm subdomains that override automatically generated proxy subdomains

    To disable proxy sub-domains, you will want to disable the option that adds the proxy virtual host into the Apache/httpd (web server) configuration; as listed above it is the first option described.
     
  5. thobarn

    thobarn Well-Known Member

    Joined:
    Apr 25, 2008
    Messages:
    153
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    sanctum sanctorum
    FWIW, having those options unchecked is ineffective since each time httpd.conf is built after an EA run, aliases are added to the httpd.conf that will do the same thing as DNS entries.
     
  6. Miraenda

    Miraenda Well-Known Member

    Joined:
    Jul 28, 2004
    Messages:
    242
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Coralville, Iowa USA
    Hello,

    I wanted to ask if there's a reason that a firewall rule was chosen over using WHM > Host Access Control area. This area will actually allow only IPs you want allowed for whostmgrd (this is WHM ) and deny any others. This does work on proxy subdomains without having to disable proxy subdomains for webmail and cPanel or make any changes to httpd.conf in any way at all.

    To use it, simply go to WHM > Host Access Control area. In there put something like the following:

    Code:
    Daemon     Access List  Action  	Comment
    whostmgrd  YourIP       allow
    whostmgrd  all          deny
    Please note that the above will allow your IP and then deny any others for WHM access. You can put any of the IPs you want to allow above the deny line. The deny line must be below the allow entries (similar to how iptables itself requires ACCEPT rules before DROP ones). If you wanted to use this also for SSH access, you could put entries in Host Access Control for sshd

    Additionally, the file where these rules will save will be /etc/hosts.allow file. This is a wrapper script and not directly in iptables itself. This is one reason it can interact with processes like sshd and whostmgrd and will work with the proxy subdomains to block WHM access.
     
    #6 Miraenda, Jul 6, 2010
    Last edited: Jul 6, 2010
  7. cPanelKenneth

    cPanelKenneth cPanel Development
    Staff Member

    Joined:
    Apr 7, 2006
    Messages:
    4,458
    Likes Received:
    22
    Trophy Points:
    38
    cPanel Access Level:
    Root Administrator
    After changing the Tweak Settings that cPanelDon mentioned you'll need to remove the existing entries. This can be done using the /scripts/proxydomains utility. To remove the proxy entries for all accounts the following will suffice:

    Code:
    # /scripts/proxydomains remove
    
    If you want to remove for specific accounts or domains then you can use the --user or --domain parameters. Executing the script with --man will give you the complete documentation on this utility.

    Once removal is complete, rebuild your httpd.conf file ( /scripts/rebuildhttpdconf) and the Proxy entries should be gone.

    Please note that the aliases do not perform the same actions as the Proxy entries. The aliases redirect the browser to a specific port (e.g. 2083) whereas the Proxy entries keep the browser on port 80 and performs an internal redirect to the appropriate cPanel port.
     
  8. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,461
    Likes Received:
    195
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Twitter:
    Important cPanel/WHM Version Number Designation Change

    Please Note: Important cPanel/WHM Version Number Designation Change

    As of July 28, 2010 the cPanel/WHM version number designations have been officially changed.

    Version 11.25.1 is now designated 11.28 and version 11.25.2 is now designated 11.30.

    These new changes were explained in some detail recently at the July 2010 - Quarterly Road map - Webinar direct from cPanel's PodCast Studio in Houston, Texas with speakers David Grega and Mario Rodriguez.

    An official press release about these changes is forthcoming and can be accessed at this link as soon as it's made available to the Forum Team:
    Important cPanel/WHM Version Number Designation Change (To be updated)

    This post serves to update users who are subscribed to threads (where this message is posted) looking forward to upcoming enhancements in future versions of cPanel.
     
Loading...

Share This Page