
Filtering automatic login to WHM from WHMCS

Discussion in 'Security' started by Remitur, Nov 23, 2018.

  1. Remitur

    Remitur Active Member

    Joined:
    Jan 17, 2018
    Messages:
    30
    Likes Received:
    1
    Trophy Points:
    8
    Location:
    Ljubljana
    cPanel Access Level:
    Root Administrator
    Hello.

    I have a WHMCS install, which manages two different cPanel servers.
    My "reseller users" may log in to WHM:
    1. directly, accessing the cPanel server's WHM interface, using username + password + 2FA

    2. or from their own WHMCS account (simply clicking on "login to WHM"), without the need to use username + password + 2FA
    The question is: is there any way to make "2" (API access) possible only from my own WHMCS server?
    That's to say: any way to firewall/filter/block any other access attempt of the same kind coming from a different IP?
    I can't simply filter port :2087, because doing so I would also block direct, legitimate access to WHM using credentials + 2FA ... :-/

    It would be nice to configure WHM to accept WHM API access on a port different from :2087, and block this port... but it seems this is impossible:
    Guide to API Authentication - API Tokens - Developer Documentation - cPanel Documentation

    API calls that use a method that includes a URL must use the correct port:
    [...]
    2087 — Secure calls to WHM's APIs, or to cPanel's APIs via the WHM API.
     
  2. cPanelMichael

    cPanelMichael Technical Support Community Manager Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    47,529
    Likes Received:
    2,181
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello @Remitur,

    Restricting access to whostmgrd on a per-IP address basis is possible using WHM >> Host Access Control, however as you noted this will restrict access to both the WHM UI and WHM API 1 functions. Restricting access to the WHM UI, while at the same time allowing access to use WHM API 1 functionality, isn't supported.

    Can you provide more information about why you'd like to do this? The reseller can perform the same tasks from the WHM UI that they can perform using a WHM API 1 function.

    Thank you.
     
    Remitur likes this.
  3. Remitur

    Access to WHM by the user can be protected by 2FA, so API access can be weaker (i.e. I can imagine another system trying a sort of brute force via API calls).
    So, if I were able to limit API access by IP whitelisting, it would be much more secure...

    I guess it would be sufficient to handle web interface login and API calls on two different ports, so I can protect the first by 2FA and the second by IP whitelisting...
     
  4. cPanelMichael

    Hello @Remitur,

    Can you provide a step-by-step example of the method by which a user can bypass the 2FA requirement to execute API functions? This will allow me to reproduce the behavior and better understand the specific scenario you are describing.

    For anyone else seeing this thread, here's a link to the WHMCS single-sign on document that explains how this works from the WHMCS perspective:

    CPanel Single Sign-On - WHMCS Documentation

    Thank you.
     
  5. Remitur

    @cPanelMichael

    To configure a cPanel server in WHMCS, all I need to do is specify its IP and an API key (or even a username and password to access WHM with administrator privileges)
    CPanel/WHM - WHMCS Documentation

    WHMCS will do a sort of API call in order to allow the admin (who is already logged in to WHMCS) to transparently log in to WHM too.

    So, it's easy to imagine an external system which brute-forces the cPanel server, simply by making a lot of those same API calls with different passwords (a password is weaker than an API key, and so easier to break)...
     
  6. cPanelMichael

    Hello @Remitur,

    If I understand correctly, your concern is that by giving WHMCS access to your system through an API token or through the root password, WHMCS is granted the ability to generate login sessions that can be used to access cPanel & WHM without two-factor authentication. If so, I believe enabling two-factor authentication for WHMCS would address your concern:

    Two Factor Authentication | WHMCS

    Thank you.
     
  7. Remitur

    Not exactly...

    Let me explain: to log in directly to WHM, a human user needs username, password and 2FA.
    So brute force is impossible, and password stealing is also not useful.

    But to log in to WHM using the API, using (I guess) get_loggedin_url(), just a username and password are required.

    So, first case: I'm a bad cracker, and have stolen my colleague's password.
    I can't log in directly, because I don't have his smartphone... but I can set up a server which will call get_loggedin_url() on cPanel and so I'll be in... bypassing 2FA

    Second case: I'm a brute-force cracker.
    My target is a cPanel server.
    All I need to do is write a script which every hour makes a thousand get_loggedin_url() calls against my target, trying various different usernames/passwords... if no one stops me, in a few weeks I'll be in... bypassing 2FA.
    (note: this second one will not work if brute-force protection also works on API calls... but I don't know if it does)
     
  8. cPanelMichael

    Hello @Remitur,

    I'm not able to reproduce the behavior you have described using the steps below:

    1. Enable 2FA via WHM >> Two Factor Authentication.
    2. Require 2FA via WHM >> Configure Security Policies.
    3. Access an account via cPanel or WHM to set up the authentication app.
    4. Create the test Perl script found at the bottom of the Secure Remote Logins document on a remote server.
    5. Populate the Perl script with the account/server details and then execute it.
    6. Take the URL from the output and enter it in a web browser.
    7. Notice it requests the 2FA code.

    Can you check and confirm that you have required 2FA in WHM >> Configure Security Policies? You can read more about this option at:

    Configure Security Policies - Version 76 Documentation - cPanel Documentation

    If you wanted to take it a step further, you could extend the additional security policies to API functions by enabling API requests on the option linked above.

    Regarding your question about cPHulk, it will detect failed login attempts on the corresponding service it's monitoring. In the case of cPanel/WHM/Webmail logins, it will detect the failed login attempts even if the authentication attempt occurs through a script making use of our API.

    Thank you.
     
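The thread establishes that cPanel cannot separate WHM UI logins from WHM API 1 calls by port or by IP, and that cPHulk counts failed API authentication attempts. What the original poster actually wants, an IP whitelist for session-generating API calls, can still be approximated on the detection side by reading the WHM access log and flagging session-creation calls from any address other than the WHMCS server. The script below is an added example written for this thread; it is not cPanel's, WHMCS's or the poster's code. It assumes an Apache-style combined log line (the layout of /usr/local/cpanel/logs/access_log is assumed, not stated in the thread), that the session-creation function is WHM API 1's create_user_session (the function used by the Secure Remote Logins document, again my assumption), and the placeholder WHMCS address 203.0.113.10. The sample log lines are constructed.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample lines in an Apache-style combined format. The real
# /usr/local/cpanel/logs/access_log layout is an assumption for this example.
SAMPLE_LOG = """\
203.0.113.10 - root [23/Nov/2018:10:01:12 +0000] "GET /json-api/create_user_session?api.version=1&user=reseller1&service=whostmgrd HTTP/1.1" 200 512 "-" "WHMCS"
198.51.100.77 - root [23/Nov/2018:10:02:40 +0000] "GET /json-api/create_user_session?api.version=1&user=reseller1&service=whostmgrd HTTP/1.1" 200 512 "-" "curl/7.61.0"
203.0.113.10 - root [23/Nov/2018:10:03:05 +0000] "GET /json-api/listaccts?api.version=1 HTTP/1.1" 200 2048 "-" "WHMCS"
198.51.100.77 - reseller1 [23/Nov/2018:10:04:00 +0000] "POST /login/ HTTP/1.1" 401 0 "-" "Mozilla/5.0"
"""

# Placeholder for the real WHMCS server address(es); adjust for your deployment.
WHMCS_SERVERS = [ip_network("203.0.113.10/32")]

# WHM API 1 functions that mint a login session for another user (assumed name).
SESSION_CALLS = ("create_user_session",)

# client ip, "-", authenticated user, [timestamp], "METHOD path PROTO", status
LINE_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return a dict of the interesting fields, or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def is_trusted(ip, trusted=WHMCS_SERVERS):
    """True when the client address falls inside one of the trusted networks."""
    addr = ip_address(ip)
    return any(addr in net for net in trusted)


def find_untrusted_session_calls(log_text, trusted=WHMCS_SERVERS):
    """Flag every session-creation API call whose source is not a trusted WHMCS host.

    Successful and failed calls are both returned: a failed call from an unknown
    address is exactly the brute-force pattern the thread worries about, and a
    successful one means a 2FA-free session was handed out to someone other than WHMCS.
    """
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        path = entry["path"].split("?", 1)[0]  # drop the query string
        if not any(path.endswith("/" + call) for call in SESSION_CALLS):
            continue
        if is_trusted(entry["ip"], trusted):
            continue
        hits.append(entry)
    return hits


if __name__ == "__main__":
    for hit in find_untrusted_session_calls(SAMPLE_LOG):
        print(f"{hit['time']} {hit['ip']} as {hit['user']}: "
              f"{hit['method']} {hit['path']} -> {hit['status']}")
```

Run against the real log on a schedule (or feed the hits to whatever alerting you already use); any hit is a session-creation request that did not come from WHMCS, which is the event the poster could not block with Host Access Control without also blocking the 2FA-protected UI.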
  9. Remitur

    I guess that the WHMCS guys found another way to allow the user to log in via the API, without 2FA... :-/

    I'll describe what I'm experiencing:

    - I go to www.mycpanelserver.com:2087
    - I'm asked for username and password; I specify "root" and the password
    - I'm asked for a "security code": I give it and I'm in

    So, 2FA is active for "root", right?

    Then, let's go to WHMCS
    I go to "setup" => "Products" => "servers"
    I choose my already-configured cPanel server ( mycpanelserver.com ), just click on "Login to WHM" ... and I'm in, without being asked for 2FA

    Note: this happens for the administrative interface ("root"), but it also works for resellers (who can access WHM using 2FA, but can also access WHM directly from their client area in WHMCS).
    And I guess (not yet tested) it also works for users accessing their cPanel interface (mycpanelserver.com:2083 )
     
  10. cPanelMichael

    Hello @Remitur,

    Can you take a screenshot of how WHM >> Configure Security Policies is configured on this system and post it here?

    Thank you.
     
  11. Remitur


    Attached Files:

  12. cPanelMichael

    Hi @Remitur,

    Can you enable API requests via WHM >> Configure Security Policies and verify if you're still able to do this?

    Thank you.
     
  13. baronn

    baronn Member

    Joined:
    Dec 27, 2017
    Messages:
    24
    Likes Received:
    6
    Trophy Points:
    3
    Location:
    manchester
    cPanel Access Level:
    Root Administrator
    Can you not use the API restriction available in WHMCS: Security Tab - WHMCS Documentation to stop external URLs accessing the API and remotely calling the API to log in? That should kind of sort the WHMCS part out I think
  14. Remitur

    I looked for a way to do the test but, this being a production environment, without success... :-(

    I have a WHMCS test environment available, but not a cPanel test environment... can you arrange a cPanel test environment for a quick test?
     
  15. cPanelMichael

    Hi @Remitur,

    That's not something we can arrange because it involves the transmission of your WHMCS test environment authentication details. However, you should be able to reach out to the WHMCS support team to verify the option will work as intended. Let us know what their answer is.

    Thanks!
     