GDPR for dedicated Server

Discussion in 'Security' started by fullfatdesigns, Mar 25, 2018.

  1. fullfatdesigns, Well-Known Member (cPanel Access Level: Root Administrator)

    Hi

    I've been reading up on GDPR to advise our clients on changes to their websites, but I'm after people's views on what we need to do on our server.

    We have a dedicated server with about 20 websites on it, which backs up to Amazon S3 every night (keeps 2 weeks' worth). WHM/cPanel is on https, and if all the sites are switched to https (some are anyway), is there anything else I need to put in place?

    Just after people's views, as I couldn't seem to find any guide for the actual server, just what to do on the websites.

    Thanks
    Wayne
     
  2. Infopro, cPanel Sr. Product Evangelist, Staff Member (Pennsylvania; cPanel Access Level: Root Administrator)

  3. fullfatdesigns, Well-Known Member (cPanel Access Level: Root Administrator)

    Brilliant, thank you. I'll check it out. I didn't think to search the main site, only searched the forums.
     
    Infopro likes this.
  4. james1985, Member (Barry; cPanel Access Level: Root Administrator)

    The blog doesn't really explain how to make a cPanel server GDPR compliant, unless I missed something?

    Do you have a full rundown of tweaks and changes that need to be made to comply with the legislation passed some time ago?

    I was under the impression that all backups need to be encrypted where stored?

    Also I feel the email system is lacking security. For example, if a cPanel login was compromised, you can easily click and view people's emails in cPanel? Shouldn't the email system be more secure? Even against server admins, ask for the password? Even encrypted? A lot of personal information can be held in emails; with cPanel, one click and you can see all emails in plain text in webmail.

    Many admin teams, as we know, are located outside the EU, and with the new legislation bringing in the tightening of data leaving the EU, is it possible to help secure clients' data on the server from such security risks?
     
  5. cPanelMichael, Forums Analyst, Staff Member (cPanel Access Level: Root Administrator)

    Hello @james1985,

    Here are a couple of quotes from the blog post related to how you can approach GDPR compliance for your own company:

    As far as encrypted backups and emails, those are not direct features offered with the cPanel & WHM product at this time, but you can find discussion of such features with potential solutions at:

    Backups - encryption of backups (symmetric and asymmetric)
    Email storage encryption

    Thank you.
     
  6. lorio, Well-Known Member (cPanel Access Level: Root Administrator)

    The GDPR is not 100% the same in every European country. Local law can overrule some passages. cPanel Inc. has to first ensure they get their stuff right (e.g. what gets transmitted from every cPanel/WHM installation towards cPanel Inc.). The most complex thing seems to be being able to export everything you saved about a person and hand it over to that person at any point. That is the right of every user hitting a server.

    The most basic thing cPanel could offer would be a tool which removes IPs from logs, or shortens IPs, or replaces IPs with hashes.
    E.g. scripts like this: https://www.privacyfoundation.ch/en/services/anonip.html

    You have seen such tools around web analytics tools for years, to be in compliance with certain European countries. GDPR makes the IP address personal data of the user (even when the IP is assigned dynamically via the ISP of a user).

    You will see more and more threads here in the future.
    E.g. GDPR and Statistical Analytics

    European web hosting companies which base their business on cPanel or other control panels will need to invest more time to customize the setups or demand features.
     
  7. cPanelMichael, Forums Analyst, Staff Member (cPanel Access Level: Root Administrator)

    Hi @lorio,

    Thank you for taking the time to provide us with feedback on this topic. I encourage you to open a feature request for this at:

    Submit A Feature Request

    Note that our feature request website is currently undergoing maintenance, but should resume functioning soon.

    Thank you.
     
  8. DennisMidjord, Well-Known Member (Denmark; cPanel Access Level: Root Administrator)

    Is this really required now? Should the IP be removed from the log files?
    Seems like a very bad idea.
     
    Kent Brockman likes this.
  9. Dan70, Member (Hamburg; cPanel Access Level: Root Administrator)

    As I understand it, at least we have to tell visitors how long we store data and for what... and IP is "personal" data, even though only governments - and guys like Facebook and Google - can put a name behind an IP; I cannot.
     
    #9 Dan70, Apr 30, 2018
    Last edited: Apr 30, 2018
  10. lorio, Well-Known Member (cPanel Access Level: Root Administrator)

    Since a lot of data is lost there, I no longer feel encouraged to use the feature request tool at the moment.

    Since GDPR is around the corner, I have the feeling the European cPanel Reseller will see a reaction in the market.
     
  11. lorio, Well-Known Member (cPanel Access Level: Root Administrator)

    Think about static IPs.

    But GDPR is not preventing storing everything. You need a reason and you need to protect the data. And prove that you protect the data.

    I see two areas with a high priority:
    1. Logfiles: I would like to see a way to limit and control storage of IP data in cPanel. E.g. store seven days and after that delete the IP or make a hash.
    2. Encryption in backup routines (public-key encryption and symmetric encryption as an option).

    To make this happen you need to change core routines of cPanel/WHM. So no quick change overnight.

    E.g. WordPress has recognized the need for change at the core.
    gdpr-compliance – Make WordPress Core

    cPanel/WHM is a collection of software. So a lot more work to get everything under control.
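The log treatment proposed in posts 6 and 11 above (strip, shorten or hash the client IP, and only once an entry is older than a retention window such as seven days) as an added example in Python. This is not cPanel's code and not the anonip script linked earlier; it assumes Apache combined-format lines (the format cPanel writes to per-account access logs, which is an assumption here rather than something the thread states), a constructed sample log, a fixed clock so the run is reproducible, and an operator-supplied secret key for the hashed form. The hashed form is a keyed HMAC rather than a bare hash: the whole IPv4 space can be hashed and matched in minutes, so an unkeyed digest of an address is a pseudonym only in name. Truncation (dropping the host bits, /24 for IPv4 and /48 for IPv6) is the keyless alternative.

```python
"""Anonymise client IPs in Apache combined-format access logs once the
entries are older than a retention window.

Added example, not cPanel's code. The sample log, the fixed clock and
the key are constructed for the demonstration.
"""
import hashlib
import hmac
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# "client ident user [timestamp] ..." prefix of a combined-format line.
_LINE_RE = re.compile(r"^(?P<ip>\S+) (?P<idu>\S+ \S+) \[(?P<ts>[^\]]+)\](?P<rest>.*)$")
_TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log lines (documentation-range addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.57 - - [01/May/2018:10:15:32 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '2001:db8:abcd:1::7 - - [03/May/2018:08:01:10 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "curl/7.58"',
    '198.51.100.9 - - [09/May/2018:23:59:59 +0000] "GET /contact HTTP/1.1" 200 912 "-" "Mozilla/5.0"',
]
# Fixed "now" so the example is reproducible; a real job would use datetime.now(timezone.utc).
NOW = datetime(2018, 5, 10, 12, 0, 0, tzinfo=timezone.utc)


def truncate_ip(ip_text, v4_bits=24, v6_bits=48):
    """Drop host bits: 203.0.113.57 -> 203.0.113.0, 2001:db8:abcd:1::7 -> 2001:db8:abcd::.
    Irreversible, and every host in the prefix collapses to one value."""
    ip = ipaddress.ip_address(ip_text)
    bits = v4_bits if ip.version == 4 else v6_bits
    return str(ipaddress.ip_network(f"{ip}/{bits}", strict=False).network_address)


def hash_ip(ip_text, key):
    """Keyed pseudonym that still allows counting distinct clients.
    An unkeyed hash would not help: the 2^32 IPv4 space is cheap to hash
    exhaustively and match, so the digest is an HMAC under a secret key
    that must be stored outside the log directory and never backed up
    alongside the logs."""
    ip = ipaddress.ip_address(ip_text)
    return "ip-" + hmac.new(key, ip.packed, hashlib.sha256).hexdigest()[:16]


def anonymise_line(line, now, retention, key=None):
    """Rewrite the client field of one line if the entry is older than `retention`.
    Unparseable lines and non-IP client fields are returned unchanged rather
    than dropped, so nothing disappears from the log silently."""
    m = _LINE_RE.match(line)
    if not m:
        return line
    try:
        ts = datetime.strptime(m.group("ts"), _TS_FMT)
        ipaddress.ip_address(m.group("ip"))
    except ValueError:
        return line
    if now - ts < retention:
        return line
    new_ip = hash_ip(m.group("ip"), key) if key else truncate_ip(m.group("ip"))
    return f"{new_ip} {m.group('idu')} [{m.group('ts')}]{m.group('rest')}"


def anonymise_log(lines, now, retention_days=7, key=None):
    """Apply the retention policy to a whole log given as a list of lines."""
    retention = timedelta(days=retention_days)
    return [anonymise_line(line, now, retention, key) for line in lines]


if __name__ == "__main__":
    print("--- truncated ---")
    for out in anonymise_log(SAMPLE_LOG, NOW):
        print(out)
    print("--- keyed hash ---")
    for out in anonymise_log(SAMPLE_LOG, NOW, key=b"operator-secret"):
        print(out)
```

With the sample data and the seven-day default, the first two lines are rewritten and the line from 9 May is left intact. Running this against a live log is only half the job: the same addresses sit in the mail logs that post 13 mentions and in any statistics packages that have already consumed the raw log, so the retention rule has to be applied to every copy, and the rewritten file must replace the original rather than being written next to it.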
     
  12. cPanelMichael, Forums Analyst, Staff Member (cPanel Access Level: Root Administrator)

    Hi @lorio,

    I can understand the sentiment, but I do want to note that additional redundancy is now in place to help prevent that from happening again in the future. If there were any specific feature requests that you opened or contributed to in the past that no longer exist, let me know and we'll work on getting those added back on your behalf.

    Thank you.
     
    Kent Brockman likes this.
  13. uk01, Well-Known Member

    Hi, I've just had a call from an IT client. He has asked many questions regarding encryption of emails for GDPR compliance. I'm sure this applies to many people and I can't find a definitive answer.

    If a website has https, the web visitor enters their data, it's encrypted and sent via PHP to Exim/Dovecot and into the user's inbox, where they then use an email client to read it (SSL on).

    1 - The email logs store IP addresses, which is identifiable info. I said that GDPR does not say we can't store data, only that there needs to be transparency about how long for.

    More importantly...

    2 - The emails are stored unencrypted in the user's mail folder. My client asked whether, if his account was compromised, the hacker could read the emails, i.e. could they upload the mail folder to another server and read all the emails (with a permission change)?

    I pointed out that the way Exim works is not going to change overnight because of GDPR and that we cannot change open source software which is built into cPanel to make it GDPR compliant; we can only highlight this with our software providers, who are also responsible, i.e. cPanel.

    3 - If data is stored in a MySQL database: are you encrypting my database?
    My answer - We supply MySQL as part of your hosting package; MySQL is again open source software, we supply the "service".
    But, he said, you are responsible for the data as a data processor. You should be encrypting my database and emails to be compliant.

    4 - Are all backups in the EU? Luckily we do have all backups locally or in the EU. He didn't raise the question of encrypted backups, but I'm sure this one will come soon!
    Again, yes, we are the data processors, but we can't encrypt if the tools we have do not give us that functionality.

    It seems hosting companies are being loaded with all this, but the tools to meet the obligations are not actually available if you use cPanel? Or are the obligations being over-emphasised because the customers are passing the buck?

    We do all we can do with the tools we have and are very vigilant on security; we already do so much the customers don't care to pay for. No one cares about backups until they lose their sites; they don't actually want to pay for anything extra, i.e. hourly backups, but then demand the backups are encrypted.

    I'm sure this is sending everyone into a twist, appreciate comments!
     
  14. uk01, Well-Known Member

    PS: when will I get opt-in from the Nigerian spammer who says I can have half of his million pounds?
     
  15. cPanelMichael, Forums Analyst, Staff Member (cPanel Access Level: Root Administrator)

    Hello @uk01,

    I've merged your post into this thread.

    Thank you.
     