Host Access Control - Proxy Subdomains Bypass

mbd5882

mbd5882

Well-Known Member
Apr 30, 2005
59
0
156
United Kingdom
cPanel Access Level
Root Administrator
Hello,

I'm trying to block WHM access to our company network only. I created a Host Access Control rules as below.

whostmgrd OFFICEIP allow # Allow office staff access
whostmgrd LOCAL allow # Allow local API requests
whostmgrd ALL DENY # Deny all others access

This worked fine and all other IP addresses attempting to access WHM through ports 2086 and 2087 were given a forbidden message.

However, WHM can still be accessed through the cPanel proxy subdomains as whm.customerdomain.tld as this is through Apache.

How can I block WHM access through the proxy subdomains also? Is my only solution to disable the proxy subdomains?

I appreciate any help on this issue.

Regards,
Asad Haider
 
cPanelTristan

cPanelTristan

Quality Assurance Analyst
Staff member
Oct 2, 2010
7,607
40
248
somewhere over the rainbow
cPanel Access Level
Root Administrator
Hello Asad,

That's a really good question that I've never realized that it was the case. I would have thought the wrapper itself for whostmgrd process couldn't be bypassed by proxy subdomains, but I've just tested this on my machine where I did a deny just for my IP for whostmgrd and whm.mydomain.com bypassed the restriction.

The only way I could see around this issue would be to only allow WHM on a dedicated IP that you aren't using for anything else, then to only allow that proxy subdomain for whm on that dedicated IP. At that point, you could restrict all port traffic to that IP to only the allowed IPs.

Alternatively, you could remove the whm proxy subdomain entirely and only have the others.

Thanks!
 
mbd5882

mbd5882

Well-Known Member
Apr 30, 2005
59
0
156
United Kingdom
cPanel Access Level
Root Administrator
Hi Tristan,

Sorry about the two threads, all our staff have access to this account so I should have posted it under here.

Thanks for looking into it, I thought you would be aware of the issue already. I came across it accidentally while testing if the blocking was working and couldn't find a fix or similar reported issue on the forums.

I guess I'll disable proxy subdomains for now to prevent access. We'll take a look into running it on a dedicated IP address and blocking it that way.

Would you guys be looking into this further? or letting people know about it?

Thanks,
Asad
 
cPanelTristan

cPanelTristan

Quality Assurance Analyst
Staff member
Oct 2, 2010
7,607
40
248
somewhere over the rainbow
cPanel Access Level
Root Administrator
Hello Asad,

I'm going to go through our internal reports to see if anything is mentioned about it and then inquire about the issue. It isn't necessarily a bug, but it might well be something needing documented on our site if it hasn't been.

Since I was not aware of it, I'd imagine many others aren't aware of it either. There's no warning in either the proxy subdomains tweak setting nor in Host Access Control about these bypassing the restrictions.

Thanks!
 
You must log in or register to reply here.
Thread starter Similar threads Forum Replies Date
J Host access control. OK to deny all except for my static IP? Security 4
S Host Access Control error Security 3
R CSF versus Host Access Control to lock down WHM/cPanel mgmt Security 1
S How to tell which services aren't in active use, and can be safely blocked using Host Access Control? Security 7
keat63 Failed FTP login but Host Access Control configured to block Security 4
Similar threads
Host access control. OK to deny all except for my static IP?
Host Access Control error
CSF versus Host Access Control to lock down WHM/cPanel mgmt
How to tell which services aren't in active use, and can be safely blocked using Host Access Control?
Failed FTP login but Host Access Control configured to block
Top Bottom