Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!

Host Access Control - Proxy Subdomains Bypass

Discussion in 'Security' started by mbd5882, Jul 28, 2012.

  1. mbd5882

    mbd5882 Well-Known Member

    Joined:
    Apr 30, 2005
    Messages:
    63
    Likes Received:
    0
    Trophy Points:
    156
    Location:
    United Kingdom
    cPanel Access Level:
    Root Administrator
    Hello,

    I'm trying to block WHM access to our company network only. I created a Host Access Control rules as below.

    whostmgrd OFFICEIP allow # Allow office staff access
    whostmgrd LOCAL allow # Allow local API requests
    whostmgrd ALL DENY # Deny all others access

    This worked fine and all other IP addresses attempting to access WHM through ports 2086 and 2087 were given a forbidden message.

    However, WHM can still be accessed through the cPanel proxy subdomains as whm.customerdomain.tld as this is through Apache.

    How can I block WHM access through the proxy subdomains also? Is my only solution to disable the proxy subdomains?

    I appreciate any help on this issue.

    Regards,
    Asad Haider
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #1 mbd5882, Jul 28, 2012
  2. cPanelTristan

    cPanelTristan Quality Assurance Analyst Staff Member

    Joined:
    Oct 2, 2010
    Messages:
    7,606
    Likes Received:
    33
    Trophy Points:
    238
    Location:
    somewhere over the rainbow
    cPanel Access Level:
    Root Administrator
    Hello Asad,

    That's a really good question that I've never realized that it was the case. I would have thought the wrapper itself for whostmgrd process couldn't be bypassed by proxy subdomains, but I've just tested this on my machine where I did a deny just for my IP for whostmgrd and whm.mydomain.com bypassed the restriction.

    The only way I could see around this issue would be to only allow WHM on a dedicated IP that you aren't using for anything else, then to only allow that proxy subdomain for whm on that dedicated IP. At that point, you could restrict all port traffic to that IP to only the allowed IPs.

    Alternatively, you could remove the whm proxy subdomain entirely and only have the others.

    Thanks!
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #2 cPanelTristan, Jul 28, 2012
  3. mbd5882

    mbd5882 Well-Known Member

    Joined:
    Apr 30, 2005
    Messages:
    63
    Likes Received:
    0
    Trophy Points:
    156
    Location:
    United Kingdom
    cPanel Access Level:
    Root Administrator
    Hi Tristan,

    Sorry about the two threads, all our staff have access to this account so I should have posted it under here.

    Thanks for looking into it, I thought you would be aware of the issue already. I came across it accidentally while testing if the blocking was working and couldn't find a fix or similar reported issue on the forums.

    I guess I'll disable proxy subdomains for now to prevent access. We'll take a look into running it on a dedicated IP address and blocking it that way.

    Would you guys be looking into this further? or letting people know about it?

    Thanks,
    Asad
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #3 mbd5882, Jul 28, 2012
  4. cPanelTristan

    cPanelTristan Quality Assurance Analyst Staff Member

    Joined:
    Oct 2, 2010
    Messages:
    7,606
    Likes Received:
    33
    Trophy Points:
    238
    Location:
    somewhere over the rainbow
    cPanel Access Level:
    Root Administrator
    Hello Asad,

    I'm going to go through our internal reports to see if anything is mentioned about it and then inquire about the issue. It isn't necessarily a bug, but it might well be something needing documented on our site if it hasn't been.

    Since I was not aware of it, I'd imagine many others aren't aware of it either. There's no warning in either the proxy subdomains tweak setting nor in Host Access Control about these bypassing the restrictions.

    Thanks!
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #4 cPanelTristan, Jul 28, 2012
(You must log in or sign up to post here.)
Loading...
Similar Threads - Host Access Control
  1. Kamil Brand Nova

    Blacklisting IP's in Host Access Control blocks FTP connections?

    Kamil Brand Nova, Dec 14, 2018, in forum: Security
    Replies:
    1
    Views:
    324
    cPanelMichael
    Dec 17, 2018
  2. vponteras

    Mail Security Using Host Access Control?

    vponteras, Sep 19, 2018, in forum: Security
    Replies:
    1
    Views:
    148
    cPanelMichael
    Sep 21, 2018
  3. Samet Chan

    SOLVED FTP - host access control issue.

    Samet Chan, Jul 3, 2018, in forum: General Discussion
    Replies:
    5
    Views:
    362
    cPanelLauren
    Jul 6, 2018
  4. Sametto Chan

    Host Access Control - Access List pixel is small.

    Sametto Chan, Aug 23, 2017, in forum: General Discussion
    Replies:
    8
    Views:
    432
    cPanelMichael
    Aug 23, 2017
  5. cornishman33

    Host Access Control Irregularity?

    cornishman33, Aug 3, 2017, in forum: Security
    Replies:
    4
    Views:
    447
    cornishman33
    Aug 3, 2017

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...
    Dismiss Notice