The Community Forums


How can resellers w dynamic IPs access WHM without constant firewall whitelisting?

Discussion in 'Security' started by dfb121, Jun 30, 2011.

  1. dfb121

    dfb121 Registered

    We use ConfigServer and require any WHM and SSH access to have IP whitelisted. If a user's IP is not whitelisted they cannot connect, and this causes problems for users with dynamic IPs (travel, ISP constantly changes their IP, etc.).

    Can anyone recommend a solution so we can continue to keep WHM and SSH access locked down without frustrating our resellers connecting from dynamic IPs?

    Thanks!

    Dan
     
  2. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member


    You could provide login access to another machine such as a VPN that has a static address for them to log into to then use to log into WHM for the resellers with a dynamic IP.

    Otherwise, if the IP changes, you cannot use Host Access Control or some mechanism like it to lock out users based on IP address. You can always use Brute Force Protection, though, for whitelisting a set of IPs and those that are not whitelisted simply have to authenticate correctly.
     
  3. dfb121

    dfb121 Registered


    And want to be clear that the WHM user's IP provided by their ISP is changing/dynamic. The WHM server access IP does not change. So every time a traveler connects through a new ISP the IP they are connecting from changes. Currently we have to whitelist their IP every time it changes. We are hesitant to open up SSH and WHM access to the world and risk brute force attacks.

     
  4. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member


    I understood the point of your post and that it concerned whitelisting IPs accessing WHM, which is why I mentioned cPHulk Brute Force Protection and Host Access Control, which are areas you whitelist incoming IPs that try to access a machine. The suggestion I provided was to give those users access to a VPN, which will have an unchanging IP, then they could use that VPN to log into WHM. The VPN IP could be whitelisted. Otherwise, a proxy server that has an unchanging IP could be used to proxy their browser connection, and again you could provide login information to that proxy which would then allow an unchanging IP that could access WHM for those users' login.

    You cannot whitelist a dynamic IP. There is no way to perform such an action.
     
  5. amityweb

    amityweb Member


    My current host [URL removed] have written a simple WHM add-on that allows me to enter a dynamic hostname (e.g. from DynDNS) and then enters the IP address for this as an Allow in the firewall. It runs every 5 mins or so and checks if the hostname IP has changed, and if it has then it updates the firewall again. DynDNS is a service to update your hostname IP to your current dynamic IP.

    This works very well, unfortunately they won't release it to use on other servers, so my non-Clook servers do not have this protection.

    Instead I have to open up SSH, cPanel, WHM to the world just so a few customers on dynamic IP addresses can access them.

    MANY people are on dynamic IP addresses, and I am amazed that cPanel does not support this yet, via hostnames that can update to the dynamic IP like the script Clook wrote.

    Lately there has been a massive increase in hacking, and this is a very serious issue I believe cPanel should address more.

    There are so many other things cPanel could do, for example, the next best thing after the above would be to also disallow upload scripts except from IP addresses on an ALLOW list.

    This way, with SSH, cPanel, FTP and WHM all blocked, and then the software itself not allowing any upload, the server would be so much more secure. Without preventing upload of files from disallowed IP addresses every host in the world constantly has to keep updating and securing their scripts and we will always be one step behind hackers. So much time is spent which could be prevented if cPanel disallowed certain such PHP functions from all but an allowed list of IP addresses, which are updated from dynamic hostnames. Instead we have to open up SSH, FTP, cPanel, and WHM so users with dynamic IP addresses can access them, and host insecure software scripts.

    So I believe host software like cPanel could do so much more to help us secure our servers. Introducing this dynamic IP update in the firewall from a DynDNS service is for one a massive increase in my server security, but I can only use it on [URL removed]
     
  6. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member


    We have a feature request forum area where you might want to post your suggestion, since that forum would be viewed for possible future implementations into the product:

    http://go.cpanel.net/iwant
     
  7. brianoz

    brianoz Well-Known Member


    It's probably worth clearing up what appears to be confusion about how to use CSF in this thread.

    Both of the issues described are simply a matter of configuring CSF correctly and there is no need for any change in cPanel as far as I can see.

    Firstly, CSF does handle dynamic IP addresses in more recent versions. Check out the doco to turn it on - you simply add the dynamic addresses to csf.dyndns. I don't think it's in the UI, but it's certainly in CSF.

    Secondly, if you are having to whitelist to allow access to SSH it's because you haven't listed it in the list of TCP_IN ports. If you had, it would be accessible without whitelisting. If you don't, you're having to run csf -a to allow that client IP to access all ports on your server. The other alternative, if you want something more secure, is to turn on port knocking, also in the CSF doco.

    You should, I assume above, be running SSH on a non-standard port for a variety of reasons (to reduce log noise, to prevent scanners/common attacks, etc.) which will remove the issue of having SSH open. CSF provides good protection against SSH brute force so there's really no reason not to run it on an open - but non-22 - port. The port you choose should be nice and high and not obvious, e.g. not 2222 (too low, obvious), 22222 (perhaps obvious), etc.
     
    #7 brianoz, Nov 20, 2011
    Last edited: Nov 20, 2011
  8. amityweb

    amityweb Member


    Hi brianoz

    Where you say this "you simply add the dynamic addresses to csf.dyndns", do you mean the actual IP address? Because this is the issue I was reporting... as it's dynamic it will change often, and it's not reasonable to keep updating it in CSF. So what we would need is to be able to enter a dynamic hostname (like that from DynDNS) which resolves to the IP and changes automatically. That way there is no need for constant updating when customers want to access the server.

    So what is needed is either cPanel or CSF to support dynamic hostnames from a service such as DynDNS. Then we can all lock down the server and request customers set up dynamic hostnames.

    I only mention it on cPanel because it has the Host Access Control facility that may be able to be updated to support hostnames, and because my host have added a plugin in WHM to manage dynamic hostnames (although this updates the IP in CSF direct I believe, so probably not a cPanel thing, just a plugin in it).

    I also think this sort of thing should not be left to us to submit a feature request because in my mind this is just a plain obvious security enhancement which cPanel should be doing anyway. It's a no-brainer!

    Thanks
     
  9. brianoz

    brianoz Well-Known Member


    Do you seriously think I would be suggesting entering the dynamic IP??? What good would that do????

    If you would actually take a moment of your time and *read* the CSF documentation you'll see it already implements the solution you need, just as I said above, using the dynamic hostname to derive the actual IP as it changes. :p

    I think CSF takes a few minutes to notice the new IP and change its rules IP when it changes, but you should be right within 5 minutes from what brief comments I've read. Would be nice if you came back and confirmed how well it is working for you - or not - so we know.
     
  10. amityweb

    amityweb Member


    Sorry, I was just quoting you, it said add the dynamic IP. So I assume you mean you can add the hostname to csf.dyndns and CSF will update the IP accordingly? If that's the case then that's good, although I am not very familiar with the CSF settings but can look into it now I know it does it.
     
  11. brianoz

    brianoz Well-Known Member


    Sorry, I did use vague language! Yes you add the hostname and CSF resolves it periodically. It's described in the readme file, but really I think you just add it to the file and that's all you have to do.
     
  12. amityweb

    amityweb Member


    Just to update...

    I have discovered how to add the dynamic hostname to CSF and it works! So this is excellent news. I wish cPanel or someone made a more user friendly interface because this is a massive help against hackers. One of my server hosts wrote a WHM add-on to manage the csf.dyndns file which makes it very easy to add new dyndns entries.

    I followed the guide here:
    http://xmodx.com/guide-on-how-to-enable-dyndns-on-your-server/

    Setting DYNDNS to 300 (every 5 mins)

    In Firewall Configuration I also removed port 21 from the TCP and UDP allow ports to block FTP. And then removed some CPanel ports to block those.

    It's all working great! So thanks a lot for your help, my server is far more secure.
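
Added example, not part of any post in this thread and not CSF's or the host's add-on code: a sketch of the reconcile step behind the hostname-based allowlisting discussed above, showing which addresses a periodic check should add, remove or refuse. The function names, the `max_addrs` limit, the ports and the sample addresses are assumptions made for illustration; the rule lines use CSF's advanced allow filter form.

```python
import ipaddress

# RFC 1918 ranges: a public dynamic-DNS name should never resolve into these.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def usable(addr):
    """True only for a syntactically valid address outside special-use ranges."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    if (ip.is_loopback or ip.is_link_local or ip.is_multicast
            or ip.is_unspecified or ip.is_reserved):
        return False
    return not any(ip in net for net in RFC1918)


def plan_update(resolved, allowed, max_addrs=4):
    """Compare the latest DNS answer with the addresses currently allowed.

    resolved: address strings from the most recent lookup of the hostname
    allowed:  set of addresses the firewall currently allows for that hostname
    """
    good = {a for a in resolved if usable(a)}
    rejected = sorted(set(resolved) - good)
    # An unexpectedly large answer is treated as suspicious: grant nothing new.
    to_add = good - allowed if len(good) <= max_addrs else set()
    # Anything no longer in the answer is removed, so an empty or failed
    # lookup closes access instead of leaving the old address open.
    to_remove = allowed - good
    return {"add": to_add, "remove": to_remove, "rejected": rejected}


def render_rules(ips, ports):
    """One port-scoped allow line per (address, port), not an all-ports allow."""
    return [f"tcp|in|d={p}|s={ip}" for ip in sorted(ips) for p in ports]


if __name__ == "__main__":
    # Constructed sample data (documentation address ranges, hypothetical ports).
    plan = plan_update(["203.0.113.25", "192.168.1.10"], {"198.51.100.7"})
    print(plan)
    print(render_rules(plan["add"], ports=(2087, 49222)))
```

The previous address stays allowed until the next check runs, so the check interval (300 seconds in the post above) is the longest time a stale address keeps access.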
     
  13. cwuser

    cwuser Active Member


    I wish cPanel had a feature to whitelist the machine hardware (MAC) address instead of us having to install CSF or struggling with dynamic IP addresses. Any thoughts or rejection?
     
    #13 cwuser, Jun 6, 2012
    Last edited: Jun 6, 2012
  14. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member


    I would suggest opening up a feature request on it then at Feature Requests for cPanel/WHM
     