How can resellers w dynamic IPs access WHM without constant firewall whitelisting?

[dfb121]

We use ConfigServer and require any WHM and SSH access to have IP whitelisted. If a users' IP is not whitelisted they can not connect and this causes problems for users with dynamic IPs (travel, ISP constantly changes their IP etc.)

Can anyone recommend a solution so we can continue to keep WHM and SSH access locked down without frustrating our resellers connecting from dynamic IPs?

Thanks!

Dan

 

[cPanelTristan]

Re: How can resellers w dynamic IPs access WHM without constant firewall whitelisting

You could provide login access to another machine such as a VPN that has a static address for them to log into to then use to log into WHM for the resellers with a dynamic IP.

Otherwise, if the IP changes, you cannot use Host Access Control or some mechanism like it to lock out users based on IP address. You can always use Brute Force Protection, though, for whitelisting a set of IPs and those that are not whitelisted simply have to authenticate correctly.

 

[dfb121]

Re: How can resellers w dynamic IPs access WHM without constant firewall whitelisting

And want to be clear that the WHM user's IP provided by their ISP is changing/dynamic. The whm server access IP does not change. So every time a traveler connects through a new ISP the IP they are connecting from changes. Currently we have to whitelist their ip every time it changes. We are hesitant to open up ssh and whm access to the world and risk brute force attacks.

You could provide login access to another machine such as a VPN that has a static address for them to log into to then use to log into WHM for the resellers with a dynamic IP.

Otherwise, if the IP changes, you cannot use Host Access Control or some mechanism like it to lock out users based on IP address. You can always use Brute Force Protection, though, for whitelisting a set of IPs and those that are not whitelisted simply have to authenticate correctly.

 

[cPanelTristan]

Re: How can resellers w dynamic IPs access WHM without constant firewall whitelisting

I understood the point of your post and that it concerned whitelisting IPs accessing WHM, which is why I mentioned cPHulk Brute Force Protection and Host Access Control, which are areas you whitelist incoming IPs that try to access a machine. The suggestion I provided was to give those users access to a VPN, which will have an unchanging IP, then they could use that VPN to log into WHM. The VPN IP could be whitelisted. Otherwise, a proxy server that has an unchanging IP could be used to proxy their browser connection, and again you could provide login information to that proxy which would then allow an unchanging IP that could access WHM for those users' login.

You cannot whitelist a dynamic IP. There is no way to perform such an action.

 

[amityweb]

Re: How can resellers w dynamic IPs access WHM without constant firewall wh

My current host [URL removed] have written a simple WHM Add on that allows me to enter a dynamic hostname (e.g. from DynDNS) and then enter the IP address for this as an Allow in the firewall. It runs every 5 mins or so and checks if the hostname IP has changed and if it has then update the firewall again. DynDNS is a service to update your hostname IP to your current dynamic IP.

This works very well, unfortunately they wont release it to use on other servers, so mny non-Clook servers do not have this protection.

Instead I have to open up SSH, cPanel, WHEN to the world just so a few customers on dynamic IP addesses can access them.

MANY people are on dynamic IP addresses, and I am amazed that cPanel does not support this yet, via hostnames that can update to the dynamic IP like the script Clook wrote.

Lately there has been a massive increased of hacking, and this is a very serious issue I believe cPanel should address more.

There are so many other things cPanel could do, for example, the next best thing after the above would be to also disallow upload scripts except from IP addresses on an ALLOW list.

This way, with SSH, cPanel, FTP and WHM all blocked, and then the software itself not allowing any upload, the server would be so much more secure. Without preventing upload of files from disallowed IP addresses every host in the world constantly has to keep updating and securing their scripts and we will always be one step behind hackers. So much time spent which could prevented if cPanel disallowed such certain PHP functions from all but an allowed list of IP addresses, which are updated from dynamic hostnames. Instead we have to open up SSH, FTP, cPanel, and WHM so user with dynanic IP addresses can access them, and host unsecure software scripts.

So I believe host software like cPanel could do so much more to help us secure our servers. Introducing this dynamic Ip update in the firewall from a DynDNS service is for one a massive increase in my server security, but I can only use it on [URL removed]

 

[cPanelTristan]

Re: How can resellers w dynamic IPs access WHM without constant firewall wh

We have a feature request forum area where you might want to post your suggestion, since that forum would be viewed for possible future implementations into the product:

http://go.cpanel.net/iwant

 

[brianoz]

Re: How can resellers w dynamic IPs access WHM without constant firewall wh

It's probably worth clearing up what appears to be confusion about how to use CSF in this thread.

Both of the issues described are simply a matter of configuring CSF correctly and there is no need for any change in cPanel as far as I can see.

Firstly, CSF does handle dynamic IP addresses in more recent versions. Check out the doco to turn it on - you simply add the dynamic addresses to csf.dyndns. I don't think it's in the UI, but it's certainly in CSF.

Secondly, if you are having to whitelist to allow access to SSH it's because you haven't listed it in the list of TCP_IN ports. If you had, it would be accessible without whitelisting. If you don't, you're having to run csf -a to allow that client IP to access all ports on your server. The other alternative, if you want something more secure, is to turn on port knocking, also in the CSF doco.

You should, I assume above, be running SSH on a non-standard port for a variety of reasons (to reduce log noise, to prevent scanners/common attacks etc) which will remove the issue of having SSH open. CSF provides good protection against SSH brute force so there's really no reason not to run it on on open - but non-22 - port. The port you choose should be nice and high and not obvious. eg not 2222 (too low, obvious) 22222 (perhaps obvious) etc.

 

[amityweb]

Re: How can resellers w dynamic IPs access WHM without constant firewall wh

Hi brianoz

Where you say this "you simply add the dynamic addresses to csf.dyndns", do you mean the actual IP address? Because this is the issue I was reporting... as its dynamic it will change often, and its not reasonable to keep updating it in CSF. So what we would need is to be able to enter a dynamic hostname (like that from DynDNS) which resolves to the IP and changes automatically. That way there is no need for constant updating when customers want to access the server.

So what is needed is either CPanel or CSF to support dynamic hostnames from a service such as DynDNS. Then we can all lock down the server and request customers setup dynamic hostnames.

I only mention it on Cpanel because it has the host access control facility that may be able to be updated to supported hostnames, and because my host have added a plugin in WHM to manage dynamic hostnames (although this updates the IP in CSF direct I believe so probably not a CPanel thing. just a plugin in it).

I also think this sort of thing should not be left to us to submit a feature request because in my mind this is just plain obvious security enhancement which Cpanel should be doing anyway. Its a no brainer!

Thanks

 

[brianoz]

Re: How can resellers w dynamic IPs access WHM without constant firewall wh

Hi brianoz

Where you say this "you simply add the dynamic addresses to csf.dyndns", do you mean the actual IP address?

Do you seriously think I would be suggesting entering the dynamic IP??? What good would that do????

If you would actually take a moment of your time and *read* the CSF documentation you'll see it already implements the solution you need, just as I said above, using the dynamic hostname to derive the actual IP as it changes. :p

I think CSF takes a few minutes to notice the new IP and change it's rules IP when it changes, but you should be right within 5 minutes from what brief comments I've read. Would be nice if you came back and confirmed how well it is working for you - or not - so we know.

 

[amityweb]

Re: How can resellers w dynamic IPs access WHM without constant firewall wh

Sorry, I was just quoting you, it said add the dynamic IP. So I assume you mean you can add the hostname to csf.dyndns and CSF will update the IP accordingly? If that's the case then that's good, although I am not very familiar with the CSF settings but can look into it now I know it does it.

 

[brianoz]

Re: How can resellers w dynamic IPs access WHM without constant firewall wh

Sorry, I did use vague language! Yes you add the hostname and CSF resolves it periodically. It's described in the readme file, but really I think you just add it to the file and that's all you have to do.

 

[amityweb]

Re: How can resellers w dynamic IPs access WHM without constant firewall wh

Just to update...

I have discovered how to add the dynamic hostname to CSF and it works! So this is excellent news. I wish cPanel or someone made a more user friendly interface because this is a massive help against hackers. One of my server hosts wrote a WHM add-on to manage the csf.dyndns file which makes it very easy to add new dyndns entries.

I followed the guide here:
/http://xmodx.com/guide-on-how-to-enable-dyndns-on-your-server/

Setting DYNDNS to 300 (every 5 mins)

In Firewall Configuration I also removed port 21 from the TCP and UDP allow ports to block FTP. And then removed some CPanel ports to block those.

Its all working great! So thanks a lot for your help, my server is far more secure.

 

[cwuser]

Re: How can resellers w dynamic IPs access WHM without constant firewall wh

I wish CPanel had feature to whitelist the machine hardware (MAC) address instead of we having install CSF or struggling with Dynamic IP address. Any thought or rejection?

 

[cPanelTristan]

Re: How can resellers w dynamic IPs access WHM without constant firewall wh

I would suggest opening up a feature request on it then at Feature Requests for cPanel/WHM