The Community Forums

Interact with an entire community of cPanel & WHM users!

How to allow cpanel/whm access via https only?

Discussion in 'General Discussion' started by Roberto, Jan 18, 2004.

Thread Status:
Not open for further replies.
  1. Roberto

    Roberto Active Member

  2. Roberto

    Roberto Active Member

    I am not sure, but I didn't do it! :P
     
  3. cosmin

    cosmin Well-Known Member

    You can block ports 2082 and 2086 from iptables.
     
  4. @home

    @home Well-Known Member

    Use a firewall.

    That is no luxury in these hacking times ;)

    APF is a real good one.
    Then close the ports.
     
  5. foxboy

    foxboy Well-Known Member

    Then edit your httpd.conf to redirect all /cpanel traffic to the SSL ports.
     
  6. ThunderHostingDotCom

    ThunderHostingDotCom Well-Known Member

    This sounds great! But is it really needed? Has anyone had a password stolen while logging into cPanel or WHM via http? Or is there another reason to https the urls?
     
  7. @home

    @home Well-Known Member

    Why do you think that companies like PayPal and banks use SSL? For the same reason I do.

    Safety first... because you'll never know.

    I just want to be certain! Do you want to take the risk?

    They developed it for your own security, not for fun!



    :p
     
  8. ThunderHostingDotCom

    ThunderHostingDotCom Well-Known Member

    I understand the reason why you want to do this & think it is smart, but I just wanted to know if the http way is that insecure? & There are trade-offs, since https takes longer to load than http. I wasn't criticising you, just curious!
     
  9. allenhui

    allenhui Well-Known Member

    HTTP can easily be hacked from another server on the same switch.
    SSL also... but it needs a higher level.
    I am also trying to find ways to force users to use SSL instead of HTTP. I tried to block the port, but it failed on both 2086 and 2087.
    Has anyone already done this?
     
  10. AlexF

    AlexF Well-Known Member

    I'd also like to know a workaround to this, anyone?
     
  11. bitstream

    bitstream Member

    try apf firewall

    I would recommend you give APF firewall a try - it is very easy to install, and you can easily block individual ports.

    I would highly recommend you use SSL whenever possible - take a few computer security courses and you will see exactly how easy it is to get all kinds of info over a non-secure connection. All it takes is a knoppix CD and a few "network monitoring" (hacking) tools and you can pick up almost anything sent in plain text.

    Same reason telnet should be disabled on everyone's servers - never send a password in clear text if you can help it.

    edit: apf firewall page - http://www.rfxnetworks.org
     
  12. allenhui

    allenhui Well-Known Member

    Re: try apf firewall

    I agree with you. APF is easy to install and clearly lists the ports you want to block for your server.
     
  13. @home

    @home Well-Known Member

    Yes, APF is very good and easy to work with.
     
  14. EWD

    EWD Well-Known Member
    PartnerNOC

  15. Donna

    Donna BANNED

    How about this... make the https work right.

    Right now with 35 servers, only have the cpanel's now work and you can't shut the damn thing off to allow regular http access again.
     
  16. dysk

    dysk Well-Known Member

    Firewalls are a definite good idea, but here's a quick fix:

    iptables -A INPUT -i eth0 -p tcp --dport <cpanel insecure port> -j REJECT

    iptables -A INPUT -i eth0 -p tcp --dport <whm insecure port> -j REJECT

    If you like that, find a way to work it into rc.d, so it runs whenever your server boots.

    This works because ssl is routed from ssltunneld into the local loopback interface, which is not eth0.

    Of note, a password from SSL could still be sniffed if someone rooted the server, but I think you'd have more to worry about in that case.

    Regards,
    Erek Dyskant
    Unix Consultant

    *DISCLAIMER* I haven't tested this code on a live server.
     
    #16 dysk, Feb 7, 2004
    Last edited: Feb 13, 2004
  17. BigBamboo

    BigBamboo Active Member

    WHM 8.8 has this option in the Tweak Settings page:

    When users access /cpanel or /whm or /webmail on their domain redirect them to the https(ssl) port instead of the insecure one

    ;c)
     
  18. dysk

    dysk Well-Known Member

    Hi-
    Thanks for pointing out that it is possible through tweak settings, it is nice that we don't have to edit the apache config anymore.
    Of note, that still allows users to use the insecure port, just defaults them to the secure one...


    Regards,
    Erek
     
  19. BigBamboo

    BigBamboo Active Member

    True, so if you need high security you still have to close those insecure ports ;c)
     
  20. @home

    @home Well-Known Member

    As said earlier, use a firewall like APF.

    Close all unused ports.

    Here you will find a list of ports that need to be open (don't add 2082, 2086, 2095, of course):

    http://faq.cpanel.net/list.cgi

    Here is a howto for apf

    http://forum.rackshack.net/showthread.php?s=&threadid=28482&highlight=apf

    In Tweak Settings, use the insecure > secure forward.

    When users type http://domain.com/cpanel or http://domain.com/whm they will go to https.

    TIP!! Buy an SSL cert for cPanel so your customers don't get that annoying popup when they log in.

    Martin
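
An added example, not code from any poster in this thread: a first-match audit of saved `iptables -S` output that reports which of the plaintext ports named above (2082, 2086, 2095) a new connection can still reach on a given interface. The function names and the sample ruleset are constructed for illustration; the parser assumes plain `--dport`/`--dports` lists and ignores port ranges, negated matches and user-defined chains.

```shell
# Added example: audit `iptables -S` text for plaintext ports 2082/2086/2095.
PLAINTEXT_PORTS="2082 2086 2095"

# verdict_for_port RULES IFACE PORT -> prints ACCEPT, REJECT or DROP
verdict_for_port() {
    printf '%s\n' "$1" | awk -v iface="$2" -v port="$3" '
        $1 == "-P" && $2 == "INPUT" { policy = $3; next }
        $1 != "-A" || $2 != "INPUT" { next }
        {
            in_if = ""; proto = ""; ports = ""; target = ""; state = ""; src = 0
            for (i = 3; i < NF; i++) {
                if ($i == "-i") in_if = $(i + 1)
                else if ($i == "-p") proto = $(i + 1)
                else if ($i == "-s") src = 1
                else if ($i == "--dport" || $i == "--dports") ports = $(i + 1)
                else if ($i == "--state" || $i == "--ctstate") state = $(i + 1)
                else if ($i == "-j") target = $(i + 1)
            }
            if (target != "ACCEPT" && target != "REJECT" && target != "DROP") next
            if (in_if != "" && in_if != iface) next
            if (proto != "" && proto != "tcp") next
            if (state != "" && state !~ /NEW/) next   # established-only rules
            if (src && target != "ACCEPT") next       # block limited to one source
            if (ports != "") {
                hit = 0; n = split(ports, list, ",")
                for (k = 1; k <= n; k++) if (list[k] == port) hit = 1
                if (!hit) next
            }
            print target; found = 1; exit             # first matching rule wins
        }
        END { if (!found) print (policy == "" ? "ACCEPT" : policy) }'
}

# exposed_ports RULES IFACE -> plaintext ports a new connection can still reach
exposed_ports() {
    out=""
    for p in $PLAINTEXT_PORTS; do
        if [ "$(verdict_for_port "$1" "$2" "$p")" = "ACCEPT" ]; then out="$out $p"; fi
    done
    printf '%s\n' "${out# }"
}

# Constructed sample ruleset (not from a real server): the multiport ACCEPT
# precedes the appended REJECT for 2086, and 2095 has no rule at all.
SAMPLE_RULES='-P INPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m multiport --dports 2086,2087 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 2082 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i eth0 -p tcp -m tcp --dport 2086 -j REJECT --reject-with icmp-port-unreachable'
exposed_ports "$SAMPLE_RULES" eth0   # prints: 2086 2095
```

On a live server the first argument would be the output of `iptables -S INPUT` captured as root; an empty result means every listed plaintext port is rejected or dropped before any rule accepts it.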
     