How to tell which services aren't in active use, and can be safely blocked using Host Access Control?

spaceman

Well-Known Member
Mar 25, 2002
509
5
318
Hi All,

I've just become aware of Host Access Control.


The documentation says:

-------------------------------------------------
Use this interface to allow or deny (block) access to the following services for specific IP addresses:

  • cPanel (cpaneld)
  • WHM (whostmgrd)
  • Webmail (webmaild)
  • Web Disk (cpdavd)
  • FTP (ftpd)
  • SSH (sshd)
  • SMTP (smtp)
  • POP3 (pop3)
  • IMAP (imap)
-------------------------------------------------

One of the first principles of good security is "less is more", right? The fewer services that are running/accessible, the fewer potential vulnerabilities there are to exploit.

But sys admins don't want to go around denying access to services if those services are in active use.

The non-customer-centric way to work this out is to deny access to a server, see if any customers complain, and consider un-denying access if you have to (e.g. if the customer can't use an alternative service instead).

So the customer-centric way is to work out which method is best, per service (webmail, web disk, etc.), to confidently detect which is in (legitimate) active use, and which is not.

So my question to this forum is: what's the best, most authoritative method of detecting which of the above services are in active use (and which accounts are using them), per WHM server?

Reviewing log files, presumably? Specific search strings of specific log files for specific services?

Thanks in anticipation,

Ross
 

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,295
1,255
313
Houston
Hello,

I understand the end goal here, but I feel the need to clarify: Host Access Control controls access to services. The services listed are pretty basic web hosting services. That being said, as a system administrator or provider, the better way to go about this is to determine which services you want to offer to your clients.

  • WHM (whostmgr): Most providers restrict access to IPs authorized to access WHM and deny all others.
  • cPanel (cpaneld): If you have a lot of accounts, it doesn't make sense to restrict this. Your users would need access, and unless you have all of their static IP addresses (i.e., none of them have dynamic IPs or manage their cPanel account from other IPs), they wouldn't be able to access this to manage their accounts.
  • WebDisk (cpdavd): This service encompasses more than just Web Disk; cpdavd also manages contacts and calendars. This is a service most customers want/need with their webmail.
  • FTP (ftpd): This is FTP. If you want your users to be able to use FTP and you don't have the specific IPs they'll be accessing it from, you'll want to leave this alone.
  • SSH (sshd): Do you provide shell access to your users? If not, you can restrict this to just the administrative IPs that you want to be able to access the server through the command line.
  • SMTP (smtp): This is your SMTP mail server. In most cases you do not want to restrict this.
  • POP3 (pop3): This is the POP3 mail protocol. Most users set their clients up using IMAP, but you may not want to restrict this, to allow them the option to use POP3 instead.
  • IMAP (imap): The most popular mail protocol. If you disable this, most mail functions on the server will not function properly for your users.
You can also read the documentation here which may be helpful: Host Access Control | cPanel & WHM Documentation
 

spaceman

Thanks for that reply Lauren, and for clarifying/reminding the core functionality that can be affected by changes to host access control functionality in WHM.

Host access control functionality aside, yes, the underlying request here is for cPanel/WHM to think harder about how best to provide more options to shut down non-essential and/or non-used services on a server.

cPanel/WHM is great for general purpose website hosting requirements. It's got all the bells and whistles, and then some. BUT IMHO it faces an ever-growing threat from specialist/niche hosting services that, for example, claim to be 'optimised' for hosting WordPress sites, or Drupal sites, etc.

I've been hosting websites on cPanel/WHM for 20 years (!). But it's becoming increasingly hard for me to ignore these specialist hosting services (WP Engine, Flywheel, etc.) because of their optimised nature, which in theory should translate into better security, less complexity, happier clients and better ROI for our company.

I recognise that cPanel/WHM can't be all things to all people. BUT I recommend that you could go a long way towards reducing the competitive threat by offering up quick easy ways to customise/optimise cPanel/WHM for named applications.
 

cPanelLauren

@spaceman

I'm curious what you feel would improve cPanel for your users exactly? Beyond optimizing for a CMS such as WordPress.

Keep in mind as well that hosting services aren't what cPanel & WHM do, we don't provide hosting, rather we provide the platform to do so, which quite a few of these providers use.
 

spaceman

"what you feel would improve cPanel for your users exactly?"

That's a huge question!

A complete answer would require a head-to-toe review of all major and minor features of cPanel & WHM.

So sorry I can't be more specific, except to point you back to my original post, which is to observe that your software delivers a wide array of features and functionality, but like Microsoft Word, probably only 10% of the functionality is used by 90% of the users, meaning that there's a degree of bloatware with your software in an attempt to be all things to all people.

A start might be to build more diagnostics/reporting into WHM, that would help to more easily identify which functions/services are no longer in use (or if they are - by which cPanel users). Example: I don't think any of our 200+ hosting accounts use webmail (and associated features) anymore, because they've all moved to G Suite, Office 365, etc. So

1. I need to be able to easily/quickly/authoritatively confirm that none of our users on a server are using Webmail.
2. If this is the case, then I'd like tools that can disable webmail (and associated services) 100% from the server in question. Less is more! Better security (fewer points of potential weakness), and less complexity.

Hope that helps.
 

cPanelLauren

I'm sorry, I was under the impression that you had concerns about the features that were being offered. Thanks for your input though, it's helpful.

"A start might be to build more diagnostics/reporting into WHM, that would help to more easily identify which functions/services are no longer in use (or if they are - by which cPanel users). Example: I don't think any of our 200+ hosting accounts use webmail (and associated features) anymore, because they've all moved to G Suite, Office 365, etc. So"

The thing with your suggestion is that it's *not* the standard use case - most providers want to be able to offer mail to their users, based on requests we receive as well as field surveys/testing. BUT we do give the ability to modify this to suit YOUR needs. You can uninstall the webmail clients on the server completely by going to WHM>>Server Configuration -> Mail -> Enable Horde Webmail, Enable Roundcube mail. With these set to off, neither is enabled and webmail would be unusable.

Maybe the issue is more understanding of ALL the features cPanel & WHM has including ways to customize it to be streamlined for your purposes?
 

spaceman

IMHO the starting point would be to offer up simple reporting tools within the WHM interface that can confidently identify which services aren't being used (and some usage stats about ones that are).

So yes, a suitably experienced sys admin person would be able to dig around log files, perhaps write some custom scripts to attempt to identify, by one or more methods, which servers are not in active use. And then yes, in the specific example you gave (how to uninstall webmail clients) it looks straightforward, which is good.

But if I could have some reporting around usage stats of various services, that would be great.
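
The kind of custom log-review script mentioned in this post, as an added example that is not from any poster in this thread and is not cPanel's own tooling. It assumes the cPanel service access log uses a combined-log style line whose last field is the local port, and that the services listen on their default ports; the sample lines are constructed.

```python
import re
from collections import defaultdict

# Default cPanel & WHM ports (plain, TLS) mapped to the daemon names in the
# Host Access Control list. FTP, SSH and the mail daemons log elsewhere.
PORT_TO_SERVICE = {
    2082: "cpaneld", 2083: "cpaneld",
    2086: "whostmgrd", 2087: "whostmgrd",
    2095: "webmaild", 2096: "webmaild",
    2077: "cpdavd", 2078: "cpdavd",
}

# Assumed layout: combined-log style, with the local port as the last field.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"[^"]*" (?P<status>\d{3}) .* (?P<port>\d+)$'
)

def service_usage(lines):
    """Return {service: {user: hits}} for authenticated, non-rejected requests."""
    usage = {svc: defaultdict(int) for svc in set(PORT_TO_SERVICE.values())}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # line does not fit the assumed layout
        svc = PORT_TO_SERVICE.get(int(m["port"]))
        # Anonymous probes and rejected logins are not evidence of real use.
        if svc is None or m["user"] == "-" or m["status"] in ("401", "403"):
            continue
        usage[svc][m["user"]] += 1
    return {svc: dict(users) for svc, users in usage.items()}

def unused_services(usage):
    """Services with no authenticated activity in the sampled lines."""
    return sorted(svc for svc, users in usage.items() if not users)

# Constructed sample lines (not real log data).
TAIL = '0 "-" "Mozilla/5.0" "s" "-"'
SAMPLE = [
    f'203.0.113.10 - alice [03/20/2020:10:00:00 -0000] "GET /frontend/index.html HTTP/1.1" 200 {TAIL} 2083',
    f'203.0.113.10 - alice [03/20/2020:10:01:00 -0000] "GET /frontend/mail.html HTTP/1.1" 200 {TAIL} 2083',
    f'192.0.2.4 - root [03/20/2020:10:02:00 -0000] "GET /scripts/command HTTP/1.1" 200 {TAIL} 2087',
    f'198.51.100.7 - - [03/20/2020:10:05:00 -0000] "GET / HTTP/1.1" 401 {TAIL} 2096',
    f'198.51.100.7 - info@example.test [03/20/2020:10:06:00 -0000] "POST /login/ HTTP/1.1" 401 {TAIL} 2096',
    "truncated or malformed line",
]

if __name__ == "__main__":
    report = service_usage(SAMPLE)
    print(report, "no authenticated use:", unused_services(report))
```

A service showing no authenticated use is only unused for the period the log covers, so rotated logs need to be included before acting on the result.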
 

cPanelLauren

"But if I could have some reporting around usage stats of various services, that would be great."

We do this but it's kind of spread out between Server Status | cPanel & WHM Documentation, System Health | cPanel & WHM Documentation, and View Mail Statistics Summary | cPanel & WHM Documentation.

I think more so what you're looking for is like an "at-a-glance" kind of reporting? I think also this would be nice to have present in WHM but you might check out Munin for this - it's a plugin we support and offer in WHM>>cPanel>>Manage Plugins.

Munin will give you stats on Apache, Disk Usage, Exim, MySQL, Network, Processes, System information, Time (NTP related stats), and Disk performance.