How to tell which services aren't in active use, and can be safely blocked using Host Access Control?

spaceman

Well-Known Member
Mar 25, 2002
508
5
318
Hi All,

I've just become aware of Host Access Control.


The documentation says:

-------------------------------------------------
Use this interface to allow or deny (block) access to the following services for specific IP addresses:

  • cPanel (cpaneld)
  • WHM (whostmgrd)
  • Webmail (webmaild)
  • Web Disk (cpdavd)
  • FTP (ftpd)
  • SSH (sshd)
  • SMTP (smtp)
  • POP3 (pop3)
  • IMAP (imap)
-------------------------------------------------

One of the first principles of good security is "less is more", right? The fewer services that are running/accessible, the fewer potential vulnerabilities there are to exploit.

But sysadmins don't want to go around denying access to services if those services are in active use.

The non-customer-centric way to work this out is to deny access to a server, see if any customers complain, and consider un-denying access if you have to (e.g. if the customer can't use an alternative service instead).

So the customer-centric way is to work out which method is best, per service (webmail, web disk, etc.), to confidently detect which is in (legitimate) active use, and which is not.

So my question to this forum is: what's the best, most authoritative method of detecting which of the above services are in active use (and which accounts are using them), per WHM server?

Reviewing log files, presumably? Specific search strings of specific log files for specific services?

Thanks in anticipation,

Ross
 

cPanelLauren

Forums Analyst II
Staff member
Nov 14, 2017
10,088
877
313
Houston
Hello,

I understand the end goal here, but I feel the need to clarify: Host Access Control controls access to services. The services listed are pretty basic web hosting services. That being said, as a system administrator or provider, the better way to go about this is to determine which services you want to offer to your clients.

  • WHM (whostmgr): Most providers restrict access to IPs authorized to access WHM and deny all others.
  • cPanel (cpaneld): If you have a lot of accounts it doesn't make sense to restrict this - your users would need access, and unless you have all of their static IP addresses (i.e., none of them have dynamic IPs or manage their cPanel account from other IPs) they wouldn't be able to access this to manage their accounts.
  • WebDisk (cpdavd): This service encompasses more than just webdisk; cpdavd also manages contacts and calendars - this is a service most customers want/need with their webmail.
  • FTP (ftpd): This is FTP - if you want your users to be able to use FTP and you don't have the specific IPs they'll be accessing it from, you'll want to leave this alone.
  • SSH (sshd): Do you provide shell access to your users? If not, you can restrict this to just the administrative IPs that you want to be able to access the server through the command line.
  • SMTP (smtp): This is your SMTP mail server. In most cases you do not want to restrict this.
  • POP3 (pop3): This is the POP3 mail protocol. Most users set their clients up using IMAP, but you may not want to restrict this, to allow them the option to use POP3 instead.
  • IMAP (imap): The most popular mail protocol; if you disable this, most mail functions on the server for your users will not be able to function properly.
You can also read the documentation here which may be helpful: Host Access Control | cPanel & WHM Documentation
 

spaceman

Thanks for that reply Lauren, and for clarifying/reminding the core functionality that can be affected by changes to host access control functionality in WHM.

Host access control functionality aside, yes, the underlying request here is for cPanel/WHM to think harder about how best to provide more options to shut down non-essential and/or non-used services on a server.

cPanel/WHM is great for general purpose website hosting requirements. It's got all the bells and whistles, and then some. BUT IMHO it faces an ever-growing threat from specialist/niche hosting services that, for example, claim to be 'optimised' for hosting WordPress sites, or Drupal sites, etc.

I've been hosting websites on cPanel/WHM for 20 years (!). But it's becoming increasingly hard for me to ignore these specialist hosting services (WP Engine, Flywheel, etc.) because of their optimised nature, which in theory should translate into better security, less complexity, happier clients and better ROI for our company.

I recognise that cPanel/WHM can't be all things to all people. BUT I recommend that you could go a long way towards reducing the competitive threat by offering up quick easy ways to customise/optimise cPanel/WHM for named applications.
 

spaceman

"what you feel would improve cPanel for your users exactly?"

That's a huge question!

A complete answer would require a head-to-toe review of all major and minor features of cPanel & WHM.

So sorry I can't be more specific, except to point you back to my original post, which is to observe that your software delivers a wide array of features and functionality, but like Microsoft Word, probably only 10% of the functionality is used by 90% of the users, meaning that there's a degree of bloatware with your software in an attempt to be all things to all people.

A start might be to build more diagnostics/reporting into WHM, that would help to more easily identify which functions/services are no longer in use (or if they are - by which cPanel users). Example: I don't think any of our 200+ hosting accounts use webmail (and associated features) anymore, because they've all moved to G Suite, Office 365, etc. So:

1. I need to be able to easily/quickly/authoritatively confirm that none of our users on a server are using Webmail.
2. If this is the case, then I'd like tools that can disable webmail (and associated services) 100% from the server in question. Less is more! Better security (fewer points of potential weakness), and less complexity.

Hope that helps.
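
The log review asked about in the first post, sketched as an added example that is not from any poster in this thread or from cPanel: it tallies successful logins per Host Access Control service and lists the services nobody used. The sample lines are constructed and the line formats (dovecot, OpenSSH and Pure-FTPd syslog entries, and a cpsrvd-style access log ending in the listener port) are assumptions to check against your own server's logs; SMTP is left out because it needs the mail transfer log.

```python
import re
from collections import defaultdict

# Constructed sample lines (assumed formats, not captured from a real server).
SAMPLE = """\
Mar  3 09:14:02 host dovecot: imap-login: Login: user=<bob@example.com>, method=PLAIN, rip=203.0.113.5, lip=198.51.100.2, TLS
Mar  3 09:20:41 host dovecot: pop3-login: Login: user=<amy@example.org>, method=PLAIN, rip=203.0.113.8, lip=198.51.100.2, TLS
Mar  3 09:25:10 host dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<bob@example.com>, rip=192.0.2.66
Mar  3 10:01:17 host sshd[4121]: Accepted publickey for root from 203.0.113.9 port 51234 ssh2
Mar  3 10:02:00 host sshd[4130]: Failed password for admin from 192.0.2.66 port 40022 ssh2
Mar  3 10:30:55 host pure-ftpd: (?@203.0.113.7) [INFO] carol is now logged in
203.0.113.5 - carol [03/03/2024:11:00:01 -0000] "GET /frontend/jupiter/index.html HTTP/1.1" 200 0 "-" "Mozilla/5.0" "s" "-" 2083
203.0.113.9 - root [03/03/2024:11:05:44 -0000] "GET /scripts/command HTTP/1.1" 200 0 "-" "Mozilla/5.0" "s" "-" 2087
192.0.2.66 - - [03/03/2024:11:06:02 -0000] "GET / HTTP/1.1" 401 0 "-" "curl/8.0" "s" "-" 2096
"""

# Default cPanel listener ports mapped to the daemon names used in the thread.
PORTS = {"2082": "cpaneld", "2083": "cpaneld", "2086": "whostmgrd", "2087": "whostmgrd",
         "2095": "webmaild", "2096": "webmaild", "2077": "cpdavd", "2078": "cpdavd"}
SERVICES = ["cpaneld", "whostmgrd", "webmaild", "cpdavd", "ftpd", "sshd", "pop3", "imap"]

MAIL = re.compile(r"dovecot: (imap|pop3)-login: Login: user=<([^>]+)>")
SSH = re.compile(r"sshd\[\d+\]: Accepted \S+ for (\S+) from ")
FTP = re.compile(r"pure-ftpd: \([^)]*\) \[INFO\] (\S+) is now logged in")
WEB = re.compile(r'^\S+ - (\S+) \[[^\]]+\] "[^"]*" (\d{3}) .* (\d+)$')

def active_use(lines):
    """Return {service: set(users)}, counting only successful authentications."""
    seen = defaultdict(set)
    for line in lines:
        if m := MAIL.search(line):
            seen[m.group(1)].add(m.group(2))
        elif m := SSH.search(line):
            seen["sshd"].add(m.group(1))
        elif m := FTP.search(line):
            seen["ftpd"].add(m.group(1))
        elif m := WEB.match(line):
            user, status, port = m.groups()
            # An authenticated request carries a user name and a 2xx/3xx status.
            if user != "-" and status[0] in "23" and port in PORTS:
                seen[PORTS[port]].add(user)
    return dict(seen)

def unused(seen):
    """Services with no successful login in the lines examined."""
    return [s for s in SERVICES if not seen.get(s)]

if __name__ == "__main__":
    seen = active_use(SAMPLE.splitlines())
    for svc in SERVICES:
        print(f"{svc:10} {sorted(seen.get(svc, [])) or 'no successful logins'}")
```

A service showing no logins is only unused for the period the retained logs cover, so run this over rotated logs spanning at least a full billing or usage cycle before blocking anything.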