Is DNSONLY a gigantic gaping security risk?

Discussion in 'Bind / DNS / Nameserver Issues' started by wizzy420, Mar 18, 2009.

  1. wizzy420

    wizzy420, Well-Known Member. Joined: Nov 13, 2007. Messages: 125. Likes Received: 2. Trophy Points: 18.

    Okay so here's the question.

    DNSONLY requires one to set up access keys between the servers.

    So suppose someone hacks one of your servers. At this point, wouldn't they then, with the access key to one of the DNSONLY servers, be able to access it, grab the keys to all the other servers, and pretty much instantly have full root access to every server on your network?

    W
     
  2. LiNUxG0d

    LiNUxG0d, Well-Known Member. Joined: Jun 25, 2003. Messages: 206. Likes Received: 1. Trophy Points: 18. Location: Gatineau, Quebec, Canada.

    Technically... well... they would/could have access to the WHM API, yeah, I suppose. Since that Access Hash is used to authenticate. It's plausible.

    I guess you have to make the DNS boxes tight. ;) Technically, if you keep their kernels up to date you shouldn't have too many issues. They aren't - shouldn't - be running web sites. So that limits attackers' points of entry.

    You should be dropping all useless services. Locking down SSH to key access only and "PermitRootLogin no". Change the port to something ambiguous, port 2 or something.

    It won't give people ROOT if they get the Access Hash, but, getting root after they get the Access Hash could prove simple. ;)

    Warmest Regards,
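
The SSH settings suggested in the post above (key-only access, "PermitRootLogin no", a non-default port) can be checked with a small audit script. This is an added example, not part of the thread and not cPanel code; the function names and both sample configs are constructed here, and the defaults passed in assume a current OpenSSH.

```shell
#!/bin/sh
# Added example: audit the global section of an sshd_config for the three
# settings suggested in the post. Include files, ListenAddress ports,
# keyboard-interactive auth and Match-block overrides are not evaluated.

# Print every global value of <keyword>, lower-cased, or <default> if unset.
sshd_values() {  # usage: sshd_values <file> <keyword> <default>
    awk -v key="$2" -v def="$3" '
        NF == 0 || $1 ~ /^#/        { next }            # blank lines, comments
                                    { sub(/=/, " ") }   # "Keyword=value" form
        tolower($1) == "match"      { exit }            # global section ends here
        tolower($1) == tolower(key) { print tolower($2); n++ }
        END { if (!n) print def }
    ' "$1"
}

# Print one FAIL line per unmet check; return the number of failed checks.
audit_sshd() {  # usage: audit_sshd <file>
    fails=0
    # sshd keeps the first value it sees for these keywords, hence head -n 1.
    v=$(sshd_values "$1" PermitRootLogin prohibit-password | head -n 1)
    [ "$v" = "no" ] || { echo "FAIL PermitRootLogin=$v (want no)"; fails=$((fails + 1)); }
    v=$(sshd_values "$1" PasswordAuthentication yes | head -n 1)
    [ "$v" = "no" ] || { echo "FAIL PasswordAuthentication=$v (want no)"; fails=$((fails + 1)); }
    # Port may be given several times; sshd listens on all of them.
    if sshd_values "$1" Port 22 | grep -qx 22; then
        echo "FAIL sshd still listens on port 22"; fails=$((fails + 1))
    fi
    return "$fails"
}

# Constructed sample configs (not taken from any real host).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/weak" <<'EOF'
#PermitRootLogin no
PasswordAuthentication yes
EOF
cat > "$demo_dir/hardened" <<'EOF'
Port 2
permitrootlogin no
PasswordAuthentication=no
Match User backup
    AllowTcpForwarding no
EOF
audit_sshd "$demo_dir/weak" || echo "weak: $? check(s) failed"
audit_sshd "$demo_dir/hardened" && echo "hardened: all checks passed"
```

On a live host, `sshd -T` prints the effective configuration with defaults and included files resolved, which is the better input for a real audit.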
     
  3. wizzy420

    Well, basic security is one of those of course things. I do appreciate your response.

    But there are things like day zero holes, mistakes, etc.

    Wouldn't it make a lot more sense for DNS interactions to occur using a separate privilege level which isn't root?

    This just seems to me to be a horrible way to do things. Give every box root access to every other box.
     
  4. LiNUxG0d

    Yeah, I suppose cPanel could do that. I'm sure it's on a to-do list. ;) Something like privilege elevation over Access Hashes has probably been discussed by their dev team.

    I know how 0-day holes can be problems.

    cPanel has flaws, as does most software; however, I think they do a good job in minimizing them. The best example is Microsoft products... they have holes... they get exploited... it happens. :)

    Stay on top of security/software you run, install the proper software to monitor and keep a hold on things. It's really all you can do.

    The best thing to do is do the best you can do.

    Regards,
     
  5. wizzy420

    Your website brings up a blank white screen.

    Steve
     