The Community Forums


moving default cpanel / whm locations to avoid directory scanners

Discussion in 'Security' started by MikeLewin, Dec 15, 2011.

  1. MikeLewin

    MikeLewin Member

    I've seen this being posted before, but seems many years ago, so I'm bringing it up again now.

    I have a dedicated server with several clients. In one site's logs we noticed that someone had been trying to scan for folders, e.g. /phpmyadmin, /php-my-admin, /mysqladmin, etc.

    I don't know if they lucked into /cpanel or /whm or /webmail.

    Anyway, I want to move /cpanel and /whm to other aliases, like /c_panel or /w_h_m

    Anyone who immediately says "can't be done", I find that unacceptable, so save your fingers.

    I have located the first part of the puzzle and changed directive: scriptaliasmatch in cpanel/conf/apache.main

    But I can't find the related section that is resolved to the httpd.conf '# CPANEL/WHM/WEBMAIL/WEBDISK PROXY SUBDOMAINS' section.

    (the Rewriterule / rewritecond section at the bottom)

    Anyone found where these are generated from?

    TIA

    Mike
     
    #1 MikeLewin, Dec 15, 2011
    Last edited: Dec 15, 2011
  2. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    If a user has one setup it may be left unprotected.

    These on the other hand:
    Are protected.

     
  3. MikeLewin

    MikeLewin Member

    Moving default /cpanel / whm locations to avoid directory scanners

    We will be insisting on our own 'utility' configurations, e.g. we will provide phpMyAdmin, but not in a folder called that.

    Of course I understand that /cpanel, etc. are password protected, but just knowing they are there can then lead to brute force attacks or 'known exploit' attacks.

    The problem is that there's nothing to stop a client resetting their cpanel password to 'something they can remember' (e.g. "password1" which I have seen) which could then compromise the whole server.

    I'd sooner just remove the temptation; I think being security conscious is a good trait.

    As I said, I just need to know where that bottom RewriteRule/RewriteCond section is populated from, so that the changes will remain through an Apache recompile.

    Thanks

    Mike
     
    #3 MikeLewin, Dec 15, 2011
    Last edited: Dec 15, 2011
  4. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    There is also nothing to stop your client from installing his own version of phpMyAdmin.
     
  5. MikeLewin

    MikeLewin Member

    OK, I can't see if it's possible to change the thread to [SOLVED]...

    ANYWAY, here is how to do what I asked, just in case any future web-browsing people need to know:

    Everything is contained within httpd.conf, as we know, but this is regenerated at several points by WHM / cPanel, etc.

    You only need to edit two include files.

    /var/cpanel/conf/apache/main contains the top section of httpd.conf.
    Search for 'directive: scriptaliasmatch' (without quotes) and
    change the relevant entries, e.g. regex: "^/?cpanel/?$" to something like regex: "^/?cpanelpanel/?$"

    The next file is /var/cpanel/templates/apache2/main.default.

    This contains the bottom section of httpd.conf. Look for 'RewriteCond %{HTTP_HOST} ^cpanel\.' and change that (and any others you just changed) to match the previous values.

    Then whenever Apache is recompiled (adding new accounts/subdomains, etc.) these changes will be carried over.


    DISCLAIMER: I have tried this and it worked for me 12/16/11 on a HostGator dedicated server running centos 5, WHM 11.30.5 and cPanel 11.

    I cannot and will not be held responsible if you do this and screw something up.

    ALWAYS BACK UP YOUR FILES BEFORE CHANGING STUFF!!
     
    #5 MikeLewin, Dec 16, 2011
    Last edited: Dec 16, 2011
  6. brianoz

    brianoz Well-Known Member

    This isn't a matter of "can't be done" - it just doesn't add anything appreciable to your security. True, just my opinion, but I do have some experience. I think your time would be better put into installing a strong set of mod_security rules, installing CSF and ensuring it blocks on mod_security hits, phpsuexec or family, and locking down wget and cc, as well as changing the ssh port.

    You could add mod_security rules for the phpmyadmin scanners listing what they are trying and CSF would firewall them off in fairly short order.

    CSF also catches and firewall blocks brute force attacks.
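    The scanner pattern brianoz describes (a client walking through guessed phpMyAdmin paths) is easy to spot in an access log before it ever reaches a mod_security rule. The following is an added example, not code from brianoz, cPanel or CSF: a POSIX shell/awk check that reads a combined-format Apache access log and reports any client IP that has probed several distinct paths from a watch-list. The log lines are constructed for the example (documentation IP ranges, not real traffic), and the watch-list of admin paths is an assumption that you would extend from your own logs; the probes MikeLewin listed in the first post are included.

```shell
#!/bin/sh
# Added example (not from the thread): report client IPs that probe several
# well-known admin paths, the behaviour MikeLewin saw in his site's logs.
# Input is an Apache combined-format access log; output is "ip<TAB>count<TAB>paths".

# Constructed sample log for the example; documentation IP ranges, not real traffic.
SAMPLE_LOG=$(cat <<'EOF'
203.0.113.7 - - [15/Dec/2011:10:01:02 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 210 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Dec/2011:10:01:03 +0000] "GET /php-my-admin/ HTTP/1.1" 404 210 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Dec/2011:10:01:04 +0000] "GET /mysqladmin/ HTTP/1.1" 404 210 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Dec/2011:10:01:05 +0000] "GET /pma/?lang=en HTTP/1.1" 404 210 "-" "Mozilla/5.0"
198.51.100.4 - - [15/Dec/2011:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.4 - - [15/Dec/2011:10:02:01 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 210 "-" "Mozilla/5.0"
192.0.2.9 - - [15/Dec/2011:10:03:00 +0000] "GET /cpanel HTTP/1.1" 301 0 "-" "Mozilla/5.0"
EOF
)

# find_admin_scanners LOGFILE [THRESHOLD]
# Prints one line per IP that requested at least THRESHOLD (default 3) distinct
# watch-listed paths. A single hit is not reported: a legitimate user may
# mistype one URL, but walking through several guessed admin paths is a scan.
find_admin_scanners() {
    log="$1"; threshold="${2:-3}"
    awk -v threshold="$threshold" '
        BEGIN {
            # Assumed watch-list: paths that only automated scanners normally request.
            n = split("/phpmyadmin /php-my-admin /mysqladmin /pma /myadmin /admin/phpmyadmin", list, " ")
            for (i = 1; i <= n; i++) watch[list[i]] = 1
        }
        {
            ip = $1
            path = $7                       # request path from the quoted request line
            sub(/\?.*$/, "", path)          # drop any query string
            sub(/\/$/, "", path)            # normalise the trailing slash
            low = tolower(path)
            # Count each (ip, path) pair once so repeated hits on one path do not inflate the score.
            if (low in watch && !seen[ip, low]++) {
                count[ip]++
                paths[ip] = (paths[ip] == "" ? low : paths[ip] " " low)
            }
        }
        END {
            for (ip in count)
                if (count[ip] >= threshold) printf "%s\t%d\t%s\n", ip, count[ip], paths[ip]
        }' "$log" | sort
}

# Usage: write the constructed log to a temporary file and run the check.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" > "$tmp"
find_admin_scanners "$tmp"
rm -f "$tmp"
```

Run against a real log (for example the per-domain logs under the Apache domlogs directory) the output gives you the IPs and the exact paths they tried, which is the list brianoz suggests feeding into a mod_security rule so that CSF blocks them on the hit count.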
     
  7. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    There are a few issues with how this was done.

    First of all, you wouldn't want to edit /var/cpanel/conf/apache/main directly. Instead, you can modify or change the ScriptAliasMatch lines in /usr/local/apache/conf/httpd.conf file, distill those changes, rebuild Apache and restart it. That will actually modify /var/cpanel/conf/apache/main file by distilling the changes. The top portion of httpd.conf is the only one you can modify and distill without needing to use an include or template file to do so. The steps to distill, rebuild and restart are the following:

    Code:
    cp /usr/local/apache/conf/httpd.conf /usr/local/apache/conf/httpd.conf.bak111218
    /usr/local/cpanel/bin/apache_conf_distiller --update
    /scripts/rebuildhttpdconf
    /etc/init.d/httpd restart
    Next, if you modify /var/cpanel/templates/apache2/main.default file, that file will be overwritten on forced cPanel updates. The file instead needs to be copied to /var/cpanel/templates/apache2/main.local and revised in the .local copy instead. This is discussed in our documentation:

    http://docs.cpanel.net/twiki/bin/vief/EasyApache3/InsideVHost#Custom templates that will apply

    You may wish to review this other thread where I discussed changing the ScriptAliasMatch locations:

    http://forums.cpanel.net/f5/ask-rename-cpanel-whm-become-newname-226501.html#post933932
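    The backup, edit, distill, rebuild and restart sequence from this post, as an added shell script; it is not cPanel's tooling and not cPanelTristan's own script. It follows this post's advice to change the ScriptAliasMatch lines in httpd.conf and let the distiller update /var/cpanel/conf/apache/main, rather than editing that file directly as post #5 did. The script refuses to rewrite an alias it cannot find (so a typo does not silently leave the old name in place), keeps a timestamped backup like the .bak111218 copy above, and only runs the cPanel commands when they exist, so it can be tried safely on a copy of the file. The sample httpd.conf lines are the ones cPanelTristan quotes later in the thread, and the replacement names bart/mymail/lisa are the ones he used; treating alias names as plain alphanumeric strings is an assumption of the example.

```shell
#!/bin/sh
# Added example (not cPanel's own tooling): rename the public /cpanel, /webmail
# and /whm ScriptAliasMatch aliases in httpd.conf the way cPanelTristan describes,
# then distill so the change survives rebuildhttpdconf and EasyApache.

# Constructed sample: the stock ScriptAliasMatch lines quoted in the thread.
SAMPLE_CONF=$(cat <<'EOF'
ScriptAliasMatch ^/?controlpanel/?$ /usr/local/cpanel/cgi-sys/redirect.cgi
ScriptAliasMatch ^/?cpanel/?$ /usr/local/cpanel/cgi-sys/redirect.cgi
ScriptAliasMatch ^/?kpanel/?$ /usr/local/cpanel/cgi-sys/redirect.cgi
ScriptAliasMatch ^/?securecontrolpanel/?$ /usr/local/cpanel/cgi-sys/sredirect.cgi
ScriptAliasMatch ^/?securecpanel/?$ /usr/local/cpanel/cgi-sys/sredirect.cgi
ScriptAliasMatch ^/?securewhm/?$ /usr/local/cpanel/cgi-sys/swhmredirect.cgi
ScriptAliasMatch ^/?webmail/?$ /usr/local/cpanel/cgi-sys/wredirect.cgi
ScriptAliasMatch ^/?whm/?$ /usr/local/cpanel/cgi-sys/whmredirect.cgi
EOF
)

# rename_alias CONF OLD NEW
# Rewrites "ScriptAliasMatch ^/?OLD/?$ <target>" to use NEW and leaves every other
# line alone. The pattern is anchored at line start, so renaming "cpanel" does not
# touch "securecpanel". Returns 1 when OLD is not present. Assumes OLD and NEW are
# plain alphanumeric names (no regex metacharacters).
rename_alias() {
    conf="$1"; old="$2"; new="$3"
    grep -q "^ScriptAliasMatch \^/?${old}/?\\$ " "$conf" || return 1
    tmp="${conf}.tmp.$$"
    sed "s|^ScriptAliasMatch \^/?${old}/?\\$ |ScriptAliasMatch ^/?${new}/?\$ |" "$conf" > "$tmp" \
        && mv "$tmp" "$conf"
}

# rename_cpanel_aliases CONF CPANEL_NAME WEBMAIL_NAME WHM_NAME
# Takes a timestamped backup first, then renames the three public aliases.
rename_cpanel_aliases() {
    conf="$1"
    cp "$conf" "$conf.bak.$(date +%Y%m%d%H%M%S)" || return 1
    rename_alias "$conf" cpanel  "$2" || return 1
    rename_alias "$conf" webmail "$3" || return 1
    rename_alias "$conf" whm     "$4" || return 1
}

# apply_cpanel_changes
# The distill/rebuild/restart sequence from the post. Only runs on a box that
# actually has the cPanel distiller; elsewhere it just reports and does nothing.
apply_cpanel_changes() {
    if [ -x /usr/local/cpanel/bin/apache_conf_distiller ]; then
        /usr/local/cpanel/bin/apache_conf_distiller --update &&
        /scripts/rebuildhttpdconf &&
        /etc/init.d/httpd restart
    else
        echo "cPanel tools not found; skipping distill/rebuild/restart" >&2
    fi
}

# Usage: exercise the rename on a throwaway copy of the sample, never on the live file.
# On a real server you would run:
#   rename_cpanel_aliases /usr/local/apache/conf/httpd.conf bart mymail lisa && apply_cpanel_changes
d=$(mktemp -d)
printf '%s\n' "$SAMPLE_CONF" > "$d/httpd.conf"
rename_cpanel_aliases "$d/httpd.conf" bart mymail lisa
grep ScriptAliasMatch "$d/httpd.conf"
ls "$d"
rm -rf "$d"
```

Note that only the three public aliases are renamed; the controlpanel, kpanel and secure* aliases stay at their defaults, so a complete rename has to cover those lines too (cPanelTristan's later post shows he replaced the whole set with just three lines).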
     
  8. SoftDux

    SoftDux Well-Known Member

    Re: Moving default /cpanel / whm locations to avoid directory scanners

    Mike, I think you're approaching this the wrong way.

    Using something like cPanel, Webmail, phpMyAdmin, in fact anything web-related, is open to attacks some way or another. If you move phpMyAdmin, cPanel, etc. to another alias then sooner or later one of your clients will accidentally and unintentionally leak your secrets. Chances are you'll get hacked through an insecure website script running on Joomla, WordPress, vBulletin, osCommerce, etc. long before actually being hacked through the cPanel interface.

    Install something like CSF which can automatically block any IP address which brute force attempts any services on your server.

    Which, if any at all, "known exploits" are you actually referring to?


    Change your password strength in WHM to something like 65 or 70, or, if you really want to be paranoid, 100. Your clients might then simply write the passwords on stickers stuck to their monitors, since such passwords are humanly impossible to remember, but at least you won't be brute-forced.

    Tight security is a good thing, but it will lead to higher end-user frustration and more support tickets / calls as well; just keep that in mind.



    AFAIK, even if you do change the aliases in httpd.conf and other files, they would be overwritten on the next cPanel update. So chattr +i the files after you've made the changes :)
     
  9. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    If you distill the changes as I mentioned for the ScriptAliasMatch portion in httpd.conf file, it will not be overwritten on the next cPanel or EasyApache update. What happens when you run the distiller would be that the /var/cpanel/conf/apache/main file is updated, which is used to build future httpd.conf files for the sections outside the VirtualHost area.

    The distiller command is the following:

    Code:
    /usr/local/cpanel/bin/apache_conf_distiller --update
    Please note that you can always see what happens by performing the change after backing up httpd.conf before posting onto the forum. It does not overwrite the changes if they are distilled, which is why I posted doing it the way I did on the prior thread. Again, you can edit these lines in httpd.conf:

    Code:
    ScriptAliasMatch ^/?controlpanel/?$ /usr/local/cpanel/cgi-sys/redirect.cgi
    ScriptAliasMatch ^/?cpanel/?$ /usr/local/cpanel/cgi-sys/redirect.cgi
    ScriptAliasMatch ^/?kpanel/?$ /usr/local/cpanel/cgi-sys/redirect.cgi
    ScriptAliasMatch ^/?securecontrolpanel/?$ /usr/local/cpanel/cgi-sys/sredirect.cgi
    ScriptAliasMatch ^/?securecpanel/?$ /usr/local/cpanel/cgi-sys/sredirect.cgi
    ScriptAliasMatch ^/?securewhm/?$ /usr/local/cpanel/cgi-sys/swhmredirect.cgi
    ScriptAliasMatch ^/?webmail/?$ /usr/local/cpanel/cgi-sys/wredirect.cgi
    ScriptAliasMatch ^/?whm/?$ /usr/local/cpanel/cgi-sys/whmredirect.cgi
    I changed to these lines:

    Code:
    ScriptAliasMatch ^/?bart/?$ /usr/local/cpanel/cgi-sys/redirect.cgi
    ScriptAliasMatch ^/?mymail/?$ /usr/local/cpanel/cgi-sys/wredirect.cgi
    ScriptAliasMatch ^/?lisa/?$ /usr/local/cpanel/cgi-sys/whmredirect.cgi
    I distilled, rebuilt Apache (/scripts/rebuildhttpdconf) and restarted it (/etc/init.d/httpd restart). I then ran a cPanel update (/scripts/upcp --force) along with an EasyApache update (/scripts/easyapache --force). The lines remained. The only way those changes will not be used would be if you change /var/cpanel/templates/apache2/main.default to use main.local, which then loads the main.local file instead and will override the distiller changes that are written to /var/cpanel/conf/apache/main file.

    Finally, please do not recommend using chattr +i for any file that cPanel uses, especially such an important file as httpd.conf as this will prevent any new domains from being added and will prevent EasyApache from updating.
     
  10. MikeLewin

    MikeLewin Member

    Hi all, sorry, it's been a busy turn of the year.

    Lots of comments; thanks for the suggestions, all, especially about the distiller, which I could not find any mention of until I posted my workaround. Q: Does that re-distill ANY changes made to httpd.conf, or only the ScriptAliasMatch part?

    The ScriptAliasMatch changes were not a problem (they were easy to find); what I was having issues with was the RewriteCond section at the bottom of httpd.conf.

    @all - Just for the record, our server is not a 'worldly accessible' server where any Joe can just go and create an account and upload any crap. This is a dedicated server on which people we approve will be placed. However, they will still need to be monitored in case one of them tries to do silly stuff like installing phpMyAdmin or something else in its default config, not knowing enough about security to 'lock it down'.

    @Brianoz, CSF and cPHulk, etc. are already running (in fact I've already blocked whole countries after seeing the brute force logs). My only (probably paranoid) concerns have been with people who know enough about particular software/configs to cause issues.

    @softdux - I mean exploits, especially for open source stuff, like if someone installs Joomla v.7.3.2.554362 and a hacker knows there's an exploit/security hole somewhere they can use to inject, gain access or upload malicious files.

    Hope everyone had a great holiday and new year!
     
  11. Brian

    Brian Well-Known Member

    Keep in mind this is all for naught when the malicious user can simply ignore your redirects and access cPanel/WHM/Webmail directly via the port:

    Example:
    Code:
    https://123.123.123.123:2083
    https://123.123.123.123:2083/3rdparty/phpMyAdmin/
    https://domain.tld:2083
    https://domain.tld:2083/3rdparty/phpMyAdmin/
    etc.
    I guess I fall in with the rest of the crowd in misunderstanding how this provides any sort of beneficial result. At best it seems like security through obscurity, which I'm never a fan of relying upon. But the redirect in reality has no effect, given that direct access to those ports is always available (they are hard-coded into cpsrvd's binary and cannot be modified).

    I mean, I guess you could block those ports and *force* people to proxy in through obscured and customized proxy domains, but I do not see the benefit. Blocking those ports would also break a lot of other things like...
    • WHM's Copy Account
    • DNS Clustering
    and other features that require the ability to speak to other servers on those ports. You'd have to custom-open those ports to specific IPs and go through a whole lot of effort for what is effectively zero gained security.

    This all circles back to Infopro's original statements, though, that everything of importance is tucked away beyond authentication mechanisms. I would not advise taking any of these actions with a cPanel/WHM server as this sets it up for more potential harm and problems in my opinion.

    In regards to your inquiry:

    No, the distiller will not distill every possible change to httpd.conf. It only distills very particular sections of the conf file. These are essentially noted in the distill configuration you were directly editing (/var/cpanel/conf/apache/main). If the setting or a similar setting is in there, it's likely our distiller will pick it up and understand your change. If you're looking to edit other aspects of httpd.conf, please refer to:

    Changes Contained within a VirtualHost Directive
    Custom Directives outside of a VirtualHost Tag

    for respective information regarding those changes.
     
  12. MikeLewin

    MikeLewin Member

    LOL, yes they can, but those were also moved :) All this was, was an exercise in caution.

    I know there's always another way a bad person can do something, but that doesn't mean leave your front door open because if you lock it a burglar will probably just get in through the kitchen window... I'd sooner lock all doors and windows, padlock the roof and put a grate on the drains... and get a big dog... no, two big dogs... lol

    Over the years we've seen a few clients and prospective clients fall victim to exploits, resulting in viruses, phishing pages and SQL injections. We're just putting what we learned through those experiences to use.
     
  13. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    I have to disagree about the port portion as you can change the port for cPanel (not for WHM) by using the directions I noted in this thread that I previously linked:

    http://forums.cpanel.net/f5/ask-rename-cpanel-whm-become-newname-226501.html#post933932

    Here is my quote from that thread:

    Now, anyone with a port scanner can determine the port, but a lot of automated attack scripts will go for the known ports, so you do offset some of the attacks you might get.
     