DanH42

Active Member
cPanel Access Level
Root Administrator
We keep all our cPanel services on a dedicated IP, and don't allow connections on non-HTTP ports on any of our other IPs. With this redirection in place, bots will hit example.com/cpanel, get redirected to our management IP, and then start brute-forcing. We obviously have brute force protections in place, but the number of brute force attempts we see always dramatically increases whenever these redirects exist.

This is the section of httpd.conf I'm talking about:

Code:
<IfModule alias_module>
    ScriptAliasMatch ^/?controlpanel/?$ /usr/local/cpanel/cgi-sys/redirect.cgi
    ScriptAliasMatch ^/?cpanel/?$ /usr/local/cpanel/cgi-sys/redirect.cgi
    ScriptAliasMatch ^/?kpanel/?$ /usr/local/cpanel/cgi-sys/redirect.cgi
    ScriptAliasMatch ^/?securecontrolpanel/?$ /usr/local/cpanel/cgi-sys/sredirect.cgi
    ScriptAliasMatch ^/?securecpanel/?$ /usr/local/cpanel/cgi-sys/sredirect.cgi
    ScriptAliasMatch ^/?securewhm/?$ /usr/local/cpanel/cgi-sys/swhmredirect.cgi
    ScriptAliasMatch ^/?webmail$ /usr/local/cpanel/cgi-sys/wredirect.cgi
    ScriptAliasMatch ^/?webmail/ /usr/local/cpanel/cgi-sys/wredirect.cgi
    ScriptAliasMatch ^/?whm/?$ /usr/local/cpanel/cgi-sys/whmredirect.cgi

    Alias /bandwidth /usr/local/bandmin/htdocs/
    Alias /img-sys /usr/local/cpanel/img-sys/
    Alias /java-sys /usr/local/cpanel/java-sys/
    Alias /mailman/archives /usr/local/cpanel/3rdparty/mailman/archives/public/
    Alias /pipermail /usr/local/cpanel/3rdparty/mailman/archives/public/
    Alias /sys_cpanel /usr/local/cpanel/sys_cpanel/

    ScriptAlias /cgi-sys /usr/local/cpanel/cgi-sys/
    ScriptAlias /mailman /usr/local/cpanel/3rdparty/mailman/cgi-bin/
    ScriptAlias /scgi-bin /usr/local/cpanel/cgi-sys/scgiwrap
</IfModule>
This doesn't seem to be something that could be overridden from one of the pre/post_virtualhost_global.conf includes. In the past, I've been able to run apache_conf_distiller --update and see my changes stick after running /scripts/rebuildhttpdconf. However, time passes, and at some point it ends up back in there again anyway. As of today, the rebuildhttpdconf script puts the redirects back in no matter what I do first.

Where are these original redirects located, and how can I kill them once and for all?
 

cPanelMichael

Administrator
Staff member
Hello,

You can complete the following steps to remove or modify these entries:

1. Copy the Apache 2.4 template for EasyApache 4 to allow for customization:

Code:
cp -a /var/cpanel/templates/apache2_4/ea4_main.default /var/cpanel/templates/apache2_4/ea4_main.local
2. Edit /var/cpanel/templates/apache2_4/ea4_main.local to remove the alias entries:

Code:
vi /var/cpanel/templates/apache2_4/ea4_main.local
3. Save the changes, and then run:

Code:
/scripts/rebuildhttpdconf
Thank you.
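
The three steps above as one script, with the edit in step 2 done by a filter instead of by hand. This is an added example, not part of the original posts and not cPanel's own tooling; the function names and the TEMPLATE_DIR and REBUILD variables are made up here, and it assumes the template holds the redirect lines in the same form as the httpd.conf excerpt in the question.

```shell
#!/bin/sh
# Added example, not cPanel tooling. Defaults are the paths quoted in the thread;
# both are overridable so the functions can be tried on a scratch copy first.
TEMPLATE_DIR=${TEMPLATE_DIR:-/var/cpanel/templates/apache2_4}
REBUILD=${REBUILD:-/scripts/rebuildhttpdconf}

# Matches only the ScriptAliasMatch lines that hand a request to one of the
# redirect CGIs (redirect, sredirect, wredirect, whmredirect, swhmredirect).
# Plain Alias and ScriptAlias lines do not match.
PANEL_REDIRECT_RE='^[[:space:]]*ScriptAliasMatch[[:space:]].*/cgi-sys/(s|w|whm|swhm)?redirect\.cgi[[:space:]]*$'

# stdin -> stdout, with the redirect lines dropped.
strip_panel_redirects() {
    sed -E "\\#${PANEL_REDIRECT_RE}#d"
}

# stdin -> number of redirect lines still present (grep -c exits 1 on zero).
count_panel_redirects() {
    grep -Ec "$PANEL_REDIRECT_RE" || true
}

apply_local_template() {
    tpl_default="$TEMPLATE_DIR/ea4_main.default"
    tpl_local="$TEMPLATE_DIR/ea4_main.local"

    # Step 1: create the .local copy only if none exists, so earlier
    # customizations in an existing .local are not overwritten.
    [ -f "$tpl_local" ] || cp -a "$tpl_default" "$tpl_local" || return 1

    # Step 2: filter through a temp file, then write back in place so the
    # owner and mode preserved by cp -a are kept.
    tpl_tmp=$(mktemp) || return 1
    strip_panel_redirects < "$tpl_local" > "$tpl_tmp" && cat "$tpl_tmp" > "$tpl_local"
    rm -f "$tpl_tmp"

    # Refuse to rebuild if any redirect line survived the edit.
    [ "$(count_panel_redirects < "$tpl_local")" -eq 0 ] || return 1

    # Step 3: regenerate httpd.conf from the customized template.
    "$REBUILD"
}

# On the server, as root:  apply_local_template
```

Running `count_panel_redirects` against the rebuilt httpd.conf afterwards confirms the redirects stayed out. Because the .local copy is a snapshot of the default template at the time it was made, compare the two with diff after cPanel updates.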