The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Preventing Unauthorized Account Transfers

Discussion in 'General Discussion' started by Argious, Jan 8, 2005.

  1. Argious

    Argious Member

    Joined:
    Nov 24, 2003
    Messages:
    13
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    California, USA
    Hello,
    I was wondering if there is a way to prevent unauthorized account transfers off of your server. That is, is there a way to stop other servers from using cpanel's single-account transfer to transfer accounts from your server without your express permission?

    Do the account transfer feature run on a specific/single port or can they be blocked/turned off somehow?

    Thanks in advance!
     
  2. HP-Kevin

    HP-Kevin Registered

    Joined:
    Dec 19, 2003
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    1
    planning on holding customers ransom?
     
  3. Argious

    Argious Member

    Joined:
    Nov 24, 2003
    Messages:
    13
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    California, USA
    *grins* If that were the case, then I would have just altered their passwords or locked them.

    Really though, I would just like to know if it's possible so that I can just disable it for one of the fully-dedicated servers I have since I will have no use for the feature (there is only one account on that server). It's just an extra security layer request--not necessary I suppose, but I am none-the-less asking whether or not there is a way to do it without having to tear at the coding.
     
  4. ispro

    ispro Well-Known Member

    Joined:
    Apr 8, 2004
    Messages:
    628
    Likes Received:
    1
    Trophy Points:
    18
    I have an idea...

    May I suggest you something?..

    For a first - till client has an access to its account via FTP - he may move its web files - no matter how you will try - hope you understand :)

    However if do like to prevent unautorized cPanel -> cPanel transfers I have an idea.

    cPanel uses /scripts/pkgacct to package account before move. You may do move it outside and creat dummy file with chattr +i on it.

    Make sure you create /scripts/postupcp in which you create something like this:

    Code:
    #!/bin/sh
    mv /scripts/pkgacct /scripts/pkgacct.bak;
    touch /scripts/pkgacct;
    chattr +i /scripts/pkgacct;
    
    This way cPanel updates (/scripts/upcp) will not recreate the file.

    WARNING: there are some scripts that do use /scripts/pkgacct (like /scripts/cpbackup & /scripts/cpaneldownload.cgi and etc.) - you will broke their functionality till you change them to point to /scripts/pkgacct.bak

    Pay attention to some scripts that needn't to get modified :)
    (I mean cpaneldownload.cgi, cpaneldownacct.cgi and probably other - as they do allow client to create full backup...)
     
  5. DigitalN

    DigitalN Well-Known Member

    Joined:
    Sep 23, 2004
    Messages:
    420
    Likes Received:
    1
    Trophy Points:
    18
    I don't think moving/disabling your /scripts/pkgacct script (on your server) will stop the transfers (cpanel > cpanel)

    The server that is copying from your server, uploads its own /scripts/pkgacct script to the users /home/$user directory, then the cpaneldownload.cgi is uploaded and called via http - this executes the uploaded pkgacct script. Your servers script doesn't appear to be used.

    I guess you could just disable calls to cpaneldownload.cgi ect using mod_security or rewrite rules, that should work.
     
    #5 DigitalN, Jan 15, 2005
    Last edited: Jan 15, 2005
  6. ispro

    ispro Well-Known Member

    Joined:
    Apr 8, 2004
    Messages:
    628
    Likes Received:
    1
    Trophy Points:
    18
    > I guess you could just disable calls to cpaneldownload.cgi ect using mod_security or rewrite rules, that should work.

    It is not enough. Because user may generate its own backup (if his quota < 50% ).

    But if combine both methods it should helps, with one no-no (below)... :)

    (Btw, if mod_security affect cPanel/WHM in any way?! With Apache stopped WHM is still responding and works as usual... However placing root owned, chmoded to 000 /home/$user/cpaneldownload.cgi may helps much better... put it into skel directory and all new users will have this file...)
     
  7. DigitalN

    DigitalN Well-Known Member

    Joined:
    Sep 23, 2004
    Messages:
    420
    Likes Received:
    1
    Trophy Points:
    18
    The cpanel download.cgi (and other scripts) are uploaded to a directory that is created by the other server doing the copies - /home/$user/public_html/cgi-bin/cpdownload/cpaneldownload.cgi

    Its then called via http

    GET $host/cgi-bin/cpdownload/cpaneldownload.cgi?$user&$password

    This executes /home/$user/pkgacct which creates the archives etc.

    You could I suppose create a directory /home/$user/public_html/cgi-bin/cpdownload and chown it root:root chmod 000 so the user can't delete it and can't write to it.
    I'd just prevent access to the directory using mod_security or mod_rewrite rules.. but that's me. I wouldn't want to disable backups completely for the users.

    The question in hand was how to disable the remote cpanel transfers, probably done by other hosting companies or server owners for users with little skill or knowledge.

    Really you can't prevent the users downloading their files as has been mentioned, so it may just be better to let them have access to backups but prevent the automated cpanel transfers. :)
     
  8. ispro

    ispro Well-Known Member

    Joined:
    Apr 8, 2004
    Messages:
    628
    Likes Received:
    1
    Trophy Points:
    18
    > Really you can't prevent the users downloading their files as has been mentioned, so it may just be better to let them have access to backups but prevent the automated cpanel transfers.

    Agree! :)
    I guess Argious got enough information to consider how to proceed.

    P.S. I never though of disabling cpanel -> cpanel transfers, so I was not aware of the fact Apache is used to execute script...
     
  9. Argious

    Argious Member

    Joined:
    Nov 24, 2003
    Messages:
    13
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    California, USA
    Thanks for the input everyone, much appreciated. :)
     
Loading...
Similar Threads - Preventing Unauthorized Account
  1. dynaweb
    Replies:
    2
    Views:
    392

Share This Page