The Community Forums


Protections in addition to CP Hulk

Discussion in 'Security' started by lossless, Apr 15, 2015.

  1. lossless

    lossless Member

    Joined:
    Apr 14, 2015
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    usa
    cPanel Access Level:
    Root Administrator
    Hello! I've searched on the forum and not found much about this - apologies if it has been discussed elsewhere. I hope to someday soon be a contributor rather than just a "requester," but as someone just starting out, that might take a little while.

    Two questions...

    We are getting a fair amount of attempted hacks and I'd like to make sure we're protected as well as we can be. There are only 3 people who need access to our server with the exception of occasional freelancers. We've enabled CP Hulk and are manually blacklisting every IP with more than 10 denied attempts per day.

    We have whitelisted the 6-10 IPs that need access to the innards of our server.

    1) Is there a firewall we should be using besides CP Hulk? I was hoping to have CP Hulk permanently ban the IP of all attempted hackers via the option to automagically blacklist them, but can't, because of this message: "The system disabled firewall options. These options require IPTables v1.4 or higher and a non-Virtuozzo environment."
    2) What exactly does blacklisting prevent? I.e. If I blacklist entire regions of the world, will people in those regions that aren't hackers still be able to email us and visit our website - or are they blocked from every sort of communication?

    Thank you for your advice and help!
     
  2. acenetgeorge

    acenetgeorge Well-Known Member
    PartnerNOC

    Joined:
    Mar 6, 2008
    Messages:
    64
    Likes Received:
    2
    Trophy Points:
    8
    Location:
    Southfield, MI
    cPanel Access Level:
    DataCenter Provider
    1) A firewall such as csf would be helpful, but it looks like you are not set up to run iptables.

    2) Blacklisted IP addresses are completely blocked.

    That they are 'attempted' hacks means you are catching some of them. I would start by disabling WHM for users, unless you have resellers. You can do this by only allowing your IPs to access whostmgrd under Host Access Control.

    https://documentation.cpanel.net/display/ALD/Host+Access+Control

    We also lock down root access using PAM's /etc/security/access.conf file. We only allow root login from our IP address.

    Hope that helps.
     
  3. lossless

    lossless Member

    Joined:
    Apr 14, 2015
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    usa
    cPanel Access Level:
    Root Administrator
    Thank you George!
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,854
    Likes Received:
    676
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello,

    Yes, as mentioned, the "Host Access Control" option is a good idea if you have a specific set of IP addresses that you want to allow access to. The option allows you to allow those IP addresses and block all others for specific services.

    Thank you.
     
  5. lossless

    lossless Member

    Joined:
    Apr 14, 2015
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    usa
    cPanel Access Level:
    Root Administrator
    OK, set Host Access Control to just allow 4 IP addresses. So now at least we're not seeing anyone trying to get in with root access. Small success - thanks!

    Please bear with me on two+ follow-up questions... we're still seeing about 25+ attempts per day, but now they are all on pure-ftpd, exim, cpaneld and pop3. Any suggestions besides CP Hulk? Would it make sense to whitelist our 4 IP addresses and then deny access to cpanel, ftp etc. for all other IPs in the host manager? Is there anything in there that would cause problems if I "deny" access to everything but these IPs? I assume if we denied all IPs, I'd have to whitelist our emailer provider's (Gmail) IP?

    Last, it seems we have courier, so CPHulk may not work vs. on Dovecot? Short of switching servers (which I'm becoming inclined to do), do you have any other suggestions?

    Thanks again for all your advice.
     
  6. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,854
    Likes Received:
    676
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello,

    1. I suggest enabling it for FTP, cPanel, POP3, IMAP, but not for Exim (it's not even an option). Note that to control access to the ftpd daemon, you must use the ProFTPD FTP server. Pure-FTP does not support TCP wrappers.

    2. To control access to the POP3 or IMAP services, you may use either the Courier or Dovecot mail servers. However, I suggest using Dovecot, as it's what's installed by default and it's recommended for use with cPanel over Courier.

    Thank you.
     
  7. lossless

    lossless Member

    Joined:
    Apr 14, 2015
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    usa
    cPanel Access Level:
    Root Administrator
    Done! Last question (at least for now)... do I need to whitelist gmail and hotmail servers to have POP access via gmail and hotmail? I am wondering if I set POP3 to "deny all" whether it will deny access from those IPs.
    Thanks again!!!
     
  8. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,854
    Likes Received:
    676
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Yes, you should whitelist any IP address that you want to access POP3 or IMAP. Note that if you plan to use Google or Hotmail to access your server with POP3 or IMAP, then you will need to whitelist a broad range of IP addresses that they use to connect with.

    Thank you.
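To reason through the "deny all" question from this thread before applying it, here is an added example (not from the thread or from cPanel) that models how Host Access Control rules are evaluated: TCP-wrappers style, per daemon, first match wins, unmatched clients allowed. The admin IPs and the mail provider's range are constructed placeholders; a real deployment would use the provider's published address ranges.

```python
# Added example: a small model of Host Access Control (TCP wrappers) rule evaluation.
# It shows why a blanket "pop3 deny ALL" also blocks a remote mail fetcher such as
# Gmail or Hotmail unless that provider's range is whitelisted ahead of the deny rule.
import ipaddress

# Constructed sample data (not real infrastructure).
ADMIN_IPS = ["198.51.100.10", "198.51.100.11", "198.51.100.12", "198.51.100.13"]
MAIL_FETCHER_RANGE = "203.0.113.0/24"   # placeholder for the provider's real ranges
DAEMONS = ("whostmgrd", "cpaneld", "pop3", "imap", "ftpd")
# Note: as the thread says, ftpd rules only take effect with ProFTPD, not Pure-FTPd.

def build_rules(whitelist_mail_provider):
    """Return rules in evaluation order: (daemon, client pattern, action)."""
    rules = []
    for daemon in DAEMONS:                      # allow the admin IPs everywhere
        for ip in ADMIN_IPS:
            rules.append((daemon, ip, "allow"))
    if whitelist_mail_provider:                 # mail fetcher only needs POP3/IMAP
        rules.append(("pop3", MAIL_FETCHER_RANGE, "allow"))
        rules.append(("imap", MAIL_FETCHER_RANGE, "allow"))
    for daemon in DAEMONS:                      # everything else: deny
        rules.append((daemon, "ALL", "deny"))
    return rules

def matches(pattern, client):
    """Match a client IP against ALL, a single address, or a CIDR range."""
    if pattern == "ALL":
        return True
    addr = ipaddress.ip_address(client)
    if "/" in pattern:
        return addr in ipaddress.ip_network(pattern, strict=False)
    return addr == ipaddress.ip_address(pattern)

def decide(rules, daemon, client):
    """First matching rule for this daemon wins; no match means allowed."""
    for rule_daemon, pattern, action in rules:
        if rule_daemon == daemon and matches(pattern, client):
            return action
    return "allow"

if __name__ == "__main__":
    strict = build_rules(whitelist_mail_provider=False)
    fixed = build_rules(whitelist_mail_provider=True)
    print("WHM from unknown IP:", decide(strict, "whostmgrd", "192.0.2.5"))   # deny
    print("POP3 fetcher, deny-all:", decide(strict, "pop3", "203.0.113.7"))   # deny
    print("POP3 fetcher, whitelisted:", decide(fixed, "pop3", "203.0.113.7")) # allow
```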
     