Restrict Root Login

Discussion in 'Security' started by ruyrocha, Aug 30, 2011.

  1. ruyrocha

    ruyrocha Member

    Hello,

    I'd like to share a module which restricts root login to valid and allowed remote addresses. It's not the same as Host Access Control; it was written using the Security Policy framework and is valid only for the root account and WHM.

    Let me show you TNT. Root password for this server is 3Y6Nn5CW44bY0F?5F}gHoWDy:KFzAGtp Try to access it: /https://tnt.ruyrocha.com:2087/login/?user=root&pass=3Y6Nn5CW44bY0F?5F}gHoWDy:KFzAGtp"

    You'll fail due to the module's restriction. If you want to try the module, please access /http://ruyrocha.com/cpanel-restrict-root-login/

    Regards,
    Ruy Rocha
     
  2. Gili-H

    Gili-H Member

    How do you log in, IP restriction?
     
  3. zombo

    zombo Active Member

    I love that you wrote this in good old Perl ...

    - What is the advantage over using WHM/Main >> Security Center >> Host Access Control?

    - Apart from that, what's the priority value intended for?
     
  4. ruyrocha

    ruyrocha Member

    Sure! IP restriction only for root and WHM app.
     
  5. ruyrocha

    ruyrocha Member

    The priority is internal for Security Policies (need to re-check).

    If you have a dedicated server you can use Host Access Control and allow your address to log in. But when you have a shared server? You'll need to whitelist every reseller's IP address and it's not useful. Even if your root password is "compromised" you are safe by restricting root logins only to allowed IP addresses.
     
  6. jacksony

    jacksony Well-Known Member
    PartnerNOC

    Hey,

    This is exactly what we are looking for! We are surprised this essential security feature is not included in cPanel even as of now. FYI, Plesk already has this feature to restrict IP based on root/whm access.

    Can you advise how we can implement this module which you created?
     
  7. storminternet

    storminternet Well-Known Member

    It is a really great tool. I hope the cPanel team is viewing this post :)
     
  8. Jay M

    Jay M Active Member
    PartnerNOC

    .... deleted post
     
  9. jacksony

    jacksony Well-Known Member
    PartnerNOC

    Can you advise how we can implement this module which you created?
     
  10. NixTree

    NixTree Well-Known Member

    Hello,

    I have written an ugly patch for command line root access. Read further here..

    /http://techsware.in/index.php/2012/01/limit-root-access-per-ip-limited-ssh-root-access-limited-root-access/

    Thank you,
    Nibin.
     
  11. ruyrocha

    ruyrocha Member

    Save the code as a module - i.e. /usr/local/cpanel/Cpanel/SecurityPolicy/RestrictRoot.pm - and enable it in WHM. Let me know if you have further questions.
     
  12. jacksony

    jacksony Well-Known Member
    PartnerNOC

    Where is the code to share?

    Btw this won't be a feature on cPanel list right?
     
  13. SeanP

    SeanP Registered
    PartnerNOC

    This module no longer functions under WHM 11.32. Does not show up in the list in Security Center, so can't be enabled.
     
  14. ruyrocha

    ruyrocha Member

    Hi, I'll check into this, so please hold on a few.
     
  15. ruyrocha

    ruyrocha Member

    Hello,

    Here is the updated version:

    Code:
    package Cpanel::Security::Policy::RootRestrict;
    
    # cpanel - Cpanel/Security/Policy/RootRestrict.pm
    #
    # Copyright (c) 2011-2012 Ruy Rocha <admin@ruyrocha.com>
    #
    # Permission is hereby granted, free of charge, to any person obtaining a copy of
    # this software and associated documentation files (the "Software"), to deal in the
    # Software without restriction, including without limitation the rights to use, copy,
    # modify, merge, publish, distribute, sublicense, and/or sell copies of the Software,
    # and to permit persons to whom the Software is furnished to do so, subject to the
    # following conditions:
    #
    # The above copyright notice and this permission notice shall be included in all copies
    # or substantial portions of the Software.
    #
    # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
    # INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
    # PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
    # LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
    # TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE
    # USE OR OTHER DEALINGS IN THE SOFTWARE.
    #
    
    use strict;
    use Carp ();    # Carp::confess is called in _ip_passes
    use base 'Cpanel::SecurityPolicy::Base';
    
    sub new {
      my ($class) = @_;
    
      # Compiler does not necessarily properly load the base class.
      unless ( exists $INC{'Cpanel/SecurityPolicy/Base.pm'} ) {
        eval 'require Cpanel::SecurityPolicy::Base;';
      }
      return Cpanel::SecurityPolicy::Base->init( __PACKAGE__, 20 );
    }
    
    sub fails {
      my ( $self , $sec_ctxt, $cpconf ) = @_;
    
      if ( $sec_ctxt->{'appname'} eq 'whostmgrd' && $sec_ctxt->{'user'} eq 'root' ) {
        return _ip_passes($sec_ctxt->{'remoteip'});
      }
    
      return 0;
    }
    
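    # Returns 1 (policy fails, login is refused) when the remote address is NOT
    # in the allow list, and 0 when it is.
    sub _ip_passes {
      my $remote_ip = shift;
    
      # Replace the placeholder with the addresses allowed to log in as root.
      my @allowed_ips = ('x.x.x.x');
    
      if ( !$remote_ip ) {
        Carp::confess("I am missing the users remote ip.  Security Policy requires exec termination.");
      }
    
      # Compare as exact strings. Using the remote address as a regex pattern
      # treats its dots as wildcards and is not anchored at the start.
      return 1 if !grep { $_ eq $remote_ip } @allowed_ips;
    
      return 0;
    }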
    
    1;
    
    Put this code in /usr/local/cpanel/Cpanel/Security/Policy/RootRestrict.pm and re-enable the module on WHM under Security Center > Configure Security Policies.

    Regards,
    Ruy Rocha
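
The allow-list comparison such a policy depends on, as an added example that is not part of the original post or of cPanel's code: it matches by exact address or CIDR range (a generalization beyond the single-address list in the post) and prints the result beside a pattern-based comparison for contrast. The function names and the sample addresses (documentation ranges) are constructed for illustration.

```perl
use strict;
use warnings;

# Constructed allow list: one exact address and one CIDR range.
my @ALLOWED = ( '198.51.100.7', '203.0.113.0/24' );

# Dotted-quad text to a 32-bit integer; undef if it is not a valid IPv4 address.
sub ip_to_int {
    my ($ip) = @_;
    return unless defined $ip;
    my @o = $ip =~ /\A(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\z/ or return;
    return if grep { $_ > 255 } @o;
    my $n = ( $o[0] << 24 ) | ( $o[1] << 16 ) | ( $o[2] << 8 ) | $o[3];
    return $n;
}

# 1 if $remote_ip equals an entry or falls inside a CIDR entry, else 0.
sub ip_allowed {
    my ( $remote_ip, @allowed ) = @_;
    my $addr = ip_to_int($remote_ip);
    return 0 unless defined $addr;    # malformed input is never allowed
    for my $entry (@allowed) {
        my ( $net, $bits ) = split m{/}, $entry, 2;
        $bits = 32 unless defined $bits;    # a bare address is a /32
        my $base = ip_to_int($net);
        next unless defined $base && $bits =~ /\A\d+\z/ && $bits <= 32;
        my $mask = $bits == 0 ? 0 : ( 0xFFFFFFFF << ( 32 - $bits ) ) & 0xFFFFFFFF;
        return 1 if ( $addr & $mask ) == ( $base & $mask );
    }
    return 0;
}

# For contrast: the remote address used as a regex against each entry.
# Dots match any character and nothing anchors the start of the entry.
sub ip_allowed_by_pattern {
    my ( $remote_ip, @allowed ) = @_;
    my $hits = grep { /$remote_ip$/ } @allowed;
    return $hits ? 1 : 0;
}

# Constructed test addresses, including a malformed one.
for my $ip ( '198.51.100.7', '203.0.113.42', '8.51.100.7', '198.51.100.70', 'not-an-ip' ) {
    printf "%-15s exact/CIDR=%d pattern=%d\n", $ip,
        ip_allowed( $ip, @ALLOWED ), ip_allowed_by_pattern( $ip, @ALLOWED );
}
```

The two columns disagree for 8.51.100.7, which is not in the list but matches the tail of an allowed entry when used as a pattern, and for 203.0.113.42, which only the CIDR-aware check recognizes.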
     
  16. medfordite

    medfordite Member

    Hi -

    My ISP thoughtfully changed my IP without my noticing. I changed the IP in the script to reflect this, but am now getting:


    Security Policy Handling Failed

    Please attempt to log in again.

    If this problem persists, please contact the system admin.


    When I try to log in - any recommendations, or a way to disable this script altogether temporarily?
     
  17. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Could you try re-saving the WHM > Configure Security Policies area if you are able to access it?

    If you are not, where precisely did you save the IP?
     
  18. medfordite

    medfordite Member

    I am unable to access it now. :( I saved the IP in the file:

    /usr/local/cpanel/Cpanel/Security/Policy/RootRestrict.pm

    What file would I need (from the command line or FTP) to change to disable this so I can log in now? That will do until I am able to retry this later.
     
  19. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    That file is a Perl module file, so it wouldn't be used to whitelist an IP.

    As for the option, it's in /var/cpanel/cpanel.config file:

    Code:
    SecurityPolicy::SourceIPCheck=1
    Change that to a 0 and then save the file. At that point, issue this command:

    Code:
    /usr/local/cpanel/whostmgr/bin/whostmgr2 --updatetweaksettings
     
  20. medfordite

    medfordite Member

    Thank you! That worked!!!!!
     