The cPanel & WHM Community Forums

Secure Private information

Discussion in 'Security' started by coursevector, Apr 17, 2019.

  1. coursevector (Well-Known Member; cPanel Access Level: Root Administrator)
    I have a cPanel server where the main disk is unencrypted. I've attached an encrypted disk to the server to store all customer private information. My plan was to mount the disk as /home and then symlink all necessary folders to that /home partition.

    - Mount the new drive as /home
    - Symlink /var/lib/mysql to /home/mysql (configure MariaDB ProtectHome=false)
    - Symlink /var/log to /home/log
    - Symlink /usr/local/apache/domlogs/ to /home/local/apache/domlogs/
    - Symlink /usr/local/apache/logs/ to /home/local/apache/logs/
    - Set backups to /home/backup

    Would this work? Am I missing anything? Anything wrong with this plan?
    The goal is to have all customer information (logs, files, database) all stored physically on the encrypted drive and not the unencrypted drive.
     
  2. cPanelMichael (Technical Support Community Manager, Staff Member; cPanel Access Level: Root Administrator)
    Hello @coursevector,

    Can you share more information about how the additional disk is encrypted?

    Thank you.
     
  3. coursevector (Well-Known Member; cPanel Access Level: Root Administrator)
    It is an attached EBS disk on an AWS EC2. So it's hardware encrypted at rest.
     
  4. cPanelMichael (Technical Support Community Manager, Staff Member; cPanel Access Level: Root Administrator)
    Hello @coursevector,

    It's my understanding that as long as the disk is attached to the server as a block device, then the OS and by extension cPanel & WHM, should treat it as a normal storage device.

    That said, creating symbolic links the way you described in your first post isn't recommended or tested. Have you considered setting up a new cPanel & WHM instance using EBS exclusively and then transferring the accounts on the existing instance to the new one?

    Thank you.
     
  5. coursevector (Well-Known Member; cPanel Access Level: Root Administrator)
    I would if it was a normal EC2. But unfortunately this is running on a Lightsail instance where the root disk is unencrypted by default but attached disks are encrypted by default. Which means in order to have the data secured, I need to move as much as I can to the secondary disk.
    I do understand that if I mount the disk to /home2 (or something to that effect), it would take advantage of it automatically. I could even default it to use /home2. But my concern is that at that point the database, logs, (anything else?) that are not stored in the /home directory would be unencrypted. Do you have a better way to handle it?
     
  6. cPanelMichael (Technical Support Community Manager, Staff Member; cPanel Access Level: Root Administrator)
    Hello @coursevector,

    While unsupported and untested, setting up a bind mount to point directories such as /var/lib/mysql/ to the desired /new-storage/ location is one option to consider. I recommend setting up a temporary instance that duplicates your current environment, attaching EBS storage to the duplicated instance, and then adding the bind mounts to verify everything works as intended before applying the same changes to your production server. Here's a link to a post that links to an example of how to set up a bind mount:

    Change MariaDB tmp folder?

    Let me know if you have any questions.

    Thank you.
     
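The bind-mount approach suggested in the post above, worked through as an added example; this is not code from the thread or from cPanel's own tooling. It moves one directory (/var/lib/mysql, the path the post uses) onto the encrypted volume, persists the bind mount in /etc/fstab ordered after that volume, and then proves with the filesystem device number that the path is now backed by the encrypted disk rather than the root disk. My assumptions: the encrypted EBS volume is already formatted and mounted at /new-storage (the location named in the post), the MariaDB unit is called mariadb, and GNU coreutils and rsync are available. Unlike the symlink plan in the first post, a bind mount leaves /var/lib/mysql a real directory at its usual path, so nothing has to follow a link into /home and MariaDB's ProtectHome setting can stay as shipped.

```shell
#!/bin/sh
# Added example (not from the cPanel thread or cPanel's tooling): migrate one
# service directory onto the encrypted volume with a bind mount and verify it.
# Assumptions (mine, not the thread's): the encrypted EBS volume is formatted
# and mounted at /new-storage; the MariaDB systemd unit is named "mariadb".
set -eu

ENCRYPTED_MOUNT="${ENCRYPTED_MOUNT:-/new-storage}"

# Device number of the filesystem holding a path (GNU stat). A bind mount of a
# directory on the encrypted filesystem reports the encrypted disk's device
# number, so comparing device numbers shows which disk really holds the bytes.
fs_device() {
    stat -c '%d' "$1"
}

# Prints yes if both paths live on the same filesystem, otherwise no.
same_filesystem() {
    if [ "$(fs_device "$1")" = "$(fs_device "$2")" ]; then echo yes; else echo no; fi
}

# The /etc/fstab line for a persistent bind mount. x-systemd.requires-mounts-for
# orders it after the encrypted volume is mounted, so a service never starts
# against the empty, unencrypted directory left on the root disk.
fstab_bind_line() {
    src="$1"; dst="$2"
    printf '%s %s none bind,x-systemd.requires-mounts-for=%s 0 0\n' \
        "$src" "$dst" "$ENCRYPTED_MOUNT"
}

# Migrate one directory: copy it with ownership, ACLs, xattrs (SELinux labels)
# and hard links preserved, bind-mount the copy over the original path, record
# the mount in fstab, and verify. Requires root and a stopped service.
migrate_dir() {
    dst="$1"                                  # e.g. /var/lib/mysql
    src="$ENCRYPTED_MOUNT${dst}"              # e.g. /new-storage/var/lib/mysql
    [ -d "$dst" ] || { echo "no such directory: $dst" >&2; return 1; }
    if [ "$(same_filesystem "$dst" "$ENCRYPTED_MOUNT")" = yes ]; then
        echo "skip: $dst is already on $ENCRYPTED_MOUNT"; return 0
    fi
    mkdir -p "$src"
    rsync -aAXH --delete "$dst/" "$src/"
    mount --bind "$src" "$dst"
    grep -qF " $dst none bind" /etc/fstab || fstab_bind_line "$src" "$dst" >> /etc/fstab
    if [ "$(same_filesystem "$dst" "$ENCRYPTED_MOUNT")" != yes ]; then
        echo "FAIL: $dst is still backed by the root disk" >&2; return 1
    fi
    echo "ok: $dst is now backed by $ENCRYPTED_MOUNT"
}

if [ "${1:-}" = "--apply" ]; then
    systemctl stop mariadb
    migrate_dir /var/lib/mysql
    systemctl start mariadb
else
    echo "dry run; the fstab entry --apply would add:"
    fstab_bind_line "$ENCRYPTED_MOUNT/var/lib/mysql" /var/lib/mysql
fi
```

Run it as root with --apply on the duplicated test instance first, as the post recommends; without --apply it only prints the fstab line. Two caveats a practitioner should keep in mind: rsync --delete makes the copy authoritative, so the service must be stopped while it runs, and a bind mount hides but does not remove the original directory, so the unencrypted copy stays on the root disk underneath the mount point until it is wiped.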
  7. coursevector (Well-Known Member; cPanel Access Level: Root Administrator)
    Do you know all the locations where a user's information may be stored in cPanel? As mentioned in my first post, I know the user databases are stored in the /var/lib/mysql/ folder. The user files are stored in /home/username/, but is that it? Email is stored in /home/username/ as well, correct? That would just leave what, logs? Am I missing anything?
     
  8. cPanelMichael (Technical Support Community Manager, Staff Member; cPanel Access Level: Root Administrator)
    Hello @coursevector,

    While it's not directly related to your question, the third step in the following document includes a list of paths where common cPanel account data is stored:

    How to Manually Migrate Accounts to cPanel from Unsupported Control Panels - cPanel Knowledge Base - cPanel Documentation

    However, there are additional locations where account-specific data is stored outside the account's home directory. For example:

    /var/named/ - includes the domain's DNS zones;
    /var/cpanel/userdata/username/ - includes the account's cPanel/Apache configuration data.

    You can back up an account using Pkgacct and then manually extract the archive to see which files/directories the account data is pulled from.

    Thank you.
     
  9. coursevector (Well-Known Member; cPanel Access Level: Root Administrator)
    @cPanelMichael ,
    Thanks for the insight, that's helpful to know. I think I can work with this.
     
  10. coursevector (Well-Known Member; cPanel Access Level: Root Administrator)
    @cPanelMichael
    I do have one more question. You suggested to package an account and "see which files/directories the account data is pulled from". But I can't tell where these files come from based on the backup itself. While the link you sent is helpful, it lists about 10 paths, but a backup has about 50 folders. So I feel like it's not a 1:1 match-up. Do you have any documentation that maps a backup file in more detail?
     
  11. cPanelMichael (Technical Support Community Manager, Staff Member; cPanel Access Level: Root Administrator)
    Hello @coursevector,

    cPanel & WHM isn't currently designed with the intent to isolate account-specific data to specific parts of the filesystem. Thus, we don't have a document that provides a list of every location on the filesystem where account-specific data can potentially exist, and existing paths could change in the future as new features are added. A feature request for the ability to isolate account-level data to specific parts of the filesystem is likely the best approach here:

    Submit A Feature Request

    In the meantime, the paths you noted earlier in this thread look to encompass the traditional account-specific data paths. The one addition I can think of is the /var/spool/ directory. While emails are stored in the account's /home/username/mail/ directory upon successful delivery, account-specific email data could exist in the Exim queue (e.g. in the corresponding sub-directory under /var/spool/) if a message is rejected or held. Additionally, a user's cron job syntax is stored in the /var/spool/cron/ directory.

    Thank you.
     
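Posts 7, 8 and 11 between them enumerate where account data lives outside the account's home directory, and post 11 warns that the list can change as features are added. The added audit below, which is my example and not code from the thread or from cPanel, takes that inventory and reports for each path whether the bytes are actually stored on the encrypted volume, on some other filesystem, or whether the path is absent, so it can be rerun after every cPanel upgrade rather than trusted once. My assumptions: the encrypted disk is mounted at /new-storage (override with ENCRYPTED_MOUNT); /var/spool/exim is used for the Exim queue that post 11 describes only as a sub-directory under /var/spool/; /backup is the default backup destination, which the first post planned to relocate under /home.

```shell
#!/bin/sh
# Added example, not from the thread or from cPanel: audit every account-data
# location named in this thread and report whether each one is backed by the
# encrypted volume. Assumption (mine): the encrypted disk is mounted at
# /new-storage; override with ENCRYPTED_MOUNT=/path.
set -eu

ENCRYPTED_MOUNT="${ENCRYPTED_MOUNT:-/new-storage}"

# Locations collected across the thread. /var/spool/exim (Exim queue) and
# /backup (default backup destination) are my concrete choices for paths the
# thread names only loosely; everything else is quoted from the posts.
ACCOUNT_DATA_PATHS="
/home
/var/lib/mysql
/var/log
/usr/local/apache/domlogs
/usr/local/apache/logs
/var/named
/var/cpanel/userdata
/var/spool/exim
/var/spool/cron
/backup
"

# Device number of the filesystem holding a path (GNU stat).
fs_device() { stat -c '%d' "$1"; }

# For each path print one line: on-volume, off-volume or missing, then the path.
# A bind mount from the encrypted filesystem shares its device number, so the
# check sees through bind mounts to the disk that actually stores the data;
# a symlink is resolved by stat, so it is judged by where its target lives.
audit_paths() {
    ref="$1"; shift
    ref_dev="$(fs_device "$ref")"
    for p in "$@"; do
        if [ ! -e "$p" ]; then
            echo "missing $p"
        elif [ "$(fs_device "$p")" = "$ref_dev" ]; then
            echo "on-volume $p"
        else
            echo "off-volume $p"
        fi
    done
}

# A bind mount hides, but does not remove, the original directory on the root
# disk. Bind-mounting / onto a scratch directory exposes that unencrypted copy
# so it can be measured and wiped once the migration is verified. Requires root.
underlying_copy() {
    scratch="$(mktemp -d)"
    mount --bind / "$scratch"
    du -sh "$scratch$1" 2>/dev/null || echo "0 $scratch$1"
    umount "$scratch"; rmdir "$scratch"
}

if [ -d "$ENCRYPTED_MOUNT" ]; then
    # A directory that merely exists on the root disk is not an encrypted volume.
    if [ "$(fs_device "$ENCRYPTED_MOUNT")" = "$(fs_device /)" ]; then
        echo "warning: $ENCRYPTED_MOUNT is on the root filesystem, not a separate volume" >&2
    fi
    # shellcheck disable=SC2086
    audit_paths "$ENCRYPTED_MOUNT" $ACCOUNT_DATA_PATHS
else
    echo "$ENCRYPTED_MOUNT is not mounted; nothing to audit" >&2
fi
```

Any line reported off-volume is account data still sitting on the unencrypted Lightsail root disk; missing lines are paths that do not exist on this particular server and can be dropped from the list. Because EBS encryption protects data at rest on the volume only, the question the audit answers is exactly which volume stores each path, which is why it compares device numbers rather than trusting the directory names.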