Securing cPanel/WHM using URL parameters

Discussion in 'Security' started by SuperSajuuk, Aug 17, 2016.

  1. SuperSajuuk

    SuperSajuuk Member

    Joined:
    Apr 10, 2016
    Messages:
    7
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    United Kingdom
    cPanel Access Level:
    Root Administrator
    Hi there.

    I'm looking to do some security on my VPS and am wondering if it is possible to make cPanel and WHM reject any requests to load the login page if a specific URL parameter is not specified (something like ?valid_request=1&referrer=thespecifiedreferred). Is this something I can do with cPanel or would I need to do that at the VPS level?

    I ask about this because I'm getting the odd email from cPHulk Daemon where people are randomly brute forcing my cPanel (luckily not my WHM link), but I would definitely like to see if I can secure both portals with URL parameters (that obviously aren't known to the outside world), and a randomly generated session code if the parameters are given.

    Thanks!
     
  2. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,448
    Likes Received:
    195
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
  3. SuperSajuuk

    Hi @Infopro

    I'm already making use of 2FA for the WHM account, but my main cPanel account is also accessed by another user (that I trust) so I cannot use 2FA on that account. Therefore, I'd like to be able to add URL parameters to prevent people just "guessing" the cPanel link and trying to brute force the account.

    Thanks.
     
  4. Infopro

    I'm not aware of any URL parameters to use for this purpose.
     
  5. SuperSajuuk

    @Infopro My intention was to write some script that would be loaded first before the cPanel login with my own URL parameters that would be required. When I specified any parameters, the cPanel login broke, so my script would also need to have compatibility with the login form that cPanel uses.

    That way, people won't be able to reach the cPanel or WHM login pages at all to attempt brute forcing the accounts unless they've got a valid link to the page.
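
Added example, not part of the thread and not cPanel code: one way a gate script like the one described above could check its parameters, using an expiring HMAC signature instead of a fixed secret value so that a copied link stops working. The `valid_request` and `referrer` names come from the first post; the `expires` and `sig` parameters, the function names, the host name and the key handling are assumptions, as is running the check in a front end the administrator controls before the request reaches the login page.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed per-process key for the example; a real gate would load a
# long-lived key from root-only storage (assumption).
GATE_KEY = secrets.token_bytes(32)
LINK_LIFETIME = 300  # seconds a generated link stays valid (assumed value)


def _sign(referrer, expires):
    """HMAC-SHA256 over the parameters the link is allowed to carry."""
    msg = f"{referrer}|{expires}".encode()
    return hmac.new(GATE_KEY, msg, hashlib.sha256).hexdigest()


def make_gate_link(base_url, referrer, now=None):
    """Build a login link with the gate parameters and an expiring signature."""
    issued = time.time() if now is None else now
    expires = int(issued + LINK_LIFETIME)
    query = urlencode({"valid_request": "1", "referrer": referrer,
                       "expires": expires, "sig": _sign(referrer, expires)})
    return f"{base_url}?{query}"


def gate_allows(url, now=None):
    """Return True only if the request may be passed on to the login page."""
    params = parse_qs(urlsplit(url).query)
    try:
        if params["valid_request"] != ["1"]:
            return False
        referrer = params["referrer"][0]
        expires = int(params["expires"][0])
        sig = params["sig"][0]
    except (KeyError, ValueError):
        return False  # missing or malformed parameter: reject
    current = time.time() if now is None else now
    if current > expires:
        return False  # link has expired
    # Constant-time comparison: do not leak how much of the signature matched.
    return hmac.compare_digest(sig.encode(), _sign(referrer, expires).encode())
```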
     
  6. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    651
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
  7. SuperSajuuk

    @cPanelMichael Thanks for the link for the API. Host Access Control is impossible, I am on a residential broadband package with an IP that changes on every "disconnection", so HAC would just get me locked out of the panel when the IP changes.
     