Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!

Securing WHM (and SSH)

Discussion in 'Security' started by jazee, Jul 2, 2017.

  1. jazee

    jazee Well-Known Member

    Jan 12, 2015
    Likes Received:
    Trophy Points:
    cPanel Access Level:
    Root Administrator
    There's a lot out there about various methods to secure SSH access better.

    But on a Cpanel server, in my opinion, access to WHM gives the user a degree of privileges near that of logging into SSH via root. So I have a few questions for discussion.

    First, let me setup the context for the application of these methods. It's a server that does not have to be HIIPA or FICA compliant. It just has one publicly accessible website running an order management system for employees to access in the office or anywhere they have an Internet connection. There's no financial info, or other sensitive data like Social Security Numbers stored. So the security need on this server I'd describe as "MEDIUM"

    1. Disable WHM Root Login: Last time I checked a few years ago, there wasn't a good/recommended way to not require you to login to WHM as root. That right there seems to me defeats the purpose of a lot of SSH hardening techniques such as disabling password login and using public key authentication. If you can still login to WHM via root - what's the point? Ya you can do more as root via SSH but you sure can do a lot via WHM!

    2. Restrict access to port 2086/2087 to certain IPs. (What is 2086 even there for anyway as I think you can't login to WHM without an SSL connection?) The problem with this is if the admin wants to access the server from networks where they are getting DHCP assigned IP addresses.

    On the SSH side of things, although I pointed out above that if WHM access is through root account password login, then I think the effectiveness of hardening SSH access is extremely diminished.

    What is the best "compromise" for hardening SSH access on a server that is essentially "sacrificial" (meaning if it was hacked there wouldn't be any serious damage to the business other than the time it takes to spin up a new VPS and restore a backup of the Cpanel account) but that you'd like to still reduce the chance for unauthorized access.

    Well in the vast majority of scenarios the breach had nothing to do with system configuration and was simply poor practice on the users part for storing/maintaining their passwords. So one could argue all of this is sort of moot if your user is emailing passwords back and forth, has post it notes with them, or keeps them in a Word or Excel doc on their cloud drive.

    With that said...

    1. Disable SSH root login. The user account though in the wheel that can sudo to root if using password login, is just as vulnerable to getting the password stolen as the root password. Is the two step login then really adding that much security? I guess one could argue why not, it's not causing a lot of headache and in the case root password is compromised and user password is unknown, you're protected.

    2. Move SSH to non-standard port below 1024. Seems to me most scanners will check all ports up to 1024 for SSH or even higher. This would diminish SSH port 22 hack attempts in the log which would be nice but could also cause headaches for any software that needs SSH access and defaults to port 22.

    3. Restrict port 22 to certain IPs. As I previously mentioned, not good for roaming admins. I've done this before and got around it when I was not on a whitelisted IP to use LogMeIn with two-factor authentication to gain access to a PC that was whitelisted. I only did this because the company was already using LogMeIn so no extra cost. Not sure it would be worth it though to just get LogMeIn for this purpose.

    4. Disable password login and use Public Key Authentication. 1) Now you have to maintain the keys, and 2) back to the original issue, what's the point if you can still login to WHM with a password?

    For my current server in question, this is what I'm thinking the strategy might be:

    1) Disable root SSH login and add another cpanel user to the wheel group
    2) Block ports 2086/2087 and whitelist admin's usual IP's. If I need WHM access from non-typical IP, I can SSH in and modify CSF config from command line.

    What I'm struggling with is if I move or block SSH port. I could block it, and whitelist admin IPs. If I need access from untypical IP I can use LogMein to Windows machine running Xenserver to get consol access to modify CSF config to allow IP. (Kind of a pain)

    Or maybe just move it (assuming doesn't break any other applications) to reduce hack attempts and let LFD blacklist attempts by those that discover the new port? Think I'm leaning towards this as opposed to above.
  2. JawadArshad

    JawadArshad Well-Known Member PartnerNOC

    Apr 8, 2008
    Likes Received:
    Trophy Points:
    cPanel Access Level:
    DataCenter Provider

    A VPN could resolve more than one issues raised.

    For WHM,

    - You could just create a reseller with escalated privileges and skip out any of the super privileges. Then use that reseller user instead (functions for everything like creating/removing users, managing them, creating ACLs, configuring API etc).

    - You could configure a custom VPN and restrict access to the VPN IP so whenever a user is connected to the VPN, they get access. This does away with the problem of adding new IPs to the whitelist every now and then.

    For SSH,

    - Again, use a VPN and restrict IP access to VPN. As added security, you should enable Two factor authentication. A quick search in your favorite search engine should lead to a lot of helpful results. HTH.
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  3. cPanelMichael

    cPanelMichael Technical Support Community Manager Staff Member

    Apr 11, 2011
    Likes Received:
    Trophy Points:
    cPanel Access Level:
    Root Administrator
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice