
Security Metrics refuse cPanel PCI Compliance

Discussion in 'Security' started by santrix, Mar 10, 2016.

  1. santrix

    santrix Well-Known Member

    Joined:
    Nov 30, 2008
    Messages:
    223
    Likes Received:
    2
    Trophy Points:
    18
    After a long battle with Security Metrics I felt I should share my experience. I work with a UK web host, and have been trying to help a client through their compliance testing.

    Security Metrics will no longer allow ANY cPanel server to pass because services like FTP, cPanel, WHM, Webmail are all protected ONLY by the main hostname's SSL certificate and answer on the same IP address as the customer's production domain. Accessing these services via the customer's domain gets an SSL response containing the server's hostname certificate, and not the customer's website domain certificate - which is, according to Security Metrics, a 100% failure.

    The only people who would legitimately have the cPanel login details are the customer, and they are not about to log into a service when their browser or FTP client complains of a certificate mismatch. They know full well that they should log into the shared cPanel services using the server's main hostname, and not their website domain.

    Security Metrics argue that this provides the environment for MiM attacks. I'm unsure that it does, provided the customer is educated and knows never to continue when a certificate mismatch is found. If they are stupid enough to do that, then they are stupid enough to fall for any attack which can misdirect their DNS to a bogus server (which may, after all, contain a perfectly valid SSL for the customer's domain obtained illicitly).

    So, my view at the moment is that Security Metrics are being unreasonable in their interpretation of the PCI standards. But I digress.

    There is already a feature request here for SNI to be provided on ALL services offered by cPanel servers:

    SSL certificate per domain on all services

    cPanel - please take note...
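    The failure santrix describes is a plain hostname-verification result: the client asks for the customer's domain on a cPanel service port, the service presents the server's hostname certificate, and the names do not match. The block below is an added example (not code from this thread or from cPanel) that reproduces that check offline on a constructed certificate dict in the layout `ssl.SSLSocket.getpeercert()` returns, and includes an optional live probe for a server you administer. The hostnames `server1.example-host.net` and `shop.example.com` are constructed; the port-to-service mapping is the standard cPanel, WHM and Webmail TLS ports.

```python
"""Reproduce the 'certificate does not match requested host' finding for cPanel service ports.

Added example for the forum thread above; not cPanel's own code.
All hostnames and the sample certificate below are constructed.
"""
import socket
import ssl

# TLS ports of the services the thread names (cPanel, WHM, Webmail).
# FTP is left out: it needs STARTTLS rather than a plain TLS handshake.
CPANEL_TLS_PORTS = {2083: "cPanel", 2087: "WHM", 2096: "Webmail"}

# Constructed sample: the server's hostname certificate as getpeercert() would return it.
SERVER_HOSTNAME_CERT = {
    "subject": ((("commonName", "server1.example-host.net"),),),
    "subjectAltName": (
        ("DNS", "server1.example-host.net"),
        ("DNS", "www.server1.example-host.net"),
    ),
}


def _label_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match of one certificate name against a hostname.
    A wildcard is honoured only as the entire leftmost label (*.example.com)."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    h_labels = hostname.split(".")
    # "*.example.com" must match neither "example.com" nor "a.b.example.com".
    return len(h_labels) >= 2 and ".".join(h_labels[1:]) == pattern[2:]


def names_in_cert(cert: dict) -> list[str]:
    """DNS names the certificate covers. subjectAltName wins; the subject CN is
    consulted only when no SAN is present (legacy behaviour)."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def cert_matches_host(cert: dict, hostname: str) -> bool:
    return any(_label_matches(n, hostname) for n in names_in_cert(cert))


def audit_service(cert: dict, requested_host: str, port: int) -> dict:
    """One finding in the shape a PCI scanner reports: the name the client
    connected with versus the names the presented certificate covers."""
    return {
        "service": CPANEL_TLS_PORTS.get(port, f"port {port}"),
        "port": port,
        "requested_host": requested_host,
        "cert_names": names_in_cert(cert),
        "match": cert_matches_host(cert, requested_host),
    }


def mismatched_services(cert: dict, requested_host: str) -> list[dict]:
    """Findings for every cPanel TLS port whose certificate does not cover requested_host.
    Takes a single cert because, as the thread says, all services present the same one."""
    findings = [audit_service(cert, requested_host, p) for p in CPANEL_TLS_PORTS]
    return [f for f in findings if not f["match"]]


def fetch_cert(host: str, port: int, timeout: float = 5.0) -> dict:
    """Live probe (needs network): handshake with SNI set to `host`.
    Hostname checking is turned off so the mismatch is observed rather than raised,
    but chain validation stays on: with verify_mode=CERT_NONE, getpeercert()
    would return an empty dict and there would be nothing to inspect."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    # Offline demonstration on the constructed certificate.
    for finding in mismatched_services(SERVER_HOSTNAME_CERT, "shop.example.com"):
        print(f"{finding['service']} ({finding['port']}): requested {finding['requested_host']}, "
              f"certificate covers {finding['cert_names']}")
```

Run it on a real host with `audit_service(fetch_cert("customer.example", 2083), "customer.example", 2083)`; an empty `mismatched_services` list is what the scanner wants to see, and the three findings the constructed sample produces are exactly the three failures the thread describes.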
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,854
    Likes Received:
    676
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    Would instructions on how to disable access to cPanel/WHM/Webmail and force the use of a single URL for access to those services help as a temporary workaround until progress is made on the feature request?

    Thank you.
     
  3. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    942
    Likes Received:
    57
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    1. Have you disputed this with them and provided the alternate acceptable hostname?

    2. If a customer is on their own dedicated IP address, you can close cPanel/WHM ports for that IP address with custom CSF/APF syntax, and they can just access those services on the main host IP.
     
  4. santrix

    santrix Well-Known Member

    Joined:
    Nov 30, 2008
    Messages:
    223
    Likes Received:
    2
    Trophy Points:
    18
    Hi Michael - yes, that would be perfect, but I'm unsure how that could work, because the initial SSL connection has to be made against the customer's domain name - so the SSL provider on the server would have to accomplish the rejection?
     
  5. santrix

    santrix Well-Known Member

    Joined:
    Nov 30, 2008
    Messages:
    223
    Likes Received:
    2
    Trophy Points:
    18
    Disputed until we're blue in the face - but they just dig their heels in deeper. I suppose they have a view that PCI compliance is all there is to security, and that this risk is higher than, oh, say, social engineering.

    Anyway - Option 2 is looking like the only option.
     