Seeing all passwords in cPanel & WHM

[antonitus]

Hi,

Please, please, please developers, when we set up website packages, databases, ftp's, emails, etc., to allow us to retain all these passwords in the control panel.
What I mean by this is to be able to see the passwords in the control panel under their relevant sections. Heart Internet, for example have this in place and it was so easy to maintain. It won't be much of a security issue as only the administrators have access to the admin control panel. Also, website owners could benefit from this when they set up email mailboxes for example. How on earth would they be able to see mailbox passwords if they forgot or lost it. It's too much hassle to create new passwords again as some companies have more than one mailbox set up on various computers. It would be a major headache to re-create the passwords again, not to say disruption of business.

I'm so surprised this is not in place as it is such an important feature to have available. Shocked really.

I hope the developers can add this very soon. Much appreciated.

Thanks,
antonitus

 

[rpvw]

I am sorry to have to disagree with this. Substituting convenience for security is what causes most infosec breaches.

cPanel already has more than adequate facilities for users and admins to change or reset passwords without resorting to on-server plain text password records that have a great big bulls-eye on them and a flashing neon sign advertising HACK ME .

Businesses that are inept enough to have not made adequate records of their passwords (for any of their services) generally learn very quickly to do so when they see the disruption it can cause.

On the other hand, a huge percentage of businesses that have had all their passwords hacked (and by extension, revealed all their client and protected data) never recover and cease trading.

If you must keep your own electronic list of username/passwords - keep it on your own computer, isolated from the internet, locked in a safe, encased in concrete and stored at the bottom of a lake !

 

[antonitus]

I understand your concerns about hacking. If your site is not totally secure, then sure it will be hacked, but you have the option to make it secure by using SSL certificates. There are of course disadvantages and advantages having stored passwords. It will be very difficult to hack a site if these passwords were kept in folder/file before the public_html folder. Why can't the control panels just create a password list before this folder where it is password protected. I've been with Heart Internet for over 10 years and there was no hacking there. The only sites that were hacked are either Joomla or Wordpress. It's up to the host reseller to secure their sites.

 

[rpvw]

I am really sorry, but if you think that having an SSL certificate on a site will secure it from hacking, I think you need to do some further research.

Obsolete SSL, badly configured TLS, XSS, Information Leakage, attacks on CMS (irrespective of weather they are your sites or not), phishing (targeted or not), reused passwords from social media site (yes even Mark Zuckerberg’s Twitter and Pinterest accounts were the same, and hacked over the weekend), badly configured shell and/or sudo permissions, server processes that are not jailed to their users....the list is endless; and can all contribute to a server wide exploit where the fact that a password file is kept above the webroot is totally irrelevant.

The fact that the webhost you use has never been hacked (that we know of) is a tribute to their vigilance and professionalism, but it will only take the smallest mistake or over-site by a server admin, reseller or even a website owner/operator to make even the best security measures ineffectual.

Remember, the vulnerabilities that are introduced to a computer may be the result of the best intention updating to the latest software/plugin versions - and the developers got it wrong and left a gaping big back door open - or even a small crack that a determined hacker can force wider !

If you think that your particular server deployment is invulnerable (utopia is a totally secure and invulnerable web hosting environment), by all means recommend that your users keep a file of all their passwords in their account somewhere - but I wouldn't advertise the fact that you are doing that or you might start to see your webhost getting irritated by the number of hacking attempts it is having to fend off Good luck.

 

[antonitus]

Just out of interest, how do you personally store or know every single password for yourself and for all your customers? What if you have over 50 web hosting packages with many databases, ftp's, mailbox accounts. I'm very curious how you control this for yourself and for your customers if something goes wrong. If you can tell me how you manage this and you do it correctly, then I don't mind not seeing the passwords on the control panels. The way I am doing it at the moment is via a text document. I do know there is a possibility of hacking, but those very smart hackers who know how to manipulate and hack a very secure website may not really care about a normal website and sometimes we have to take chances. Websites like Facebook, Twitter, eBay, PayPal, financial websites, etc, now they are the ones the hackers will normally target and disrupt for whatever reason.

 

[rpvw]

I don't know any of my customers passwords for their websites or databases or emails - they sign up, create their own username/password combinations and then create their own emails and install their own apps, either from our app repository or directly themselves. Anything I do for them is communicated to them, and then we destroy any electronic trace we have in our control.

If they need me to work on their applications, I have a paper document for them to complete and fax me with their username/password combination for whatever they want help with, which clearly asks them to change the passwords after the work is completed. It would be naive of me to think they bother, but I DO shred the paper document after we have finished the work.

As far as my own personal passwords are concerned - I could claim a fantastic memory, or tell you they were on a USB flash stick I wear on a cord round my neck - the reality is they are hand written on a piece of paper kept in a safe

but those very smart hackers who know how to manipulate and hack a very secure website may not really care about a normal website

You are quite correct, they have little or no interest in the website itself - but as a portal into a whole server, or as a platform to deliver malware from - now that is worth having !

Don't get complacent because you or your customers have nothing that you see as being valuable. A legit email account is worth big $$$ if it can be used for sending out several thousand spam emails before it is discovered - similarly any web based platform, FTP, webdisk, website etc all have an intrinsic value based on what the bad guys can do with it before they get kicked out.

As a final thought, since the object of the cPanel forum is really to help with cPanel do remember that pretty much 95% of infosec is reactive - that means we are chasing after the bad guys who have already found out how to hack our stuff and we are now trying to stop them - the proactive part involving white-hat hackers, developers and infosec professionals are frustrated by ludicrous and badly written government legislation, the instinct of software companies to never admit there might be a security issue with their software, and the general lack of adequate stress and penetration testing on products, usually determined by the bean counters who see it as an unnecessary expense.

Whilst no product is perfect, cPanel does a pretty good job of giving root admins the tools and features to adequately protect a web server - now if only the admins/resellers/users would actually use them...................

 

[antonitus]

Fair point. Very informative information which has opened my eyes really. You've made me think that you are correct what you say and maybe passwords should not be stored in the control panel. Maybe the cPanel devs could add an option to enable or disable a feature like this. Those who want to use it, is at their own risk.
I'm in the middle of moving my customers web accounts to a new server, so just out of interest, do you use WHMCS to enable your customers to sign up and set up a web hosting package automatically based on what you said in your previous message. I'm very new to cPanel and WHM and I'm learning. It's only be a few days since I opened a new account. You seem to know your stuff

 

[rpvw]

Yes I do use WHMCS as the website and customer interface. I don't do full automation, I have all orders set to moderation, so that they are not set up on the server unless we have manually reviewed and accepted them.

There is no magic formulas for WHMCS/WHM/cPanel. I recommend you add the CSF firewall to your installation and I rather like the CageFS security that CloudLinux brings to the table, but above all, RTFM !!

Some of the seemingly smallest and insignificant settings can have the most profound consequences on your server performance and security. Research what each and every setting does and how it interacts with other settings and decisions you have made, read the manual, use web search to help as necessary, use forums and anything you can get your hands on to help, and do not be afraid to ask questions. At this point I usually just sign off with the old phrase 'Now go out and learn stuff' but I just want to add one word of warning - be very very very very (and a whole lot of other verys) careful when following instructions that folk post on the web. Forum staff and software developers are generally reliable, but make sure you fully understand what everyone is advising you to do. This is particularly important if you start in the land of CL commands ! Make sure you are looking at advice relevant to your versions and not something that was posted 2 years ago and that would now prove dangerous to adopt.

As a last suggestion, do sign up for News Feeds and emails from reputable institutions in the industry. SANS is a favorite of mine along with Out-Law News that has a lot of IT related content, and magazines like The Register can be invaluable in keeping you up-to-date with breaking security and industry news.

Wishing you the best of luck with your endeavors.

 

[Infopro]

There is no magic formulas for WHMCS/WHM/cPanel.

Not true. cPanel does many things automagically to make your life easier.

I'm jussayin'

 

[rpvw]

You know, Infopro is definitely onto something there - I guess the mantra of "If you don't know, leave the settings at default" would be pretty good advice.

cPanel have gone to a LOT of trouble to create an out-of-the-box experience for their users, one has to acknowledge that they (should) have good reasons for setting up stuff in the way that they do (I actually believe they are all from some alien doughnut eating planet, and are secretly trying to take over) so don't second guess them unless you absolutely know you want to mess with it (OH and take copious notes of what you have done so you can go back and undo it if it doesn't perform as expected. )

 

[Infopro]

The Cake is a lie!

 

[antonitus]

Thanks so much for your advice. I've had various reseller accounts since 2000 and currently I am with Heart Internet and I am slowly migrating all my accounts to my new reseller account using cPanel & WHM. Heart Internet used a different bespoke interface, very similar to cPanel. They set up all the hard bits, so it was quite easy to use. I needed a bit of a change as Heart Internet were getting too greedy and charging for almost every service, so enough was enough.

I always go to forums and continually learn new stuff, but I have to admit, I don't normally write stuff down. I have a computing background and I tend to think logically. This will be my demise one day when my brain can't handle it any more.

Wishing you the best of luck with your endeavors.

Thanks a lot, much appreciate your help. You too, best of luck.