The Community Forums


warn users against using 127.0.0.1 as a resolver

Discussion in 'General Discussion' started by jester.ro, Oct 23, 2004.

  1. jester.ro

    jester.ro Well-Known Member
    PartnerNOC

    Joined:
    Feb 6, 2004
    Messages:
    304
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Bucharest, Romania
    cPanel Access Level:
    DataCenter Provider
    Can anyone explain the latest updates to cpanel?

    warn users against using 127.0.0.1 as a resolver

    and

    make sure 127.0.0.1 is never set by default for dns

    What is wrong with using 127.0.0.1 as primary nameserver?
    It's the way it's supposed to be, if the caching nameserver is on localhost.


    what?
     
  2. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    There's an explanation here:
    http://tweakgeek.com/node/22

    I agree with the conclusions, but not with "People can add almost any domains they wish to your server". How? Do they mean resellers?

    If your DNS system has been compromised, you've probably got more problems than this.

    It misses the benefit of using 127.0.0.1, which is speedier domain resolution, since you're cutting out at least 1 hop to what might be an extremely busy DNS server that is out of your control. I've certainly suffered problems in the past with hosting company DNS servers that go flaky/unreliable and that can cause a great deal of problems for email, for example. Using your own nameserver as a resolver removes that problem.

    Without a more specific threat that is spelled out in technical terms, I'm sticking with my own resolvers on 127.0.0.1
     
  3. jester.ro

    10x chirpy.

    Well, I have my own datacenter, and I still keep all the servers running with 127.0.0.1 as primary resolver.

    It's just about how many points of possible failure you have. Using external resolvers is a bad idea, and I'm not talking about that extra hop, I'm talking about reliability.

    One failed caching nameserver means fail for all servers depending on it. So why look for trouble?
    I would suggest datacenter owners not to provide nameservers for dedicated clients.

    Anyway, I'm still using 127 as primary NS. It's been like this for ages, and I'm not gonna change it. I just hope that warning will not be visible to users, 'cause I'm sick of explaining why the red box appears on top of their WHM, about PHP version 4.3.8 instead of the latest 4.3.9.

    These warning messages should be visible only to root. Not everyone can update PHP, for example, the moment it's out. And not everyone is willing to expose to users that the server is running "an insecure apache setup". First of all it is bad for the image, and second it might trigger unhappy events...like some reseller starting to look for vulnerabilities in the current setup.

    Enough said.
     
  4. rpmws

    rpmws Well-Known Member

    Joined:
    Aug 14, 2001
    Messages:
    1,824
    Likes Received:
    5
    Trophy Points:
    38
    Location:
    back woods of NC, USA
    Exactly!!!! And I don't have resellers any more because I'm sick of them taking down my boxes, click happy I call it. But the 127 NS is the best as far as I am concerned.
     
  5. dgbaker

    dgbaker Well-Known Member
    PartnerNOC

    Joined:
    Sep 20, 2002
    Messages:
    2,578
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    Toronto, Ontario Canada
    cPanel Access Level:
    DataCenter Provider
    It all comes down to this, the only true secure server is an unplugged server. Certain things like the 127 issue are known "hazards" shall we say of running servers. I agree with chirpy, if someone is in your server far enough to exploit this, then you have far more serious issues than this to deal with.
     
  6. nickn

    nickn Well-Known Member
    PartnerNOC

    Joined:
    Jun 15, 2003
    Messages:
    619
    Likes Received:
    1
    Trophy Points:
    18
    A reseller can add any DNS zones they wish. If you are using 127.0.0.1 that means they can do a lot of fun stuff...

    Here's one possibility :

    Let's say I know that cPanel will update the imagemagick RPM tonight. I know the path for the imagemagick download (or can find it out by doing the upgrade myself)

    Now I sign up on your server for a reseller account, create the domain "imagemagick.org" and point it to my own server. At this point, I can feed you a trojaned RPM when you do the rpm upgrade.

    cPanel places restrictions on the main zones, for instance you can't add cpanel.net, etc. But it can't block everyone. When you do RPM installs, etc...using Yum or whatever, someone could easily redirect some of the main download sites and eventually trojan your server. All of this with only reseller access.

    I won't reveal details, but let's just say when someone places warnings in WHM they usually had something happen that convinced them they should. :)
     
    #6 nickn, Oct 23, 2004
    Last edited: Oct 23, 2004
  7. FriedEgg

    FriedEgg Active Member

    Joined:
    Sep 27, 2003
    Messages:
    40
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Washington, DC
    Wouldn't it be possible to check whether a domain's registered nameservers point to your server(s) or not? That way only someone who had control over the domain's registered nameservers (at the registrar) could park/add a domain. The only drawback would be a delay in transferring or setting up a new domain, but perhaps it could be an option for those that wish to still use a local dns resolver.
     
  8. nickn

    Not if you use 127.0.0.1

    You should use your main server IP or third party DNS servers....not 127.0.0.1
     
  9. webdev1

    webdev1 Member

    Joined:
    Apr 17, 2004
    Messages:
    11
    Likes Received:
    0
    Trophy Points:
    1
    I just got CpanelProxy working yesterday, see cpanelproxy.net, it relies on 127.0.0.1 to allow access to whm, cpanel, and webmail through port 80 while you're behind a strict firewall.

    So, if now I remove 127.0.0.1 I will defeat my ability to get to my server when behind that firewall (please don't suggest to ask the system admin to open the ports, many large company firewalls are like this, at the direction of their corporate security).

    So, my request to Nick, could you PLEASE build in a proxy system to WHM/Cpanel/Webmail so we your loyal clients and the multitude of resellers and users can access our servers ?

    The one thing you could do to improve, is to have it work by both http and https, as Cpanelproxy is a challenge to get working on https.

    Your consideration is appreciated, webdev1
     
  10. nickn

    I can not find anything that suggests (nor can I think of any reason to) have 127.0.0.1 as your main resolver in /etc/resolv.conf

    What makes you think this?
     
  11. webdev1

    Hi Nickn,
    I don't disagree, I'm fine with removing it, but this was what I was speaking of:

    http://cpanelproxy.net/faq
    Do you think if I remove 127.0.0.1 that the proxy login would work through my site IP? This seems contrary to how cpanelproxy works?

    Your insight is appreciated, webdev1
     
  12. FriedEgg

    Well, I was thinking that the new domain/domain parking script would check external nameservers to verify that the domain is pointed at your server.

    How does using the actual server IP instead of 127.0.0.1 make a difference? It's still talking to the same local nameserver which could potentially be poisoned.
     
  13. nickn

    If you use the real server IP then the nameserver will check if it is authoritative for the domain, as opposed to using 127.0.0.1, in which case the server won't check.

    As for cpanelProxy webdev, I think you're fine, test it and see :)
     
  14. webdev1

    Hi Nickn,
    Aha, you were right, it works fine, I removed 127.0.0.1 from resolv.conf, and you can still log in through cpanelproxy.

    A Note to Cpanel.net, It would still be nice for you to build a proxy feature into WHM/Cpanel, to avoid having to set up CpanelProxy.

    So now, back to trying to get CpanelProxy to work under https ???

    Thanks, webdev1
     
  15. chirpy

    That I understand. However, if you don't have resellers I cannot see a need for the security warning.
     
  16. nickn

    Shared Clients can add add-on and subdomains...you might not catch a "hijacked" domain.
     
  17. nickn

    Since everyone's been warned about 127.0.0.1, here's one scenario:

    Reseller/shared client adds the "zend.com" domain to your server, they then create a quick .htaccess or php script that parses the "getfile.php" command; when your server tries to upgrade next time zend comes out...it gives cpanel a custom tarball..cpanel untars it, executes the install file...

    the install file is actually not an install, it's a quick app that roots your server..badda bing. If it really wanted to be evil it'd continue with the zend install, and you wouldn't know until next chkrootkit

    127.0.0.1 is a BAD IDEA.
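The scenario nickn describes in posts 6 and 17 (a zone a reseller created on this server answering for a vendor's download host because the server resolves through its own named) can be checked for mechanically. The script below is an added example, not cPanel code: it parses a constructed BIND named.conf and /etc/resolv.conf, lists the zones the local named answers authoritatively for, and reports every updater download host that falls inside one of them. It treats the server's own IP in resolv.conf the same as 127.0.0.1, since both reach the same named. The file contents, URLs and IP addresses are all constructed for the example.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed BIND named.conf fragment (assumption about layout; real files
# are larger). "imagemagick.org" plays the zone a reseller added.
SAMPLE_NAMED_CONF = """
options { directory "/var/named"; };
zone "." IN { type hint; file "named.ca"; };
zone "0.0.127.in-addr.arpa" IN { type master; file "127.0.0.rev"; };
zone "example.com" { type master; file "/var/named/example.com.db"; };
zone "imagemagick.org" { type master; file "/var/named/imagemagick.org.db"; };
"""

# Constructed /etc/resolv.conf contents for the two setups the thread argues about.
RESOLV_LOCAL = "search example.com\nnameserver 127.0.0.1\nnameserver 192.0.2.53\n"
RESOLV_EXTERNAL = "search example.com\nnameserver 192.0.2.53\nnameserver 198.51.100.53\n"

# Constructed list of URLs an updater fetches from (not cPanel's real update URLs).
SAMPLE_UPDATE_URLS = [
    "http://www.imagemagick.org/download/ImageMagick.tar.gz",
    "http://downloads.example.net/zend/ZendOptimizer.tar.gz",
    "ftp://mirror.example.org/pub/rpms/",
]

ZONE_RE = re.compile(r'zone\s+"([^"]+)"\s*(?:IN\s+)?\{([^}]*)\}', re.S)
NS_RE = re.compile(r'^\s*nameserver\s+(\S+)', re.M)


def authoritative_zones(named_conf):
    """Map zone name -> type for zones this named answers authoritatively
    (master/slave). Hint and forward zones are skipped."""
    zones = {}
    for name, body in ZONE_RE.findall(named_conf):
        m = re.search(r'\btype\s+(\w+)', body)
        ztype = (m.group(1) if m else "").lower()
        if ztype in ("master", "slave", "primary", "secondary"):
            zones[name.rstrip(".").lower()] = ztype
    return zones


def covering_zone(hostname, zones):
    """Return the local zone that would answer for hostname (the name itself
    or its closest enclosing parent), or None if no local zone covers it."""
    labels = hostname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None


def resolver_is_local(resolv_conf, server_ips=()):
    """True if any nameserver in resolv.conf is loopback or one of this
    server's own addresses, i.e. lookups are answered by the local named."""
    own = {ipaddress.ip_address(ip) for ip in server_ips}
    for ns in NS_RE.findall(resolv_conf):
        try:
            addr = ipaddress.ip_address(ns)
        except ValueError:
            continue
        if addr.is_loopback or addr in own:
            return True
    return False


def audit(resolv_conf, named_conf, update_urls, server_ips=()):
    """Return (local_resolver, overlaps). overlaps lists (host, zone) pairs
    where a locally hosted zone would answer for an update host; they are
    exploitable only when local_resolver is True."""
    zones = authoritative_zones(named_conf)
    overlaps = []
    for url in update_urls:
        host = urlsplit(url).hostname
        if not host:
            continue
        zone = covering_zone(host, zones)
        if zone:
            overlaps.append((host, zone))
    return resolver_is_local(resolv_conf, server_ips), overlaps


if __name__ == "__main__":
    for label, rc in (("127.0.0.1 resolver", RESOLV_LOCAL),
                      ("external resolvers", RESOLV_EXTERNAL)):
        local, overlaps = audit(rc, SAMPLE_NAMED_CONF, SAMPLE_UPDATE_URLS)
        print(f"{label}: local_resolver={local} overlaps={overlaps}")
```

On a real server the same functions would be fed the actual /etc/named.conf (and any included zone files), the actual /etc/resolv.conf, and the host list of whatever updater runs as root; the overlap list is what a reseller-created zone could intercept.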
     
  18. chirpy

    Not if you have WHM > Tweak Settings > Allow Creation of Parked/Addon Domains that resolve to other servers (ie domain transfers) [This can be a major security problem. If you must have it enabled, be sure to not allow users to park common internet domains.] disabled.

    Just tried it with a server using 127 as the resolver with the above disabled and get, as expected:

    Nameserver ips for test.com are: 208.48.34.135,64.212.106.87,206.165.6.10,209.130.187.10 Sorry, that domain (test.com) is already pointed at an ip address that does not appear to use dns servers on this server or master servers! Please transfer the domain to this server's nameservers or have your admin add one of its nameservers ips to /etc/ips.remotedns and make the proper A entries on that remote nameserver!

    Since it already says that "This can be a major security problem" I'm still waiting to see why this is an issue.
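The check whose output chirpy pasted above (compare the domain's registered nameservers with this server's nameservers and the addresses in /etc/ips.remotedns, which is what FriedEgg proposed in post 7) can be modelled in a few lines. This is an added example, not cPanel's implementation: the DNS data, server addresses and ips.remotedns contents are constructed, and the resolver is passed in so the same check can be run against a public resolver and against a stand-in for 127.0.0.1 that answers from local zone data for any zone the server already hosts. The second run shows that the verification is only as good as the resolver it asks.

```python
import ipaddress

# Constructed data: this server's nameserver addresses and an /etc/ips.remotedns
# of the kind the WHM message refers to.
SERVER_NS_IPS = {"203.0.113.10", "203.0.113.11"}
IPS_REMOTEDNS = "# remote nameservers allowed to carry our zones\n203.0.113.20\n\n"

# Constructed view of the public DNS: domain -> addresses of its registered
# nameservers. test.com is delegated to nameservers that are not ours.
PUBLIC_NS = {
    "test.com": ["198.51.100.1", "198.51.100.2"],
    "customer.example": ["203.0.113.11"],
    "transfer.example": ["203.0.113.20"],
}

# Zones the local named already serves (assumption: a reseller added test.com).
LOCAL_ZONES = {"test.com"}


def public_resolver(domain):
    """NS addresses as an outside recursive resolver reports them."""
    return list(PUBLIC_NS.get(domain, []))


def loopback_resolver(domain):
    """Stand-in for resolv.conf pointing at 127.0.0.1: for any zone the local
    named hosts it answers from its own data, naming our own nameservers
    regardless of what the registry says. Other names fall through."""
    if domain in LOCAL_ZONES:
        return sorted(SERVER_NS_IPS)
    return public_resolver(domain)


def load_remotedns(text):
    """Parse an ips.remotedns-style file: one address per line, # comments."""
    ips = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            ips.add(str(ipaddress.ip_address(line)))
        except ValueError:
            continue
    return ips


def may_add_domain(domain, resolve_ns, server_ns_ips=SERVER_NS_IPS,
                   remotedns_text=IPS_REMOTEDNS, allow_foreign=False):
    """Decide whether a user may park/add `domain`. Returns (allowed, reason).
    allow_foreign models the tweak setting that disables the check."""
    if allow_foreign:
        return True, "tweak setting allows domains that resolve to other servers"
    ns_ips = set(resolve_ns(domain))
    if not ns_ips:
        # Assumption: a domain with no delegation yet is treated as new.
        return True, f"{domain} has no nameservers yet"
    trusted = set(server_ns_ips) | load_remotedns(remotedns_text)
    if ns_ips & trusted:
        return True, f"{domain} uses nameservers on this server or in ips.remotedns"
    return False, (f"{domain} is already pointed at {sorted(ns_ips)}, "
                   "which are not this server's nameservers")


if __name__ == "__main__":
    for label, resolver in (("public resolver", public_resolver),
                            ("127.0.0.1 resolver", loopback_resolver)):
        allowed, reason = may_add_domain("test.com", resolver)
        print(f"{label}: allowed={allowed} ({reason})")
```

Asked through the public resolver, test.com is refused exactly as in chirpy's output; asked through the loopback stand-in for a zone the server already hosts, the same domain confirms itself. The check therefore has to be made with a resolver that cannot be answered by the zone being checked.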
     
  19. nickn

    It says "can be".

    It can be a major security issue, if you don't have that box checked. :)
     
  20. goodmove

    goodmove Well-Known Member

    Joined:
    May 12, 2003
    Messages:
    624
    Likes Received:
    0
    Trophy Points:
    16
    Do you mean the main server IP or the ns1 IP (if ns1 != main server IP)?
     