There's a lot out there about various methods to secure SSH access better.
But on a cPanel server, in my opinion, access to WHM gives the user a degree of privileges near that of logging into SSH as root. So I have a few questions for discussion.
First, let me set up the context for the application of these methods. It's a server that does not have to be HIPAA or FICA compliant. It just has one publicly accessible website running an order management system for employees to access in the office or anywhere they have an Internet connection. There's no financial info, or other sensitive data like Social Security Numbers, stored. So the security need on this server I'd describe as "MEDIUM".
1. Disable WHM Root Login: Last time I checked, a few years ago, there wasn't a good/recommended way to not require you to log in to WHM as root. That right there, it seems to me, defeats the purpose of a lot of SSH hardening techniques such as disabling password login and using public key authentication. If you can still log in to WHM as root, what's the point? Yeah, you can do more as root via SSH, but you sure can do a lot via WHM!
2. Restrict access to ports 2086/2087 to certain IPs. (What is 2086 even there for anyway, as I think you can't log in to WHM without an SSL connection?) The problem with this is if the admin wants to access the server from networks where they are getting DHCP-assigned IP addresses.
On the SSH side of things: as I pointed out above, if WHM access is through root account password login, then I think the effectiveness of hardening SSH access is extremely diminished.
What is the best "compromise" for hardening SSH access on a server that is essentially "sacrificial" (meaning if it was hacked there wouldn't be any serious damage to the business other than the time it takes to spin up a new VPS and restore a backup of the cPanel account) but where you'd still like to reduce the chance of unauthorized access?
Well, in the vast majority of scenarios the breach had nothing to do with system configuration and was simply poor practice on the user's part for storing/maintaining their passwords. So one could argue all of this is sort of moot if your user is emailing passwords back and forth, has Post-it notes with them, or keeps them in a Word or Excel doc on their cloud drive.
With that said...
1. Disable SSH root login. The user account in the wheel group that can sudo to root, though, if using password login, is just as vulnerable to getting its password stolen as the root password. Is the two-step login then really adding that much security? I guess one could argue why not: it's not causing a lot of headache, and in the case where the root password is compromised and the user password is unknown, you're protected.
2. Move SSH to a non-standard port below 1024. Seems to me most scanners will check all ports up to 1024 for SSH, or even higher. This would diminish SSH port 22 hack attempts in the log, which would be nice, but could also cause headaches for any software that needs SSH access and defaults to port 22.
3. Restrict port 22 to certain IPs. As I previously mentioned, not good for roaming admins. I've done this before and got around it, when I was not on a whitelisted IP, by using LogMeIn with two-factor authentication to gain access to a PC that was whitelisted. I only did this because the company was already using LogMeIn, so no extra cost. Not sure it would be worth it, though, to get LogMeIn just for this purpose.
4. Disable password login and use Public Key Authentication. 1) Now you have to maintain the keys, and 2) back to the original issue: what's the point if you can still log in to WHM with a password?
For my current server in question, this is what I'm thinking the strategy might be:
1) Disable root SSH login and add another cPanel user to the wheel group.
2) Block ports 2086/2087 and whitelist the admin's usual IPs. If I need WHM access from a non-typical IP, I can SSH in and modify the CSF config from the command line.
What I'm struggling with is whether I move or block the SSH port. I could block it and whitelist admin IPs. If I need access from an atypical IP, I can use LogMeIn to a Windows machine running XenServer to get console access to modify the CSF config to allow the IP. (Kind of a pain.)
Or maybe just move it (assuming it doesn't break any other applications) to reduce hack attempts and let LFD blacklist attempts by those that discover the new port? I think I'm leaning towards this as opposed to the above.
Best practices hardening a Cpanel / WHM Setup?
Re: Best practices hardening a Cpanel / WHM Setup?
Whitelist your IP in CSF.
Using Host Access Control (cPanel), allow SSH access to your IP or IPs, then deny SSH to all.
Then change the port number to something else.
https://forums.cpanel.net/threads/chang ... hm.108197/
In CSF, configure SSH logins to something really low, like 3 strikes and you're blocked.
My office PC has a static IP; however, home is dynamic, so if I get locked out from home, I'd have to RDP onto my office PC to then whitelist myself.
It doesn't happen often that I need access from home, so it isn't a massive problem for me.
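As an added example (not code from either post), the steps both posts describe applied with small shell helpers to constructed copies of the config files: PermitRootLogin off and the port moved in sshd_config, 2086/2087 dropped from and the new SSH port added to CSF's TCP_IN, a csf.allow entry for the admin IP, LF_SSHD set to 3, and sshd limited by TCP-wrapper rules of the kind Host Access Control writes. The 203.0.113.5 address, port 2222, the temp-dir paths and GNU sed are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Applies the hardening steps to copies of the
# config files; real paths would be /etc/ssh/sshd_config, /etc/csf/csf.conf,
# /etc/csf/csf.allow and /etc/hosts.allow. Assumes GNU sed (CentOS/CloudLinux).

# Replace an existing or commented-out "Key value" sshd directive, else append it.
set_sshd_option() {
    file=$1; key=$2; value=$3
    if grep -Eq "^[#[:space:]]*${key}[[:space:]]" "$file"; then
        sed -i -E "s|^[#[:space:]]*${key}[[:space:]].*|${key} ${value}|" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# Read and write KEY = "value" lines in csf.conf (TCP_IN, LF_SSHD, ...).
csf_get() { sed -n -E "s|^$2[[:space:]]*=[[:space:]]*\"([^\"]*)\".*|\1|p" "$1"; }
csf_set() { sed -i -E "s|^$2[[:space:]]*=.*|$2 = \"$3\"|" "$1"; }

# Drop or append one port in a comma-separated csf port list.
csf_drop_port() {
    csf_set "$1" "$2" "$(csf_get "$1" "$2" | tr ',' '\n' | grep -vx "$3" | paste -sd, -)"
}
csf_add_port() { csf_set "$1" "$2" "$(csf_get "$1" "$2"),$3"; }

# TCP-wrapper rules in the form Host Access Control writes to /etc/hosts.allow.
# First match wins, so the per-IP allow lines must come before the catch-all deny.
hac_restrict_sshd() {
    file=$1; shift
    for ip in "$@"; do printf 'sshd : %s : allow\n' "$ip"; done >> "$file"
    printf 'sshd : ALL : deny\n' >> "$file"
}

demo() {
    d=$(mktemp -d)   # constructed sample configs; 203.0.113.5 stands in for the office IP
    printf '#PermitRootLogin yes\nPort 22\n' > "$d/sshd_config"
    printf 'TCP_IN = "20,21,22,25,53,80,443,2086,2087"\nLF_SSHD = "5"\n' > "$d/csf.conf"
    : > "$d/csf.allow"; : > "$d/hosts.allow"
    set_sshd_option "$d/sshd_config" PermitRootLogin no            # OP plan, step 1
    set_sshd_option "$d/sshd_config" Port 2222                     # reply: move the port
    csf_drop_port "$d/csf.conf" TCP_IN 22; csf_add_port "$d/csf.conf" TCP_IN 2222
    csf_drop_port "$d/csf.conf" TCP_IN 2086; csf_drop_port "$d/csf.conf" TCP_IN 2087
    csf_set "$d/csf.conf" LF_SSHD 3                                # reply: 3 strikes
    echo 'tcp|in|d=2087|s=203.0.113.5 # WHM from office' >> "$d/csf.allow"   # OP plan, step 2
    hac_restrict_sshd "$d/hosts.allow" 203.0.113.5                 # reply: allow IP, deny all
    cat "$d/sshd_config" "$d/csf.conf" "$d/csf.allow" "$d/hosts.allow"
    echo 'Remaining root-only steps: usermod -aG wheel <admin>; csf -r; systemctl restart sshd'
}
demo
```

The helpers only edit the files you pass them, so they can be run against copies first and diffed before touching the live configs.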