
Filtering automatic login to WHM from WHMCS

Comments

14 comments

  • cPanelMichael
    Hello @Remitur, Restricting access to whostmgrd on a per-IP address basis is possible using WHM >> Host Access Control, however as you noted this will restrict access to both the WHM UI and WHM API 1 functions. Restricting access to the WHM UI, while at the same time allowing access to use WHM API 1 functionality, isn't supported. Can you provide more information about why you'd like to do this? The reseller can perform the same tasks from the WHM UI that they can perform using a WHM API 1 function. Thank you.
  • Remitur
    Can you provide more information about why you'd like to do this? The reseller can perform the same tasks from the WHM UI that they can perform using a WHM API 1 function.

    Access to WHM by a user can be protected by 2FA, so API access is the weaker side (i.e., I can imagine another system attempting a sort of brute force via API calls). So, if I were able to limit API access by IP whitelisting, it would be much safer... I guess it would be sufficient to handle web interface logins and API calls on two different ports, so I could protect the first with 2FA and the second with IP whitelisting...
  • cPanelMichael
    Hello @Remitur, Can you provide a step-by-step example of the method by which a user can bypass the 2FA requirement to execute API functions? This will allow me to reproduce the behavior and better understand the specific scenario you are describing. For anyone else seeing this thread, here's a link to the WHMCS single sign-on document that explains how this works from the WHMCS perspective:
  • Remitur
    @cPanelMichael To configure a cPanel server in WHMCS, all I need is to specify its IP and an API key (or even a username and password to access WHM with administrator privileges): CPanel/WHM - WHMCS Documentation. WHMCS makes a sort of API call in order to allow the admin (who is already logged in to WHMCS) to transparently log in to WHM too. So, it's easy to imagine an external system doing a brute force against the cPanel server, simply making a lot of those same API calls while trying different passwords (a password is weaker than an API key, and so easier to break)...
  • cPanelMichael
    Hello @Remitur, If I understand correctly, your concern is that by giving WHMCS access to your system through an API token or through the root password, WHMCS is granted the ability to generate login sessions that can be used to access cPanel & WHM without two-factor authentication. If so, I believe enabling two-factor authentication for WHMCS would address your concern: Two Factor Authentication | WHMCS Thank you.
  • Remitur
    If I understand correctly, your concern is that by giving WHMCS access to your system through an API token or through the root password, WHMCS is granted the ability to generate login sessions that can be used to access cPanel & WHM without two-factor authentication.

    Not exactly... Let me explain: to log in directly to WHM, a human user needs username, password and 2FA. So brute force is impossible, and a stolen password is also useless. But to log in to WHM via the API, using (I guess) get_loggedin_url(), just a username and password are required.

    So, first case: I'm a bad cracker, and I have stolen my colleague's password. I can't log in directly, because I don't have his smartphone... but I can set up a server which calls get_loggedin_url() on cPanel, and so I'll be in... bypassing 2FA.

    Second case: I'm a brute-force cracker. My target is a cPanel server. All I need to do is write a script which every hour makes a thousand get_loggedin_url() calls against my target, trying various username/password combinations... if nobody stops me, in a few weeks I'll be in... bypassing 2FA. (Note: this second one will not work if brute-force protection also applies to API calls... but I don't know whether it does.)
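    The mechanism the two posts above are arguing about, as an added example that is not code from cPanel, WHMCS or either poster: a WHMCS-style "Login to WHM" button does not replay the admin's WHM password and second factor; it asks WHM API 1's create_user_session for a session, authenticated with the credential WHMCS stores for the server (an API token or the root password). That the WHMCS get_loggedin_url() path ends in create_user_session is my understanding of the integration, not something the thread states. The host name, token value and the fake whostmgrd reply are constructed so the script runs offline; the request URL, the two Authorization header forms and the metadata/data envelope are the WHM API 1 shapes.

```python
"""Added example (not cPanel or WHMCS code): how a WHMCS-style "Login to WHM"
button obtains a session through WHM API 1's create_user_session.

Host name, token value and the JSON reply below are constructed so the
script runs offline; the request and response shape follow WHM API 1.
"""
import base64
import json
import urllib.parse
from typing import Callable, Optional

WHM_PORT = 2087  # whostmgrd, the same port used for the interactive WHM login


def auth_header(user: str, token: Optional[str] = None,
                password: Optional[str] = None) -> str:
    """Authorization header value for a WHM API call.

    WHM accepts either an API token ("whm USER:TOKEN", from
    WHM >> Manage API Tokens) or HTTP Basic auth with the account password.
    Neither form involves the account's second factor: whatever holds this
    credential can mint sessions, which is the crux of the thread.
    """
    if token:
        return f"whm {user}:{token}"
    if password:
        return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()
    raise ValueError("an API token or a password is required")


def build_session_request(host: str, target_user: str,
                          service: str = "whostmgrd") -> str:
    """URL of the WHM API 1 create_user_session call that mints a login
    session for target_user on whostmgrd (WHM), cpaneld or webmaild."""
    query = urllib.parse.urlencode(
        {"api.version": 1, "user": target_user, "service": service})
    return f"https://{host}:{WHM_PORT}/json-api/create_user_session?{query}"


Transport = Callable[[str, dict], bytes]


def sso_login_url(host: str, authorization: str, target_user: str,
                  transport: Transport, service: str = "whostmgrd") -> str:
    """Return the one-time login URL WHM hands back, or raise on refusal.

    transport(url, headers) -> bytes is injected so the example can run
    against the fake below; a real deployment would perform an HTTPS GET
    with certificate verification.
    """
    url = build_session_request(host, target_user, service)
    reply = json.loads(transport(url, {"Authorization": authorization}))
    meta = reply.get("metadata", {})
    if meta.get("result") != 1:  # WHM API 1: result 1 = success, 0 = failure
        raise PermissionError(meta.get("reason", "create_user_session refused"))
    return reply["data"]["url"]


# ---- constructed stand-in for whostmgrd, offline use only -------------------
FAKE_HOST = "whm.example.test"
FAKE_TOKEN = "EXAMPLETOKEN0000"  # hypothetical value, not a real token format


def fake_whostmgrd(url: str, headers: dict) -> bytes:
    """Answers like a WHM API 1 endpoint: a metadata/data envelope on success,
    a result=0 envelope when the credential does not match."""
    if headers.get("Authorization") != f"whm root:{FAKE_TOKEN}":
        return json.dumps({"metadata": {"version": 1, "result": 0,
                                        "reason": "Access denied",
                                        "command": "create_user_session"}}).encode()
    target = urllib.parse.parse_qs(urllib.parse.urlparse(url).query)["user"][0]
    return json.dumps({
        "metadata": {"version": 1, "result": 1, "reason": "Created session",
                     "command": "create_user_session"},
        "data": {"service": "whostmgrd",
                 "session": f"{target}:EXAMPLE:create_user_session,0000",
                 "cp_security_token": "/cpsess0000000000",
                 "expires": 1700000000,
                 "url": f"https://{FAKE_HOST}:{WHM_PORT}/cpsess0000000000/login/"
                        f"?session={target}%3aEXAMPLE%3acreate_user_session%2c0000"},
    }).encode()


if __name__ == "__main__":
    # WHMCS-side flow: the admin is already logged in to WHMCS; WHMCS uses the
    # credential it stores for the server, not the admin's WHM password or
    # second factor, to mint the session and then redirects the browser to it.
    login = sso_login_url(FAKE_HOST, auth_header("root", token=FAKE_TOKEN),
                          "reseller1", fake_whostmgrd)
    print("redirect browser to:", login)
    try:
        sso_login_url(FAKE_HOST, auth_header("root", password="guess"),
                      "reseller1", fake_whostmgrd)
    except PermissionError as exc:
        print("refused:", exc)  # a failed login attempt, which cPHulk counts
```

    The point the script makes concrete: the interactive 2FA prompt on port 2087 guards the username/password login form, while create_user_session is guarded only by the API credential presented in the Authorization header. Protecting that credential (a token rather than the root password, and source-IP restriction where the product allows it) is therefore what stands in for the second factor on this path.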
  • cPanelMichael
    Hello @Remitur, I'm not able to reproduce the behavior you have described using the steps below:

    1. Enable 2FA via WHM >> Two Factor Authentication.
    2. Require 2FA via WHM >> Configure Security Policies.
    3. Access an account via cPanel or WHM to set up the authentication app.
    4. Create the test Perl script found at the bottom of Configure Security Policies - Version 76 Documentation - cPanel Documentation.

    If you wanted to take it a step further, you could extend the additional security policies to API functions by enabling the API requests option on the page linked above. Regarding your question about cPHulk, it will detect failed login attempts on the corresponding service it's monitoring. In the case of cPanel/WHM/Webmail logins, it will detect the failed login attempts even if the authentication attempt occurs through a script making use of our API. Thank you.
  • Remitur
    I'm not able to reproduce the behavior you have described using the steps below:

    I guess that WHMCS's guys found another way to allow the user to log in via the API, without 2FA... :-/ I'll describe what I'm experiencing:

    - I go to www.mycpanelserver.com:2087
    - I'm asked for username and password; I specify "root" and the password
    - I'm asked for a "security code": I give it and I'm in

    So, 2FA is active for "root", right? Then, let's go to WHMCS: I go to "Setup" => "Products" => "Servers", I choose my already configured cPanel server (mycpanelserver.com), just click on "Login to WHM"... and I'm in, without being asked for 2FA.

    Note: this happens for the administrative interface ("root"), but it also works for resellers (who can access WHM using 2FA, but can also access WHM directly from their client area in WHMCS). And I guess (not yet tested) it also works this way for users accessing their cPanel interface (mycpanelserver.com:2083).
  • cPanelMichael
    Hello @Remitur, Can you take a screenshot of how WHM >> Configure Security Policies is configured on this system and post it here? Thank you.
  • Remitur
    Can you take a screenshot of how WHM >> Configure Security Policies is configured on this system and post it here?

  • cPanelMichael
    Then, let's go to WHMCS: I go to "Setup" => "Products" => "Servers", I choose my already configured cPanel server (mycpanelserver.com), just click on "Login to WHM"... and I'm in, without being asked for 2FA.

    Hi @Remitur, Can you enable API requests via WHM >> Configure Security Policies and verify if you're still able to do this? Thank you.
  • baronn
    Then, let's go to WHMCS: I go to "Setup" => "Products" => "Servers", I choose my already configured cPanel server (mycpanelserver.com), just click on "Login to WHM"... and I'm in, without being asked for 2FA.

    Can you not use the API restriction available in WHMCS (Security Tab - WHMCS Documentation) to stop external URLs from accessing the API and remotely calling the API to log in? That should kind of sort the WHMCS part out, I think.
  • Remitur
    Hi @Remitur, Can you enable API requests via WHM >> Configure Security Policies and verify if you're still able to do this?

    I looked for a way to do the test but, this being a production environment, without success... :-( I have a WHMCS test environment available, but not a cPanel test environment... can you arrange a cPanel test environment for a quick test?
  • cPanelMichael
    I have a WHMCS test environment available, but not a cPanel test environment... can you arrange a cPanel test environment for a quick test?

    Hi @Remitur, That's not something we can arrange because it involves the transmission of your WHMCS test environment authentication details. However, you should be able to reach out to the WHMCS support team to verify the option will work as intended. Let us know what their answer is. Thanks!