
api key security

Comments

7 comments

  • cPanelMichael
    Hello @gildas,
    does it take a moment to secure the API key for package creation via an API request?

    Can you expand on this question? For instance, are you asking how long it takes to generate an API key?
    Because the generated key (32 characters) does not seem really secure.

    Can you provide some details about the specific security concerns you have?
    Similarly root access to WHM can be limited to some IPs for example?

    You can limit access to Web Host Manager using WHM >> Host Access Control, but it's not possible to restrict access by IP address based on a specific username. For increased login security, see the documentation on WHM >> Configure Security Policies: Configure Security Policies - Version 76 Documentation - cPanel Documentation

    Thank you.
    0
  • gildas
    Hello,
    does it take a moment to secure the API key for package creation via an API request?

    Can you expand on this question? For instance, are you asking how long it takes to generate an API key?

    Is it possible to protect the API with a password or block its use to a specific IP?
    Because the generated key (32 characters) does not seem really secure.

    Can you provide some details about the specific security concerns you have?

    I do not have any specific security concerns, but I'm wondering about the length of this API key, because previously the generated API key was longer. I will look at the link provided. Thank you for your reply.
    0
  • cPanelMichael
    Is it possible to protect the API with a password or block its use to a specific IP?

    Yes, you can enable security policies and extend them to API Requests per the information in the document below: Configure Security Policies - Version 76 Documentation - cPanel Documentation
    I do not have any specific security concerns, but I'm wondering about the length of this API key, because before the generated API key was longer

    Here's a quote about the differences between access hashes and API tokens:
    "We deprecated Access Hashes because they had some security concerns we wanted to address. A few big differences between the Access Hash system and the API Token are:
    • Keys are no longer stored in plaintext
    • Keys are no longer stored in the user's home directory
    • When a key is created, the key is displayed just once, after which it is stored in a nonreversible encrypted format. You will be unable to see the key again, so please store it somewhere safe.
    • As of cPanel & WHM version 68, keys can be created with limited permissions."

    Thank you.
    0
  • horizon2021
    This is an old thread, but I have a few related questions:
    1.) Is the API Token system protected by some brute force protection by default? (x-number of failures and the remote system is locked out?)
    2.) The old remote access key was quite a bit longer than the new API tokens. Is there a reason to limit length of the new API token instead of having a longer key?
    0
  • horizon2021
    In WHM, there is a warning: "When you enable the Security Policy Extensions settings for remote APIs and DNS cluster requests, issues will be hard to diagnose. We recommend you do not enable these extensions unless you fully understand your remote API usage and DNS cluster configuration."
    Is this a real world problem, or a very cautious warning message? Can I simply enter the other DNS cluster member's IP addresses manually as verified IP addresses to limit access to those specific IPs?
    0
  • cPRex Jurassic Moderator
    It's just a warning - since you already know the IPs you're working with you can just add that access and I would expect that to work well.
    0
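
The token properties quoted earlier in the thread (shown once, not stored in plaintext, limited permissions) and the question about the 32-character length can be illustrated with a small sketch. This is an added example, not cPanel's code and not from any poster in the thread: the 36-symbol alphabet, the SHA-512 digest, the `TokenStore` class and the privilege names are all assumptions made for illustration.

```python
import hashlib
import hmac
import math
import secrets
import string

# Assumption: tokens use uppercase letters and digits (36 symbols).
ALPHABET = string.ascii_uppercase + string.digits
TOKEN_LEN = 32  # the length mentioned in the thread


def entropy_bits(length, alphabet_size):
    """Bits of entropy in a uniformly random string of the given length."""
    return length * math.log2(alphabet_size)


class TokenStore:
    """Hypothetical store that keeps only a digest and the granted privileges."""

    def __init__(self):
        self._records = {}  # token name -> (sha512 hex digest, privileges)

    def create(self, name, privileges):
        token = "".join(secrets.choice(ALPHABET) for _ in range(TOKEN_LEN))
        # A fast hash is enough here because the input is high-entropy random
        # data, not a human-chosen password (assumed scheme, see lead-in).
        digest = hashlib.sha512(token.encode()).hexdigest()
        self._records[name] = (digest, frozenset(privileges))
        return token  # returned once; the store cannot reproduce it

    def authorize(self, presented, privilege):
        digest = hashlib.sha512(presented.encode()).hexdigest()
        for stored, granted in self._records.values():
            # Constant-time comparison of the stored and presented digests.
            if hmac.compare_digest(stored, digest):
                return privilege in granted
        return False


if __name__ == "__main__":
    store = TokenStore()
    # "create-package" is a hypothetical privilege name.
    token = store.create("provisioning", {"create-package"})
    print(f"{entropy_bits(TOKEN_LEN, len(ALPHABET)):.1f} bits of entropy")
    print("create-package allowed:", store.authorize(token, "create-package"))
    print("delete-account allowed:", store.authorize(token, "delete-account"))
```

Under these assumptions a 32-character token carries about 165 bits of entropy, so the length of the string is not the limiting factor; how the token is stored, scoped and transmitted matters more.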
