Skip to main content

cPanel/WHM is not suitable for dedicated servers. Agree or disagree?

Comments

9 comments

  • ffeingol

    It kind of depends on your use case.  A typical cPanel/WHM users (site admin) is not going to easily transition to a root level WHM user (full server admin) because they simply don't have the skills to do that.  We sell a fair number of un-managed cPanel VPS/dedicated servers, but the clients know how to manage servers.  We also sell a lot of managed VPS/dedicated servers.  On managed servers, we retain root and manage the server for the customer.  They are used to their level of cPanel/WHM so it's an easy transition for them.

    Bottom line, it really depends on your use case and skill set.

    0
  • cPRex Jurassic Moderator

    4 years ago would have been juuuust before my time of being the Forums admin, so don't blame me for that one :D

    I also like ffeingol's answer of "it depends" - ultimately, we don't always know what happens with our product.  Yes, we get UI stats and domain stats and whatnot so I'm sure we could make a very educated guess, but what users do with the system has always ultimately been up to them.

    I do recall from hosting support days there were some users that had only one domain on their cPanel server, but it wasn't common.

    We do have the Solo license type for exactly this situation:

    https://docs.cpanel.net/knowledge-base/accounts/cpanel-solo-license/

    but it is limited to cloud/VPS hardware at this time.  Would you like to see this further expanded to dedicated hardware?

    0
  • spaceman

    Thanks for your replies.

    A little more context for my situation:

    Our agency currently services and supports about 8 cPanel/WHM servers as dedicated, single-tenant servers.

    We're extremely familiar (since 2000) with cPanel/WHM in the context of shared, multi-tenant hosting, so it's logical that our preference is to stick-with-what-we-know when it comes to providing and supporting dedicated servers.

    But what we've seen on a few occasions (like now!) is that one of our clients with a dedicated server decides to use 3rd party services (software and/or agencies) to run security checks on their server, and then they forward this to us for our review and to take corrective action.

    Unsurprisingly, such reports highlight lots of issues (such as open ports) which are either necessary or useful in a shared hosting context, but much less so in a dedicated hosting context.

    We therefore find ourselves under pressure from the client to lock down as many of these issues as we can, without negatively impacting normal website operations.

    Ideally, such dedicated servers would ALREADY be locked down to the max, rather than us having to be reactive to such reports. This could be achieved by:

    1. Support/documentation from cPanel that makes a list of recommendations for locking down a server for single-tenant use, and/or
    2. More settings/configurations in WHM that help us to more easily facilitate the above.

    Additional ideas/feedback on the above would be appreciated.

    Thanks!

    Ross

     

     

    0
  • ffeingol

    Sorry if this is obvious, but have you go into Service Manager in WHM and turned off the services that they are not using?  If you turn them off, then the port won't be open.

    0
  • spaceman

    Hi ffeingol, and thanks for your suggestion.

    Yes, I could do that, and probably will.

    I assume I could do other things too. So what I'd ideally like is a comprehensive article from cPanel that lists all the things I could do to "dumb down" a server for dedicated use.

    I understand 100% that this won't be a one-size-fits-all approach. So any such article should provide the appropriate links/info/guidance to help decide which adjustments to make, and what are the ramifications of making them.

    In my perfect dream world, WHM is able to self-evaluate (best guess even) whether or not any given service or feature is in active legitimate use, and to advise accordingly. I don't think this is too sci-fi! It's like when Google lets me know about the apps I'm using, or Slack tells me what channels I'm not using. Sure, that's a lot simpler equation for Google or Slack to work out than more complex, nuanced server activity. But not impossible.

    0
  • cPRex Jurassic Moderator

    I don't think we'd be able to make such a guide, or "self guess" as each environment is different. 

    0
  • spaceman

    Here's another angle on this whole topic:

    One of the first principles of good security is to start with a server that is highly locked down, and then only add services and permissions when necessary.

    It's the same with user accounts: start by giving a user or role as little as possible, and then progressively grant them more permissions as/when required.

    Given that cPanel/WHM is, out-of-the-box, optimised for multi-tenant shared hosting, it's understandable that (mostly) the opposite approach is taken.

    Therefore, if cPanel/WHM is interested in supporting use cases for dedicated servers, it would be very helpful to get guidance directly from cPanel about this.

    Perhaps, when installing cPanel/WHM for the first time, different profiles can be selected, one of them being a minimalist profile, more suitable for dedicated servers.

    0
  • ITHKBO

    I will throw in my opinion on this matter with some user cases why I think on paper it might work but in practice it is a harder sell.

    We use both servers shared for our clients as well as dedicated for other projects internal or more demanding clients. Both situations how ever the servers get a Linux hardening treatment and minimizations of services and modules before they are ever let through our firewalls.

    Personally I would never trust an company to decide for us what is needed and what is not unless it is required to run the software at all. Self evaluation from software is in my opinion a sure way to riding of a cliff without a supervisor to actually verify any data. We operate in addition several A.I platforms for clients and our own companies and even those make big mistakes sometimes with hundreds or thousands of hours of training date while it is answering a really simple question.

    They in turn at this time can't correct the problem themselves without our input and thus for business critical services they are a extreme risk factor. The best compromise on this in my opinion is a quickscan with only an advisor role after which you or someone responsible can decide to follow the instructions based on your own or group knowledge. Some security software already does this like for Example Config Server Firewall (CSF) has a build in security check and recommendation listing.
    For obivious reasons I can't share the recommendation view but it is normally above this bar.

    Regarding a minimized image it can save a bit of time but not really that much as it will still require the responsible admin to verify that it actually is doing what it should. Because a machine in the current age we live in is not classified as an legal person and thus can't be held responsible for any errors. So if it messes up because you relied on it doing its job fully automatic your in for a bumpy legal ride when it does go of rails in a production environment 

    In my previous work I have had to setup 300+ servers for medical recovery group locations and we had some debate about going with a minimized but manual intensive debian image or relying on a Ubuntu automated profile setup. After a month of running several trial runs we quickly realized that the Ubuntu image sometimes would install Gnome GUI because it simply could not catch some repository items and than went to another which had different requirements listed including gnome dependencies.

    Thus sporadic we ended with a server that had a full interface were they only had to server as headless platform resulting in our auditing software to go full beserk on vulnrability messages. Doing it manually would have cost less time than having to either redo it or remove the incorrect dependencies after. It is one of those field situations that can happen with profile use if not reviewed beforehand.

    Writing a guide instead of a minimized image on the other is also a very much a by use case situation. Best practice for one client might not work or might not even be allowed for another because of country laws or ISO requirements for example. In addition best practice can change almost daily. I receive new recommendations almost every week from several agencies, suppliers and independent contractors, parties. And I can tell you a lot of those will conflict in there best practice on already written guides. Not to mention the separate security advisories because of just another threat group making our lives as server admins miserable.

    An example was the recent XY backdoor situation where an agencies recommended to downgrade XY to version C while one of another reputable company source recommend to downgrade to version B (simplified versioning example) so which should we follow ? Such kind of situations are going to happen a lot. Some clients might need PHP 8 some might never use it. Are you going to include it in the guide as on or off?

    Are you willing to write separate guides for them or different sections? And how long can your guide become before its to long for most to even follow. Not to mention are you going to maintain the guide based on all the independent supplier product live cycles that your own product has integrated or availible with a switch of a button?


    However you can write such guide(s) for your own company and simply maintain it internally and mandate its use. We have several for our servers while we have one additional server that is our guinea pig for testing any new guidelines. And I imagine a lot of companies here are using that method also.

    0
  • spaceman

    Thanks for that considered reply ITHKBO.

    I 100% understand that one server configuration will not suit all use cases.

    But although I say it myself, I quite like my installation 'profile' suggestion for cPanel/WHM, e.g.

    * Minimal
    * Typical
    * Everything

    So, for example, for a new dedicated server, I'd likely choose the minimal installation profile, and then add/tweak services as required.

    0

Please sign in to leave a comment.