AlmaLinux block access to daemons

Comments

6 comments

  • cPRex Jurassic Moderator

    Hey there!  Unfortunately the functionality in AlmaLinux is just different and we elected not to manually code a custom firewall interface to handle the differences.

    You could still block access to the ports, such as 3306 for MySQL or 2083 for cPanel, and then just allow the IPs that you need to access those areas of the system.

    0
  • FredQ

    Hi Rex and thanks for your response.

    I confirm that I have working conditional IP blocks on the ports in csf, so requests to https://domain.com:2083 from unauthorised IPs time out. But this still allows access to https://cpanel.domain.com which is the same thing, so invalidates the basic security of the port rule.

    As a basic security issue, cPanel must have considered this when developing for AlmaLinux?

    0
  • cPRex Jurassic Moderator

    cPanel has always had a "hands off" policy when it comes to the firewall - the issue was considered, but it's really no different than our previous approach of using what tools the OS has available, and then letting the admin handle things if additional options are needed.

    0
  • FredQ

    Thanks Rex, that's fair enough, but the issue I'm having isn't with the firewall. My issue is the lack of /etc/hosts.allow in AlmaLinux allowing the daemons to be selectively blocked. This doesn't seem to be an issue with other OSes, e.g. Ubuntu, CentOS 7.

    In AlmaLinux, without the ability to selectively block cpaneld via hosts.allow or the firewall, how do you recommend selectively suppressing display of https://cpanel.domain.com on multiple accounts server wide?

    0
  • cPRex Jurassic Moderator

    Currently we would recommend using third-party firewall tools in order to handle this, since it's no longer included with the operating system.  A common tool like CSF integrates with cPanel & WHM in the WHM interface.

    0
  • FredQ

    But, as per my previous, CSF will not block https://cpanel.domain.com.

    This is actually quite a major issue for security. I really don't like blurting out unrestricted login screens to all and sundry. Any hacker's first port of call will be https://cpanel.domain.com. If I'd known about this, I'd have installed on Ubuntu and filed AlmaLinux in the bargepole category.

    0
