AlmaLinux block access to daemons
Without a hosts.allow in AlmaLinux, how can I block access to daemons?
In CentOS 7 this was as easy as:
mysqld : ALL : deny
cpaneld : ALL : deny
and would stop server wide external access to:
mysql
https://cpanel.domain.com –> 401 You don't have access; and
But I can't see how to do this in csf or the new 'Host Access Control' functions, which both appear to apply to port numbers only and no longer daemons.
-
Hey there! Unfortunately the functionality in AlmaLinux is just different and we elected not to manually code a custom firewall interface to handle the differences.
You could still block access to the ports, such as 3306 for MySQL or 2083 for cPanel, and then just allow the IPs that you need to access those areas of the system.
0 -
Hi Rex and thanks for your response.
I confirm that I have working conditional IP blocks on the ports in csf, so requests to https://domain.com:2083 from unauthorised IPs time out. But this still allows access to https://cpanel.domain.com which is the same thing, so invalidates the basic security of the port rule.
As a basic security issue, cPanel must have considered this when developing for AlmaLinux?
0 -
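The gap described in the post above can be checked from an address that is not on the allow list. This is an added example, not part of the thread or of cPanel's tooling; the function names and the 10-second timeout are assumptions, and `domain.com` is the thread's placeholder.

```shell
#!/bin/sh
# Added example: report how the two cPanel entry points named in the thread
# answer when probed from an IP that should NOT have access.

# classify CURL_EXIT HTTP_STATUS -> prints one verdict word
classify() {
    curl_exit=$1
    http_status=$2
    case "$curl_exit" in
        28) echo "filtered"; return ;;  # curl exit 28: timed out (firewall drop)
        7)  echo "refused";  return ;;  # curl exit 7: could not connect
        0)  ;;                          # an HTTP response arrived, inspect it
        *)  echo "error";    return ;;  # DNS, TLS or other failure
    esac
    case "$http_status" in
        401|403) echo "denied" ;;       # reachable, but access is refused
        *)       echo "exposed" ;;      # a page or redirect was served
    esac
}

# probe URL -> prints "URL verdict"
probe() {
    rc=0
    # -k: certificate validity is irrelevant here, only reachability matters
    status=$(curl -k -s -o /dev/null -m 10 -w '%{http_code}' "$1") || rc=$?
    echo "$1 $(classify "$rc" "$status")"
}

# audit HOST -> returns 1 if any entry point is exposed
audit() {
    host=$1
    bad=0
    for url in "https://$host:2083/" "https://cpanel.$host/"; do
        line=$(probe "$url")
        echo "$line"
        case "$line" in *" exposed") bad=1 ;; esac
    done
    return "$bad"
}

# Probes run only when a hostname is supplied, e.g.: sh check.sh domain.com
if [ "$#" -ge 1 ]; then
    audit "$1"
fi
```

With only the port rule in place, the situation the post reports would show up as `filtered` for the `:2083` URL and `exposed` for the `cpanel.` subdomain.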
cPanel has always had a "hands off" policy when it comes to the firewall - the issue was considered, but it's really no different than our previous approach of using what tools the OS has available, and then letting the admin handle things if additional options are needed.
0 -
Thanks Rex, that's fair enough, but the issue I'm having isn't with the firewall. My issue is the lack of /etc/hosts.allow in AlmaLinux allowing the daemons to be selectively blocked. This doesn't seem to be an issue with other OSes, e.g. Ubuntu, CentOS 7.
In AlmaLinux, without the ability to selectively block cpaneld via hosts.allow or the firewall, how do you recommend selectively suppressing display of https://cpanel.domain.com on multiple accounts server wide?
0 -
Currently we would recommend using third-party firewall tools in order to handle this, since it's no longer included with the operating system. A common tool like CSF integrates with cPanel & WHM in the WHM interface.
0 -
But, as per my previous, CSF will not block https://cpanel.domain.com.
This is actually quite a major issue for security. I really don't like blurting out unrestricted login screens to all and sundry. Any hacker's first port of call will be https://cpanel.domain.com. If I'd known about this, I'd have installed on Ubuntu and filed AlmaLinux in the bargepole category.
0