AlmaLinux block access to daemons
Without a hosts.allow in AlmaLinux, how can I block access to daemons?
In Centos 7 this was as easy as:
mysqld : ALL : deny
cpaneld : ALL : deny
and would stop server wide external access to:
mysql
https://cpanel.domain.com -> 401 You don't have access; and
But I can't see how to do this in csf or the new 'Host Access Control' functions which both appear to only apply to port numbers only and no longer daemons.
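The `daemon : client_list : option` lines quoted above are TCP wrappers (hosts.allow) syntax. As an added illustration that is not part of this thread, the following Python snippet evaluates that rule format the way tcp_wrappers did (first matching rule wins, `ALL` as a wildcard, address or net/mask client patterns, explicit `allow`/`deny` options), so an admin migrating off a hosts.allow can check what a given daemon and client address would have received. The sample rules are constructed; hostname patterns are not resolved.

```python
import ipaddress

# Constructed sample in the hosts.allow "daemon : clients : option" form shown in the post.
SAMPLE_RULES = """
# comments and blank lines are ignored
mysqld : ALL : deny
cpaneld : 192.0.2.0/24 : allow
cpaneld : ALL : deny
"""

def parse_rules(text):
    """Parse 'daemons : clients [: allow|deny]' lines into (daemons, clients, verdict) tuples."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError(f"malformed rule: {raw!r}")
        daemons = [d.strip().lower() for d in fields[0].split(",")]
        clients = [c.strip() for c in fields[1].split(",")]
        verdict = fields[2].lower() if len(fields) > 2 else "allow"
        if verdict not in ("allow", "deny"):
            raise ValueError(f"unsupported option {verdict!r} in {raw!r}")
        rules.append((daemons, clients, verdict))
    return rules

def client_matches(pattern, client_ip):
    """ALL matches everything; otherwise treat the pattern as an address or net/mask (CIDR or dotted mask)."""
    if pattern.upper() == "ALL":
        return True
    try:
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(pattern, strict=False)
    except ValueError:
        return False  # hostname patterns are not resolved in this simplified evaluator

def decide(rules, daemon, client_ip):
    """First matching rule wins, as in tcp_wrappers; with no match the connection is allowed."""
    for daemons, clients, verdict in rules:
        daemon_hit = "all" in daemons or daemon.lower() in daemons
        if daemon_hit and any(client_matches(c, client_ip) for c in clients):
            return verdict
    return "allow"
```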
-
Hey there! Unfortunately the functionality in AlmaLinux is just different and we elected not to manually code a custom firewall interface to handle the differences.
You could still block access to the ports, such as 3306 for MySQL or 2083 for cPanel, and then just allow the IPs that you need to access those areas of the system.
-
Hi Rex and thanks for your response.
I confirm that I have working conditional IP blocks on the ports in csf, so requests to https://domain.com:2083 from unauthorised IPs time out. But this still allows access to https://cpanel.domain.com which is the same thing, so invalidates the basic security of the port rule.
As a basic security issue, cPanel must have considered this when developing for AlmaLinux?
-
cPanel has always had a "hands off" policy when it comes to the firewall - the issue was considered, but it's really no different than our previous approach of using what tools the OS has available, and then letting the admin handle things if additional options are needed.
-
Thanks Rex, that's fair enough, but the issue I'm having isn't with the firewall. My issue is the lack of /etc/hosts.allow in AlmaLinux allowing the daemons to be selectively blocked. This doesn't seem to be an issue with other OSes, e.g. Ubuntu, Centos7.
In AlmaLinux, without the ability to selectively block cpaneld via hosts.allow or the firewall, how do you recommend selectively suppressing display of https://cpanel.domain.com on multiple accounts server wide?
-
Currently we would recommend using third-party firewall tools in order to handle this, since it's no longer included with the operating system. A common tool like CSF integrates with cPanel & WHM in the WHM interface.
-
But, as per my previous, CSF will not block https://cpanel.domain.com.
This is actually quite a major issue for security. I really don't like blurting out unrestricted login screens to all and sundry. Any hacker's first port of call will be https://cpanel.domain.com. If I'd known about this, I'd have installed on Ubuntu and filed AlmaLinux in the bargepole category.
-
This is the kind of thing I was talking about.
Having urgently double checked the ports are blocked in the firewall, to stop unrestricted access to login screens and avoid exposure to similar issues in future, I'm now looking at being forced to run something like:
/scripts/proxydomains --subdomain=cpanel remove
to update the DNS server wide. Plus look at how to stop these being auto-added when creating new accounts...
It seems much more sensible having the facility for a 'cpaneld : ALL : deny' in a hosts.allow - or similar just to control access to the daemon(s).
Please advise if anything's changed since my last post on this topic and whether there's anything new in cPanel/AlmaLinux which works like a hosts.allow on the daemons?
-
I'm not aware of any differences in the last year.
If you'd like to leave a comment on the feature card at https://features.cpanel.net/c/374-built-in-firewall-management that's where we are collecting data for a new firewall. While this won't take over CSF, it will be a more advanced version built in to WHM for users that want to use it.