A hosting provider is giving us the option of setting up cPanel on our dedicated server. Although I definitely find it useful and convenient to use, is there a security risk in using it?
Yes there is,
Firstly any vulnerability in cPanel would obviously make you vulnerable to attacks that used it. (you are making your attack surface larger by having it)
Secondly the bundled "one click" installs it has are very old and most are vulnerable to some attack or other.
Other than that no.
If your interested in security I would sincerely advise you to use suphp and suexec (for php and perl) as that will run those scripts as a specified user (one user per vhost) which means that if one site is exploited then all your other sites would be safe.
The other method (a better one but slightly more difficult to implement) is to use Apache MPM-ITK or MPM-Peruser, these have the added advantage of affording the same protection to Python, Ruby, Perl ......
At least that is what I have found to work, and what I have done for countless customers.
c10k Consulting : I feel the need to quantify this somewhat, So if we look at security focus : http://www.securityfocus.com/cgi-bin/index.cgi?o=0&l=60&c=12&op=display_list&vendor=cPanel&version=&title=&CVE= There are 5 vulnerabilities there this year, that is on top of the vulnerabilities in the underlying software (apache, bind etc) so by removing cPanel from the mix you reduce the number of vulnerabilities on your system so far this year by 5. The original question was not "I like using cPanel but the fact that having it installed means I am more open - is it a worthwhile trade off" anything that increasesc10k Consulting : your attack surface (even by only 1 vulnerability) is a security risk.Prix : @c10k you sounded like you should unplug your network cable and remove any connections from the internet your computer may have :) that is the only way i am aware of being real safe. Actually you should just blow up your computer this way no one will steal it physically aswell.c10k Consulting : Haha yeah, but to put it into perspective - Plesk has like 6 vulnerabilities over the last 4 years. I worked as the senior SA at a pretty large hosting provider here in NZ. We had about 10,000 customers on our cPanel servers and about the same number on servers running a custom interface written in house. the ratio of "hacked" sites was about 50:1 (cPanel:Inhouse) and it mainly came from the dumb permissions cPanel uses by default and the exploitable one-click-installs. So from real world experience I dislike cPanel.c10k Consulting : But your comments about it being an SA's job to secure the server is dead right. With one large but : cPanel is given to people who buy dedicated servers with the promise "with cPanel you wont need a systems admin" and due to this there are massive numbers of old broken cPanels out there. Unless the OP is going to be hosting thousands of sites he would be better to set all the subsystems up by hand and learn how it all works and then learn how to secure it - or to pay someone to do this. cPanel does NOT setup a server in a secure way by default. So yeah I feel that it is a security risk.From c10k Consulting -
cPanel / WHM is merelly a tool weather there is security risk within it or not is up to your System Administrator to take care of it.
Over 50%+ of the linux hosting companies out there use cPanel or other similar tool and they all have their good and bad sides and what covers it is the System Administrator capabilities.
cPanel is merelly all the application you usually see such as apache, bind, exim, php, and so forth meaning that if they are not kept up to date and it is not correctly configured it may result in a hole on your system.
Let's make it simple think of cPanel as a newly brand linux installation, once it is done, there are still lots of work to do to make it secure.
c10k Consulting : with the caveat that you can only make limited changes to the config files of apache, bind, postfix etc as cPanel will overwrite any changes that were not made from within it and the sections that you can access via the WHM are a bit limited - especially when it comes to the mail sub system.Prix : which is EXACTLY why the System Administrator is the most important thing behind it, if he has enough knowledge there are ways to maintain files untouched and/or options to rewrite those files with needed changes but that is uncalled for, what you are looking for is not about how to edit those files but hence how to make your system stronger and protected. On apache for example, cPanel has already a built-in script that will automaticly recompile all tools used with suPHP, suEXEC, will chroot users and so forth but that does not comes with the default installation of cPanel.Prix : As for BIND you can wrap your own TEMPLATE for how you want the ZONES to look like. But there is more to it, knowing iptables, linux, bash, what to keep up to date and how to keep it up to date. Make sure you have the right permission per directory, secure the /tmp, this is not even closer to how much more there is to make the server secure which IS WHY weather it is secure or not is not a cPanel thing but a SYSTEM ADMINISTRATOR job. **I could keep going on things to know and what to do but instead i resumed it with the answer bolded text.**From Prix -
Caveat: I've not used cPanel as an admin or a user for some time, but used to administer a couple of cPanel managed servers.
cPanel in itself is not a particular security concern as most of the core components are standard and cPanel are quick to release updates following upstream security fixes these days.
There are a few things to consider though:
- cPanel generally gets installed on a fresh system, if this is an existing server rather than a new commission there may be extra problems - at very least you should ensure a full backup is taken before the install takes place
- While a standard cPanel install is reasonably well locked down it is worth reviewing standard lock-down techniques (like hardening your SSHd config as appropriate) to make sure everything it up to your normal standards
- Running cPanel does mean you have extra services (the cPanel management interfaces) exposed to the outside world and any extra service that is publicly addressable increases your potential attack surface area (if, for instance, someone discovers a hole in cPanel that allows admin access without correct authentication, you are potentially vulnerable until the cPanel people diagnose the problem and create+test+release an update). To mitigate this (these tips are relevant for other services too, not just cPanel):
- Make sure you install updates to cPanel, and your base OS, in a timely manner.
- Make sure you follow all security recommendations from the cPanel documentation and other trusted sources unless you have very good reason for not doing so (and have other provisions in place to mitigate any issues your deviation from the recommendations might open)
- If you have cPanel installed just for your own convenience, i.e. you do not intend others to offer shared hosting and let your users use cPanel themselves, set firewall rules such that its management interfaces can only be accessed from your locations (or firewall it off from all but local connections and install setup something like OpenVPN so you can access it that way)
- Assuming the root/reseller interface still runs on a different port to the interface for lesser privileged users, you can be selective with firewall rules above so that the base user interface is publicly available but the admin interface(s) are not
- If you do have other user accounts on the system, ensure that they keep scripts the install (from cPanel auto-installs or other add-ins) uptodate - this is not managed automatically IIRC. This counts for any code the users add, not just through the cPanel interface or similar, but it is important to check as one-click install options give people a false sense of security in my experience, as they tend to assume the system and its admins will take care of updates automatically and this is not usually the case.
From David Spillett -
(damn low reputation)
Just my 2 cents:
cPanel is just as secure as experienced is the SA who manages it. However, here are 2 links to help you get started with something more than just the default installation:
- www.thecpaneladmin.com > Awesome blog with tips'n'tricks for many complicated procedures in cPanel
- www.configserver.com > Some of the best free helper scripts to use with cPanel, escpecially if you are a newbie. Their CSF firewall/bruteforce detection script is plain awesome and extremely helpful!
From priestjim
Post a Comment