As a Server Administrator, I want the ability to limit Remote Access Keys to only explicitly approved IPs, so I can have enhanced security on my server.
This case strictly focuses on Remote Access Keys and from which IP addresses they can be used.
Many contemporary APIs that deal with items that are sensitive in nature, like SalesForce, let you limit access to only approved IPs. Given that many people only use their keys for DNS Clustering or XMLAPI access for a billing app, it would make sense to add this extra layer of security.
cPanel & WHM's use of access hashes is deprecated, and this request will not be fulfilled. We recommend that users switch to Remote Access Keys at their earliest convenience. Some documentation to help that:
Developer Documentation
Video Introduction to the Manage API Tokens interface
Redelin. Also in on this.
I would love to see this feature implemented. In case of possible data leakage from billing software or any other tool, I wouldn't want that key to be used by anyone in the wild. Re-generating the keys is a must, but being able to limit the damage until the exploit is found should be a priority.
This is a requirement!
Last year I had someone use an exploit on my WHMCS installation that emailed the remote access key to an email of choice. This then allowed the user to log in and change my server's configuration and breach the billing area. I lost time and money. I had to re-issue all of my SSL certificates and change every password. This was an annoying task, and an IP lock would have assisted in mitigating the attack. I have my billing area now on its own private machine which, in itself, is near locked down, allowing only HTTPS connections. Being able to lock down the access key to only its IP should be an easy feature to develop and will make my system near foolproof.
Yes please! We already do this for SSH keys, so it makes sense to be able to provide a list of authorised IPs.
We limit root logins with PAM (/etc/security/access.conf), so that root can only login from certain IPs. Just as a precaution for possible brute forcing.
Would limiting whostmgr in tcpwrappers do this as well? I thought that the remote access hash is used only by WHM, so that should work. We already do this on servers without reseller clients, so that WHM is not accessible from anywhere but our office IP.
Add "whostmgr : IPADDR" to /etc/hosts.allow, and then add "whostmgr : ALL" to /etc/hosts.deny.
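The hosts.allow/hosts.deny pairing above depends on TCP wrappers' first-match order: hosts.allow is consulted first and a match grants access, hosts.deny is consulted next and a match denies, and no match in either file means access. The following POSIX shell script is an added example, not code from cPanel or from this thread: it emulates that lookup over a constructed policy so you can check what a rule pair does to a given client address before relying on it. It assumes the daemon actually consults the hosts_access files (whether cpsrvd does so for the whostmgr service is not something this thread confirms), it handles only a subset of the hosts_access(5) syntax (ALL, exact IPv4 addresses, dotted network prefixes ending in "."), and the addresses and file contents are made up for the demonstration.

```shell
#!/bin/sh
# Added example: emulate the TCP wrappers (hosts_access) first-match lookup
# for one daemon. Order: hosts.allow (match -> allow), then hosts.deny
# (match -> deny), otherwise allow. Supported syntax is a subset only:
# daemon list "ALL" or an exact name; client list "ALL", an exact IPv4
# address, or a dotted prefix ending in "." (e.g. "198.51.100.").
# EXCEPT clauses, hostnames and netmask forms are not parsed.

# client_matches PATTERN IP -> exit 0 if PATTERN covers IP
client_matches() {
    pat=$1; ip=$2
    case "$pat" in
        ALL) return 0 ;;
        *.) case "$ip" in "$pat"*) return 0 ;; esac ;;
        *) [ "$pat" = "$ip" ] && return 0 ;;
    esac
    return 1
}

# file_matches FILE SERVICE IP -> exit 0 if any rule in FILE matches both
file_matches() {
    file=$1; svc=$2; ip=$3
    [ -r "$file" ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}              # drop trailing comments
        daemons=${line%%:*}
        clients=${line#*:}
        [ "$daemons" = "$line" ] && continue   # no ':' -> blank/comment line
        svc_hit=1
        for d in $(printf '%s' "$daemons" | tr ',' ' '); do
            if [ "$d" = ALL ] || [ "$d" = "$svc" ]; then svc_hit=0; break; fi
        done
        [ $svc_hit -eq 0 ] || continue
        for c in $(printf '%s' "$clients" | tr ',' ' '); do
            client_matches "$c" "$ip" && return 0
        done
    done < "$file"
    return 1
}

# hosts_access SERVICE IP ALLOW_FILE DENY_FILE -> prints allow|deny,
# exit 0 when access would be granted, 1 when denied
hosts_access() {
    svc=$1; ip=$2; allow_file=$3; deny_file=$4
    if file_matches "$allow_file" "$svc" "$ip"; then echo allow; return 0; fi
    if file_matches "$deny_file" "$svc" "$ip"; then echo deny; return 1; fi
    echo allow; return 0
}

# Constructed sample policy (assumed addresses, not from any real server):
# the office IP and one office network may reach whostmgr, nothing else may,
# and services other than whostmgr are left unrestricted.
SAMPLE_DIR=$(mktemp -d)
printf 'whostmgr : 203.0.113.10, 198.51.100.\n' > "$SAMPLE_DIR/hosts.allow"
printf 'whostmgr : ALL\n' > "$SAMPLE_DIR/hosts.deny"

# check SERVICE IP -> decision for the sample policy
check() { hosts_access "$1" "$2" "$SAMPLE_DIR/hosts.allow" "$SAMPLE_DIR/hosts.deny"; }

check whostmgr 203.0.113.10 || :   # office IP: allow
check whostmgr 198.51.100.7 || :   # office network prefix: allow
check whostmgr 192.0.2.44   || :   # anyone else: deny
check sshd     192.0.2.44   || :   # no whostmgr rule applies to sshd: allow
```

Two caveats the poster already hints at: a whostmgr restriction blocks every WHM login from outside the listed addresses, resellers included, so it only fits servers without reseller clients; and it limits where WHM can be reached from, not which access hash may be used, so a leaked hash is still valid from any allowed address.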
This feature is a necessity. cPanel needs to prioritize this feature, as this will add a strong layer of security for the massive amount of potentially vulnerable billing systems out there.
Now that we have API CLI commands, we should consider doing away with the access hash entirely, and move to running API commands over SSH only.
While this request is not yet resolved, I wanted to point everyone to some work that we did in 62 as a step in resolving these concerns: remote access keys. This allows you to add many authentication keys, and manage those keys on an individual basis. Future plans include ACLs, IP limitations, and associating them with different (non-root) users.
In version 68 we added a slew of new and updated permissions to the access key and reseller systems. Read about them in the 68 release notes: https://documentation.cpanel.net/display/68Docs/68+Release+Notes#id-68ReleaseNotes-NewACLsNewaccessprivileges