I would like resellers to have access to cPHulk
Open Discussion
I would like to be able to give some resellers the ability to manage cPHulk (mostly to unban IPs).
I think this is crucial because I can't give root to these users.
Related to this topic:
http://forums.cpanel.net/f5/possible-give-reseller-account-access-cphulk-cfs-similar-352061.html
This is a must for cPanel..
In its current presented form, I cannot see this feature being added to cPanel & WHM. It presents several security concerns.
The first of which is related to the reason you say you want resellers to have access to this feature. Managing the server's firewall or firewall-like systems like cPHulk, from a system administration standpoint (not taking into account cPanel & WHM) should really only ever be a root user/server owner operation.
Allowing this behavior for non-root users opens up major security concerns. While your intention is to open it for convenience (to allow your reseller to unblock their customers who accidentally blocked themselves), there's no way to attribute a blocked IP to a given reseller or resellers' customer. This means ANY blocks that activate could be unblocked by ANY reseller, meaning some resellers may just blanket unblock IPs and cause significant risk to your server for attacks - negating cPHulk wholesale.
The second major concern I have is that this means anyone with a reseller account on your server can then brute-force the server without impedance.
[1] Buy a reseller account on your server
[2] Start brute-forcing accounts
[3] Unblock yourself with some other device on another IP.
[4] Rinse and repeat Steps 2 and 3 until successful.
Those are just the two major security concerns I have without much thought on it. As a result, I do not see this feature as realistic. It presents far too severe security risks.
Your point is right, but it can be easily addressed with these measures:
1) Only allow every IP to be unblocked once per day.
2) System admins can decide which resellers have access to this feature and which do not.
In most cases, it is normal users who forgot their email/cPanel password who are blocked, not bots/hackers, so allowing just 1 unblock per IP will save time for end users/resellers, and will also decrease the workload of the companies and datacenters.
Besides that, actually it is insecure too, as nobody at the datacenter monitors which IPs are being unblocked. At most providers and datacenters, you just open a ticket with the IP that is blocked and they instantly unblock it without asking anything or checking whether it was already unblocked recently. Repeat that step lots of times and you have another vulnerability...
As stated by @cPanelBrianO, I see this as way too large a security risk. All it takes is one malicious user to do some damage.
You may say that you could apply permissions to use this to certain resellers only but as Web Hosting is an online business, how sure are you of one's integrity? It's so easy for somebody to fall through the cracks and cause some serious damage.
It's a down vote for me I'm afraid.
You can give them access right now and set up your own rules. :)
If you don't trust the reseller or if the reseller is too noob you don't give him access.
You could also have an activity log for those pesky users @PeterBishop is talking about.
cPHulk now has a system to not block an IP if it tries the same password multiple times.
With our current setup cPHulk doesn't block many real customers.
I quite like the idea of resellers being presented with the list of IPs that are blocked for trying to access accounts they have on their account, and having a limit on how many times an IP can be unblocked per 24 hours.
This would not allow resellers to see IPs blocked for using a wrong username, and since, when set up correctly, there are now very few false positives, I'm not sure it's worth the effort.
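Added example (not part of any post above, and not cPanel or cPHulk code): a sketch of the gate the thread's proposals add up to, combining an admin-granted reseller list, blocks scoped to the reseller's own accounts, a per-IP limit per 24 hours and an activity log. It calls no cPHulk or WHM API; every name and sample value in it is hypothetical and constructed for illustration.

```python
import time
from dataclasses import dataclass, field

DAY = 24 * 3600

@dataclass
class UnblockGate:
    allowed_resellers: set   # resellers the admin granted the feature to
    account_owner: dict      # account name -> owning reseller
    max_per_day: int = 1     # granted unblocks per IP per 24 h, across all resellers
    history: dict = field(default_factory=dict)  # ip -> times of granted unblocks
    audit: list = field(default_factory=list)    # every request, allowed or denied

    def request(self, reseller, ip, blocked_for, now=None):
        """blocked_for is the account the failed logins targeted,
        or None when the attempted username did not exist."""
        now = time.time() if now is None else now
        recent = [t for t in self.history.get(ip, []) if now - t < DAY]
        if reseller not in self.allowed_resellers:
            verdict = "deny: reseller not permitted"
        elif blocked_for is None or self.account_owner.get(blocked_for) != reseller:
            verdict = "deny: block not tied to this reseller's accounts"
        elif len(recent) >= self.max_per_day:
            verdict = "deny: daily unblock limit reached for this IP"
        else:
            recent.append(now)
            verdict = "allow"
        self.history[ip] = recent
        # Denials are logged too, so repeated attempts are visible to root.
        self.audit.append((now, reseller, ip, blocked_for, verdict))
        return verdict

def demo():
    # Constructed sample data: two resellers, only resellerA has the feature.
    gate = UnblockGate({"resellerA"}, {"shop1": "resellerA", "blog2": "resellerB"})
    t0 = 1_700_000_000
    results = [
        gate.request("resellerA", "203.0.113.7", "shop1", now=t0),          # first unblock
        gate.request("resellerA", "203.0.113.7", "shop1", now=t0 + 3600),   # same IP, same day
        gate.request("resellerA", "203.0.113.9", "blog2", now=t0),          # another reseller's account
        gate.request("resellerA", "203.0.113.9", None, now=t0),             # wrong-username block
        gate.request("resellerB", "203.0.113.9", "blog2", now=t0),          # reseller without the feature
        gate.request("resellerA", "203.0.113.7", "shop1", now=t0 + DAY + 1),
    ]
    return results, gate.audit

if __name__ == "__main__":
    for verdict in demo()[0]:
        print(verdict)
```

The limit is counted per IP rather than per reseller, so a second reseller cannot reset it, and the audit list is what a root user would review for blanket unblocking.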