10 ways to make your WHMCS installation more secure


plateaultd

I noticed that several people have recently been posting about their WHMCS getting hacked. One thing that appears to be missing from all their recommendations is securing your server before it is hacked or after you have cleaned it up. This does not mean it won't be hacked, just that it is less likely.

 

Here is my list of 10 ways to make your WHMCS installation more secure. I am sure others on the forum can add to this list.

 

Start here:

http://docs.whmcs.com/Further_Security_Steps

 

Once you have done that, there are additional steps you can take.

A couple of these items refer to cPanel Servers, but can also be done on other servers.*

1. Install Mod Security in Easy Apache. *

Using the default rules is better than nothing, though additional rules are available. It can help block SQL injection attacks.

2. Install mod_geoip for apache, it is a custom module in Easy Apache. *

Using this you can block countries you never do business with.

Want to block the whole country of Florin? It's easy to do by adding a few lines to your .htaccess file once mod_geoip is installed.

3. Secure the physical server. Only access files on it via SSH/SFTP and relocate the SSH port to something other than 22.

4. Use hosts.allow to prevent SSH access from all but specific locations.

5. Use the built-in firewall or a physical firewall to lock the server down. If you never receive email on the server, block incoming ports 110, 25, etc. Block port 21 (FTP) as it is insecure. Basically, default to blocked for everything and then just open the ports you use.

6. Block all outbound ports except those you use. e.g. 80, 443, 25, New_SSH_Port, etc.

7. Install csf (http://configserver.com/cp/csf.html); it makes it easier to secure your server.

8. Use certificates to connect to the server and set really strong passwords.

9. Block root login via SSH.

10. Back up your server and database files off the server. A good backup is like a parachute: if you don't have one when you need it, it's too late.

 

Remember white hats need to be lucky 100% of the time, black hats only need to be lucky once.

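A small audit script for items 3, 8 and 9 above (SSH off port 22, key-based logins with password auth off, no root login over SSH). This is an added example, not code from the post or from WHMCS; it assumes OpenSSH's sshd_config semantics (keywords are case-insensitive, the first value seen wins, and settings inside a "Match" block are not global) and takes the config file path as an argument so it can be tried against a copy before the live file.

```shell
#!/bin/sh
# Added example, not from the original post: audit an sshd_config against
# items 3, 8 and 9 of the list above (SSH off port 22, key-based logins with
# password auth off, no root login over SSH).
# Assumes OpenSSH semantics: keywords are case-insensitive, the first value
# seen wins, and settings inside a "Match" block are not global.

# Lower-case a string (POSIX sh has no ${var,,}).
lc() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# sshd_opt FILE KEYWORD -> prints the effective global value, or nothing if unset.
# "#Port 22" has $1 == "#Port", so commented-out lines never match.
sshd_opt() {
    awk -v key="$2" '
        tolower($1) == "match"      { exit }            # first Match block ends the global section
        tolower($1) == tolower(key) { print $2; exit }  # first occurrence wins
    ' "$1"
}

# audit_sshd_config FILE -> one line per weak setting; silent when it passes.
# Always returns 0 so it can sit in a pipeline or under "set -e".
audit_sshd_config() {
    cfg="$1"
    port=$(sshd_opt "$cfg" Port)
    root=$(lc "$(sshd_opt "$cfg" PermitRootLogin)")
    pass=$(lc "$(sshd_opt "$cfg" PasswordAuthentication)")
    pubkey=$(lc "$(sshd_opt "$cfg" PubkeyAuthentication)")

    # Unset keywords fall back to OpenSSH defaults: port 22, password auth on,
    # pubkey auth on, and PermitRootLogin is never "no" by default.
    [ "${port:-22}" = "22" ] && echo "Port: sshd still listens on 22 (item 3)"
    [ "${root:-default}" != "no" ] && echo "PermitRootLogin: root can log in over SSH (item 9)"
    [ "${pass:-yes}" != "no" ] && echo "PasswordAuthentication: password logins still accepted (item 8)"
    [ "${pubkey:-yes}" = "no" ] && echo "PubkeyAuthentication: key-based login is disabled (item 8)"
    return 0
}

# Stand-alone use against the live config (needs read access to the file):
# audit_sshd_config /etc/ssh/sshd_config
```

Run it before and after editing sshd_config, and restart sshd only once a second session confirms the key-based login on the new port works.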

Great tips... Also consider....

 

1) rename the 'admin' folder to something else (change it back temporarily before upgrades/updates)

2) use .htaccess authentication to restrict access to the 'admin' folder

3) protect the 'admin' folder further by restricting access to a subset of authorised IP addresses (where possible)

 

Just my 2c.


Excellent points!

 

However, the most recent vulnerabilities were not caught with the default cPanel mod_security rules in testing we did. However, the delayed or subscription-based gotroot rules do catch the exploit. I spent all day yesterday testing this out. Yes, the default rules do pick up the older hacks, but not the newer ones. Also, I was unable to get custom rules shared in WHT to work on mod_security as we had it. Those rules were crafted differently. I urge everyone to update their mod_security to current, heavily supported and constantly updated rulesets. All the other good practices aside (but not to be dismissed!! we do them all), only a good ruleset or the patch worked against this vector.

 

Maybe others have different experiences. I got a better night's sleep after updating our rulesets.


Speaking of rules, we'll have some cool news soon for this.
