plateaultd Posted October 22, 2013 Share Posted October 22, 2013 I noticed that several people recently posting about their WHMCS getting hacked. One thing that appears to be missing from all their recommendations is securing your server before it is hacked or after you have cleaned it up. This does not mean it won't be hacked, just less likely. Here is my list of 10 ways to make your WHMCS installation more secure. I am sure others on the forum can add to this list. Start here: http://docs.whmcs.com/Further_Security_Steps Once you have done there there are additional steps you can take. A couple of these items refer to cPanel Servers, but can also be done on other servers.* 1. Install Mod Security in Easy Apache. * Using the default rules are better than nothing, though additional rules are available. It can help block SQL injection attacks. 2. Install mod_geoip for apache, it is a custom module in Easy Apache. * Using this you can block countries you never do business with. Want to block the whole country of Florin, it's easy to do by adding a few lines in your .htaccess file, once mod_geoip is installed. 3. Secure the physical server. Only access files on it via SSH/SFTP and relocate the SSH port to something other than 22. 4. Use hosts.allow to prevent SSH access from all but specific locations. 5. Use the built if firewall or a physical firewall to lock the server down. If you never receive email on the server, block incoming port 110, 25, etc. Block port 21 (FTP) as it is insecure. Basically default to blocked for everything and then just open the ports you use. 6. Block all outbound ports except those you use. e.g. 80, 443, 25, New_SSH_Port, etc. 7. Install csf http://configserver.com/cp/csf.html it makes it easier to secure yout server. 8. Use certificates to connect to the server and set really strong passwords. 9. Block root login via SSH. 10. Backup your server and database files off the server. A good backup is like a parachute, if you don't have one when you need it, it's too late. Remember white hats need to be lucky 100% of the time, black hats only need to be lucky once. 0 Quote Link to comment Share on other sites More sharing options...
webmachine Posted October 22, 2013 Share Posted October 22, 2013 Handy tips - consider moving your config.php file outside of the public_html/whmcs directory and calling it with a simple include - and then you can also encrypt the files if you wish for additional security. Scott 0 Quote Link to comment Share on other sites More sharing options...
tomb Posted October 22, 2013 Share Posted October 22, 2013 Thanks for sharing. Also make sure that you disabled Apache Directory Listings. 0 Quote Link to comment Share on other sites More sharing options...
ebmocwen Posted October 22, 2013 Share Posted October 22, 2013 Great tips... Also consider.... 1) rename the 'admin' folder to something else (change it back temporarily before upgrades/updates) 2) use .htaccess authentication to restrict access to the 'admin' folder 3) protect 'admin' folder further by restricting access to subset of authorised IP addresses (where possible) Just my 2c. 0 Quote Link to comment Share on other sites More sharing options...
gPowerHost Posted October 22, 2013 Share Posted October 22, 2013 Excellent points! However, the most recent vulnerabilities were not caught with the default cpanel mod_security rules in testing we did. However, the delayed or subscription based gotroot rules do catch the exploit. I spent all day yesterday testing this out. Yes, the default rules do pickup the older hacks, but not the newer ones. Also, I was unable to get custom rules shared in WHT to work on mod_security as we had it. Those rules were crafted differently. I urge everyone to update their mod_security to current, heavily supported and constantly updated rulesets. All the other good-practices aside (but not to be dismissed!! we do them all), only a good ruleset or the patch worked against this vector. Maybe others have different experiences. I got a better nights sleep after updating our rulesets. 0 Quote Link to comment Share on other sites More sharing options...
IoxHost Posted October 26, 2013 Share Posted October 26, 2013 Some good tips there, WHMCS' Official Further Security Steps can be found here 0 Quote Link to comment Share on other sites More sharing options...
WHMCS Chris Posted October 26, 2013 Share Posted October 26, 2013 Excellent points! However, the most recent vulnerabilities were not caught with the default cpanel mod_security rules in testing we did. However, the delayed or subscription based gotroot rules do catch the exploit. I spent all day yesterday testing this out. Yes, the default rules do pickup the older hacks, but not the newer ones. Also, I was unable to get custom rules shared in WHT to work on mod_security as we had it. Those rules were crafted differently. I urge everyone to update their mod_security to current, heavily supported and constantly updated rulesets. All the other good-practices aside (but not to be dismissed!! we do them all), only a good ruleset or the patch worked against this vector. Maybe others have different experiences. I got a better nights sleep after updating our rulesets. Speaking of rules, we'll have some cool news soon for this. 0 Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.