In a Shared Hosting cPanel server, the WHM root access is required for authorized technicians and API calls (like WHMCS) only. In majority cases, the shell access or root level access is restricted only to the web hosting support or server management professionals. Being a popular web hosting control panel, cPanel is exposed to various type of security attacks. Some times an infected or hacked client device with the logins, can be catastrophic if they are able to access the WHM as root user. So limiting the WHM Root access to known IPs provides additional layer of security. Here I am making an attempt to develop a bash script to restrict the root level WHM access after cross checking it with the known IPs list.
How the Script Works?
This script can actively monitor the cPanel access_log (/usr/local/cpanel/logs/access_log) for any WHM Root access and block the source IP if it is not present in the custom whitelist.
The Shell (bash) Script
#!/bin/bash PID_FILE= /var/tmp/whm_watch .pid WATCH_FILE= /usr/local/cpanel/logs/access_log WHITE_LIST= /root/scripts/whm_watch_whitelist LOG_FILE= /root/scripts/whm_watch_log for CUR_PID in ` cat $PID_FILE 2> /dev/null `; do if grep $0 /proc/ $CUR_PID /cmdline &> /dev/null then if [[ "$1" == "kill" ]] then pkill -TERM -P $CUR_PID exit 0 fi echo "WHM Watch is already running... (PID $CUR_PID)" exit 1 fi done echo "WHM Watch started (PID $$)" echo $$ > $PID_FILE tail -f $WATCH_FILE | grep --line-buffered -E ' - root ' | grep --line-buffered -Po "^[0-9\.]*" | grep --line-buffered -vf $WHITE_LIST | xargs -r -i -n 1 csf -d {} "do not delete - Suspicious WHM root access" &>> $LOG_FILE
|
|
#!/bin/bash PID_FILE= /var/tmp/whm_watch .pid WATCH_FILE= /usr/local/cpanel/logs/access_log WHITE_LIST= /root/scripts/whm_watch_whitelist LOG_FILE= /root/scripts/whm_watch_log for CUR_PID in ` cat $PID_FILE 2> /dev/null `; do if grep $0 /proc/ $CUR_PID /cmdline &> /dev/null then if [[ "$1" == "kill" ]] then pkill -TERM -P $CUR_PID exit 0 fi echo "WHM Watch is already running... (PID $CUR_PID)" exit 1 fi done echo "WHM Watch started (PID $$)" echo $$ > $PID_FILE tail -f $WATCH_FILE | grep --line-buffered -E ' - root ' | grep --line-buffered -Po "^[0-9\.]*" | grep --line-buffered -vf $WHITE_LIST | xargs -r -i -n 1 /root/scripts/deny_in_iptable .sh {} &>> $LOG_FILE
|
|
The above script require the following additional script to log and block the IP address:
#!/bin/bash if iptables -A INPUT -s $1 -j DROP then echo "[`date`] IP Address $1 blocked in IPTABLES" service iptables save &> /dev/null fi
|
Note: The above script requires executable permission.
Configuration
The allowed IP address can be specified in the following formats:
123.123.1.2 ^111.222 ^222.
|
123.123.1.2: This IP is allowed.
^111.222: Any IPs begin with 111.222 are allowed.
^222: Any IPs begin with 222 are allowed.
Start/Stop the Script
The & will send the process into background.
Known Bugs & Limitations
- Need to restart the script to reload IP whitelist modifications.
- Need to Stop then Start to restart the script.
- The script may try multiple times to block a single IP. This may create duplicate entries in IPTABLES.
- Commenting not allowed in whitelist
- No Email alerts for IP block instance.
- CIDR notation is not supported in whitelist
Add new commentSIGN IN