Script to Block WHM Root Access from Unknown IPs

Shafeer P

7 min read

Script to Block WHM Root Access from Unknown IPs

Generating audio, please wait...

In a Shared Hosting cPanel server, the WHM root access is required for authorized technicians and API calls (like WHMCS) only. In majority cases, the shell access or root level access is restricted only to the web hosting support or server management professionals. Being a popular web hosting control panel, cPanel is exposed to various type of security attacks. Some times an infected or hacked client device with the logins, can be catastrophic if they are able to access the WHM as root user. So limiting the WHM Root access to known IPs provides additional layer of security. Here I am making an attempt to develop a bash script to restrict the root level WHM access after cross checking it with the known IPs list.

How the Script Works?

This script can actively monitor the cPanel access_log (/usr/local/cpanel/logs/access_log) for any WHM Root access and block the source IP if it is not present in the custom whitelist.

The Shell (bash) Script

For servers having CSF installed and running

#!/bin/bash ## Block WHM root access from non-whitelisted IPs ## Version: 20160503   PID_FILE=/var/tmp/whm_watch.pid WATCH_FILE=/usr/local/cpanel/logs/access_log WHITE_LIST=/root/scripts/whm_watch_whitelist LOG_FILE=/root/scripts/whm_watch_log   for CUR_PID in `cat $PID_FILE 2> /dev/null`;         do         if grep $0 /proc/$CUR_PID/cmdline &> /dev/null         then         if [[ "$1" == "kill" ]]                 then                 pkill -TERM -P $CUR_PID                 exit 0                 fi         echo "WHM Watch is already running... (PID $CUR_PID)"         exit 1         fi done echo "WHM Watch started (PID $$)" echo $$ > $PID_FILE tail -f $WATCH_FILE | grep --line-buffered -E ' - root ' | grep --line-buffered -Po "^[0-9\.]*" | grep --line-buffered -vf $WHITE_LIST | xargs -r -i -n 1 csf -d {} "do not delete - Suspicious WHM root access" &>> $LOG_FILE

For servers without CSF / Directly block in IPTABLES

#!/bin/bash ## Block WHM root access from non-whitelisted IPs ## Version: 20160503 PID_FILE=/var/tmp/whm_watch.pid WATCH_FILE=/usr/local/cpanel/logs/access_log WHITE_LIST=/root/scripts/whm_watch_whitelist LOG_FILE=/root/scripts/whm_watch_log for CUR_PID in `cat $PID_FILE 2> /dev/null`;         do         if grep $0 /proc/$CUR_PID/cmdline &> /dev/null         then         if [[ "$1" == "kill" ]]                 then                 pkill -TERM -P $CUR_PID                 exit 0                 fi         echo "WHM Watch is already running... (PID $CUR_PID)"         exit 1         fi done echo "WHM Watch started (PID $$)" echo $$ > $PID_FILE tail -f $WATCH_FILE | grep --line-buffered -E ' - root ' | grep --line-buffered -Po "^[0-9\.]*" | grep --line-buffered -vf $WHITE_LIST | xargs -r -i -n 1 /root/scripts/deny_in_iptable.sh {} &>> $LOG_FILE

The above script require the following additional script to log and block the IP address:

/root/scripts/deny_in_iptable.sh

#!/bin/bash if iptables -A INPUT -s $1 -j DROP   then echo "[`date`] IP Address $1 blocked in IPTABLES"   service iptables save &> /dev/null fi

Note: The above script requires executable permission.

Configuration

The allowed IP address can be specified in the following formats:

/root/scripts/whm_watch_whitelist

123.123.1.2 ^111.222 ^222.

123.123.1.2: This IP is allowed.

^111.222: Any IPs begin with 111.222 are allowed.

^222: Any IPs begin with 222 are allowed.

Start/Stop the Script

The script can be started and backgrounded in the following way:

# sh /root/scripts/whm_watch &

The & will send the process into background.

To stop the backgrounded script:

# sh /root/scripts/whm_watch kill

Known Bugs & Limitations

Need to restart the script to reload IP whitelist modifications.
Need to Stop then Start to restart the script.
The script may try multiple times to block a single IP. This may create duplicate entries in IPTABLES.
Commenting not allowed in whitelist
No Email alerts for IP block instance.
CIDR notation is not supported in whitelist

Script to Block WHM Root Access from Unknown IPs

Shafeer P

7 min read

Generating audio, please wait...

How the Script Works?

This script can actively monitor the cPanel access_log (/usr/local/cpanel/logs/access_log) for any WHM Root access and block the source IP if it is not present in the custom whitelist.

The Shell (bash) Script

For servers having CSF installed and running

#!/bin/bash ## Block WHM root access from non-whitelisted IPs ## Version: 20160503   PID_FILE=/var/tmp/whm_watch.pid WATCH_FILE=/usr/local/cpanel/logs/access_log WHITE_LIST=/root/scripts/whm_watch_whitelist LOG_FILE=/root/scripts/whm_watch_log   for CUR_PID in `cat $PID_FILE 2> /dev/null`;         do         if grep $0 /proc/$CUR_PID/cmdline &> /dev/null         then         if [[ "$1" == "kill" ]]                 then                 pkill -TERM -P $CUR_PID                 exit 0                 fi         echo "WHM Watch is already running... (PID $CUR_PID)"         exit 1         fi done echo "WHM Watch started (PID $$)" echo $$ > $PID_FILE tail -f $WATCH_FILE | grep --line-buffered -E ' - root ' | grep --line-buffered -Po "^[0-9\.]*" | grep --line-buffered -vf $WHITE_LIST | xargs -r -i -n 1 csf -d {} "do not delete - Suspicious WHM root access" &>> $LOG_FILE

For servers without CSF / Directly block in IPTABLES

#!/bin/bash ## Block WHM root access from non-whitelisted IPs ## Version: 20160503 PID_FILE=/var/tmp/whm_watch.pid WATCH_FILE=/usr/local/cpanel/logs/access_log WHITE_LIST=/root/scripts/whm_watch_whitelist LOG_FILE=/root/scripts/whm_watch_log for CUR_PID in `cat $PID_FILE 2> /dev/null`;         do         if grep $0 /proc/$CUR_PID/cmdline &> /dev/null         then         if [[ "$1" == "kill" ]]                 then                 pkill -TERM -P $CUR_PID                 exit 0                 fi         echo "WHM Watch is already running... (PID $CUR_PID)"         exit 1         fi done echo "WHM Watch started (PID $$)" echo $$ > $PID_FILE tail -f $WATCH_FILE | grep --line-buffered -E ' - root ' | grep --line-buffered -Po "^[0-9\.]*" | grep --line-buffered -vf $WHITE_LIST | xargs -r -i -n 1 /root/scripts/deny_in_iptable.sh {} &>> $LOG_FILE

The above script require the following additional script to log and block the IP address:

/root/scripts/deny_in_iptable.sh

#!/bin/bash if iptables -A INPUT -s $1 -j DROP   then echo "[`date`] IP Address $1 blocked in IPTABLES"   service iptables save &> /dev/null fi

Note: The above script requires executable permission.

Configuration

The allowed IP address can be specified in the following formats:

/root/scripts/whm_watch_whitelist

123.123.1.2 ^111.222 ^222.

123.123.1.2: This IP is allowed.

^111.222: Any IPs begin with 111.222 are allowed.

^222: Any IPs begin with 222 are allowed.

Start/Stop the Script

The script can be started and backgrounded in the following way:

# sh /root/scripts/whm_watch &

The & will send the process into background.

To stop the backgrounded script:

# sh /root/scripts/whm_watch kill

Known Bugs & Limitations

Need to restart the script to reload IP whitelist modifications.
Need to Stop then Start to restart the script.
The script may try multiple times to block a single IP. This may create duplicate entries in IPTABLES.
Commenting not allowed in whitelist
No Email alerts for IP block instance.
CIDR notation is not supported in whitelist

Script to Block WHM Root Access from Unknown IPs

How the Script Works?

The Shell (bash) Script

Configuration

Start/Stop the Script

Known Bugs & Limitations

Script to Block WHM Root Access from Unknown IPs

How the Script Works?

The Shell (bash) Script

Configuration

Start/Stop the Script

Known Bugs & Limitations

AWS LightSail Automatic Snapshots

Configure SSL on Tomcat 6/7/8/9

Enable TNEF on Linux Servers

Fixing zPanel blank-screen error