Blog

Script to Block WHM Root Access from Unknown IPs

Tags: cPanelSecuritywebhostingWHM

Published on: July 25, 2016 by Shafeer P

Script to Block WHM Root Access from Unknown IPs

Scenario:

In a Shared Hosting cPanel server, the WHM root access is required for authorized technicians and API calls (like WHMCS) only. In majority cases, the shell access or root level access is restricted only to the web hosting support or server management professionals. Being a popular web hosting control panel, cPanel is exposed to various type of security attacks. Some times an infected or hacked client device with the logins,  can be catastrophic if they are able to access the WHM as root user. So limiting the WHM Root access to known IPs provides additional layer of security. Here I am making an attempt to develop a bash script to restrict the root level WHM access after cross checking it with the known IPs list.

How the Script Works?

This script can actively monitor the cPanel access_log (/usr/local/cpanel/logs/access_log) for any WHM Root access and block the source IP if it is not present in the custom whitelist.

The Shell (bash) Script

For servers having CSF installed and running
#!/bin/bash ## Block WHM root access from non-whitelisted IPs ## Version: 20160503   PID_FILE=/var/tmp/whm_watch.pid WATCH_FILE=/usr/local/cpanel/logs/access_log WHITE_LIST=/root/scripts/whm_watch_whitelist LOG_FILE=/root/scripts/whm_watch_log   for CUR_PID in `cat $PID_FILE 2> /dev/null`;         do         if grep $0 /proc/$CUR_PID/cmdline &> /dev/null         then         if [[ "$1" == "kill" ]]                 then                 pkill -TERM -P $CUR_PID                 exit 0                 fi         echo "WHM Watch is already running... (PID $CUR_PID)"         exit 1         fi done echo "WHM Watch started (PID $$)" echo $$ > $PID_FILE tail -f $WATCH_FILE | grep --line-buffered -E ' - root ' | grep --line-buffered -Po "^[0-9\.]*" | grep --line-buffered -vf $WHITE_LIST | xargs -r -i -n 1 csf -d {} "do not delete - Suspicious WHM root access" &>> $LOG_FILE
For servers without CSF / Directly block in IPTABLES
#!/bin/bash ## Block WHM root access from non-whitelisted IPs ## Version: 20160503 PID_FILE=/var/tmp/whm_watch.pid WATCH_FILE=/usr/local/cpanel/logs/access_log WHITE_LIST=/root/scripts/whm_watch_whitelist LOG_FILE=/root/scripts/whm_watch_log for CUR_PID in `cat $PID_FILE 2> /dev/null`;         do         if grep $0 /proc/$CUR_PID/cmdline &> /dev/null         then         if [[ "$1" == "kill" ]]                 then                 pkill -TERM -P $CUR_PID                 exit 0                 fi         echo "WHM Watch is already running... (PID $CUR_PID)"         exit 1         fi done echo "WHM Watch started (PID $$)" echo $$ > $PID_FILE tail -f $WATCH_FILE | grep --line-buffered -E ' - root ' | grep --line-buffered -Po "^[0-9\.]*" | grep --line-buffered -vf $WHITE_LIST | xargs -r -i -n 1 /root/scripts/deny_in_iptable.sh {} &>> $LOG_FILE

The above script require the following additional script to log and block the IP address:

/root/scripts/deny_in_iptable.sh
#!/bin/bash if iptables -A INPUT -s $1 -j DROP   then echo "[`date`] IP Address $1 blocked in IPTABLES"   service iptables save &> /dev/null fi

Note: The above script requires executable permission.

Configuration

The allowed IP address can be specified in the following formats:

/root/scripts/whm_watch_whitelist
123.123.1.2 ^111.222 ^222.

123.123.1.2: This IP is allowed.

^111.222: Any IPs begin with 111.222 are allowed.

^222: Any IPs begin with 222 are allowed.

Start/Stop the Script

The script can be started and backgrounded in the following way:
# sh /root/scripts/whm_watch &

The & will send the process into background.

To stop the backgrounded script:
# sh /root/scripts/whm_watch kill

Known Bugs & Limitations

  • Need to restart the script to reload IP whitelist modifications.
  • Need to Stop then Start to restart the script.
  • The script may try multiple times to block a single IP. This may create duplicate entries in IPTABLES.
  • Commenting not allowed in whitelist
  • No Email alerts for IP block instance.
  • CIDR notation is not supported in whitelist
Get 24/7 expert server management

Category : cPanel, Linux, Security

Shafeer P

Shafeer P

Shafeer is currently working as Senior System Engineer at SupportSages. He is capable of tackling time-consuming issues quickly with his advanced scripting abilities. His unchallenged expertise in solving complex issues in a cut-and-dried way makes him a dependable man in the team. The attitude and philosophy he shows on his workplace make his colleagues call him 'Mr. Perfectionist'. Furthermore, he is a travel and photography enthusiast, and loves to spend his leisure times on music and DIY arts.

You may also read:

Comments

Add new commentSIGN IN

Let's Connect

Get new updates

Categories

$0.000 items