Page 34 of 36 (Results 496 to 510 of 529)

Thread: WHMCS.com Hacked?

  1. #496
    Join Date
    Sep 2007
    Location
    Jimboomba, Qld. AU
    Posts
    2,293


Quote Originally Posted by SoftDux:
If you don't mind, which mod_security rules do you use to protect against this type of hack?
Simply the default rules that come with cPanel after you install mod_security

  2. #497
    Join Date
    Jun 2011
    Posts
    6


The real fault lies with whmcs, for not utilizing hosting that is secure. Since whmcs is a billing system, a highly attractive target, they should be running their system from a banking compliant hosting provider, which means restricted access locked room for the servers, as well as additional security limiting online access. 97-99% of stolen company data is done from the inside. That includes direct employees and any contractor employees, which in this case means hostgator.

It is clear that whmcs needs to start handling its business with security that is required by credit card transaction regulations. Until that level of security is implemented by whmcs for its own servers, every user of whmcs is at risk. As not only could the whmcs servers harbor a data post grabber or database dump capability to a remote location, but code could be injected into the whmcs download itself to get credit card data from every company that uses whmcs.

With the potential of hundreds of millions of dollars to be had, strict security needs to be adhered to by whmcs, as human nature is generally the weakest link, whether it be a disgruntled employee or someone willing to make some money. The lowest paid and least educated employees are generally support personnel, yet they are the ones with the ability to access any system at a hosting company.

The incentive of earning thousands or hundreds of thousands or millions of dollars is simply too great to allow average support personnel access to servers that hold or process credit card transactions.

    This is nothing new, old news and old knowledge, but apparently whmcs is not security minded, hell they cannot even verify their own customers from within their own system, the internal ticketing system is not secure, that is by their own admission.

    Whmcs needs to go back to the grindstone and implement better security procedures for its own servers and clear up the security flaw in the ticket system. They may be able to ask for login details to verify their customers, but many users of whmcs do not sell products that allow such a method to be used to verify the customer. So how does a user of whmcs verify a client if the tickets in the ticket system cannot be trusted?

  3. #498
    Join Date
    Feb 2008
    Posts
    903


It's real easy to point a finger when it's not you that got hit...

Quote Originally Posted by SinOjos (post #497 above, quoted in full)

  4. #499
    Join Date
    Oct 2006
    Posts
    3,146


Quote Originally Posted by SinOjos:
The real fault lies with whmcs, for not utilizing hosting that is secure.
From what I'd read, it wasn't the hosting being insecure, it was an employee issue. They were convinced to reveal account details, which could potentially happen on *any* hosting platform.

  5. #500
    Join Date
    Jul 2009
    Posts
    12


    Answers to security questions such as, for example, mother's maiden name, name of favourite pet or the street you grew up on can be researched by a determined hacker who is targeting someone specific. This gets easier to research with the popularity of social networks such as Facebook where people tend to reveal too many personal details online. That's why I always register answers to these questions that cannot be researched, such as my mother's maiden name is "hamburger" and my favourite pet is "carburetor" or some other nonsense.

  6. #501
    Join Date
    May 2012
    Posts
    3


Quote: mother's maiden name is "hamburger" and my favourite pet is "carburetor" or some other nonsense.
I might actually start doing something like this. Like you have said, with Facebook etc. it's very easy to find answers to some of these questions if you are determined enough to do so.

  7. #502
    Join Date
    Jan 2008
    Location
    London, UK
    Posts
    111


    seems the letters D and H together like ** have been censored on the forum...
    Matt Wallis
    Company Director
    United Communications Limited
    www.unitedhosting.co.uk | www.unitedhosting.com

  8. #503
    Join Date
    Dec 2005
    Location
    Henderson, KY
    Posts
    778


    @desynced - With you pal, tried ClientExec, tried ModernBill and grabbed WHMCS in 2005. Yep, downloaded the files for damage control too.

    Not doing so is akin to facing a minefield and not having a mine detector to get through. But look, over there, CavalloComm's mine detector isn't being used. I think I'll borrow it and find my way through the mine field. The only other choice is to close my eyes, cover my ears and tip-toe.... no thanks. I'll borrow the mine detector.

    Sorry Matt, but I think you understand.
    “An elective despotism was not the government we fought for. ” ~Thomas Jefferson
    ver 5.2.4
    WHMCS since 2005

  9. #504
    Join Date
    Oct 2006
    Posts
    3,146


Quote Originally Posted by UH-Matt:
    seems the letters D and H together like ** have been censored on the forum...
    Yes, and with the new forum, I have severely reduced access and can't fix it.
    I reported the issue...

  10. #505
    Join Date
    Sep 2010
    Posts
    118


Quote Originally Posted by bear:
From what I'd read, it wasn't the hosting being insecure, it was an employee issue. They were convinced to reveal account details, which could potentially happen on *any* hosting platform.
    Not so, I believe the properly paranoid sys admin should make it so the bad guys can't get in even if they HAVE the server's root password.

    IP restrictions, two factor authentication, VPN access only are all super simple to implement and there are plenty more sophisticated techniques - not to mention not sharing the root password with the upstream provider in the first place (especially losers like Hostgator; that they were being used was the biggest shocker in this whole miserable affair). We should all be doing this stuff, to not do so is just poor management imo.

  11. #506
    Join Date
    Aug 2007
    Location
    UK
    Posts
    897


    Unless you own the data centre, any support personnel at a DC with high enough privileges could walk over to your server and reset the root password.

    The problem here was that the procedures in place at Hostgator /WHMCS simply were not good enough to prevent this happening.

    To be honest though, this issue has been beaten to death now, we all know Hostgator are cack, we all know better security procedures should have been in place at WHMCS and we all know that things must change and improve which I have no doubt they will...
    Cheers, Phil
    Open Mind Hosting | w: openmindhosting.co.uk
    Servers | VPS

  12. #507
    Join Date
    Oct 2006
    Posts
    3,146


Quote Originally Posted by malfunction:
    • IP restrictions, two factor authentication, VPN access
    • not sharing the root password with the upstream provider
    • We should all be doing this stuff, to not do so is just poor management imo.
    And these are all things you're implementing on your own services/servers? With what provider, please? I'd like to discuss that option with them.
Quote Originally Posted by openmind:
    • Unless you own the data centre, any support personnel at a DC with high enough privileges could walk over to your server and reset the root password.
    • The problem here was that the procedures in place at Hostgator /WHMCS simply were not good enough to prevent this happening.
    • To be honest though, this issue has been beaten to death now
    All valid points (especially that last one), and many have hindsightful commentary to add about what they would do to protect themselves "if it were them". I imagine that many don't actually implement that sort of security, and some are probably hosted with the same provider they're tearing up currently.
    Happens all the time.

    Of course, then you look at others affected by socially engineered attacks, like MyBB. Had nothing to do with their host, it would appear their registrar (Namecheap) mistakenly handed over the domain name. With that, quickly set up a catchall, and start requesting password resets.
    Many ways in, and security takes effort...and isn't possible to achieve 100%, IMHO.

  13. #508
    Join Date
    Feb 2010
    Location
    United Kingdom
    Posts
    608


Quote Originally Posted by vincent_g:
    One thing I am not too happy with with WHMCS is their new marketing idea which winds up giving large hosting companies an unfair advantage on smaller ones as I now see hosting companies giving away WHMCS with reseller accounts.

    As this software falls into more hands for small fees the possibility of hackers will increase.
    This allows them to have hands on access to try and find holes in it.

    I believe it's a really bad idea - might be a good marketing scheme but long term it's not very good.
Just like any other business WHMCS has to make money; if this means they lease large volumes of licenses to large hosting companies at a lower price, this makes viable financial sense for the long term success of the business.

It does allow smaller companies to get into the business, resellers or not, this is good for the hosting industry, it brings about good competition, and it weeds out those that are no good because you can switch easily.

Being a major player in the industry doesn't mean you're the best, or cheapest, it means you advertised and campaigned well. Now keeping those clients, well that's a different matter. And this is where we come in as website hosts. If we can take just a small fraction of those unsatisfied customers we are taking a piece of their market share.

I am sure this screw up from hostgator is not the first incident, I doubt it will be the last, I know they recently opened a new building in Dallas, so you can see they are doing something right there but they are not the be all and end all of the hosting industry.

Now as for WHMCS having millions of copies out there, I should hope that they do, and I hope that it is being hacked all the time. Not because I want to see WHMCS go under, but because I want to see WHMCS go from strength to strength so we can all have better more secure systems; if an exploit is not known it cannot be plugged.

Personally, I think if my business was attracting the attention of so many hackers I would be proud of the fact my business is doing so well to be such a prominent focus point for their attentions. In my mind these hackers are validating the very core of what WHMCS stands for simply by trying to undermine it.

I started as a "reseller" with hostgator, I have found their support intermittent at times, slow at others, but on the whole they have been good in support. This is only my standpoint on hostgator, and I still to this day use their services for provisioning of clients but not for my whmcs installation; I gave up their free whmcs license about 3 months after I started and never looked back. In the end, the safety and security of my clients rests in my hands, it's my reputation on the line when things go wrong and not any third party companies I use.

Resellers, co-locators and webhosts alike would all do well to remember that very fact. When the **** hits the fan, the buck stops with me.

  14. #509
    Join Date
    Dec 2005
    Location
    Henderson, KY
    Posts
    778


I have said before, security is an ongoing, ever evolving state of mind. Security is not a goal to attain. As soon as one says to themselves "I'm there, my stuff is now secure" is the moment their attempt to be secure has failed and it's only a matter of time.
    “An elective despotism was not the government we fought for. ” ~Thomas Jefferson
    ver 5.2.4
    WHMCS since 2005

  15. #510
    Join Date
    Sep 2010
    Posts
    118


Quote Originally Posted by bear:
    And these are all things you're implementing on your own services/servers? With what provider, please? I'd like to discuss that option with them.
    Absolutely, Softlayer are a good example of that. Firewall off anything related to SSH, RDP, cPanel or whatever, use their VPN over the private network for sole administrative access, leverage their two factor authentication to keep the management portal locked down and don't keep the actual root passwords in that portal. We do much the same elsewhere with Cisco VPNs and also for hardware we have on site with IPSEC.

Nothing is completely bombproof but the above would have totally stopped last week's fiasco in its tracks, no?
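The post above recommends firewalling SSH, RDP and cPanel/WHM so that only the private network or VPN can reach them. The following is an added example (not code from the thread or from any provider it names) that audits an iptables-save INPUT chain for admin ports still accepted from outside the allowed admin networks; the port list, the sample dump and the admin CIDR are constructed assumptions.

```python
"""Audit an iptables-save INPUT chain for admin ports reachable from anywhere.

Added example for the hardening described in post #510; not from the thread.
"""
import ipaddress
import re

# Services named in the post (SSH, RDP, cPanel/WHM); assumed port list.
ADMIN_PORTS = {22: "ssh", 3389: "rdp", 2082: "cpanel", 2083: "cpanel-ssl",
               2086: "whm", 2087: "whm-ssl"}

# Matches "-A INPUT [-s CIDR] ... -p tcp ... --dport N ... -j TARGET".
RULE_RE = re.compile(
    r"^-A INPUT(?: -s (?P<src>\S+))?.*?-p tcp.*?--dport (?P<port>\d+).*?-j (?P<target>\w+)")

# Constructed sample dump: SSH is allowed from 10/8 but also from anywhere,
# WHM-SSL is dropped before its ACCEPT, RDP is open to a non-admin range.
SAMPLE_DUMP = """\
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 10.0.0.0/8 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2087 -j DROP
-A INPUT -p tcp -m tcp --dport 2087 -j ACCEPT
-A INPUT -s 10.0.0.0/8 -p tcp -m tcp --dport 2083 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -s 203.0.113.0/24 -p tcp -m tcp --dport 3389 -j ACCEPT
COMMIT
"""

def parse_rules(dump):
    """Yield (port, source network or None, target) for each INPUT tcp rule."""
    for line in dump.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            src = m.group("src")
            net = ipaddress.ip_network(src, strict=False) if src else None
            yield int(m.group("port")), net, m.group("target")

def audit(dump, admin_nets):
    """Return findings for admin ports ACCEPTed from outside admin_nets (VPN/private CIDRs).

    Rules are first-match, so an unrestricted DROP/REJECT seen earlier protects the port.
    """
    allowed = [ipaddress.ip_network(n) for n in admin_nets]
    blocked, findings = set(), []
    for port, net, target in parse_rules(dump):
        if port not in ADMIN_PORTS or port in blocked:
            continue
        if target in ("DROP", "REJECT") and net is None:
            blocked.add(port)
        elif target == "ACCEPT" and (net is None or not any(net.subnet_of(a) for a in allowed)):
            findings.append(f"{ADMIN_PORTS[port]}/{port} accepted from {'anywhere' if net is None else net}")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_DUMP, ["10.0.0.0/8"]):
        print("EXPOSED:", finding)
```

Feed it `iptables-save` output instead of the constructed dump to check a live host; an empty result means every admin port is either dropped or reachable only from the admin networks you passed in.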
