Thread: cPanel Concerns

  1. #1

    cPanel Concerns

    I've been in the hosting business a good few years now. Over that time I've developed a few OK scripts for web management, but now I am considering something like cPanel/DirectAdmin.

    My partner is really pushing for cPanel, although I have some concerns about it.

    After speaking with their tech support, they don't support cPanel in a NAT environment, i.e. behind a firewall. Over the last few years, I haven't even considered putting a server live on the internet unless it was behind a hardware firewall.
    But I can't with cPanel and I assume the other control panels out there are the same.

    How have you guys addressed the security concerns of running cPanel without hardware firewalls? Has iptables been sufficient, or are you doing something else?
    Or even nothing at all?

  2. #2
    Join Date
    Jan 2007
    Location
    NSW, Australia
    Posts
    24
    We've been running both hardware firewalls in some environments with CSF (ConfigServer) without any hassles in others.

    In comparison, I must say that we've had nothing but fantastic results from CSF...sometimes a little too fantastic with our techs occasionally locking themselves out because of how our firewalls are tuned :p

    CSF comes highly recommended from us, with or without a hardware firewall in front of it

    Regards,

    Dale Evans
    Manager

  3. #3
    Join Date
    Sep 2005
    Location
    Canada
    Posts
    645
    Netfilter (i.e. iptables) is more than sufficient for securing cPanel, as most security problems are associated with unpatched software flaws, not exploited unused services sitting on open ports. But many continue to worship the almighty Cisco PIX like it's a panacea to security concerns and a substitute for understanding the OS and the services it's running. It isn't.

    If you are only securing one server, and it's a cPanel server, I would recommend just using netfilter. For securing multiple machines behind one firewall you would want a dedicated PC running netfilter or use something like a PIX.

    You need to keep all your most risky ports open anyway in either case for them to be accessible. If you get compromised it would be through the firewall, be it hardware or netfilter.
    VPSVille.com
    Toronto, London, Dallas, Los Angeles
    Quality VPS hosting on Premium bandwidth

  4. #4
    Greetings:

    Have you looked at other automation systems especially those that offer complete hosting automation (not partial like cpanel)?

    Thank you.
    ---
    Peter M. Abraham
    LinkedIn Profile

  5. #5
    Join Date
    Aug 2001
    Posts
    4,028
    Quote Originally Posted by dynamicnet View Post
    Greetings:

    Have you looked at other automation systems especially those that offer complete hosting automation (not partial like cpanel)?

    Thank you.
    Such as? lol... nice personal plug!

  6. #6
    Join Date
    May 2003
    Location
    The Netherlands
    Posts
    298
    There are other firewall options besides NAT....

    The problem with cPanel (and -some- other panels) is, that the public IP must be on the server for license reasons, I suppose. So if you can have the public IP on a nic, you'll be fine.
    SuperRacks Ltd European Hosting
    We serve you with custom services
    Visit our website or ask for a custom quote
    Quality linux and Windows hosting, servers and collocation

  7. #7
    Join Date
    Nov 2006
    Location
    Houston, TX
    Posts
    563
    Quote Originally Posted by Host3000 View Post
    There are other firewall options besides NAT....

    The problem with cPanel (and -some- other panels) is, that the public IP must be on the server for license reasons, I suppose. So if you can have the public IP on a nic, you'll be fine.
    From a licensing perspective, a 1:1 ratio of cPanel/WHM servers to public IP addresses (with no 2 servers ever swapping addresses) in a NAT setup will work.

    However, if you were to request technical support, you would be asked to bring your server outside of a NAT setup as we do not officially support NAT nor do we troubleshoot NAT-related issues.

    Keep in mind, many data centers already place their customers' servers behind a hardware firewall. You may wish to inquire with your data center to see if your server would already be behind such a hardware firewall.

    Remember, not all hardware firewalls rely on Network Address Translation.

    In terms of software firewalls, I've heard many praises from our customers about CSF and its integration into WHM so you may also wish to consider that as an option.
    David Grega
    cPanel Technical Product Specialist

  8. #8
    Join Date
    May 2003
    Location
    The Netherlands
    Posts
    298
    Quote Originally Posted by cPanelDavidG View Post
    From a licensing perspective, a 1:1 ratio of cPanel/WHM servers to public IP addresses (with no 2 servers ever swapping addresses) in a NAT setup will work.
    Thanks for clearing that up. Didn't know that. The rest would be addressed @kieran2 I think?
    SuperRacks Ltd European Hosting
    We serve you with custom services
    Visit our website or ask for a custom quote
    Quality linux and Windows hosting, servers and collocation

  9. #9
    Thanks for clearing some things up.

    I managed to get cPanel partially working in a 1:1 NAT environment, but vhosts wouldn't work. I did contact support but was told to move it to a public address. I shouldn't have told cPanel I was NATing.

    It feels a bit of a step back for me as I'm used to running my mail and web servers behind firewalls for that extra peace of mind, but I do agree with the comments that most exploits are based on the common protocols that the firewall passes through anyway.

  10. #10
    Quote Originally Posted by dynamicnet View Post
    Greetings:

    Have you looked at other automation systems especially those that offer complete hosting automation (not partial like cpanel)?

    Thank you.
    I did look at HSphere but I was put off by this
    "H-Sphere can be installed only on public IPs."

  11. #11
    Join Date
    May 2007
    Location
    Ukraine
    Posts
    161
    H-Sphere can be installed only on public IPs
    Wow, probably I missed something...

    As far as I know, there are hosters running H-Sphere behind the NAT, and if they requested technical support, they were never asked to bring servers outside of a NAT setup because "it is not supported".

    Actually, H-Sphere does work in a NAT environment; we can still see this documentation page:
    http://www.psoft.net/HSdocumentation/sysadmin/nat.html

    One important requirement is that servers within one H-Sphere cluster must be able to communicate by external IPs.
