Security, Logging in, and the Firewall
We are going to actually block port 2082, which is the non-encrypted cPanel port. For a while now (over a year), we’ve directed the servers to forward you, when you log in, to the server name (to prevent browsers from freaking out when you don’t have an SSL certificate) and to the encrypted cPanel login port (which is 2083). If you logged in by typing in yourdomainname.com/cpanel, it would forward you to https://server.name:2083 so that you could safely log in and so that your login and password were sent encrypted. We programmed this through the server settings, and thought that since we told the server to forward you to the encrypted port, it would do so and not let you be unencrypted at all.
Guess what? Not quite.
Thanks to a client coming on chat this morning, we discovered that those of you who bookmarked pages within cPanel itself using the non-encrypted link could bypass this security mechanism, and happily fly your logins and passwords through the air in plain text. To help combat this, we are firewalling port 2082 on all servers – those of you who have bookmarked unencrypted pages will find yourselves unable to reach your cPanel through your bookmark in the manner you are used to. If you find yourself locked out, take this as a sign that you should log in “the regular way” (http://www.yourdomainname.com/cpanel) so that we can protect you from plain text password volleyball. You should also change your password as soon as you get in, since you’ve been using it without encrypting it.
If you ever find yourself within your cPanel, Web Host Manager, or Webmail and the link in your browser is http:// and not https://, you are most certainly “doing it wrong”, as we have all logins programmed to operate using SSL. Despite that, it appears cPanel is not foolproof, so make sure that you’re protected.
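One way to find the bookmarks described above before the firewall change locks them out, as an added example that is not part of the original post: it scans a browser's exported bookmarks file for plain http:// links to the non-SSL panel ports and suggests the https equivalent. The WHM and Webmail port pairs (2086/2087, 2095/2096) are cPanel's standard defaults rather than values stated in the post, and the sample bookmarks are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Non-SSL port -> (service, SSL port). 2082/2083 are named in the post; the WHM
# and Webmail pairs are cPanel's standard defaults, included as an assumption.
PLAINTEXT_PORTS = {2082: ("cPanel", 2083), 2086: ("WHM", 2087), 2095: ("Webmail", 2096)}


class _LinkCollector(HTMLParser):
    """Collect href values from <a> tags (tag/attribute names arrive lowercased)."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)


def audit_bookmarks(html_text):
    """Return (url, service, https_replacement) for each plain-text panel bookmark."""
    collector = _LinkCollector()
    collector.feed(html_text)
    findings = []
    for url in collector.hrefs:
        try:
            parts = urlsplit(url)
            port = parts.port
        except ValueError:  # malformed host or port in a bookmark; nothing to flag
            continue
        if parts.scheme != "http" or not parts.hostname or port not in PLAINTEXT_PORTS:
            continue
        service, ssl_port = PLAINTEXT_PORTS[port]
        fixed = parts._replace(scheme="https", netloc=f"{parts.hostname}:{ssl_port}")
        findings.append((url, service, fixed.geturl()))
    return findings


# Constructed sample in the Netscape bookmark export format browsers produce.
SAMPLE = """<DL><p>
<DT><A HREF="http://server.name:2082/mail/accounts.html">Mail accounts</A>
<DT><A HREF="https://server.name:2083/index.html">cPanel home</A>
<DT><A HREF="http://server.name:2095/webmail/">Webmail</A>
<DT><A HREF="http://www.yourdomainname.com/cpanel">Login</A>
</DL><p>"""

if __name__ == "__main__":
    for old, service, new in audit_bookmarks(SAMPLE):
        print(f"{service}: {old}\n   -> {new}")
```

The yourdomainname.com/cpanel bookmark is not flagged because it carries no explicit port and goes through the forwarding the post describes.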
We have also changed some of the settings on our firewall in general. Previously, we permanently banned IPs caught doing nefarious things. We have changed those bans to expire within 2 hours, so if you or your clients screw up, the port and action will become available to you again after the two hours pass. After a few chances, though, the software will put you back on perm ban, so you still can’t spend all day trying to guess your password. If you don’t know what your cPanel password is, email support and we’ll reset it. If you lose track of your email password, log in to your cPanel securely, and simply reset it.














