by yazboo 1951 days ago
I have (had, I guess) a WordPress site on here. They sent an email about the hack but somebody had already changed my password and recovery email in cPanel. They haven't changed the WordPress admin credentials though, so I'm exporting what I can.
1 comment

I didn't realize cPanel was such an attack surface.
It's a web interface that gives you full admin access to a website. That's exactly where I would look for vulnerabilities if I were an attacker.

I know I'm going to get flak for victim blaming, but not putting something like cPanel behind a VPN or SSH reverse proxy is on the same level as not wearing a seatbelt. At this point we should all know better, and those who don't will have to suffer the consequences.

If my users have to access the cPanel from wherever they may be, how does a VPN or SSH reverse proxy help? Not trolling, I'm genuinely ignorant of top level security practices.
Because instead of exploiting cPanel directly from any random IP on the Internet globally, attackers first have to compromise your VPN connection.

It's a pretty significant barrier and dramatically reduces the number of attack surfaces out there.

Mobile/desktop OSes have come a LONG way in VPN support, so requiring VPN access for critical access (and administrative access should always be considered critical!) is not near the barrier of entry it used to be. Heck, anyone can set a VPN server up on a Raspberry Pi in minutes that can handle hundreds of megabits of traffic - PiVPN with WireGuard is drop-dead simple to configure and deploy (WAY easier than the mess that is OpenVPN); the amount of friction to implement a VPN these days is just about negligible. It's a harder problem for service providers like this one that have thousands of customers - but they certainly had some sort of user account management/provisioning system; it's way past time to expect those to be able to handle security certificate management too.

It's far less effort than cleaning up messes like the one being profiled here! And if you have sensitive data? Once your system is compromised it's no longer sensitive. It's now public knowledge :p
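One concrete way to apply the VPN gating this reply argues for, as an added example that is not from the thread: a wg-quick server config whose PostUp/PostDown hooks only accept the cPanel/WHM listener ports from the tunnel interface. The subnet, interface name and the port list (2082/2083/2086/2087) are assumptions about a typical cPanel host; the keys are placeholders.

```ini
# /etc/wireguard/wg0.conf on the hosting server (constructed example)
[Interface]
Address = 10.8.0.1/24
ListenPort = 51820
# Placeholder: generate with `wg genkey`, never commit the real value
PrivateKey = <SERVER_PRIVATE_KEY>

# Weak posture (what the thread describes): cPanel ports reachable from any IP,
# so password guessing and web-UI exploits are open to the whole Internet.
# Hardened posture: the cPanel/WHM ports answer only on the wg0 tunnel;
# traffic arriving on any other interface to those ports is dropped.
PostUp   = iptables -I INPUT -i wg0 -p tcp -m multiport --dports 2082,2083,2086,2087 -j ACCEPT
PostUp   = iptables -I INPUT ! -i wg0 -p tcp -m multiport --dports 2082,2083,2086,2087 -j DROP
PostDown = iptables -D INPUT -i wg0 -p tcp -m multiport --dports 2082,2083,2086,2087 -j ACCEPT
PostDown = iptables -D INPUT ! -i wg0 -p tcp -m multiport --dports 2082,2083,2086,2087 -j DROP

# One [Peer] block per authorised admin device; AllowedIPs is a /32 so a
# leaked key only grants a single tunnel address that can be revoked here.
[Peer]
PublicKey = <ADMIN_PUBLIC_KEY>
AllowedIPs = 10.8.0.2/32
```

After `wg-quick up wg0`, the admin reaches cPanel at https://10.8.0.1:2083 through the tunnel, while the public hostname on those ports stops responding; the web site itself on 80/443 is unaffected.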

>not putting something like cPanel behind a VPN or SSH reverse proxy is on the same level as not wearing a seatbelt

Exactly. It's astonishing the amount of crap that has absolutely no business being directly connected to the Internet but is.

Convenience or security - it's either/or, not a yes/yes.