Locking down WHMCS?

MannDude

Just a dude
vpsBoard Founder
Moderator
Best practices?

I just recently installed WHMCS to migrate advertisers away from BoxBilling. Aside from doing normal server-side stuff that I do on all boxes, any tips in particular for WHMCS? How do you stay secure in a sea of bored teenagers trying to exploit you?
 

Aldryic C'boas

The Pony
  • Disable any fields allowing input save for the necessary (registration, tickets)
    With this one - since you're working directly with the folks in question, I would advise even disabling registration and handling account creation manually.
  • Change the /admin, /downloads, /templates_c, and /attachments paths
  • Prohibit uploads/attachments for the ticket system
  • ACL the new /admin path
  • Additional ACLs (see below)
  • Have as few tertiary services running on the box as possible to eliminate points of compromise
    AmazonSES is a very cheap, very solid platform for outbound mail, for example

Honestly, unless you plan to open it to public registration, I would advise requesting IPs from the providers paying for ads, and lock out all external http access outside of those IPs.  Pretty much all of us run VPNs or other in-house proxy setups anyway, so if you're not inconveniencing anyone this would be a phenomenal way of avoiding drive-by attempts.

EDIT: fff... English is kicking my ass today.
 

HalfEatenPie

The Irrational One
Retired Staff
Blanked about all the special needs for vpsBoard itself.  Yeah restricting access via IP isn't a bad thing at all.  
 

MannDude

Just a dude
vpsBoard Founder
Moderator
I moved this to the "Operating a VPS Business" forum, and may move other threads I stumble upon around the forum here too to help populate this section. I hate seeing an empty forum :)
 

TruvisT

Server Management Specialist
Verified Provider
Few highlights:

- Remove modules/add-ons not required.

- IP Whitelist

- Change Admin Path

- Host on a dedicated server and secure it.

- Change path names and move outside of public_html

- .htaccess hardening

- Disable uploads

- Host e-mail offsite

- Set up SNORT on a BSD box along with your other favorite HIDS in front of WHMCS. Works better than mod_sec and one less thing to have on your server, especially if you're like us and don't use nginx.
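As an added example that is not from any of the posts above, here is an Apache 2.4 virtual-host fragment implementing the web-server side of the advice in Aldryic's and TruvisT's lists: the IP whitelist, a renamed admin directory with its own ACL, closed-off storage directories, and uploads switched off at the PHP layer. The host name, the document root /var/www/whmcs, the renamed admin directory staff-console-7f3a and the addresses 203.0.113.0/24 and 198.51.100.7 are placeholders to replace with your own.

```apache
# Added example, not from the thread. Apache 2.4 vhost fragment for a WHMCS
# install at /var/www/whmcs whose admin directory has been renamed to
# staff-console-7f3a. Every name and address below is a placeholder.

<VirtualHost *:443>
    ServerName billing.example.com
    DocumentRoot /var/www/whmcs

    SSLEngine on
    SSLCertificateFile    /etc/ssl/billing.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/billing.example.com.key

    # Keep every access rule in this file: with AllowOverride None a file
    # dropped into the web root cannot loosen anything via .htaccess.
    <Directory /var/www/whmcs>
        AllowOverride None
        Options -Indexes -ExecCGI -FollowSymLinks
        # Site-wide whitelist: only the advertisers' office/VPN addresses
        # reach the front end at all. Remove this single line if the site
        # must stay open to public registration; the admin rule below stays.
        Require ip 203.0.113.0/24 198.51.100.7
    </Directory>

    # Renamed admin path with a tighter list. With the default
    # AuthMerging Off, this Require replaces the site-wide one for this
    # directory rather than being OR'd with it.
    <Directory /var/www/whmcs/staff-console-7f3a>
        Require ip 198.51.100.7
    </Directory>

    # The DB credentials live here; if PHP ever stops executing (broken
    # handler, misconfigured upgrade) this stops the source from being served.
    <Files "configuration.php">
        Require all denied
    </Files>

    # templates_c, attachments and downloads hold compiled templates and
    # user-supplied files. Moving them outside the document root is better;
    # if they have to stay, nothing in them is served directly.
    <DirectoryMatch "^/var/www/whmcs/(templates_c|attachments|downloads)(/|$)">
        Require all denied
    </DirectoryMatch>

    # Belt and braces for any directory WHMCS writes into: even if the rule
    # above is later relaxed, script extensions are never executed there.
    <DirectoryMatch "^/var/www/whmcs/(attachments|downloads)(/|$)">
        <FilesMatch "\.(ph(p[0-9]?|t|tml|ar)|cgi|pl)$">
            Require all denied
        </FilesMatch>
    </DirectoryMatch>

    # "Disable uploads": with mod_php this refuses multipart file uploads
    # for the whole vhost. Under php-fpm use php_admin_flag[file_uploads]
    # in the pool config instead. Re-enable only if staff need attachments.
    php_admin_flag file_uploads Off
    LimitRequestBody 262144
</VirtualHost>
```

Check the result with `apachectl configtest`, then confirm from an address outside the lists that `/`, `/staff-console-7f3a/`, `/configuration.php` and `/templates_c/` all return 403 rather than content. The directory renames themselves are done on the WHMCS side: rename the directories on disk and point configuration.php at the new names (the variables are `$customadminpath`, `$templates_compiledir`, `$attachments_dir` and `$downloads_dir` in the WHMCS versions I have worked with; verify against the docs for your release, as this example assumes them rather than taking them from the thread).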
 

Hxxx

Active Member
Few highlights:

- Remove modules/add-ons not required.
- IP Whitelist
- Change Admin Path
- Host on a dedicated server and secure it.
- Change path names and move outside of public_html
- .htaccess hardening
- Disable uploads
- Host e-mail offsite
- Set up SNORT on a BSD box along with your other favorite HIDS in front of WHMCS. Works better than mod_sec and one less thing to have on your server, especially if you're like us and don't use nginx.

Just out of curiosity... Why not nginx?
 