Locking down WHMCS?

MannDude · Dec 27, 2013

Best practices?

I just recently installed WHMCS to migrate advertisers away from BoxBilling. Aside from doing normal server-side stuff that I do on all boxes, any tips in particular for WHMCS? How do you stay secure in a sea of bored teenagers trying to exploit you?

HalfEatenPie · Dec 27, 2013

http://docs.whmcs.com/Further_Security_Steps.

http://docs.whmcs.com/Security_Modules

There's a few more you can do (mod_security and such). Also, probably switching from apache to Hiawatha would help a bit.

Let me know if ya need any more help

Aldryic C'boas · Dec 27, 2013

Disable any fields allowing input save for the necessary (registration, tickets)
With this one - since you're working directly with the folks in question, I would advise even disabling registration and handle account creation manually.

[*]Change the /admin, /downloads, /templates_c, and /attachments paths

Prohibit uploads/attachments for the ticket system

[*]ACL the new /admin path

Additional ACLs (see below)

[*]Have as few tertiary services running on the box as possible to eliminate points of compromise

AmazonSES is a very cheap, very solid platform for outbound mail, for example

Honestly, unless you plan to open it to public registration, I would advise requesting IPs from the providers paying for ads, and lock out all external http access outside of those IPs. Pretty much all of us run VPNs or other in-house proxy setups anyway, so if you're not inconveniencing anyone this would be a phenomenal way of avoiding drive-by attempts.

EDIT: fff... English is kicking my ass today.

HalfEatenPie · Dec 27, 2013

Blanked about all the special needs for vpsBoard itself. Yeah restricting access via IP isn't a bad thing at all.

MannDude · Dec 28, 2013

Thanks for the suggestions!

MannDude · Dec 30, 2013

I moved this to the "Operating a VPS Business" forum, and may move other threads I stumble upon around the forum here too to help populate this section. I hate seeing an empty forum

TruvisT · Jan 3, 2014

Few highlights:

- Remove modules/add-ons not required.

- IP Whitelist

- Change Admin Path

- Host on a dedicatd server and secure it.

- Change path names and move outside of public_html

- .htaccess hardening

- Disable uploads

- Host e-mail offsite

- Setup SNORT on a BSD box along with your other favorite HIDS infront of WHMCS. Works better then mod_sec and one less thing to have on your server, especailly if your like us and don't use nginx.

Hxxx · Jan 4, 2014

TruvisT said:
Few highlights:

- Remove modules/add-ons not required.

- IP Whitelist

- Change Admin Path

- Host on a dedicatd server and secure it.

- Change path names and move outside of public_html

- .htaccess hardening

- Disable uploads

- Host e-mail offsite

- Setup SNORT on a BSD box along with your other favorite HIDS infront of WHMCS. Works better then mod_sec and one less thing to have on your server, especailly if your like us and don't use nginx.

Just for curiosity.. Why not nginx?

TruvisT · Jan 4, 2014

hrr1963 said:
Just for curiosity.. Why not nginx?

Opps. That should have been Apache. My bad. Nginx does not support mod_sec natively hence the reference to using SNORT.

nunim · Jan 19, 2014

Grave digging a bit but you should checkout:

http://www.simpleinvoices.org/

or

https://pancakeapp.com/

Both are pretty basic billing systems that should work well for your needs.

Locking down WHMCS?

MannDude

Just a dude

HalfEatenPie

The Irrational One

Aldryic C'boas

The Pony

HalfEatenPie

The Irrational One

MannDude

Just a dude

MannDude

Just a dude

TruvisT

Server Management Specialist

Hxxx

Active Member

TruvisT

Server Management Specialist

nunim

VPS Junkie