Changing domain.com/cpanel
bikegremlin
ModeratorOG
in Technical
When using cPanel shared or reseller hosting, is it possible, as a user/customer, to disable or change the login through:
domain.com/cpanel
I have figured out how to disable cpanel.domain.com, but not the /cpanel.
BikeGremlin I/O
Mostly WordPress ™
Comments
Your host provider will need to disable proxying that subdirectory from Tweak Settings.
I doubt it's possible to override that in .htaccess.
Xsltel OU | A One-man show powered by 250 grams of brain
Offering reliable hosting services, Server management since 2011 and free cPanel hosting since 2020
Yes - .htaccess from user's cPanel account doesn't help.
Is that a normal thing to ask the provider?
Can it be done on a per-customer level?
I would expect it to require a server restart at least.
BikeGremlin I/O
Mostly WordPress ™
You have to talk to the provider if it's only for one or a few domains:
https://forums.cpanel.net/threads/possible-to-disable-domain-com-cpanel-for-client.468861/
https://clients.mrvm.net
Actually, after further checking, I don't see an option to disable that from Tweak Settings. I mixed that up with the subdomain in my first reply.
However, it's possible to achieve that with these commands:
cp /var/cpanel/templates/apache2_4/ea4_main.default /var/cpanel/templates/apache2_4/ea4_main.local
then editing the new file
/var/cpanel/templates/apache2_4/ea4_main.local
and finding and commenting these lines
ScriptAliasMatch ^/?controlpanel/?$ /usr/local/cpanel/cgi-sys/redirect.cgi
ScriptAliasMatch ^/?cpanel/?$ /usr/local/cpanel/cgi-sys/redirect.cgi
ScriptAliasMatch ^/?kpanel/?$ /usr/local/cpanel/cgi-sys/redirect.cgi
ScriptAliasMatch ^/?securecontrolpanel/?$ /usr/local/cpanel/cgi-sys/sredirect.cgi
ScriptAliasMatch ^/?securecpanel/?$ /usr/local/cpanel/cgi-sys/sredirect.cgi
ScriptAliasMatch ^/?securewhm/?$ /usr/local/cpanel/cgi-sys/swhmredirect.cgi
ScriptAliasMatch ^/?webmail$ /usr/local/cpanel/cgi-sys/wredirect.cgi
ScriptAliasMatch ^/?webmail/ /usr/local/cpanel/cgi-sys/wredirect.cgi
ScriptAliasMatch ^/?whm/?$ /usr/local/cpanel/cgi-sys/whmredirect.cgi
then
/scripts/rebuildhttpdconf
/scripts/restartsrv_httpd
if someone needs to do it on their cPanel server.
Xsltel OU | A One-man show powered by 250 grams of brain
Offering reliable hosting services, Server management since 2011 and free cPanel hosting since 2020
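Added example, not part of the original post or cPanel's own tooling: a shell function that applies the commenting step from the post above to the copied template, reports how many lines it changed, and leaves already-commented lines alone. The function names and the sample template contents are constructed for illustration; on a server the target would be /var/cpanel/templates/apache2_4/ea4_main.local.

```sh
#!/bin/sh
# Added example. Function names and sample data are constructed for illustration.

# Write a small constructed stand-in for ea4_main.local to the given path.
make_sample_template() {
    cat > "$1" <<'EOF'
ScriptAliasMatch ^/?cpanel/?$ /usr/local/cpanel/cgi-sys/redirect.cgi
ScriptAliasMatch ^/?securewhm/?$ /usr/local/cpanel/cgi-sys/swhmredirect.cgi
ScriptAliasMatch ^/?webmail$ /usr/local/cpanel/cgi-sys/wredirect.cgi
ScriptAlias /cgi-sys /usr/local/cpanel/cgi-sys/
#ScriptAliasMatch ^/?whm/?$ /usr/local/cpanel/cgi-sys/whmredirect.cgi
EOF
}

# Comment out every active ScriptAliasMatch that points at one of the
# cgi-sys *redirect.cgi scripts. Keeps a .bak copy, is safe to run twice,
# and prints the number of lines it commented.
disable_redirect_aliases() {
    tpl=$1
    [ -f "$tpl" ] || { echo "no such template: $tpl" >&2; return 1; }
    body='[[:space:]]*ScriptAliasMatch[[:space:]].*/usr/local/cpanel/cgi-sys/[a-z]*redirect\.cgi'
    # grep -c prints 0 but exits 1 when nothing matches, hence "|| true".
    count=$(grep -c -E "^$body" "$tpl" || true)
    if [ "$count" -gt 0 ]; then
        cp -p "$tpl" "$tpl.bak" || return 1
        sed -E "s|^($body)|#\1|" "$tpl.bak" > "$tpl" || return 1
    fi
    echo "$count"
}

# Demo on a scratch copy so nothing on the host is touched.
demo_dir=$(mktemp -d)
make_sample_template "$demo_dir/ea4_main.local"
echo "commented: $(disable_redirect_aliases "$demo_dir/ea4_main.local")"
grep -n 'redirect\.cgi' "$demo_dir/ea4_main.local"
rm -rf "$demo_dir"
```

After running it against the real ea4_main.local, the rebuild and restart commands from the post still have to be run for Apache to pick up the change.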
If you're using Cloudflare, you can do it using their page rules.
For example: domain.tld/cpanel -> domain.tld.
Though if you're on the free plan, you won't have enough rules if you'd like to redirect all cPanel-related URLs (/cpanel, /whm, /webmail, :2083, :2087, :2096, ...)
How much of a "hacking" risk does leaving those available pose?
A friend got warned about these for their website, and asked me if it could be blocked somehow.
I suppose a good, strong password, with any decent provider (that blocks 1000 tries per minute) should suffice. Am I wrong?
BikeGremlin I/O
Mostly WordPress ™
Not much risk I think and yes you're right, that should be enough.
You could also enable 2FA.
When I attempted to do this, I was concerned about L4 DDoS attacks to the cPanel server, so I wanted to try and make it a bit harder to get the server IP.
I gave up when I found out that there are many URLs and ports to try to redirect/hide.
From what I could tell, when using Cloudflare, you can't get the server's IP, even when you are redirected to domain.com/cpanel.
Of course, whm.domain.com, cpanel.domain.com etc. are disabled (aren't resolved through DNS), and mail.domain.com is not on the website's hosting server.
2FA is a huge hassle, and not sure if I'm too naive, but I'm not a big fan of that. I understand it makes unauthorized access exponentially more difficult.
BikeGremlin I/O
Mostly WordPress ™