
PHP Password Encryption


8 replies to this topic

#1
phpforfun

    Speaks fluent binary

  • Members
  • 1,236 posts
Hey guys, so I'm working on a custom PHP script that interfaces with WHM and cPanel. The problem is that it has a configuration file that holds the WHM key, the WHM username (if other than root), and the WHM password.

Here is an EXAMPLE of the file:

<?php
/* IP or FQDN of the server; it's best to use the IP */
$_config['ip'] = "XXX.XXX.XXX.XXX";

/* "root" or the username of the reseller here. If
 * you use a reseller username, you will be
 * restricted to the rights that the reseller
 * has been granted within cPanel/WHM.
 */
$_config['user'] = "root";

/* Password for the user specified above. */
$_config['pass'] = 'XXXXXX'; // root pass

/* Access hash here, for remote control. If you
 * don't know how to get this, just log in to your
 * WHM backend > "Cluster/Remote Access" > "Remote
 * Access Key", and generate a new key if you don't
 * already have one.
 */
$_config['hash'] = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx";

/* This is needed for the remote information, such
 * as the server status, connections, configs, etc.
 * It is in the root directory of the downloaded ZIP
 * file.
 */
$_config['client'] = "http://XXX.XXX.XXX.XXX/~status/client.php";

/* This is where you specify the ports to check. To add
 * more ports, just add array values; to remove some,
 * remove the line that specifies the port/service.
 * Also modify the ports if they are not set to the
 * default values below.
 */
$_config['checkPorts'] = array(
        "HTTPD" => 80,
        "SSH"   => 22,
        "MySQL" => 3306,
        "POP3"  => 110,
        "SMTP"  => 25,
        "FTP"   => 21
);
?>



What I'm looking for here is a safe way to encrypt these passwords and/or the WHM hash, so that if someone hacks into the server that the site is on, they won't be able to see the WHM username/password/key.

Any ideas?
Check out my new forum! http://adminreference.com/

#2
WingedPanther

    A spammer's worst nightmare

  • Moderators
  • 16,831 posts
You can have the hash in your code. Never have the password in your code. Use a strong hash like SHA-512.
Programming is a branch of mathematics.
My CodeCall Blog | My Personal Blog

#3
phpforfun

    Speaks fluent binary

  • Members
  • 1,236 posts
It needs to be decryptable though...

And unfortunately, the password needs to be in it; it's almost like setting up vBulletin, where you need the password to your database in it.

#4
WingedPanther

    A spammer's worst nightmare

  • Moderators
  • 16,831 posts
Don't get rooted, then.

#5
phpforfun

    Speaks fluent binary

  • Members
  • 1,236 posts
Thank you for your intelligent input; I will be sure to apply that to the settings... :thumbdown:

#6
Feral

    Programmer

  • Members
  • 162 posts
One option is using a system like phpShield or any number of other PHP encryption options that encrypt your code in the files, and the server decrypts them using a module written for that purpose.

Another is (much less secure) encrypting the config file, then including it into the needed file by opening it with fopen and running it through your own decryption function. The downside to this is that the decryption function would reside on the same server as the encrypted file.

Unless you are able to store the file in a system directory that cannot be accessed from the outside.

So basically the only viable option is to use a server-based encryption method; any other way will allow someone to access the decryption method, making it pointless.

#7
phpforfun

    Speaks fluent binary

  • Members
  • 1,236 posts

Feral said:

One option is using a system like phpShield or any number of other PHP encryption options that encrypt your code in the files, and the server decrypts them using a module written for that purpose.
That's not encryption, that's obfuscation ;-) And I can't have the customers do that every time they change the password. I thought about it though.

Feral said:

Another is (much less secure) encrypting the config file, then including it into the needed file by opening it with fopen and running it through your own decryption function. The downside to this is that the decryption function would reside on the same server as the encrypted file.
Thought about that too, it is less secure, but it seems like one of the only options...

Feral said:

Unless you are able to store the file in a system directory that cannot be accessed from the outside.
Yeah, I was just gonna have it require you to keep the config files below the public_html folder... but still, what if someone gets in via FTP?

Feral said:

So basically the only viable option is to use a server-based encryption method; any other way will allow someone to access the decryption method, making it pointless.

Yeah, pretty much... HuMmMmMm.....

I was thinking I could have the main website host an API that the clients would connect to, and it would authenticate the password, or at least get the access key..


1) user types pw
2) it grabs the pw, and the servername or IP
3) goes to http://mysite.com/va...IP=ip_of_server => This returns a key
4) The key gained above will assist in decrypting the password they typed

But this means that if my site goes offline, they are screwed, and this is actually a cell phone based website, so it would take forever to do the above method...

Any other ideas?
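As an added example, not code from the thread or from phpforfun's product, the PHP script below illustrates two points the posts above circle around: WingedPanther's hash suggestion in #2 against phpforfun's need in #3 for something decryptable, and Feral's objection in #6 (repeated in #7) that a decryption routine sitting next to the ciphertext on the same server is pointless. It uses PHP's bundled sodium extension (PHP 7.2 or later). The key path /etc/myapp/config.key, the function names and the sample values are assumptions made for the illustration.

```php
<?php
// Added example, not code from the thread. Shows (a) why a one-way hash
// cannot hold the WHM password the script must send, and (b) how to keep a
// reversible secret in config.php without the file alone revealing it.
// Requires PHP 7.2+ with the bundled sodium extension. KEY_PATH and the
// sample values are assumptions made for this illustration.
declare(strict_types=1);

// (a) One-way hash: suitable only for a password you VERIFY, never reuse.
function storeUserPassword(string $plain): string
{
    return password_hash($plain, PASSWORD_DEFAULT); // salted, slow hash
}

function checkUserPassword(string $plain, string $stored): bool
{
    return password_verify($plain, $stored); // yields true/false, never the password
}

// (b) Authenticated encryption for a secret the script must present to WHM.
// The key lives outside the web root and outside config.php, readable only
// by the PHP process user, so a copy of config.php alone is just ciphertext.
const KEY_PATH = '/etc/myapp/config.key'; // assumed location, not under public_html

function createKeyFile(string $path = KEY_PATH): void
{
    $old = umask(0077);                         // create the file as 0600
    $key = sodium_crypto_secretbox_keygen();    // 32 random bytes
    $ok  = file_put_contents($path, $key);
    umask($old);
    if ($ok !== strlen($key)) {
        throw new RuntimeException("could not write key file $path");
    }
}

function loadKey(string $path = KEY_PATH): string
{
    if (!is_file($path)) {
        throw new RuntimeException("key file missing: $path");
    }
    // Refuse a key other local accounts can read; that would make the
    // encryption pointless, which is Feral's objection in post #6.
    if ((fileperms($path) & 0077) !== 0) {
        throw new RuntimeException("$path is group/world readable; chmod 600 it");
    }
    $key = file_get_contents($path);
    if ($key === false || strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
        throw new RuntimeException('key file must hold exactly 32 raw bytes');
    }
    return $key;
}

function encryptSecret(string $plain, string $key): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES); // fresh per call
    $box   = sodium_crypto_secretbox($plain, $nonce, $key);    // ciphertext + MAC
    return base64_encode($nonce . $box); // printable, fits in a PHP string literal
}

function decryptSecret(string $encoded, string $key): string
{
    $raw = base64_decode($encoded, true);
    $min = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === false || strlen($raw) < $min) {
        throw new RuntimeException('malformed ciphertext in config');
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open($box, $nonce, $key);
    if ($plain === false) {
        // Wrong key or an edited config file: fail closed rather than
        // sending garbage credentials to WHM.
        throw new RuntimeException('decryption failed: wrong key or tampered data');
    }
    return $plain;
}

// Round trip with constructed values, using a temporary key file so the
// script runs as-is. In a real deployment config.php would contain e.g.
//   $_config['pass'] = 'BASE64...';   // output of encryptSecret()
// and the loader would call decryptSecret($_config['pass'], loadKey()).
$tmpKey = sys_get_temp_dir() . '/example-config.key';
createKeyFile($tmpKey);
$key    = loadKey($tmpKey);
$stored = encryptSecret('XXXXXX', $key);          // what goes into config.php
if (decryptSecret($stored, $key) !== 'XXXXXX') {  // what the script uses at runtime
    throw new RuntimeException('round trip failed');
}
$hash = storeUserPassword('XXXXXX');
if (!checkUserPassword('XXXXXX', $hash) || checkUserPassword('wrong', $hash)) {
    throw new RuntimeException('hash check failed');
}
unlink($tmpKey);
echo "ok\n";
```

The design choice is that config.php holds only ciphertext while the key sits in a mode 0600 file outside the web root, so the FTP scenario raised in #7 (someone copying the site files) yields nothing usable on its own. It does not protect against an attacker who already runs code as the PHP user or as root, because that account can read the key file as well; that is the limit Feral describes, and it is why the permission check in loadKey refuses a key that other local accounts could read.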

#8
Feral

    Programmer

  • Members
  • 162 posts
I would have to say that if they got access to your FTP, then what else do they already have access to? If they were able to guess or brute-force your FTP password, then chances are your other passwords are not any more secure.

I'm sure you're aware of the point that there is no absolute security in anything; if they can get in one way, they will find a way in another way too.

As they say in development, if you worry about every what-if, you will end up with a program that is impossible to use and that will never see the light of day, because there will always be one more what-if. ;)

#9
phpforfun

    Speaks fluent binary

  • Members
  • 1,236 posts
Yeah, I understand that, but basically I have like 50 people wanting to buy this product, until they heard that the password is in plain text in a PHP file... so I'm trying to find a way to do something about it.