lyfsy

Encryption at Rest for WHMCS

Jan 22nd, 2020
  1. Encryption at Rest for WHMCS
  2. Has anyone successfully been able to configure encryption at rest for their WHMCS installations? With the growing number of data breaches, and WHMCS's knack for storing things in plain text, we are considering adding additional security to our systems but are afraid that E@R will break WHMCS. Has anyone successfully implemented this and if so, how has your success been with it? Any issues with WHMCS not playing well?
  16. TIA!
  17. Agent Black Hosting LLC
  18. Check us out on Facebook!
  19. Proudly hosting clients since 2007
  20. What are you trying to Encrypt?
  21. - Passwords.
  22. - Personal Information.
  23. - Protocol (HTTP)
  24.  
  25. It would be difficult to add encryption/decryption at the software level, as we don't have access to the WHMCS software; the source code is obfuscated.
  26. The rest is security hardening, which you can perform at the server level (database, web).
  27. Ahmed Kamil, SonicACE Solutions
  28. Premium Windows Hosting - Affordable Vmware Cloud Servers - SaaS Reseller Hosting Solutions
  29. MS Exchange, Lync, Sharepoint
  30. This would be best as a first-party feature, as they would be able to ensure everything is properly encrypted and decrypted, since data would need to be rapidly encrypted and decrypted to allow the app to function (e.g. create invoices, allow signups, allow customers to update info, search customer invoices, services, etc.). To ensure the key is not readable by just looking at files or memory, a TPM and potentially an HSM should be used to help ensure secure storage, loading and unloading of crypto keys.
  31. You really need to know what you're wishing to encrypt and, in addition to this, know the caveats of the encryption. As an example, if you are wanting to encrypt all user information at the database level, then you're no longer going to have the same search capability in MySQL.
  32.  
  40. If you really need this encrypted, then we're going to be talking about changing the requirements, as well as maybe using CryptDB in order to still be able to perform SQL queries against the data. WHMCS already encrypts the most important information (passwords, credit cards, API keys, etc.), and beyond that you are going to severely limit the usability if you go further. You can of course do encryption at the file system level, but that is about protecting cases where the drives are taken, not about the underlying applications.
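
The search limitation described in the post above, shown as an added MySQL example that is not part of the original thread and not WHMCS code. The table `demo_clients`, the session variable `@k` and the sample rows are constructed for illustration, and the server is assumed to run with the default `block_encryption_mode` (`aes-128-ecb`).

```sql
-- Hypothetical demo table: the same e-mail stored once in the clear and once
-- encrypted column-by-column. This is not the WHMCS schema.
CREATE TABLE demo_clients (
  id          INT AUTO_INCREMENT PRIMARY KEY,
  email_plain VARCHAR(255),
  email_enc   VARBINARY(272),
  INDEX idx_plain (email_plain),
  INDEX idx_enc   (email_enc)
);

-- Constructed demo key. In a real deployment the key would be held by the
-- application and never stored next to the data.
SET @k = UNHEX(SHA2('constructed demo passphrase', 256));

INSERT INTO demo_clients (email_plain, email_enc) VALUES
  ('alice@example.test', AES_ENCRYPT('alice@example.test', @k)),
  ('alina@example.test', AES_ENCRYPT('alina@example.test', @k)),
  ('bob@example.test',   AES_ENCRYPT('bob@example.test',   @k));

-- 1. Plaintext column: prefix search works and can use idx_plain.
SELECT id FROM demo_clients WHERE email_plain LIKE 'ali%';

-- 2. Encrypted column: the stored bytes are ciphertext, so the same pattern
--    no longer finds alice or alina.
SELECT id FROM demo_clients WHERE email_enc LIKE 'ali%';

-- 3. Decrypting inside the query brings the search back, but every row is
--    decrypted (idx_enc cannot help) and the key is handed to the database
--    server in the statement itself.
SELECT id FROM demo_clients
WHERE CAST(AES_DECRYPT(email_enc, @k) AS CHAR) LIKE 'ali%';

-- 4. Exact match still works without decrypting rows, but only because the
--    default mode is deterministic: equal plaintexts give equal ciphertexts,
--    which also shows anyone reading the table which rows share a value.
SELECT id FROM demo_clients
WHERE email_enc = AES_ENCRYPT('alice@example.test', @k);

-- Compare the plans: query 1 can range-scan idx_plain, query 3 reads all rows.
EXPLAIN SELECT id FROM demo_clients WHERE email_plain LIKE 'ali%';
EXPLAIN SELECT id FROM demo_clients
WHERE CAST(AES_DECRYPT(email_enc, @k) AS CHAR) LIKE 'ali%';
```

Sorting and range comparisons on `email_enc` fail for the same reason as query 2: they operate on ciphertext bytes, not on the original values.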
  41. You are in over your head.
  42.  
  43. Encrypting your database won't help if your end points are vulnerable. Seeing WHMCS is a simple 1-1 direct connection to the database, I'm not sure at which point you can insert encryption and make it be secure.
  44.  
  45. The hacker can simply run the API and voila... everything there!
  46.  
  47. GetClients
  51. VimHost >> 30 Days Backup | cPanel + LiteSpeed + JetBackup | DMCA FREE!
  52. RTMP/HLS - VPS - Dedicated | Providing Customer First Web Hosting since 2003 ~ Premium Hosting in Toronto, Canada ~ 151 Front Street
  53. Off the wall suggestion...
  54.  
  55. But maybe, don't use a public facing billing system?
  56.  
  57. Set up a Linux box in your office and run a billing system off of it. Firewall off your internal network from the WAN side of your connection.
  58.  
  59. Sure, you can't access the billing system from outside of your office. And you probably won't be able to use WHMCS in such a set up. But if security is paramount, wouldn't this be the better solution?
  60. I believe there was one hosting company here before that created their own forms and stuff for the frontend and used the WHMCS API in getting the data.
  61.  
  62. That will probably be easier than encrypting the WHMCS database.
  63.  
  72. VimHost >> 30 Days Backup | cPanel + LiteSpeed + JetBackup | DMCA FREE!
  73. RTMP/HLS - VPS - Dedicated | Providing Customer First Web Hosting since 2003 ~ Premium Hosting in Toronto, Canada ~ 151 Front Street
  74. Thanks all for the thoughts and comments. Mainly what we were considering is fully encrypting the database information. While the end points are as secure as we can make them without yanking the network cable, we were hoping to add an additional layer of protection to the data. You all have given us much to consider, thank you.
  75. Agent Black Hosting LLC
  76. Check us out on Facebook!
  77. Proudly hosting clients since 2007
  78. Well, the issue is going to be, even if you encrypt the database as it is stored... WHMCS is going to have to be able to decrypt it. Which means the key to do such will have to exist within the WHMCS installation somewhere. So if someone hacks into your WHMCS installation... regardless of how the database is encrypted... the key will be there in the WHMCS installation, so they would be able to decrypt the database.
  79. If WHMCS isn't decrypting the information in the database, then users are just going to get gobbledygook when they look at the data retrieved from the database.