⚠️ Critical Security Warning: EHCP (Easy Hosting Control Panel) is a legacy panel with known unpatched vulnerabilities. Recent CVEs discovered in 2025 include SQL injection (CVE-2025-50926, CVE-2025-50928) and XSS vulnerabilities (CVE-2025-50859) affecting version 20.04.1.b. Migration to an actively maintained alternative is strongly recommended.
If you must run EHCP, implement comprehensive isolation and hardening measures immediately.
| CVE | Type | Severity | Affected Version |
|---|---|---|---|
| CVE-2025-50926 | SQL Injection | Critical | 20.04.1.b |
| CVE-2025-50928 | SQL Injection | Critical | 20.04.1.b |
| CVE-2025-50859 | Reflected XSS | High | 20.04.1.b |

| CVE | Type | Severity | Description |
|---|---|---|---|
| CVE-2018-13125 | SQL Injection | Critical | Via X-Forwarded-For header in classapp.php |
| CVE-2018-13124 | Reflected XSS | High | Via op parameter in run function |
Impact: Successful exploitation can allow remote attackers to take over the web server without authentication.
Never expose EHCP directly to the internet. Restrict the panel port at the network layer; the examples below allow only the 10.0.0.0/24 management network to reach it.

Option 1: Firewall restrictions (iptables)

```bash
# Allow only from management network
sudo iptables -A INPUT -p tcp --dport 80 -s 10.0.0.0/24 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 443 -s 10.0.0.0/24 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 8080 -s 10.0.0.0/24 -j ACCEPT   # EHCP panel
sudo iptables -A INPUT -p tcp --dport 8080 -j DROP
# Persist the rules (needs the iptables-persistent package). The redirect has to run
# as root; "sudo iptables-save > file" opens the file as the unprivileged user and fails.
sudo sh -c 'iptables-save > /etc/iptables/rules.v4'
```

Option 2: Firewall restrictions (firewalld)

```bash
sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="10.0.0.0/24" port port="8080" protocol="tcp" accept'
sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" port port="8080" protocol="tcp" reject'
sudo firewall-cmd --reload
```

Option 3: Firewall restrictions (UFW)

```bash
# UFW evaluates rules in order, so the allow for the management network must come first
sudo ufw allow from 10.0.0.0/24 to any port 8080 proto tcp
sudo ufw deny 8080/tcp
sudo ufw enable
```
Front EHCP with Nginx + Basic Auth (for example /etc/nginx/conf.d/ehcp.conf, which Nginx includes inside the http context):

```nginx
# limit_req_zone is only valid in the http context, so it sits outside server {}.
limit_req_zone $binary_remote_addr zone=ehcp:10m rate=5r/s;

server {
    listen 443 ssl;
    server_name ehcp.example.com;

    ssl_certificate /etc/letsencrypt/live/ehcp.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/ehcp.example.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;

    # Basic authentication in front of the panel's own login
    auth_basic "EHCP Admin Access";
    auth_basic_user_file /etc/nginx/.ehcp_htpasswd;

    # Rate limiting (zone defined above)
    limit_req zone=ehcp burst=10 nodelay;

    # Security headers
    add_header X-Frame-Options "DENY" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-XSS-Protection "1; mode=block" always;
    # A strict CSP may break a legacy panel that relies on inline scripts;
    # check the browser console against the panel before relying on it.
    add_header Content-Security-Policy "default-src 'self'" always;

    location / {
        proxy_pass http://localhost:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        # An empty value makes Nginx drop the header entirely, so the backend never
        # sees a client-controlled X-Forwarded-For (the CVE-2018-13125 injection vector).
        # Side effect: the backend logs 127.0.0.1 as the client; use the Nginx access
        # log for per-IP analysis.
        proxy_set_header X-Forwarded-For "";
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Create htpasswd file:

```bash
sudo apt install apache2-utils   # Debian/Ubuntu
# -c creates the file; -B stores the password with bcrypt instead of the weak default hash
sudo htpasswd -c -B /etc/nginx/.ehcp_htpasswd admin
```
EHCP session configuration (/home/ehcp/ehcp_admin/config.php or similar; these calls must run before session_start()):

```php
<?php
// Session timeout (30 minutes)
ini_set('session.gc_maxlifetime', 1800);
ini_set('session.cookie_lifetime', 1800);
// Secure cookies: HTTPS only, not readable by JavaScript, no session IDs in URLs
ini_set('session.cookie_secure', 1);
ini_set('session.cookie_httponly', 1);
ini_set('session.use_only_cookies', 1);
// Session fixation protection: reject session IDs the server did not issue
ini_set('session.use_strict_mode', 1);
// CSRF mitigation: the session cookie is not sent on cross-site requests
ini_set('session.cookie_samesite', 'Strict');
?>
```
Generate SSL certificate:

```bash
# Let's Encrypt. --standalone binds port 80 itself, so stop the web server during
# issuance (or use the webroot/nginx plugin instead)
sudo apt install certbot
sudo certbot certonly --standalone -d ehcp.example.com
# Link to EHCP (if supported) or terminate TLS at the reverse proxy.
# These copies go stale on renewal; repeat them from a certbot --deploy-hook.
sudo cp /etc/letsencrypt/live/ehcp.example.com/fullchain.pem /etc/ehcp/ssl.crt
sudo cp /etc/letsencrypt/live/ehcp.example.com/privkey.pem /etc/ehcp/ssl.key
sudo chmod 600 /etc/ehcp/ssl.key
```
Isolate EHCP server in restricted network:

```bash
# Example: Private VLAN configuration
# EHCP server should only be accessible from:
# - Management jump host
# - Load balancer (if applicable)
# - Backup server (private network only)

# Block all outbound except essential. Add NTP (udp/123), SMTP etc. only if the host needs them.
sudo iptables -A OUTPUT -o lo -j ACCEPT
sudo iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A OUTPUT -p udp --dport 53 -j ACCEPT   # DNS (mostly UDP; tcp alone breaks resolution)
sudo iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT   # DNS over TCP (large responses)
sudo iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT   # HTTP (updates)
sudo iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT  # HTTPS (updates)
sudo iptables -A OUTPUT -j DROP
```
Deploy ModSecurity with custom rules to block known EHCP exploit patterns:

```bash
# Install ModSecurity for Apache (EHCP's web server)
sudo apt install libapache2-mod-security2   # Debian/Ubuntu
sudo a2enmod security2
# The shipped configuration only detects; switch to blocking once the rules below
# have been tested against real panel traffic
sudo cp /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf
sudo sed -i 's/^SecRuleEngine DetectionOnly/SecRuleEngine On/' /etc/modsecurity/modsecurity.conf
sudo systemctl restart apache2
```

Custom EHCP protection rules (/etc/modsecurity/rules/ehcp.conf). The default include covers /etc/modsecurity/*.conf only, so add `IncludeOptional /etc/modsecurity/rules/*.conf` to /etc/apache2/mods-enabled/security2.conf:

```apache
# Block SQL injection in X-Forwarded-For header (CVE-2018-13125 vector).
# The reverse proxy already strips this header; this is defence in depth.
SecRule REQUEST_HEADERS:X-Forwarded-For "@rx (?i)(union|select|insert|update|delete|drop|truncate|exec)" \
    "id:1001,\
    phase:1,\
    block,\
    capture,\
    t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,\
    msg:'EHCP SQL Injection Attempt in X-Forwarded-For',\
    log"

# Block XSS in op parameter (CVE-2018-13124 vector)
SecRule ARGS:op "@rx (?i)(<script|javascript:|onerror=|onload=)" \
    "id:1002,\
    phase:2,\
    block,\
    capture,\
    t:none,t:urlDecodeUni,t:htmlEntityDecode,\
    msg:'EHCP XSS Attempt in op Parameter',\
    log"

# Block direct requests to admin/class files. This matches any URI containing these
# strings, including legitimate panel URLs if the panel is served under /ehcp_admin/,
# so run with SecRuleEngine DetectionOnly first and review the audit log for false positives.
SecRule REQUEST_URI "@rx (?i)(ehcp_admin|classapp\.php)" \
    "id:1003,\
    phase:1,\
    block,\
    capture,\
    t:none,\
    msg:'Direct EHCP Admin Access Attempt',\
    log"
```
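The three rules can be checked before the WAF is switched from DetectionOnly to blocking. The following is an added example, not code from the page, from ModSecurity or from EHCP: it re-implements the same three patterns in Python, including the percent- and entity-decoding that the `t:urlDecodeUni,t:htmlEntityDecode` transformations perform, and runs them over constructed sample requests (TEST-NET addresses; the request shapes are assumed, not captured traffic).

```python
"""Offline check of the page's ModSecurity rules 1001-1003 (added example)."""
import html
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Same patterns as rules 1001-1003, as Python regexes. (?i) covers t:lowercase.
SQLI_KEYWORDS = re.compile(r"(?i)(union|select|insert|update|delete|drop|truncate|exec)")
XSS_MARKERS = re.compile(r"(?i)(<script|javascript:|onerror=|onload=)")
ADMIN_PATHS = re.compile(r"(?i)(ehcp_admin|classapp\.php)")


def normalize(value: str) -> str:
    """Approximate t:urlDecodeUni,t:htmlEntityDecode: undo percent-encoding
    (bounded, so doubly-encoded input is also caught), then HTML entities."""
    for _ in range(3):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return html.unescape(value)


def inspect_request(method: str, target: str, headers: dict) -> list:
    """Return [(rule_id, message), ...] for one request, empty if clean.
    `target` is the request path plus query string as the server sees it."""
    hits = []
    hdrs = {k.lower(): v for k, v in headers.items()}

    # Rule 1001: SQL keywords in X-Forwarded-For (phase 1, headers only)
    xff = hdrs.get("x-forwarded-for", "")
    if xff and SQLI_KEYWORDS.search(normalize(xff)):
        hits.append((1001, "EHCP SQL Injection Attempt in X-Forwarded-For"))

    # Rule 1002: script markers in the `op` query argument (phase 2, ARGS)
    query = urlsplit(target).query
    for op in parse_qs(query, keep_blank_values=True).get("op", []):
        if XSS_MARKERS.search(normalize(op)):
            hits.append((1002, "EHCP XSS Attempt in op Parameter"))
            break

    # Rule 1003: admin/class path anywhere in the URI (also hits legitimate panel URLs)
    if ADMIN_PATHS.search(normalize(target)):
        hits.append((1003, "Direct EHCP Admin Access Attempt"))
    return hits


# Constructed sample traffic (TEST-NET-1 address); not captured requests.
SAMPLE_REQUESTS = [
    ("GET", "/index.php?op=listdomains", {"Host": "ehcp.example.com"}),          # benign
    ("GET", "/index.php", {"X-Forwarded-For": "192.0.2.10 union select 1"}),      # rule 1001
    ("GET", "/index.php?op=%3Cscript%3Ealert(1)%3C%2Fscript%3E", {}),            # rule 1002
    ("GET", "/ehcp_admin/classapp.php", {}),                                     # rule 1003
]


def scan(requests=SAMPLE_REQUESTS) -> list:
    """Rule ids triggered per request, in order: what the audit log would show."""
    return [[rule_id for rule_id, _ in inspect_request(*req)] for req in requests]


if __name__ == "__main__":
    for req, ids in zip(SAMPLE_REQUESTS, scan()):
        print(req[1], "->", ids or "clean")
```

The `normalize` loop is bounded on purpose: decoding until the value stops changing catches `%253C` (double-encoded `<`) without looping forever on pathological input. Feed the same requests through the real WAF in DetectionOnly mode and compare the audit log to this script's output before enabling blocking.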
Secure EHCP installation:

```bash
# EHCP typically installs to /home/ehcp
sudo chown -R root:root /home/ehcp
sudo chmod -R 750 /home/ehcp
# Config files should be more restrictive. Caveat: if the panel's PHP runs as the
# web server user (www-data), root:root with 600/750 makes its own code unreadable;
# use root:www-data with 640/750 in that case so the web process can read but not write.
sudo chmod 600 /home/ehcp/ehcp_admin/config.php
sudo chmod 600 /home/ehcp/ehcp_admin/*.php
# Web root
sudo chown -R www-data:www-data /home/ehcp/public_html
sudo chmod -R 755 /home/ehcp/public_html
# Strip execute bits in upload directories. This alone does not stop PHP from
# interpreting uploaded .php files; the Apache directives that follow do that.
sudo find /home/ehcp/public_html/uploads -type f -exec chmod 644 {} \;
sudo find /home/ehcp/public_html/uploads -type d -exec chmod 755 {} \;
```
Disable PHP execution in sensitive directories:

```apache
# /etc/apache2/conf-available/ehcp-hardening.conf
# Enable with: sudo a2enconf ehcp-hardening && sudo systemctl reload apache2
<Directory "/home/ehcp/public_html/uploads">
    # php_flag exists only with mod_php; with PHP-FPM, Apache rejects it at startup,
    # so rely on the handler removal and the deny block instead
    php_flag engine off
    RemoveHandler .php .php3 .php4 .php5 .phtml
    <FilesMatch "\.(php|php3|php4|php5|phtml)$">
        # Apache 2.4 syntax; "Deny from all" is the 2.2 form and needs mod_access_compat
        Require all denied
    </FilesMatch>
</Directory>

<Directory "/home/ehcp/public_html/temp">
    php_flag engine off
</Directory>
```
EHCP uses MySQL/MariaDB. Secure it:

```bash
# Run secure installation
sudo mysql_secure_installation
# Key settings:
# - Set root password
# - Remove anonymous users
# - Disallow root login remotely
# - Remove test database
```
Configure /etc/mysql/mariadb.conf.d/50-server.cnf:

```ini
[mysqld]
# Network security. skip-networking disables TCP entirely (bind-address is then moot);
# every client, EHCP included, must connect over the Unix socket, which means the
# panel's database host must be "localhost", not "127.0.0.1".
bind-address = 127.0.0.1
skip-networking = 1
# Disable LOAD DATA LOCAL INFILE (client-side file reads)
local-infile = 0
# Confine LOAD DATA INFILE / SELECT ... INTO OUTFILE to one directory
secure_file_priv = /var/lib/mysql-files
# Logging
log_error = /var/log/mysql/error.log
slow_query_log = 1
slow_query_log_file = /var/log/mysql/slow.log
long_query_time = 2
# EHCP-specific: restrict database user privileges by creating a dedicated
# user with minimal privileges (SQL below)
```
Create restricted EHCP database user. Log in as root first (`mysql -u root -p`), then:

```sql
-- Create dedicated user with minimal privileges
CREATE USER 'ehcp'@'localhost' IDENTIFIED BY 'strong-password-here';
GRANT SELECT, INSERT, UPDATE, DELETE ON ehcp_db.* TO 'ehcp'@'localhost';
FLUSH PRIVILEGES;
-- Do NOT grant: FILE, PROCESS, SUPER, RELOAD, SHUTDOWN
```

If the panel is used to provision customer databases and database users, this grant set is not enough for that feature. Add only the specific privileges the feature needs and test, rather than falling back to ALL PRIVILEGES.
Edit /etc/php/*/apache2/php.ini or /etc/php/*/fpm/php.ini:

```ini
[Security]
expose_php = Off
allow_url_fopen = Off
allow_url_include = Off
; Functions that give PHP code a shell or raw process access. Do not add fopen or
; readfile here: disabling them breaks ordinary PHP applications, EHCP included.
; Test the panel after applying and trim the list if a feature stops working.
disable_functions = exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source,leak
display_errors = Off
log_errors = On
error_reporting = E_ALL
html_errors = Off

[Resource Limits]
max_execution_time = 30
max_input_time = 60
memory_limit = 128M
post_max_size = 20M
upload_max_filesize = 20M
max_file_uploads = 5

[Session]
session.cookie_httponly = 1
session.cookie_secure = 1
session.use_only_cookies = 1
session.cookie_samesite = Strict
session.use_strict_mode = 1
session.gc_maxlifetime = 1800

[Open Basedir]
; Confine file access to the panel tree and temp dirs; add the session save path if it lives elsewhere
open_basedir = /home/ehcp:/tmp:/var/tmp
```
EHCP installs many services. Disable what you don’t need:
```bash
# Check running services
systemctl list-units --type=service --state=running
# Disable unnecessary services (examples); --now stops and disables in one step
sudo systemctl disable --now bind9      # DNS if not used
sudo systemctl disable --now postfix    # Mail if not used
sudo systemctl disable --now dovecot    # IMAP if not used
sudo systemctl disable --now pure-ftpd  # FTP if not used
```
⚠️ Note: EHCP has irregular update cycles. Check for updates manually:
```bash
# Check current version
cat /home/ehcp/version.txt   # or similar location
# Check for updates via official channels
# EHCP website: https://www.ehcp.net/
# Manual update (if available). Back up /home/ehcp and the database first, and verify
# the archive against a checksum or signature published by the project before unpacking:
# an unauthenticated download over plain HTTP can be altered in transit.
cd /home/ehcp
sudo wget http://www.ehcp.net/ehcp_latest.zip
sudo unzip -o ehcp_latest.zip
# unzip may reset ownership; re-apply the hardening from the file permissions step
sudo chown -R root:root /home/ehcp
```

Better approach: plan migration to a maintained alternative.
EHCP log locations:

| Log File | Purpose |
|---|---|
| /home/ehcp/ehcp_admin/log/ | Panel operation logs |
| /var/log/apache2/ehcp* | Web server logs |
| /var/log/mysql/error.log | Database errors |
| /var/log/syslog | System messages |
View recent activity:

```bash
# EHCP logs
tail -f /home/ehcp/ehcp_admin/log/*.log
# Filter for login events
grep -i -e "login" -e "auth" /home/ehcp/ehcp_admin/log/*.log
# Apache access logs
tail -f /var/log/apache2/ehcp_access.log
# Failed requests: test the status field (9th field in the combined log format) rather
# than any "403"/"401"/"500" substring, which would also match byte counts and addresses
awk '$9 ~ /^(401|403|500)$/' /var/log/apache2/ehcp_access.log | tail -50
```
Set up alerts for:
Configure log monitoring (logwatch logfile group):

```ini
# /etc/logwatch/conf/logfiles/ehcp.conf
LogFile = /home/ehcp/ehcp_admin/log/*.log
LogFile = /var/log/apache2/ehcp*
```
Install AIDE or OSSEC to detect file changes:

```bash
# Install AIDE
sudo apt install aide   # Debian/Ubuntu
sudo dnf install aide   # RHEL/Fedora
# Initialize database. aideinit is the Debian/Ubuntu wrapper; it writes aide.db.new,
# which must be moved into place before the first check. On RHEL/Fedora use `aide --init`.
sudo aideinit
sudo cp /var/lib/aide/aide.db.new /var/lib/aide/aide.db
```

Configure EHCP paths in /etc/aide/aide.conf:

```
/home/ehcp/ p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha512
/var/www/ehcp/ p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha512
```

Schedule daily checks (root crontab, `sudo crontab -e`):

```
0 5 * * * /usr/bin/aide --check
```
Deploy fail2ban for EHCP:

```bash
sudo apt install fail2ban
```

Jail (/etc/fail2ban/jail.local):

```ini
[ehcp]
enabled = true
port = http,https,8080
filter = ehcp
logpath = /home/ehcp/ehcp_admin/log/*.log
maxretry = 3
bantime = 3600
findtime = 300
```

Create filter (/etc/fail2ban/filter.d/ehcp.conf). Continuation lines of a multi-line value must be indented, and `<HOST>` is fail2ban's placeholder for the client address:

```ini
[Definition]
failregex = ^.*Failed login.*<HOST>.*$
            ^.*Authentication failed.*<HOST>.*$
            ^.*Invalid.*<HOST>.*$
ignoreregex =
```

Two things to verify before enabling the jail. First, the patterns assume specific wording in EHCP's log; test them against a real file with `fail2ban-regex <logfile> /etc/fail2ban/filter.d/ehcp.conf`, and tighten the third pattern, since `Invalid` on its own matches far more than login failures. Second, if the panel sits behind the reverse proxy with X-Forwarded-For stripped, its logs record 127.0.0.1 as the client and every match would point at the proxy; fail2ban's default `ignoreself` then keeps it from banning its own address, so the jail would never ban anyone. In that setup point `logpath` at the Nginx access log instead.
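To see what the jail above will and will not ban, here is an added example (not fail2ban or EHCP code) that applies the same three `failregex` patterns and the same `maxretry`/`findtime` window to constructed log lines. The log format, `YYYY-MM-DD HH:MM:SS message ... from <ip>`, is assumed for the sake of the example; EHCP's actual wording must be checked with `fail2ban-regex` as described above.

```python
"""Offline dry run of the page's fail2ban jail and filter (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# fail2ban expands <HOST> itself; an IPv4 pattern with boundaries stands in here.
# The boundaries matter: with a greedy ".*" in front of it, an unbounded pattern
# would capture "3.0.113.5" out of "203.0.113.5".
HOST = r"(?<![\d.])(?P<host>\d{1,3}(?:\.\d{1,3}){3})(?![\d.])"
PAGE_FAILREGEX = (
    r"^.*Failed login.*<HOST>.*$",
    r"^.*Authentication failed.*<HOST>.*$",
    r"^.*Invalid.*<HOST>.*$",
)
FAILREGEX = [re.compile(p.replace("<HOST>", HOST)) for p in PAGE_FAILREGEX]
MAXRETRY = 3                      # jail.local: maxretry = 3
FINDTIME = timedelta(seconds=300)  # jail.local: findtime = 300
TIMESTAMP = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) ")


def parse_failure(line: str):
    """Return (timestamp, client_ip) if the line matches a failregex, else None."""
    m = TIMESTAMP.match(line)
    if not m:
        return None
    when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    for rx in FAILREGEX:
        hit = rx.match(line)
        if hit:
            return when, hit.group("host")
    return None


def ips_to_ban(lines, maxretry=MAXRETRY, findtime=FINDTIME) -> list:
    """Sliding window per IP, as fail2ban does: ban once maxretry failures
    fall within findtime. Returns IPs in the order they would be banned."""
    recent = defaultdict(list)
    banned = []
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue
        when, host = parsed
        recent[host] = [t for t in recent[host] if when - t <= findtime] + [when]
        if len(recent[host]) >= maxretry and host not in banned:
            banned.append(host)
    return banned


# Constructed log lines (TEST-NET addresses). 203.0.113.5 fails three times inside
# two minutes; 198.51.100.9 fails three times but 15-20 minutes apart.
SAMPLE_LOG = """\
2025-01-15 10:00:01 Failed login for user admin from 203.0.113.5
2025-01-15 10:00:30 Failed login for user admin from 203.0.113.5
2025-01-15 10:01:10 Login successful for user ops from 10.0.0.7
2025-01-15 10:02:00 Authentication failed for user root from 203.0.113.5
2025-01-15 10:05:00 Invalid username 'test' from 198.51.100.9
2025-01-15 10:20:00 Invalid username 'test' from 198.51.100.9
2025-01-15 10:40:00 Invalid username 'test' from 198.51.100.9
""".splitlines()


if __name__ == "__main__":
    print("would ban:", ips_to_ban(SAMPLE_LOG))
```

The second address never reaches the threshold because each failure has aged out of the 300-second window by the time the next arrives, which is exactly the slow-and-low behaviour `findtime` does not catch; lengthen `findtime` if that matters for the panel.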
| Control | Status | Notes |
|---|---|---|
| Panel isolated from internet | ☐ | Behind reverse proxy/firewall |
| WAF rules deployed | ☐ | ModSecurity with EHCP rules |
| X-Forwarded-For header stripped | ☐ | Prevents SQL injection |
| Database user restricted | ☐ | Minimal privileges only |
| PHP hardening applied | ☐ | Disable dangerous functions |
| File permissions secured | ☐ | Config files 600, directories 750 |
| Unnecessary services disabled | ☐ | DNS, mail, FTP if not used |
| File integrity monitoring | ☐ | AIDE or OSSEC |
| Centralized logging | ☐ | Forward to SIEM |
| Migration plan documented | ☐ | To maintained alternative |
If you suspect a security breach:
Isolate the server immediately. These commands cut every connection, including your own SSH session, so run them from the console or out-of-band management; if you must stay remote, add ACCEPT rules for the jump host's address straight after the policy change.

```bash
# Block all external access
sudo iptables -F
sudo iptables -P INPUT DROP
sudo iptables -P OUTPUT DROP
sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A OUTPUT -o lo -j ACCEPT
```
Preserve evidence (run as root; the copies land in /root):

```bash
# -a preserves ownership and timestamps, which matter for the timeline
cp -a /home/ehcp/ehcp_admin/log /root/ehcp-logs-$(date +%Y%m%d-%H%M%S)
cp -a /var/log/apache2 /root/apache-logs-$(date +%Y%m%d-%H%M%S)
mysqldump -u root -p ehcp_db > /root/ehcp-db-$(date +%Y%m%d-%H%M%S).sql
```
Check for unauthorized changes

```bash
# Compare with AIDE database
sudo aide --check
# Look for recently modified files
sudo find /home/ehcp -type f -mtime -7 -ls
# Check for new or privileged accounts: interactive shells, and any UID 0 besides root
grep -v -e nologin -e false /etc/passwd
awk -F: '$3 == 0 && $1 != "root"' /etc/passwd
```
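The AIDE workflow in the monitoring section and the post-incident check above are the same loop: baseline, rescan, diff. As an added example that is not AIDE or EHCP code, this Python script implements a minimal version of that loop over a constructed directory tree (the file names mirror the page's /home/ehcp layout but everything is created in a temporary directory), so the three kinds of finding, added, removed and changed, are visible end to end.

```python
"""Minimal file-integrity baseline and check (added example, not AIDE)."""
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path


def file_record(path: Path) -> dict:
    """Attributes to baseline for one path: permission bits, owner, size and,
    for regular files, a SHA-512 of the content (roughly AIDE's p+u+g+s+sha512)."""
    st = path.lstat()
    rec = {"mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid,
           "gid": st.st_gid, "size": st.st_size}
    if stat.S_ISREG(st.st_mode):
        digest = hashlib.sha512()
        with path.open("rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 16), b""):
                digest.update(chunk)
        rec["sha512"] = digest.hexdigest()
    return rec


def build_baseline(root) -> dict:
    """Map of relative path -> record for every regular file and symlink under root."""
    root = Path(root)
    baseline = {}
    for p in sorted(root.rglob("*")):
        mode = p.lstat().st_mode
        if stat.S_ISREG(mode) or stat.S_ISLNK(mode):
            baseline[p.relative_to(root).as_posix()] = file_record(p)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """The three findings an integrity check reports."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "changed": sorted(p for p in common if baseline[p] != current[p]),
    }


def save_baseline(baseline: dict, dest) -> None:
    """Persist the baseline. Like aide.db, keep it off-host or read-only:
    a baseline an intruder can rewrite detects nothing."""
    Path(dest).write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(src) -> dict:
    return json.loads(Path(src).read_text())


def demo() -> dict:
    """Baseline a constructed panel tree, tamper with it, and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "tree"
        (root / "ehcp_admin").mkdir(parents=True)
        config = root / "ehcp_admin" / "config.php"
        index = root / "index.php"
        config.write_text("<?php $db = 'ehcp_db';\n")
        index.write_text("<?php echo 'ok';\n")
        os.chmod(config, 0o600)
        os.chmod(index, 0o644)

        db = Path(tmp) / "baseline.json"   # outside the monitored tree
        save_baseline(build_baseline(root), db)

        # Tamper: edit the config, loosen a mode, drop in an unexpected file
        config.write_text("<?php $db = 'ehcp_db'; $debug = true;\n")
        os.chmod(index, 0o666)
        (root / "extra.txt").write_text("unexpected\n")

        return compare(load_baseline(db), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Note what the mode-only change to index.php shows: content hashing alone would miss a permission loosened from 644 to 666, which is why the AIDE rule on the page records `p`, `u`, `g` and the ACL/xattr attributes alongside `sha512`.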
Review database for unauthorized access

```sql
SELECT * FROM mysql.user WHERE Host != 'localhost';
SHOW PROCESSLIST;
```
Change all credentials - Admin passwords, database passwords, API keys
Scan for malware

```bash
sudo apt install clamav clamav-daemon
sudo freshclam
sudo clamscan -r /home/ehcp --move=/home/quarantine
```
Consider full rebuild - Given EHCP’s vulnerability history, a clean migration to a modern panel is recommended
Notify affected users - If customer data was exposed
Recommended modern alternatives:
| Panel | License | Active Development | Notes |
|---|---|---|---|
| CyberPanel | GPL v3 | ✅ Yes | OpenLiteSpeed, WordPress-focused |
| HestiaCP | GPL v3 | ✅ Yes | VestaCP fork, actively maintained |
| DirectAdmin | Commercial | ✅ Yes | Mature, commercial support |
| Plesk | Commercial | ✅ Yes | Enterprise features |
Migration planning: