Poll Results: Captcha Code in login page can help stop automated login by hackers

Voters: 23
  • Yes - It is fantastic Idea: 15 (65.22%)
  • No - It will do nothing: 8 (34.78%)

Thread: Add Security Layer with Captcha Code in WHM and cPanel Login page

  1. #1
    Registered User
    Join Date
    Dec 2011
    Posts
    1
    cPanel/WHM Access Level

    Root Administrator

    Add Security Layer with Captcha Code in WHM and cPanel Login page

    I enabled the option "Send notification when brute force user is detected".

    After this I am getting 10-12 emails every day which say "Large Number of Failed Login Attempts from IP xxx.xxx.xxx.xxx".

    We can determine that some people or hackers always try to log in to WHM, cPanel, webmail etc. by automated script,
    so if a Captcha Code is added to the Login Page then we can stop automated login by scripts and hackers easily.

  2. #2
    Member monarobase
    Join Date
    Jan 2010
    Location
    France
    Posts
    493
    cPanel/WHM Access Level

    Root Administrator

    Re: Add Security Layer with Captcha Code in WHM and cPanel Login page

    Even reCAPTCHA has been cracked. A captcha would stop some people and would even stop all of the automatic bots to begin with, but if most hosts activated a captcha then the bots that try to guess passwords would just update their system.

    I'm not against having this as an option but I do not vote for it as we would not use it.

  3. #3
    Technical Product Specialist cPanelDavidG
    Join Date
    Nov 2006
    Location
    Houston, TX
    Posts
    11,307
    cPanel/WHM Access Level

    Root Administrator

    Re: Add Security Layer with Captcha Code in WHM and cPanel Login page

    How is a captcha more effective and more friendly than enabling the existing IP restrictions functionality?

  4. #4
    Registered User
    Join Date
    Sep 2008
    Posts
    1

    Re: Add Security Layer with Captcha Code in WHM and cPanel Login page

    I absolutely vote for this function. In the last 8 hours I have had a script make 36 attempts on my server. Back in November, I had my WHM hacked and 44 out of 80 websites were hacked. Downtime was 40 hours, cost me a lot of money and several clients. Since then security has been beefed up to the maximum.
    One solution would be to block a range of IPs but this can affect genuine traffic that uses dynamic ranges. To use a captcha would prevent almost all scripts. It won't prevent a seasoned hacker that wants to get in, nothing does.

    All I can say is, I don't want to experience another episode of what happened to me before. Trust me, it's very stressful.

  5. #5
    Technical Product Specialist cPanelDavidG
    Join Date
    Nov 2006
    Location
    Houston, TX
    Posts
    11,307
    cPanel/WHM Access Level

    Root Administrator

    Re: Add Security Layer with Captcha Code in WHM and cPanel Login page

    Quote Originally Posted by openadvertising
    I absolutely vote for this function. In the last 8 hours I have had a script make 36 attempts on my server. Back in November, I had my WHM hacked and 44 out of 80 websites were hacked. Downtime was 40 hours, cost me a lot of money and several clients. Since then security has been beefed up to the maximum.
    One solution would be to block a range of IPs but this can affect genuine traffic that uses dynamic ranges. To use a captcha would prevent almost all scripts. It won't prevent a seasoned hacker that wants to get in, nothing does.

    All I can say is, I don't want to experience another episode of what happened to me before. Trust me, it's very stressful.
    May I ask why the IP restrictions functionality with security questions is not being used as a preventative measure? A user isn't locked out if they aren't logging in from something resembling their usual IP address, they are just prompted to answer security questions which, if answered correctly, will grant that IP access to that account.

    I'm just not understanding how a machine-readable CAPTCHA is better than user-friendly IP restrictions (not as easily bypassed). If they log in from a new IP far outside their regular IP range, they just answer their security questions and are logged in. This narrows things down to spear phishing where a hosting customer is infected with malware and compromised that way.

  6. #6
    Member (forum account confirmed by cPanel staff to represent a vendor)
    Join Date
    Dec 2009
    Posts
    185
    cPanel/WHM Access Level

    Root Administrator

    Re: Add Security Layer with Captcha Code in WHM and cPanel Login page

    IP restrictions are not useful for a lot of users because 70% of users may not have a dedicated IP. The captcha is more user friendly than security questions because each user needs to define their security questions, but a captcha is predefined.
    There should be an option like: after x wrong login attempts, automatically display a captcha.

  7. #7
    Technical Product Specialist cPanelDavidG
    Join Date
    Nov 2006
    Location
    Houston, TX
    Posts
    11,307
    cPanel/WHM Access Level

    Root Administrator

    Re: Add Security Layer with Captcha Code in WHM and cPanel Login page

    Quote Originally Posted by 9xlinux
    IP restrictions are not useful for a lot of users because 70% of users may not have a dedicated IP. The captcha is more user friendly than security questions because each user needs to define their security questions, but a captcha is predefined.
    There should be an option like: after x wrong login attempts, automatically display a captcha.
    I'm still not understanding how a machine-readable captcha "improves" security.

    However, if you want, we can start a discussion about having a setting for Security Questions that will make the last octet a wildcard instead of a specific IP to better accommodate those on dynamic IPs.

  8. #8
    Member
    Join Date
    Apr 2011
    Posts
    181
    cPanel/WHM Access Level

    Root Administrator

    Re: Add Security Layer with Captcha Code in WHM and cPanel Login page

    Here's an interesting thought: Google's reCAPTCHA gathers words from scanning old books -- the words its OCR software can't read, it sends to the reCAPTCHA system. These words are further obscured to make it more difficult for spambots to decipher. Which leads us to the question: If the technology exists that allows spambots to consistently read reCAPTCHA even with the added distortion, why doesn't Google use the same technology in their OCR software?

    Quote Originally Posted by cPanelDavidG
    I'm still not understanding how a machine-readable captcha "improves" security.
    What rate of success do you consider to be "machine-readable"? A security researcher in Jan. 2011 said that reCAPTCHA could be cracked ~20% of the time (which Google denied). That should mean that the average brute force attempt will take 5x longer. How does slowing down an attack not improve security, especially if you track and automatically ban excessive failures? Further, if an account sees multiple failures in a short range of time from a variety of IPs, it can be assumed that the account is under attack. The account login can be temporarily disabled or only disabled for certain netblocks in this case. A system that causes bots to fail 80% of the time independent of the credentials provided only improves the efficacy of such a system.

    IP restrictions are good -- but I for one have always been opposed to being forced to enter security questions to "protect" my account. While security questions are good for protecting against automated attacks, they actually weaken security in a targeted attack due to the popularity of social networking. It is far too easy to find a domain-owner's name/email address, then use that to find personal information on social networking sites. Answers to common questions regarding your high school's city or the first/middle/maiden name of certain family members are easily obtained.

    On the subject of user-friendliness: On a system I designed, I set a cookie on the user's system containing a hashed random value. If they passed the reCAPTCHA, they would not be presented with the captcha again. If the cookie is ever presented with incorrect credentials, it is destroyed and will no longer allow a user to bypass the captcha system. It is a nice blend of user-friendliness and slowing brute-force attacks.

  9. #9
    Technical Product Specialist cPanelDavidG
    Join Date
    Nov 2006
    Location
    Houston, TX
    Posts
    11,307
    cPanel/WHM Access Level

    Root Administrator

    Re: Add Security Layer with Captcha Code in WHM and cPanel Login page

    Quote Originally Posted by alphawolf50
    What rate of success do you consider to be "machine-readable"? A security researcher in Jan. 2011 said that reCAPTCHA could be cracked ~20% of the time (which Google denied). That should mean that the average brute force attempt will take 5x longer. How does slowing down an attack not improve security, especially if you track and automatically ban excessive failures? Further, if an account sees multiple failures in a short range of time from a variety of IPs, it can be assumed that the account is under attack. The account login can be temporarily disabled or only disabled for certain netblocks in this case. A system that causes bots to fail 80% of the time independent of the credentials provided only improves the efficacy of such a system.
    Makes sense, and the brute force detection would fall under existing cPHulkD Brute Force protection functionality.

    Quote Originally Posted by alphawolf50
    IP restrictions are good -- but I for one have always been opposed to being forced to enter security questions to "protect" my account. While security questions are good for protecting against automated attacks, they actually weaken security in a targeted attack due to the popularity of social networking. It is far too easy to find a domain-owner's name/email address, then use that to find personal information on social networking sites. Answers to common questions regarding your high school's city or the first/middle/maiden name of certain family members are easily obtained.
    Given that the questions are easily customized (just highlight the question and begin typing your own), would you advise verbiage be displayed in the cPanel UI emphasizing this attack vector and encouraging custom questions? Admittedly, the average person may not immediately realize this attack vector exists.

    Quote Originally Posted by alphawolf50
    On the subject of user-friendliness: On a system I designed, I set a cookie on the user's system containing a hashed random value. If they passed the reCAPTCHA, they would not be presented with the captcha again. If the cookie is ever presented with incorrect credentials, it is destroyed and will no longer allow a user to bypass the captcha system. It is a nice blend of user-friendliness and slowing brute-force attacks.
    Interesting, and if our cookie spoofing protection is enabled, stealing the cookie doesn't do any good for getting into that account.

  10. #10
    Member
    Join Date
    Aug 2006
    Posts
    198
    cPanel/WHM Access Level

    Root Administrator

    CAPTCHA enabled cPanel Login

    I wanted to suggest this as a feature request for the cPanel login screen. After 2-3 failed login attempts, the cPanel login screen should start showing a CAPTCHA to prevent bot attacks on the cPanel login. I know there is a feature in ConfigServer Firewall which blocks IP addresses based on the number of login failures, but this would be different and instead of blocking IP addresses it would simply help prevent such bot attacks.

  11. #11
    Registered User
    Join Date
    May 2011
    Posts
    1

    Re: Add Security Layer with Captcha Code in WHM and cPanel Login page

    Quote Originally Posted by cPanelDavidG
    How is a captcha more effective and more friendly than enabling the existing IP restrictions functionality?
    In my opinion, they are TWO different types of security measures, and should not be compared.

    Captcha should be implemented IN ADDITION to IP restrictions because...

    1. Depending on the captcha system used it will eliminate almost all automated/scripted brute force attacks.
    2. It adds in an ADDITIONAL layer of defense against crackers BEFORE login is even attempted.


    Enabling ONLY IP restrictions is limiting because...

    1. It may be possible for crackers to access the Q&A information (?)
    2. It is currently not eliminating MULTIPLE attempts to crack into the access panels since the security measure starts AFTER login (lowering the maximum failures will hinder the admin)
    3. Also, do the security questions apply for cPanel users? How can they set their own security questions? If the cPanel users can't create their own security questions then I think we all realize that IP restriction is only a luxury for the admin. If Captchas were put in place for all users, users with weak passwords would be less likely to have their accounts cracked into.


    Captcha almost eliminates the attempts before login and if they do get in from an unrecognizable IP they are then given questions to answer. I see the two security measures as making cPanel/WHM more impenetrable for crackers.

    So can we have both? ;-)

  12. #12
    Technical Product Specialist cPanelDavidG
    Join Date
    Nov 2006
    Location
    Houston, TX
    Posts
    11,307
    cPanel/WHM Access Level

    Root Administrator

    Re: Add Security Layer with Captcha Code in WHM and cPanel Login page

    All very good points, just wanted to clarify something though:

    Quote Originally Posted by sharrondenice
    Also, do the security questions apply for cPanel users? How can they set their own security questions? If the cPanel users can't create their own security questions then I think we all realize that IP restriction is only a luxury for the admin. If Captchas were put in place for all users, users with weak passwords would be less likely to have their accounts cracked into.
    Yes, security questions do apply to cPanel users. The first time they log in to cPanel after this is enabled on the server, they are prompted to enter questions and answers. They enter their own questions just by typing out their own questions (my personal recommendation to avoid social media being an attack vector) or they can select a question we suggest from the drop-down.

    Security questions can be changed any time the user is successfully logged in by the user via their cPanel or Webmail interfaces (depending on what type of account they are logging into).

  13. #13
    Member Joriz
    Join Date
    Aug 2004
    Location
    the Netherlands
    Posts
    31
    cPanel/WHM Access Level

    DataCenter Provider

    Re: Add Security Layer with Captcha Code in WHM and cPanel Login page

    This doesn't do much as most of those captchas are just filled in by mechanical Turks in third world countries. I think that Two-Factor Authentication is safer.

  14. #14
    Technical Product Specialist cPanelDavidG
    Join Date
    Nov 2006
    Location
    Houston, TX
    Posts
    11,307
    cPanel/WHM Access Level

    Root Administrator

    Re: Add Security Layer with Captcha Code in WHM and cPanel Login page

    Quote Originally Posted by Joriz
    This doesn't do much as most of those captchas are just filled in by mechanical Turks in third world countries. I think that Two-Factor Authentication is safer.
    The general tone of this thread seems to be an acknowledgement that CAPTCHA is not 100% effective, nor is it near 100% effective. However, the benefits of implementation still outweigh the hidden costs of using arguably more effective solutions like IP checking since many people are on ISPs that use dynamic IPs that change from request-to-request, even across different /8s. The IP checking solution, while arguably more effective, incurs a cost of increased resources needed to be devoted to customer service to address these customers on wildly dynamic IPs (which as we know from the strict vs. loose cookie IP settings, happens more frequently than we would all like) - hence the desire for an alternative, even if lesser effective, solution that incurs less hassle upon the hosting customer.

  15. #15
    Technical Product Specialist cPanelDavidG
    Join Date
    Nov 2006
    Location
    Houston, TX
    Posts
    11,307
    cPanel/WHM Access Level

    Root Administrator

    Re: Add Security Layer with Captcha Code in WHM and cPanel Login page

    The more I research this, the more I am wondering if this is the wrong solution for a very valid problem.

    For example, the latest security research brings Google's CAPTCHA down to 1% effectiveness: How a trio of hackers brought Google’s reCAPTCHA to its knees | Ars Technica and it's only a matter of time before this happens yet again.

    I have an idea for an alternative solution that I think is better. Instead of displaying a CAPTCHA (which is now effectively not useful at all as a security measure), why not impose 2-factor authentication after x failed login attempts? This could be forced similar to the way security questions must be entered after that setting is enabled server-wide. Instead of entering questions though, people could sign up to something like Google Authenticator (which only requires the customer to have a cell phone) and then if they failed to login x times, they need to enter their second factor authentication to continue.

    I only mention Google Authenticator as an example since it's free, doesn't require the purchase of specialized hardware and is relatively easy for most people to use, but pretty much any two-factor authentication should be able to be very effective here against hacking attempts.
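The step-up scheme that runs through this thread (alphawolf50's post #8: a challenge after repeated failures plus a bypass cookie holding a hashed random value that is destroyed when presented with bad credentials; cPanelDavidG's post #15: the same gate but with a second factor as the challenge) as an added, challenge-agnostic example. This is not code from any poster or from cPanel; the account store, threshold, token format and the decision to mint the bypass token only after a passed challenge together with a successful login are assumptions made for the demo.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

# Constructed demo account store; a real deployment compares against a password hash.
USERS = {"alice": "correct horse"}
FAILURE_THRESHOLD = 3  # failures before the step-up challenge is required (assumed)


class StepUpLoginGate:
    """Login front-end that demands an extra challenge (CAPTCHA or a second
    factor) once an account has seen too many failures, and issues a
    revocable bypass token so a user who has passed the challenge is not
    challenged again."""

    def __init__(self, threshold=FAILURE_THRESHOLD):
        self.threshold = threshold
        self.failures = defaultdict(int)  # per-account failed-attempt counter
        self.bypass_tokens = set()        # SHA-256 digests of live tokens only

    @staticmethod
    def _digest(token):
        # Store only the digest so a leaked server-side store cannot be replayed.
        return hashlib.sha256(token.encode()).hexdigest()

    def challenge_required(self, user, bypass_token=None):
        """True once the account is over the threshold and no live token is presented."""
        if bypass_token and self._digest(bypass_token) in self.bypass_tokens:
            return False
        return self.failures[user] >= self.threshold

    def _issue_bypass_token(self):
        token = secrets.token_urlsafe(32)  # 256 bits of randomness; goes in the cookie
        self.bypass_tokens.add(self._digest(token))
        return token

    def login(self, user, password, challenge_passed=False, bypass_token=None):
        """Returns (status, new_bypass_token); status is 'ok', 'denied' or
        'challenge_required'."""
        if self.challenge_required(user, bypass_token) and not challenge_passed:
            return ("challenge_required", None)
        expected = USERS.get(user, "")
        if expected and hmac.compare_digest(expected.encode(), password.encode()):
            self.failures[user] = 0
            # Assumption: the token is minted only after a passed challenge AND a
            # successful login, so a bot cannot farm tokens using bad passwords.
            return ("ok", self._issue_bypass_token() if challenge_passed else None)
        self.failures[user] += 1
        if bypass_token:
            # A token presented alongside wrong credentials is destroyed (post #8).
            self.bypass_tokens.discard(self._digest(bypass_token))
        return ("denied", None)
```

In a deployment the counter would also be keyed by source IP (or fed by the cPHulkD-style detection mentioned in #9) and the token set as an HttpOnly, Secure cookie.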
