View Poll Results: Captcha Code in login page can help stopping automated login by hackers

Voters: 18
  • Yes - It is fantastic Idea: 11 (61.11%)
  • No - It will do nothing: 7 (38.89%)
  1. #1
    Registered User
    Join Date
    Dec 2011
    Posts
    1
    cPanel/Enkompass Access Level

    Root Administrator

    Add Security Layer with Captcha Code in WHM and cPanel Login page

    I enabled the option "Send notification when brute force user is detected".

    After this I am getting 10-12 emails every day reporting a "Large Number of Failed Login Attempts from IP xxx.xxx.xxx.xxx".

    We can determine that some people or hackers always try to log in to WHM, cPanel, webmail, etc. with an automated script,
    so if a Captcha Code is added to the login page then we can stop automated logins by scripts and hackers easily.

  2. #2
    Member monarobase's Avatar
    Join Date
    Jan 2010
    Location
    France
    Posts
    387
    cPanel/Enkompass Access Level

    Root Administrator

    Re: Add Security Layer with Captcha Code in WHM and cPanel Login page

    Even re-captcha has been cracked. A captcha would stop some people and would even stop all of the automatic bots to begin with but if most hosts activated a captcha then the bots that try to guess passwords would just update their system.

    I'm not against having this as an option but I do not vote for it as we would not use it.

  3. #3
    Technical Product Specialist cPanelDavidG's Avatar
    Join Date
    Nov 2006
    Location
    Houston, TX
    Posts
    11,189
    cPanel/Enkompass Access Level

    Root Administrator

    Re: Add Security Layer with Captcha Code in WHM and cPanel Login page

    How is a captcha more effective and more friendly than enabling the existing IP restrictions functionality?

  4. #4
    Registered User
    Join Date
    Sep 2008
    Posts
    1

    Re: Add Security Layer with Captcha Code in WHM and cPanel Login page

    I absolutely vote for this function. In the last 8 hours I have had a script make 36 attempts to my server. Back in November, I had my WHM hacked and 44 out of 80 websites were hacked. Downtime was 40 hours, cost me a lot of money and several clients. Since then security has been beefed up to the maximum.
    One solution would be to block a range of IPs but this can affect genuine traffic that uses dynamic ranges. To use a captcha would prevent almost all scripts. It won't prevent a seasoned hacker that wants to get in; nothing does.

    All I can say is, I don't want to experience another episode of what happened to me before. Trust me, it's very stressful.

  5. #5
    Technical Product Specialist cPanelDavidG's Avatar
    Join Date
    Nov 2006
    Location
    Houston, TX
    Posts
    11,189
    cPanel/Enkompass Access Level

    Root Administrator

    Re: Add Security Layer with Captcha Code in WHM and cPanel Login page

    Quote, originally posted by openadvertising:
        I absolutely vote for this function. In the last 8 hours I have had a script make 36 attempts to my server. Back in November, I had my WHM hacked and 44 out of 80 websites were hacked. Downtime was 40 hours, cost me a lot of money and several clients. Since then security has been beefed up to the maximum.
        One solution would be to block a range of IPs but this can affect genuine traffic that uses dynamic ranges. To use a captcha would prevent almost all scripts. It won't prevent a seasoned hacker that wants to get in; nothing does.

        All I can say is, I don't want to experience another episode of what happened to me before. Trust me, it's very stressful.

    May I ask why the IP restrictions functionality with security questions is not being used as a preventative measure? A user isn't locked out if they aren't logging in from something resembling their usual IP address; they are just prompted to answer security questions which, if answered correctly, will grant that IP access to that account.

    I'm just not understanding how a machine-readable CAPTCHA is better than user-friendly IP restrictions (not as easily bypassed). If they log in from a new IP far outside their regular IP range, they just answer their security questions and are logged in. This narrows things down to spear phishing where a hosting customer is infected with malware and compromised that way.

  6. #6
    Member This forum account has been confirmed by cPanel staff to represent a vendor.
    Join Date
    Dec 2009
    Posts
    177
    cPanel/Enkompass Access Level

    Root Administrator

    Re: Add Security Layer with Captcha Code in WHM and cPanel Login page

    IP restrictions are not useful for a lot of users because 70% of users may not have a dedicated IP. The captcha is more user friendly than a security question because each user needs to define their security question but the captcha is predefined.
    There should be an option so that after x wrong login attempts a captcha is automatically displayed.

  7. #7
    Technical Product Specialist cPanelDavidG's Avatar
    Join Date
    Nov 2006
    Location
    Houston, TX
    Posts
    11,189
    cPanel/Enkompass Access Level

    Root Administrator

    Re: Add Security Layer with Captcha Code in WHM and cPanel Login page

    Quote, originally posted by 9xlinux:
        IP restrictions are not useful for a lot of users because 70% of users may not have a dedicated IP. The captcha is more user friendly than a security question because each user needs to define their security question but the captcha is predefined.
        There should be an option so that after x wrong login attempts a captcha is automatically displayed.

    I'm still not understanding how a machine-readable captcha "improves" security.

    However, if you want, we can start a discussion about having a setting for Security Questions that will make the last octet a wildcard instead of a specific IP to better accommodate those on dynamic IPs.

  8. #8
    Member
    Join Date
    Apr 2011
    Posts
    145
    cPanel/Enkompass Access Level

    Root Administrator

    Re: Add Security Layer with Captcha Code in WHM and cPanel Login page

    Here's an interesting thought: Google's reCAPTCHA gathers words from scanning old books -- the words its OCR software can't read, it sends to the reCAPTCHA system. These words are further obscured to make it more difficult for spambots to decipher. Which leads us to the question: If the technology exists that allows spambots to consistently read reCAPTCHA even with the added distortion, why doesn't Google use the same technology in their OCR software?

    Quote, originally posted by cPanelDavidG:
        I'm still not understanding how a machine-readable captcha "improves" security.

    What rate of success do you consider to be "machine-readable"? A security researcher in Jan. 2011 said that reCAPTCHA could be cracked ~20% of the time (which Google denied). That should mean that the average brute force attempt will take 5x longer. How does slowing down an attack not improve security, especially if you track and automatically ban excessive failures? Further, if an account sees multiple failures in a short range of time from a variety of IPs, it can be assumed that the account is under attack. The account login can be temporarily disabled or only disabled for certain netblocks in this case. A system that causes bots to fail 80% of the time independent of the credentials provided only improves the efficacy of such a system.

    IP restrictions are good -- but I for one have always been opposed to being forced to enter security questions to "protect" my account. While security questions are good for protecting against automated attacks, they actually weaken security in a targeted attack due to the popularity of social networking. It is far too easy to find a domain-owner's name/email address, then use that to find personal information on social networking sites. Answers to common questions regarding your high school's city or the first/middle/maiden name of certain family members are easily obtained.

    On the subject of user-friendliness: On a system I designed, I set a cookie on the user's system containing a hashed random value. If they passed the reCAPTCHA, they would not be presented with the captcha again. If the cookie is ever presented with incorrect credentials, it is destroyed and will no longer allow a user to bypass the captcha system. It is a nice blend of user-friendliness and slowing brute-force attacks.

  9. #9
    Technical Product Specialist cPanelDavidG's Avatar
    Join Date
    Nov 2006
    Location
    Houston, TX
    Posts
    11,189
    cPanel/Enkompass Access Level

    Root Administrator

    Re: Add Security Layer with Captcha Code in WHM and cPanel Login page

    Quote, originally posted by alphawolf50:
        What rate of success do you consider to be "machine-readable"? A security researcher in Jan. 2011 said that reCAPTCHA could be cracked ~20% of the time (which Google denied). That should mean that the average brute force attempt will take 5x longer. How does slowing down an attack not improve security, especially if you track and automatically ban excessive failures? Further, if an account sees multiple failures in a short range of time from a variety of IPs, it can be assumed that the account is under attack. The account login can be temporarily disabled or only disabled for certain netblocks in this case. A system that causes bots to fail 80% of the time independent of the credentials provided only improves the efficacy of such a system.

    Makes sense, and the brute force detection would fall under existing cPHulkD Brute Force protection functionality.

    Quote, originally posted by alphawolf50:
        IP restrictions are good -- but I for one have always been opposed to being forced to enter security questions to "protect" my account. While security questions are good for protecting against automated attacks, they actually weaken security in a targeted attack due to the popularity of social networking. It is far too easy to find a domain-owner's name/email address, then use that to find personal information on social networking sites. Answers to common questions regarding your high school's city or the first/middle/maiden name of certain family members are easily obtained.

    Given that the questions are easily customized (just highlight the question and begin typing your own), would you advise verbiage be displayed in the cPanel UI emphasizing this attack vector and encouraging custom questions? Admittedly, the average person may not immediately realize this attack vector exists.

    Quote, originally posted by alphawolf50:
        On the subject of user-friendliness: On a system I designed, I set a cookie on the user's system containing a hashed random value. If they passed the reCAPTCHA, they would not be presented with the captcha again. If the cookie is ever presented with incorrect credentials, it is destroyed and will no longer allow a user to bypass the captcha system. It is a nice blend of user-friendliness and slowing brute-force attacks.

    Interesting, and if our cookie spoofing protection is enabled, stealing the cookie doesn't do any good for getting into that account.

  10. #10
    Member
    Join Date
    Aug 2006
    Posts
    196
    cPanel/Enkompass Access Level

    Root Administrator

    CAPTCHA enabled cPanel Login

    I wanted to suggest this as a feature request for the cPanel login screen. After 2-3 failed login attempts, the cPanel login screen should start showing a CAPTCHA to prevent bot attacks on the cPanel login. I know there is a feature in ConfigServer Firewall which blocks IP addresses based on the number of login failures, but this would be different and instead of blocking IP addresses it would simply help prevent such bot attacks.
    Last edited by WireNine; 05-14-2012 at 06:40 PM.
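
Added example (not code from any poster in this thread and not cPanel's implementation): a minimal sketch combining the two designs described in posts #8 and #10, a CAPTCHA that appears only after repeated failed logins and a trusted-device cookie that skips it until the cookie is seen with bad credentials. The `LoginGate` class, the threshold of 3 and the sample account are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

CAPTCHA_AFTER_FAILURES = 3  # assumed threshold; post #10 says "2-3 failed login attempts"

class LoginGate:
    """Hypothetical login front end (illustration only, not cPanel code)."""

    def __init__(self, password_ok):
        self.password_ok = password_ok  # callable(user, password) -> bool
        self.failures = {}              # user -> consecutive failed logins
        self.trusted = {}               # sha256(cookie value) -> user

    @staticmethod
    def _digest(cookie):
        return hashlib.sha256(cookie.encode()).hexdigest()

    def _cookie_ok(self, user, cookie):
        return cookie is not None and self.trusted.get(self._digest(cookie)) == user

    def captcha_required(self, user, cookie=None):
        if self._cookie_ok(user, cookie):
            return False  # this device already passed a CAPTCHA for the account
        return self.failures.get(user, 0) >= CAPTCHA_AFTER_FAILURES

    def login(self, user, password, cookie=None, captcha_passed=False):  # -> (status, cookie_to_set)
        if self.captcha_required(user, cookie) and not captcha_passed:
            return "captcha_required", None  # the password is never evaluated
        if not self.password_ok(user, password):
            self.failures[user] = self.failures.get(user, 0) + 1
            if cookie is not None:  # cookie seen with bad credentials: destroy it
                self.trusted.pop(self._digest(cookie), None)
            return "denied", None
        self.failures[user] = 0
        if captcha_passed and not self._cookie_ok(user, cookie):
            cookie = secrets.token_urlsafe(32)  # random value; only its hash is stored
            self.trusted[self._digest(cookie)] = user
            return "ok", cookie
        return "ok", None


def demo():
    users = {"alice": "correct horse"}  # constructed sample account
    check = lambda u, p: hmac.compare_digest(users.get(u, "").encode(), p.encode())
    gate = LoginGate(check)
    bot = [gate.login("alice", "guess%d" % i)[0] for i in range(4)]
    status, cookie = gate.login("alice", "correct horse", captcha_passed=True)
    return bot, status, cookie is not None
```

Because the failure counter is kept per account rather than per IP, guesses spread across many addresses still trigger the CAPTCHA, while the account owner's own browser keeps bypassing it through the cookie.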
