  1. #1
    Registered User
    Join Date
    Aug 2006
    Posts
    2

    Default How to prevent brute force attacks on Cpanel Login

    My web hoster is not particularly responsive, and so I'm having to learn more of this than I probably should given my expertise. Any help will be greatly appreciated. I had someone break into my cpanel administrative account over the weekend, set up the forwarder to forward copies of my email to him, and then use this as a method to attempt to steal my domain name. Fortunately I was able to stop this.

    I've figured out how he did it, and I want to stop it from happening again. The cpanel login has a 'feature' that does not require a login name, i.e. if I enter just my password I get in. Plus, there is no 'brute force' protection on the password. I had a bad password (6 letters) and the guy was able to brute-force his way to a login, set my forwarder and then go about stealing my domain.

    Is there a way to both fix the no login name feature, and prevent further brute force attacks from being successful? I've changed the password to something much more complicated, but I'm worried that's not enough and I'm pretty certain this bugger will be back later.

    Any ideas?

    Thanks.

  2. #2
    Member
    Join Date
    Mar 2006
    Posts
    1,215

    Default

    Unfortunately, if you are not on a dedicated server or whm, a lot of options are not available. I highly doubt your provider would disable the ability of password logins of a whm simply because it's convenient.

    What he could and should be doing is providing a decent firewall to prevent this from the beginning. I suggest looking for another provider.

  3. #3
    Registered User
    Join Date
    Aug 2006
    Posts
    2

    Default cpanel login cont'd

    I'm confused. How would a firewall stop this? The crook in this case simply went straight to my cpanel login at www.xxxx.com/cpanel and then ran his script to brute-force the login. I log in through this same mechanism, so how would a firewall prevent this without also preventing me from logging in?

    Thanks.

  4. #4
    Member serversphere's Avatar
    Join Date
    Jan 2004
    Posts
    658

    Default

    There are some firewalls that work in conjunction with brute force detectors to stop this sort of attack (by banning the IP at the firewall level).

    The moderator Chirpy here provides an "all-in-one" solution called ConfigServer Security & Firewall (or CSF). Check out http://www.configserver.com/cp/csf.html for more info.

    BFD+APF is another option - see http://rfxnetworks.com for more on this one.

    I can say that I've used both and they both work well. In the past few weeks I have started to lean more toward CSF. Chirpy and company are doing fantastic work on it - making it much more than just a firewall. Very nice package.

    Good luck! PS - I am sorry that your provider is unresponsive on this. Maybe it's time to look elsewhere?

  5. #5
    Member
    Join Date
    May 2006
    Posts
    14

    Default

    Forgive me if I'm wrong, but I believe the original poster is talking about Cpanel Logins...

  6. #6
    Member
    Join Date
    Nov 2003
    Posts
    129

    Default

    Quote Originally Posted by BMCK
    Forgive me if I'm wrong, but I believe the original poster is talking about Cpanel Logins...
    You are not listening to what you were told - if a good firewall were in place like CSF firewall he suggested - then the brute force attack would have been halted and the person would have been blocked BEFORE they got access ~

  7. #7
    Member Manuel_accu's Avatar
    Join Date
    Jun 2005
    Posts
    191

    Default

    I would suggest you to check and use APF+BFD, wonderful utils you can a event mail also..
    Linux Web Administrator Guide
    Optimize, secure and performance tunning for Apache || MySQL5.1 Cluster How To
    The visionary conceives the impossible, The missionary makes it possible. ...Gita.

  8. #8
    Member Manuel_accu's Avatar
    Join Date
    Jun 2005
    Posts
    191

    Default

    I am sorry, but another product (ConfigServer Security & Firewall (or CSF)) also seems good. I have just checked and found it. It has interactive integration with WHM and other extra security functions too...

  9. #9
    Member
    Join Date
    Aug 2003
    Location
    Melbourne, Florida
    Posts
    65

    Default

    Quote Originally Posted by Manuel_accu View Post
    I would suggest you to check and use APF+BFD, wonderful utils you can a event mail also..
    I know this is an old thread, but..

    Unless you have custom scripts, I don't believe that APF and BFD protect against brute force against Cpanel. I don't know if CSF does or not. Has anybody got it working?

  10. #10
    Member
    Join Date
    Mar 2006
    Posts
    1,215

    Default

    CSF has a feature that detects login failure. You can adjust this to any amount
    of failed attempts you wish to allow. You can also protect htaccess logins as well
    as ftp and webmail and any other service that requires a login.
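
Added example, not part of the thread and not CSF's own code: the threshold-based login-failure detection described in post #10, sketched in Python. The log format, the function name `find_offenders` and the addresses are constructed for illustration; the result is the set of IPs a firewall would be told to block.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical format (not cPanel's real login log).
SAMPLE_LOG = """\
2006-08-21T03:14:01 FAILED service=cpanel ip=203.0.113.7
2006-08-21T03:14:03 FAILED service=cpanel ip=203.0.113.7
2006-08-21T03:14:05 FAILED service=cpanel ip=203.0.113.7
2006-08-21T03:14:06 FAILED service=cpanel ip=198.51.100.20
2006-08-21T03:14:07 FAILED service=cpanel ip=203.0.113.7
2006-08-21T03:14:09 FAILED service=cpanel ip=203.0.113.7
2006-08-21T03:14:11 FAILED service=cpanel ip=203.0.113.7
2006-08-21T03:15:30 FAILED service=cpanel ip=198.51.100.20
2006-08-21T03:16:02 OK service=cpanel ip=198.51.100.20
2006-08-21T08:00:00 FAILED service=ftp ip=192.0.2.50
2006-08-21T09:00:00 FAILED service=ftp ip=192.0.2.50
2006-08-21T10:00:00 FAILED service=ftp ip=192.0.2.50
"""

LINE_RE = re.compile(r"^(\S+) (FAILED|OK) service=(\S+) ip=(\S+)$")


def find_offenders(log_text, max_failures=5, window=timedelta(minutes=5),
                   allowlist=frozenset()):
    """Return {ip: time the threshold was reached} for every IP with at
    least max_failures failed logins inside a sliding time window."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    blocked = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group(2) != "FAILED":
            continue              # unparsable lines and successful logins
        ts, ip = datetime.fromisoformat(m.group(1)), m.group(4)
        if ip in allowlist or ip in blocked:
            continue              # never ban allowlisted IPs; ban only once
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop failures that aged out of the window
            q.popleft()
        if len(q) >= max_failures:
            blocked[ip] = ts      # hand this IP to the firewall here
    return blocked


if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOG).items():
        print(f"block {ip} (threshold reached {when.isoformat()})")
```

The `allowlist` argument keeps a known fixed address, such as an administrator's own, from being banned after a few mistyped passwords.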

  11. #11
    Member
    Join Date
    Nov 2003
    Posts
    129

    Default

    Quote Originally Posted by Justin00 View Post
    God I love CSF! I know which days I gotta work and which ones I don't. Since implementing CSF it does most of my work too

    Banning hackers... Banning Hackers, and Watching The Server

    Only thing I gotta do now is unban stupid customers! The ones who lose their damn password and guess 2 hundred times instead of calling support!!

    Haha.
    OMG I so couldn't agree with you more. I had no idea just how many idiot customers I had until CSF !!

  12. #12
    Registered User
    Join Date
    Nov 2006
    Posts
    4

    Default

    God I love CSF! I know which days I gotta work and which ones I don't. Since implementing CSF it does most of my work too

    Banning hackers... Banning Hackers, and Watching The Server

    Only thing I gotta do now is unban stupid customers! The ones who lose their damn password and guess 2 hundred times instead of calling support!!

    Haha.

  13. #13
    cPanel Partner NOC cPanel Partner NOC Badge gorilla's Avatar
    Join Date
    Feb 2004
    Location
    Sydney / Australia
    Posts
    736

    Default

    ban them too

  14. #14
    Member brianoz's Avatar
    Join Date
    Mar 2004
    Location
    Melbourne, Australia
    Posts
    1,117
    cPanel/Enkompass Access Level

    Root Administrator

    Default

    For the original poster, CSF can be installed in only a few lines of typing - basically a copy-and-paste of a small block of text into the root shell. It can be updated from WHM with a single click and it will save them a LOT of work down the track if they install it. Could even save them from a root exploit!

    If they won't install it, I'd recommend changing to someone who DOES run it. A webhoster who runs CSF demonstrates they've been keeping up with the latest in security and is much more likely to help you keep safe. And it's only a matter of a few minutes work to copy an account from one cpanel server to another - including all your email, your web pages, SQL databases, the whole lot (possibly with the exception of mailing lists, which you probably don't use) -- cpanel automates account copying.

    You may also want to download a full backup of your account from the backups menu in cpanel, just to cover yourself before moving hosts.

  15. #15
    Member
    Join Date
    Oct 2006
    Posts
    10

    Default

    Cheers, CSF is great, just installed it, it's really really easy and very handy. No excuse for not having this.
