  1. #1
    Member
    Join Date
    Sep 2003
    Posts
    5

    BULK Password Reset possible - hacked

    I have close to 100 accounts on one cPanel account. Is it possible to Bulk Password Modification all accounts at ONCE?

    I don't actually need to know the new password. If I do need to FTP to the site, I will manually change the FTP for the one account.

    I want to constantly change the Passwords to defeat any possible hacker attempts (gumblar/malware virus).

  2. #2
    Technical Product Specialist cPanelDavidG's Avatar
    Join Date
    Nov 2006
    Location
    Houston, TX
    Posts
    10,720
    cPanel/Enkompass Access Level

    Root Administrator

    Quote Originally Posted by gariben View Post
    I have close to 100 accounts on one cPanel account. Is it possible to Bulk Password Modification all accounts at ONCE?

    I don't actually need to know the new password. If I do need to FTP to the site, I will manually change the FTP for the one account.

    I want to constantly change the Passwords to defeat any possible hacker attempts (gumblar/malware virus).
    You could build a script that uses our APIs to perform the bulk password modification. However, no such feature is built into the cPanel user interface at this time.

    Keep in mind, FTP is an inherently insecure protocol since usernames and passwords are always sent in plain text (which anyone can read). I recommend you and your colleagues switch to FTP over SSL/TLS (FTPS) instead. Many FTP clients support this and it's often just a matter of switching a setting from "FTP" to "FTPS" in the FTP client.

    With FTPS, everything is the same except now your username and password are encrypted when they are sent to the server. This means it is harder for others to snoop on your traffic to grab your passwords (not just malware).

    Of course, it is prudent to ensure systems that are connecting to your site to upload content are clear of malware.

    Additionally, if you find yourself with many FTP accounts that are not being used frequently, you may want to delete those unused FTP accounts.
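
The scripted approach suggested in the reply above, sketched as an added example; it is not part of the original thread and not cPanel's own code. It assumes root access to WHM with an API token, the WHM API 1 functions `listaccts` and `passwd` on port 2087, and that the accounts are WHM-level accounts; the helper names and the `WHM_HOST`/`WHM_TOKEN` environment variables are hypothetical.

```python
import json
import secrets
import string
import urllib.parse
import urllib.request

ALPHABET = string.ascii_letters + string.digits


def new_password(length=24):
    """Random password containing lower case, upper case and a digit."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)):
            return pw


def whm_call(host, token, function, params):
    """Call one WHM API 1 function over HTTPS and return the parsed JSON."""
    # Sent as a POST body so the new password never appears in a URL or log line.
    body = urllib.parse.urlencode({"api.version": 1, **params}).encode()
    req = urllib.request.Request(
        f"https://{host}:2087/json-api/{function}",
        data=body,
        headers={"Authorization": f"whm root:{token}"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def rotate_all(host, token, call=whm_call):
    """Give every account a fresh random password; return {user: succeeded}."""
    accounts = call(host, token, "listaccts", {})["data"]["acct"]
    results = {}
    for acct in accounts:
        # The password is generated, sent and discarded: the original poster
        # does not need to know it and resets one account by hand when needed.
        reply = call(host, token, "passwd",
                     {"user": acct["user"], "password": new_password()})
        results[acct["user"]] = reply["metadata"]["result"] == 1
    return results


if __name__ == "__main__":
    import os
    # WHM_HOST and WHM_TOKEN are assumed placeholder variable names.
    outcome = rotate_all(os.environ["WHM_HOST"], os.environ["WHM_TOKEN"])
    for user, ok in outcome.items():
        print(user, "changed" if ok else "FAILED")
```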

  3. #3
    Member
    Join Date
    Jan 2005
    Location
    London, UK
    Posts
    187

    Is there any way we can disable standard FTP on cPanel servers, and only allow SFTP or FTPS?

    Thanks,

    - Vince

  4. #4
    Technical Product Specialist cPanelDavidG's Avatar
    Join Date
    Nov 2006
    Location
    Houston, TX
    Posts
    10,720
    cPanel/Enkompass Access Level

    Root Administrator

    Quote Originally Posted by mambovince View Post
    Is there any way we can disable standard FTP on cPanel servers, and only allow SFTP or FTPS?

    Thanks,

    - Vince
    Unfortunately, not at this time.

  5. #5
    Member sawbuck's Avatar
    Join Date
    Jan 2004
    Posts
    1,310
    cPanel/Enkompass Access Level

    Root Administrator

    David,

    With apologies to gariben for further hijacking this thread, can you clarify the following?

    Using pure-ftpd in WHM > Ftp Server Config, the option to "Require" TLS Encryption Support should encrypt the password information but the protocol falls back from Prot P to Prot C (unencrypted data channel) after connection. This should effectively disable standard FTP connections and only allow FTPS.

    My understanding is the forthcoming cPanel 11.25 will include the option to enforce Prot P (TLS 3 - encrypted comm and data channels).

    Another option seems to be disabling pure-ftpd to only allow SFTP using the SSH port. Dreamweaver for instance has SFTP capability.

  6. #6
    Technical Product Specialist cPanelDavidG's Avatar
    Join Date
    Nov 2006
    Location
    Houston, TX
    Posts
    10,720
    cPanel/Enkompass Access Level

    Root Administrator

    Quote Originally Posted by sawbuck View Post
    David,

    With apologies to gariben for further hijacking this thread, can you clarify the following?

    Using pure-ftpd in WHM > Ftp Server Config, the option to "Require" TLS Encryption Support should encrypt the password information but the protocol falls back from Prot P to Prot C (unencrypted data channel) after connection. This should effectively disable standard FTP connections and only allow FTPS.

    My understanding is the forthcoming cPanel 11.25 will include the option to enforce Prot P (TLS 3 - encrypted comm and data channels).

    Another option seems to be disabling pure-ftpd to only allow SFTP using the SSH port. Dreamweaver for instance has SFTP capability.
    Thanks for pointing out that configuration setting to me. I must have overlooked it when going through the .conf files.

    I believe requiring encryption is what you are looking for.

    Regarding using only SFTP, keep in mind that FTP accounts you have created do not work with SFTP, only FTP and FTPS. Only your cPanel credentials will work with SFTP. I know our UI says otherwise, and that is a bug that is being resolved (Case 26282).

  7. #7
    Member sawbuck's Avatar
    Join Date
    Jan 2004
    Posts
    1,310
    cPanel/Enkompass Access Level

    Root Administrator

    Quote Originally Posted by cPanelDavidG View Post
    Only your cPanel credentials will work with SFTP. I know our UI says otherwise, and that is a bug that is being resolved (Case 26282)
    Thanks, David, for pointing that out. So far in testing I had only used cPanel credentials.
