Disable WHM Root Login?

Discussion in 'General Discussion' started by SBS2003, Apr 21, 2005.

  1. SBS2003

    I searched so I apologize if this is somewhere else ---

    Okay,

    So those of us with dedicated servers have all been good boys & girls right?

    We disabled Telnet -
    We disabled SSH1
    We disabled Root Login (SSH)
    Some of us even disabled standard IP login from SSH and routed it to a different IP.
    Even some of us went further and changed the SSH port altogether to some obscure port.

    Okay, now that we are all paranoid and sit in the dark waiting for "them" to come get us (yes, me included) here is my question -

    We did all of this great stuff, however cPanel still allows root login. If someone tried a dictionary attack/brute force attack against cPanel login, they would have a chance at getting our root password.

    Does anyone know of a way to block root login for cPanel? (Obviously this could cause issues like what we had with the new license agreement but I believe root login still should "go away" from cPanel also.)

    Suggestions? Thoughts?


    Can you disable root login (WHM) but allow the regular scripts to run as root as needed?

    (Please note that I am not talking about SSH Root login, but logging in as root in WHM)

    Thanks!
     
  2. chirpy

    AFAIK, no. You could certainly restrict IP access to the WHM ports 2086 and 2087 which would go most of the way for you.
     
  3. digitard

    I had that fear a bit too, but combining APF/BFD and a password comprised of numbers, letters and special symbols, I feel that BFD will hopefully catch them before any type of 'chance' would occur. Plus I change my WHM login every month to something completely different, the only copy of which is on a piece of paper somewhere in my home.
     
  4. SBS2003

    Dynamic DNS

    I thought about this, however being only on dynamic DNS at my office that wouldn't work.

    But good idea!
     
  5. Finley Ave

    Strong password is the way to go. Better than bfd, alternate port, disabling root login, etc, by far the strongest defense against a password attack is a good password.
     
  6. PWSowner

    Very true. If passwords are at least 12 characters long and contain a variety of characters, it is quite secure.

    Between upper and lower case letters, numbers, and symbols, there are more than 10^21 possibilities with 12 characters. Make it 16 characters and you have around 10^30 possibilities. If a script could do 1 billion checks/second, it would take 89 trillion years to check all 16 character combinations.
     
  7. chirpy

    Which is why paranoia over root access, while healthy, can go too far. Nearly every root compromise that I have ever come across has been through privilege escalation or stack smashing vulnerable applications from a user account. Since you're logging into the account over SSL you're pretty much protected from sniffing, and if you use key authentication to log in through SSH, you're doing as much as you really need to (apart from sensible security measures - keeping up to date, not using an EOL OS, etc), IMHO WRT your root password. No harm in using scripts that search the logs for bruteforce attacks, though.
     
  8. digitard

    I agree on the password. The steps I took were: I disabled root login, removed SSH access from everyone but myself, and made both my general password and my root password a combination of uppercase, lowercase, numbers and special characters from 6 to 12 digits long, and I change it at least every month.
     
  9. galantina

    As I am informed, WHM does not log login attempts and failures and therefore BFD is not able to detect them, meaning that WHM is not protected with BFD. I STRONGLY suggest to cpanel programmers to start logging login attempts somewhere so we could detect brute force and block it. I tried talking to them once, but nothing happened. If we all start complaining maybe something happens now.

    Regards to all of you and cpanel stuff.
     
  10. brentp

    As thelinuxguy.info says, hiding ssh and disabling root login is just making hackers delve deeper into your setup.

    Regards,
    Brent
     
  11. chirpy

    Accesses to WHM, failed or successful, are logged in /usr/local/cpanel/logs/*. However, if you log in through the secure ports (as you should) then the IP address is lost through stunnel (as has been highlighted before) so you cannot block on IP address unless the system were rewritten using SSL through Apache for WHM/cPanel access instead of stunnel.
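
The log-scanning idea and the stunnel caveat raised in the thread, as an added example that is not part of any post and is not cPanel or BFD code. The log line format, the sample entries and the threshold are constructed for illustration; the real files under /usr/local/cpanel/logs/ use their own layout. It counts failures per account inside a time window instead of per IP, because logins relayed by stunnel all appear to come from 127.0.0.1.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in an assumed format (not cPanel's real log layout).
# Logins through the SSL port arrive via stunnel, so they all show 127.0.0.1.
SAMPLE_LOG = """\
[2005-04-21 03:14:01] whm 127.0.0.1 root FAILED
[2005-04-21 03:14:03] whm 127.0.0.1 root FAILED
[2005-04-21 03:14:05] whm 127.0.0.1 root FAILED
[2005-04-21 03:14:08] whm 127.0.0.1 root FAILED
[2005-04-21 03:14:09] whm 127.0.0.1 root FAILED
[2005-04-21 09:30:00] whm 127.0.0.1 root OK
[2005-04-21 11:02:10] whm 203.0.113.7 reseller1 FAILED
"""

LINE_RE = re.compile(r"\[(?P<ts>[^\]]+)\] whm (?P<ip>\S+) (?P<user>\S+) (?P<result>FAILED|OK)$")

def parse(log_text):
    """Yield (timestamp, ip, user, failed) for each line that matches."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            yield ts, m["ip"], m["user"], m["result"] == "FAILED"

def detect_bursts(events, threshold=5, window=timedelta(seconds=60)):
    """Return (user, first_ts, last_ts, source_ips) per burst of failures."""
    recent = defaultdict(deque)   # user -> deque of (ts, ip) failures
    alerts = []
    for ts, ip, user, failed in events:
        if not failed:
            continue
        q = recent[user]
        q.append((ts, ip))
        while ts - q[0][0] > window:      # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append((user, q[0][0], ts, sorted({i for _, i in q})))
            q.clear()                     # start counting the next burst afresh
    return alerts

def blockable_ips(alerts):
    """IPs worth firewalling; loopback means stunnel hid the real source."""
    return sorted({ip for _, _, _, ips in alerts for ip in ips if not ip.startswith("127.")})

if __name__ == "__main__":
    alerts = detect_bursts(parse(SAMPLE_LOG))
    print(alerts, "blockable:", blockable_ips(alerts))
```

On the sample data the burst against root is detected, but the list of blockable addresses is empty, so the useful response is an alert to the administrator, not a firewall rule.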
     