SBS2003

Member
Aug 14, 2004
I searched, so I apologize if this is somewhere else.

Okay,

So those of us with dedicated servers have all been good boys & girls right?

We disabled Telnet -
We disabled SSH1
We disabled Root Login (SSH)
Some of us even disabled standard IP login from SSH and routed it to a different IP.
Some of us even went further and changed the SSH port altogether to some obscure port.

Okay, now that we are all paranoid and sit in the dark waiting for "them" to come get us (yes, me included) here is my question -

We did all of this great stuff, however cPanel still allows root login. If someone tried a dictionary attack/brute force attack against cPanel login, they would have a chance at getting our root password.

Does anyone know of a way to block root login for cPanel? (Obviously this could cause issues like what we had with the new license agreement but I believe root login still should "go away" from cPanel also.)

Suggestions? Thoughts?


Can you disable root login (WHM) but allow the regular scripts to run as root as needed?

(Please note that I am not talking about SSH Root login, but logging in as root in WHM)

Thanks!
 

chirpy

Well-Known Member
Verified Vendor
Jun 15, 2002
Go on, have a guess
AFAIK, no. You could certainly restrict IP access to the WHM ports 2086 and 2087 which would go most of the way for you.
 

digitard

Well-Known Member
Aug 13, 2004
I had that fear a bit too, but combining APF/BFD and a password comprised of numbers, letters and special symbols, I feel that BFD will hopefully catch them before any type of 'chance' would occur. Plus I change my WHM login every month to something completely different, the only copy of which is on a piece of paper somewhere in my home.
 

SBS2003

Member
Aug 14, 2004
Dynamic DNS

chirpy said:
AFAIK, no. You could certainly restrict IP access to the WHM ports 2086 and 2087 which would go most of the way for you.
I thought about this; however, since my office is only on dynamic DNS, that wouldn't work.

But good idea!
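One way to act on chirpy's suggestion while still coping with a dynamic-DNS office address, as an added example that is not code from the thread or from cPanel: a small POSIX sh script that builds iptables rules restricting ports 2086/2087 to a fixed address plus a re-resolved dynamic-DNS name. The hostname, the addresses and the cache path are placeholders; the rules are printed for review rather than applied.

```shell
#!/bin/sh
# Added example, not from the thread: restrict the WHM ports 2086/2087 to a
# fixed admin address plus a dynamic-DNS name that is re-resolved on each run
# (for example from cron). Hostname, addresses and cache path are placeholders.

WHM_PORTS="2086 2087"
CHAIN="WHM_ADMIN"                     # dedicated chain, so it can be flushed and rebuilt
CACHE="${CACHE:-/var/run/whm_admin_ip}"

# Resolve a dynamic-DNS name to its current IPv4 address; prints nothing on failure.
resolve_admin() {
    getent ahostsv4 "$1" 2>/dev/null | awk 'NR==1 {print $1}'
}

# Emit the commands that rebuild the chain for the given allowed sources.
# Printed rather than executed so the result can be reviewed (pipe to sh to apply).
whm_rules() {
    echo "iptables -N $CHAIN 2>/dev/null; iptables -F $CHAIN"
    for a in "$@"; do
        echo "iptables -A $CHAIN -s $a -j ACCEPT"
    done
    echo "iptables -A $CHAIN -j DROP"
    for p in $WHM_PORTS; do
        # Idempotent hook: only insert the jump if it is not already in INPUT.
        echo "iptables -C INPUT -p tcp --dport $p -j $CHAIN 2>/dev/null || iptables -I INPUT -p tcp --dport $p -j $CHAIN"
    done
}

# Return 0 (and update the cache) only when the dynamic address changed,
# so the firewall is rewritten only when needed. An empty (unresolved)
# address returns 1, which keeps the previous rules in place.
admin_ip_changed() {
    ip="$1"
    [ -n "$ip" ] || return 1
    [ -f "$CACHE" ] && [ "$(cat "$CACHE")" = "$ip" ] && return 1
    echo "$ip" > "$CACHE"
    return 0
}

# Cron-style invocation with placeholder names (commented out):
# new=$(resolve_admin home.example-ddns.invalid)
# admin_ip_changed "$new" && whm_rules 203.0.113.10/32 "$new/32" | sh

# Stand-alone run: show the rule set for the fixed office address only.
whm_rules 203.0.113.10/32
```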
 

Finley Ave

Active Member
Feb 28, 2004
San Ramon, CA
A strong password is the way to go. Better than BFD, an alternate port, disabling root login, etc.; by far the strongest defense against a password attack is a good password.
 

PWSowner

Well-Known Member
Nov 10, 2001
ON, Canada
Finley Ave said:
A strong password is the way to go. Better than BFD, an alternate port, disabling root login, etc.; by far the strongest defense against a password attack is a good password.
Very true. If passwords are at least 12 characters long and contain a variety of characters, it is quite secure.

Between upper and lower case letters, numbers, and symbols, there are more than 10^21 possibilities with 12 characters. Make it 16 characters and you have around 10^30 possibilities. If a script could do 1 billion checks/second, it would take 89 trillion years to check all 16-character combinations.
 

chirpy

Well-Known Member
Verified Vendor
Jun 15, 2002
Go on, have a guess
Which is why paranoia over root access, while healthy, can go too far. Nearly every root compromise that I have ever come across has been through privilege escalation or stack smashing vulnerable applications from a user account. Since you're logging into the account over SSL you're pretty much protected from sniffing, and if you use key authentication to log in through SSH, you're doing as much as you really need to (apart from sensible security measures: keeping up to date, not using an EOL OS, etc.), IMHO WRT your root password. No harm in using scripts that search the logs for brute-force attacks, though.
 

digitard

Well-Known Member
Aug 13, 2004
I agree on the password. The steps I took were: I disabled root login, removed SSH access from everyone but myself, and made both my general password and my root password a combination of uppercase, lowercase, numbers and special characters from 6 to 12 digits long, and I change it at least every month.
 

galantina

Member
Sep 2, 2004
I had that fear a bit too, but combining APF/BFD and a password comprised of numbers, letters and special symbols, I feel that BFD will hopefully catch them before any type of 'chance' would occur.
As far as I am informed, WHM does not log login attempts and failures, and therefore BFD is not able to detect them, meaning that WHM is not protected with BFD. I STRONGLY suggest that the cPanel programmers start logging login attempts somewhere so we could detect brute force and block it. I tried talking to them once, but nothing happened. If we all start complaining, maybe something will happen now.

Regards to all of you and cpanel stuff.
 

chirpy

Well-Known Member
Verified Vendor
Jun 15, 2002
Go on, have a guess
Accesses to WHM, failed or successful, are logged in /usr/local/cpanel/logs/*. However, if you log in through the secure ports (as you should) then the IP address is lost through stunnel (as has been highlighted before), so you cannot block on IP address unless the system were rewritten to use SSL through Apache for WHM/cPanel access instead of stunnel.
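An added example (not from the thread or from cPanel) of the detection galantina asks for, written to show the stunnel problem chirpy describes: failures from real client addresses can be counted and blocked per IP, but SSL logins proxied by stunnel all arrive as 127.0.0.1, so blocking on that address would lock out every SSL user and the detector has to fall back to per-account reporting. The log line format, addresses and timestamps below are constructed for the example and do not claim to be cPanel's real log format.

```python
"""Added example, not from the thread: brute-force detection over login-log
lines, showing why per-IP blocking breaks when WHM is reached via stunnel.
The log format below is constructed for the example, not cPanel's own."""
import re
from collections import Counter
from typing import Dict, List, Tuple

LOOPBACK = {"127.0.0.1", "::1"}   # what stunnel-proxied connections look like
THRESHOLD = 3                     # failures before an address is blockable

# Constructed sample: plain-port logins keep the client IP, while SSL logins
# proxied through stunnel all show the loopback address.
SAMPLE_LOG = """\
198.51.100.23 - root [20/Aug/2004:10:01:02 +0000] "POST /login/ HTTP/1.1" 401
198.51.100.23 - root [20/Aug/2004:10:01:03 +0000] "POST /login/ HTTP/1.1" 401
198.51.100.23 - root [20/Aug/2004:10:01:04 +0000] "POST /login/ HTTP/1.1" 401
203.0.113.9 - root [20/Aug/2004:10:02:00 +0000] "POST /login/ HTTP/1.1" 200
127.0.0.1 - root [20/Aug/2004:11:00:01 +0000] "POST /login/ HTTP/1.1" 401
127.0.0.1 - root [20/Aug/2004:11:00:02 +0000] "POST /login/ HTTP/1.1" 401
127.0.0.1 - root [20/Aug/2004:11:00:03 +0000] "POST /login/ HTTP/1.1" 401
"""

LINE_RE = re.compile(r'^(\S+) - (\S+) \[[^\]]+\] "[^"]*" (\d{3})$')

def parse_failures(log: str) -> List[Tuple[str, str]]:
    """Return (ip, user) for every failed login (4xx status) in the log."""
    out = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(3).startswith("4"):
            out.append((m.group(1), m.group(2)))
    return out

def analyse(log: str, threshold: int = THRESHOLD) -> Dict[str, object]:
    """Decide what can be blocked. Non-loopback IPs at or over the threshold
    are blockable. Loopback failures are never turned into an IP block (that
    would cut off all SSL users); they are only reported per account so the
    admin can alert on or lock the account instead."""
    failures = parse_failures(log)
    by_ip = Counter(ip for ip, _ in failures if ip not in LOOPBACK)
    proxied = Counter(user for ip, user in failures if ip in LOOPBACK)
    return {
        "block_ips": sorted(ip for ip, n in by_ip.items() if n >= threshold),
        "proxied_failures": dict(proxied),   # attackable only per account
        "unattributable": sum(proxied.values()),
    }

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```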