Disable WHM Root Login?

[SBS2003]

I searched so I apologize if this is somewhere else ---

Okay,

So those of us with dedicated servers have all been good boys & girls right?

We disabled Telnet -
We disabled SSH1
We disabled Root Login (SSH)
Some of us even disabled standard IP login from SSH and routed it to a different IP.
Even some of us went further and changed the SSH port all together to some obscure port.

Okay, now that we are all paranoid and sit in the dark waiting for "them" to come get us (yes, me included) here is my question -

We did all of this great stuff, however cPanel still allows root login. If someone tried a dictionary attack/brute force attack against cPanel login, they would have a chance at getting our root password.

Does anyone know of a way to block root login for cPanel? (Obviously this could cause issues like what we had with the new license agreement but I believe root login still should "go away" from cPanel also.)

Suggestions? Thoughts?


Can you disable root login (WHM) but allow the regular scripts to run as root as needed?

(Please note that I am not talking about SSH Root login, but logging in as root in WHM)

Thanks!

 

[chirpy]

AFAIK, no. You could certainly restrict IP access to the WHM ports 2086 and 2087 which would go most of the way for you.

 

[digitard]

I had that fear a bit too, but combining APF/BFD and a password comprised of numbers, letters and special symbols I feel that BFD will hopefully catch them before any type of 'chance' would occure. Plus I change my WHM login every month to something completely different that the only copy of is on a piece of paper somewhere in my home.

 

[SBS2003]

Dynamic DNS

AFAIK, no. You could certainly restrict IP access to the WHM ports 2086 and 2087 which would go most of the way for you.

I thought about this, however being only on dynamic DNS at my office that wouldn't work.

But good idea!

 

[Finley Ave]

Strong password is the way to go. Better than bfd, alternate port, disabling root login, etc, by far the strongest defense against a password attack is a good password.

 

[PWSowner]

Strong password is the way to go. Better than bfd, alternate port, disabling root login, etc, by far the strongest defense against a password attack is a good password.

Very true. If passwords are at least 12 characters long and contain a variety of characters, it is quite secure.

Between upper and lower case letters, numbers, and symbols, there are more than 10²¹ possibilities with 12 characters. Make it 16 characters and you have around 10³⁰ possibilities. If a script could do 1 billion checks/second, it would take 89 trillion years to check all 16 character combinations.

 

[chirpy]

Which is why paranoia over root access, while healthy, can go too far. Nearly every root compromise that I have ever come across has been through privilege escalation or stack smashing vulnerable applications from a user account. Since you're logging into the account over SSL your pretty much protected from sniffing, and if you use key authentication to login through SSH, you're doing as much as you really need to (apart from sensible security measures - keeping up to date, not using an EOL OS, etc), IMHO WRT your root password. No harm in using scripts that search the logs for bruteforce attacks, though.

 

[digitard]

I agree on the password. The steps I did was I disabled root login, and removed SSH access from everyone but myself and made both my general password and my root password a combination of uppercase, lowercase, numbers and special characters from 6 to 12 digits long and I change it at least every month.

 

[galantina]

I had that fear a bit too, but combining APF/BFD and a password comprised of numbers, letters and special symbols I feel that BFD will hopefully catch them before any type of 'chance' would occure.

As I am informed WHM does not log login attempts and failures and therefore BFD is not able to detect them, meaning that WHM is not protected with BFD. I STRONGLY suggest to cpanel programmers to start logging login atempts somewhere so we could detect brute force and block it. I tried talking to them once, but nothing happened. If we all start complaining maybe something happens now.

Regards to all of you and cpanel stuff.

 

[brentp]

As thelinuxguy.info says, hiding ssh and disabling root login is just making hackers delve deeper into your setup.

Regards,
Brent

 

[chirpy]

Accesses to WHM, failed or successful, are logged in /usr/local/cpanel/logs/*. However, if you login through the secure ports (as you should) then the IP address is lost through stunnel (as has been highlighted before) so you cannot block on IP address unless the system were rewritten using SSL through apache for WHM/cPanel access instead of stunnel.