Disable WHM Root Login?

AFAIK, no. You could certainly restrict IP access to the WHM ports 2086 and 2087 which would go most of the way for you.

 

I had that fear a bit too, but combining APF/BFD and a password comprised of numbers, letters and special symbols I feel that BFD will hopefully catch them before any type of 'chance' would occure. Plus I change my WHM login every month to something completely different that the only copy of is on a piece of paper somewhere in my home.

 

Strong password is the way to go. Better than bfd, alternate port, disabling root login, etc, by far the strongest defense against a password attack is a good password.

 

Very true. If passwords are at least 12 characters long and contain a variety of characters, it is quite secure.

Between upper and lower case letters, numbers, and symbols, there are more than 10[SUP]21[/SUP] possibilities with 12 characters. Make it 16 characters and you have around 10[SUP]30[/SUP] possibilities. If a script could do 1 billion checks/second, it would take 89 trillion years to check all 16 character combinations.

 

Which is why paranoia over root access, while healthy, can go too far. Nearly every root compromise that I have ever come across has been through privilege escalation or stack smashing vulnerable applications from a user account. Since you're logging into the account over SSL your pretty much protected from sniffing, and if you use key authentication to login through SSH, you're doing as much as you really need to (apart from sensible security measures - keeping up to date, not using an EOL OS, etc), IMHO WRT your root password. No harm in using scripts that search the logs for bruteforce attacks, though.

 

I agree on the password. The steps I did was I disabled root login, and removed SSH access from everyone but myself and made both my general password and my root password a combination of uppercase, lowercase, numbers and special characters from 6 to 12 digits long and I change it at least every month.

 

As I am informed WHM does not log login attempts and failures and therefore BFD is not able to detect them, meaning that WHM is not protected with BFD. I STRONGLY suggest to cpanel programmers to start logging login atempts somewhere so we could detect brute force and block it. I tried talking to them once, but nothing happened. If we all start complaining maybe something happens now.

Regards to all of you and cpanel stuff.

 

As thelinuxguy.info says, hiding ssh and disabling root login is just making hackers delve deeper into your setup.

Regards,
Brent

 

Accesses to WHM, failed or successful, are logged in /usr/local/cpanel/logs/*. However, if you login through the secure ports (as you should) then the IP address is lost through stunnel (as has been highlighted before) so you cannot block on IP address unless the system were rewritten using SSL through apache for WHM/cPanel access instead of stunnel.