How to prevent brute force attacks on Cpanel Login

baabaa

Registered
Aug 25, 2006
My web hoster is not particularly responsive, and so I'm having to learn more of this than I probably should given my expertise. Any help will be greatly appreciated. I had someone break into my cpanel administrative account over the weekend, set up the forwarder to forward copies of my email to him, and then use this as a method to attempt to steal my domain name. Fortunately I was able to stop this.

I've figured out how he did it, and I want to stop it from happening again. The cpanel login has a 'feature' that does not require a login name, i.e. if I enter just my password I get in. Plus, there is no 'brute force' protection on the password. I had a bad password (6 letters) and the guy was able to brute-force his way to a login, set my forwarder and then go about stealing my domain.

Is there a way to both fix the no login name feature, and prevent further brute force attacks from being successful? I've changed the password to something much more complicated, but I'm worried that's not enough and I'm pretty certain this bugger will be back later.

Any ideas?

Thanks.
 

jayh38

Well-Known Member
Mar 3, 2006
Unfortunately, if you are not on a dedicated server or whm, a lot of options are not available. I highly doubt your provider would disable the ability of password logins of a whm simply because it's convenient.

What he could and should be doing is providing a decent firewall to prevent this from the beginning. I suggest looking for another provider.
 

baabaa

Registered
Aug 25, 2006
cpanel login cont'd

I'm confused. How would a firewall stop this? The crook in this case simply went straight to my cpanel login at www.xxxx.com/cpanel and then ran his script to brute-force the login. I log in through this same mechanism, so how would a firewall prevent this without also preventing me from logging in?

Thanks.
 

mctDarren

Well-Known Member
Jan 6, 2004
New Jersey
cPanel Access Level
Root Administrator
There are some firewalls that work in conjunction with brute force detectors to stop this sort of attack (by banning the IP at the firewall level).

The moderator Chirpy here provides an "all-in-one" solution called ConfigServer Security & Firewall (or CSF). Check out http://www.configserver.com/cp/csf.html for more info.

BFD+APF is another option - see http://rfxnetworks.com for more on this one.

I can say that I've used both and they both work well. In the past few weeks I have started to lean more toward CSF. Chirpy and company are doing fantastic work on it - making it much more than just a firewall. Very nice package.

Good luck! PS - I am sorry that your provider is unresponsive on this. Maybe it's time to look elsewhere?
 

BMCK

Member
May 24, 2006
Forgive me if I'm wrong, but I believe the original poster is talking about Cpanel Logins...
 

procam

Well-Known Member
Nov 24, 2003
BMCK said:
Forgive me if I'm wrong, but I believe the original poster is talking about Cpanel Logins...
You are not listening to what you were told - if a good firewall were in place like CSF firewall he suggested - then the brute force attack would have been halted and the person would have been blocked BEFORE they got access ~
 

Dacsoft

Well-Known Member
Aug 30, 2003
Melbourne, Florida
I would suggest you to check and use APF+BFD, wonderful utils you can a event mail also..
I know this is an old thread, but..

Unless you have custom scripts, I don't believe that APF and BFD protect against brute force against Cpanel. I don't know if CSF does or not. Has anybody got it working?
 

jayh38

Well-Known Member
Mar 3, 2006
CSF has a feature that detects login failure. You can adjust this to any amount
of failed attempts you wish to allow. You can also protect htaccess logins as well
as ftp and webmail and any other service that requires a login.
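
Added example, not part of the original thread and not CSF's or BFD's own code: a minimal sketch of the failed-login threshold logic discussed above, which counts failures per source IP in a sliding window and returns the addresses a firewall rule would then block. The log format, the sample lines and the name `find_offenders` are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in a simplified, hypothetical format:
#   <date> <time> <FAILED|OK> <service> <source-ip>
SAMPLE_LOG = """\
2006-08-26 03:10:01 FAILED cpaneld 203.0.113.7
2006-08-26 03:10:03 FAILED cpaneld 203.0.113.7
2006-08-26 03:10:05 FAILED cpaneld 198.51.100.20
2006-08-26 03:10:06 FAILED cpaneld 203.0.113.7
2006-08-26 03:10:08 FAILED cpaneld 203.0.113.7
2006-08-26 03:10:09 OK cpaneld 198.51.100.20
2006-08-26 03:10:11 FAILED cpaneld 203.0.113.7
2006-08-26 03:10:12 FAILED cpaneld 203.0.113.7
2006-08-26 04:30:00 FAILED ftpd 192.0.2.50
2006-08-26 06:30:00 FAILED ftpd 192.0.2.50
"""

LINE_RE = re.compile(r"^(\S+ \S+) (FAILED|OK) (\S+) (\S+)$")

def find_offenders(log_text, max_failures=5,
                   window=timedelta(minutes=5), allowlist=()):
    """Return {ip: time the threshold was reached} for IPs to block."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    banned = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue              # skip lines that are not login events
        stamp, status, _service, ip = m.groups()
        if status != "FAILED" or ip in allowlist or ip in banned:
            continue
        ts = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        failures = recent[ip]
        failures.append(ts)
        # Forget failures that have aged out of the window, so a user who
        # mistypes occasionally never accumulates enough to be blocked.
        while ts - failures[0] > window:
            failures.popleft()
        if len(failures) >= max_failures:
            banned[ip] = ts
    return banned

if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOG).items():
        print(f"block {ip} (threshold reached {when})")
```

The `allowlist` parameter covers known-good addresses such as an administrator's own IP, so a legitimate user who forgets a password is not locked out at the firewall.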
 

procam

Well-Known Member
Nov 24, 2003
God I love CSF! I know which days I gotta work and which ones I don't. Since implementing CSF it does most of my work too :D

Banning hackers... Banning Hackers, and Watching The Server

Only thing I gotta do now, is unban stupid customers! The ones who lose their damn password and guess 2 hundred times instead of calling support!!

Haha.
OMG I so couldn't agree with you more I had no idea just how many idiot customers I had until CSF !!
 

Justin00

Registered
Nov 5, 2006
God I love CSF! I know which days I gotta work and which ones I don't. Since implementing CSF it does most of my work too :D

Banning hackers... Banning Hackers, and Watching The Server

Only thing I gotta do now, is unban stupid customers! The ones who lose their damn password and guess 2 hundred times instead of calling support!!

Haha.
 

brianoz

Well-Known Member
Mar 13, 2004
Melbourne, Australia
cPanel Access Level
Root Administrator
For the original poster, CSF can be installed in only a few lines of typing - basically a copy-and-paste of a small block of text into the root shell. It can be updated from WHM with a single click and it will save them a LOT of work down the track if they install it. Could even save them from a root exploit!

If they won't install it, I'd recommend changing to someone who DOES run it. A webhoster who runs CSF demonstrates they've been keeping up with the latest in security and is much more likely to help you keep safe. And it's only a matter of a few minutes work to copy an account from one cpanel server to another - including all your email, your web pages, SQL databases, the whole lot (possibly with the exception of mailing lists, which you probably don't use) -- cpanel automates account copying.

You may also want to download a full backup of your account from the backups menu in cpanel, just to cover yourself before moving hosts.
 

vodkajoe

Member
Oct 19, 2006
Cheers, CSF is great, just installed it, it's really really easy and very handy. No excuse for not having this.
 

Fernis

Well-Known Member
Oct 28, 2006
Would it be ok to run this along with APF+BFD or should it be run without?