The Community Forums

Interact with an entire community of cPanel & WHM users!

New feature in version 11.28: Security Policy

Discussion in 'Security' started by MelanieSeibert, Oct 14, 2010.

  1. MelanieSeibert

    Joined:
    Jul 23, 2008
    Messages:
    10
    Likes Received:
    0
    Trophy Points:
    1
    In the upcoming 11.28 version, cPanel/WHM will include the Security Policy feature.

    This will allow WHM and cPanel account owners to:
    • Set a maximum password age. (Once the password hits that age, it must be reset.)
    • Require users from unrecognized IPs to answer security questions before they can access the server's cPanel, WHM, and webmail interfaces.

    If you have questions or comments about this feature, feel free to enter them here. Thanks!
     
  2. inetbizo

    inetbizo Well-Known Member

    Joined:
    Mar 28, 2008
    Messages:
    72
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    New Smyrna Beach, FL US
    cPanel Access Level:
    Root Administrator
    End user support documentation

    Can you provide a zip file with screen capture images and proposed knowledgebase article?
     
  3. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Joined:
    Oct 2, 2010
    Messages:
    7,623
    Likes Received:
    21
    Trophy Points:
    38
    Location:
    somewhere over the rainbow
    cPanel Access Level:
    Root Administrator
    There is a white paper on the security policy at this location:

    Software Releases - cPanel Inc.

    I'm attaching a screen print of the area in WHM to this message.
     

  4. manokiss

    manokiss Well-Known Member

    Joined:
    Mar 31, 2002
    Messages:
    571
    Likes Received:
    0
    Trophy Points:
    16
    Hi, does this policy apply to WHM login as root too? It would be great to have those features enabled at the end-user level, so it is just an option the end user can enable/disable, but it sounds like enabling it will be applied to everyone, including root WHM, without the option to disable it individually.

    Also, is there any API command to bypass the policy? Most billing programs allow users to reset the cPanel password through them, but most will probably fail if the password strength is weak, and as far as I know there isn't a way to match the password strength of those programs with the one cPanel uses.

    Thanks!
     
  5. cPanelDon

    cPanelDon cPanel Quality Assurance Analyst
    Staff Member

    Joined:
    Nov 5, 2008
    Messages:
    2,557
    Likes Received:
    7
    Trophy Points:
    38
    Location:
    Houston, Texas, U.S.A.
    cPanel Access Level:
    DataCenter Provider
    Yes; the security policy applies to all users, including root. Connecting to the API should not pose any difficulty provided that your third-party applications are configured to authenticate using the Remote Access Key (hash) that is obtained via WebHost Manager.
     
  6. manokiss

    manokiss Well-Known Member

    Joined:
    Mar 31, 2002
    Messages:
    571
    Likes Received:
    0
    Trophy Points:
    16
    Thanks for the reply, but I didn't mean that...

    If this is only a switch to enable server-wide for all users, it's not really good; it would be great to enable the option and then have each user enable/disable it through their cPanel as they like. Forcing all of them to change passwords from time to time is not good; it is a good idea and good practice, but many clients will not like you forcing them.

    About the API... I mean that if the password strength is enabled and the billing system attempts to change the password to something not as strong as the one cPanel wants, it simply errors. Somehow it would be great if the API allowed you to use any password no matter the password strength level you have configured in cPanel, and only forced the user to that strong level if they attempt to change it through cPanel directly.

    Not sure if I was clear.
     
  7. cPanelDon

    cPanelDon cPanel Quality Assurance Analyst
    Staff Member

    Joined:
    Nov 5, 2008
    Messages:
    2,557
    Likes Received:
    7
    Trophy Points:
    38
    Location:
    Houston, Texas, U.S.A.
    cPanel Access Level:
    DataCenter Provider
    If you would like a specific enhancement to the Security Policies implementation I recommend posting a detailed feature request in the following forums section: Feature Requests for cPanel and WHM - cPanel Forums

    For more verbose information, including applicable API implications, please reference the following PDF document entitled Description of the cPanel Security Policy Plugin System.

    Related documentation and navigational menu paths:
     
  8. cPanelKenneth

    cPanelKenneth cPanel Development
    Staff Member

    Joined:
    Apr 7, 2006
    Messages:
    4,458
    Likes Received:
    22
    Trophy Points:
    38
    cPanel Access Level:
    Root Administrator
    You can force a single user to change their password, or multiple users. It's not a single 'force everyone to change their passwords at once' mechanism.

    The minimum password strength feature has been in the product for a couple years now. Established 3rd party applications should already be able to handle interaction with this feature. That of course can only be answered by your application developer. The threshold is enforced at the API level as well.
     
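The point cPanelKenneth makes above, that the strength threshold is enforced at the API level as well as in the UI, is easiest to see when both paths call one function. The following is an added example written for this page, not cPanel's code: a single chokepoint that applies both the minimum strength and the maximum age, with the API and UI passing only a channel label for logging. The scoring function, the thresholds (65 and 90 days), the `channel` parameter and the sample passwords are constructed assumptions; cPanel's own scoring is not described on the page.

```python
"""Added example (not cPanel's code): one password-policy chokepoint shared
by the web UI and the API, so a weak password is rejected on both paths and
an expired one forces a change before normal access.  Scoring, thresholds
and sample passwords are constructed for illustration."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict


@dataclass
class PasswordPolicy:
    min_strength: int = 65   # 0..100; compared against password_strength()
    max_age_days: int = 90   # 0 disables the age check


def password_strength(pw: str) -> int:
    """Stand-in scorer (0..100).  It is NOT cPanel's algorithm; it rewards
    length, character classes and variety and zeroes a short deny-list,
    which is enough to show the threshold behaviour."""
    if pw.lower() in {"password", "123456", "qwerty", "letmein"}:
        return 0
    score = min(len(pw) * 2, 40)
    for present in (
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ):
        if present:
            score += 15
    score += int(10 * len(set(pw)) / max(len(pw), 1))   # variety bonus
    return min(score, 100)


def _hash(pw: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 50_000)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    changed_at: float   # epoch seconds of the last password change


class PasswordStore:
    def __init__(self, policy: PasswordPolicy):
        self.policy = policy
        self.accounts: Dict[str, Account] = {}

    def set_password(self, user: str, new_pw: str, now: float, channel: str) -> int:
        """The single enforcement point.  `channel` ("ui", "api", ...) is
        only recorded for the error message; the verdict does not depend
        on it.  Returns the score; raises ValueError below the threshold."""
        score = password_strength(new_pw)
        if score < self.policy.min_strength:
            raise ValueError(
                f"{channel}: password strength {score} is below "
                f"the required {self.policy.min_strength}")
        salt = os.urandom(16)
        self.accounts[user] = Account(salt, _hash(new_pw, salt), now)
        return score

    def password_expired(self, user: str, now: float) -> bool:
        if self.policy.max_age_days == 0:
            return False
        age = now - self.accounts[user].changed_at
        return age > self.policy.max_age_days * 86400

    def login(self, user: str, pw: str, now: float) -> str:
        """'denied' on a bad credential, 'must_change' when the password is
        right but past its maximum age, 'ok' otherwise."""
        acct = self.accounts.get(user)
        if acct is None or not hmac.compare_digest(_hash(pw, acct.salt), acct.pw_hash):
            return "denied"
        if self.password_expired(user, now):
            return "must_change"   # only the change-password flow may proceed
        return "ok"


if __name__ == "__main__":
    store = PasswordStore(PasswordPolicy())
    t0 = 1_700_000_000.0
    store.set_password("alice", "Tr0ub4dor&3", t0, "ui")
    print(store.login("alice", "Tr0ub4dor&3", t0))                # ok
    print(store.login("alice", "Tr0ub4dor&3", t0 + 91 * 86400))   # must_change
    try:
        store.set_password("alice", "hunter2", t0, "api")          # same rule as the UI
    except ValueError as e:
        print("rejected:", e)
```

A billing system that wants to set a password the UI would refuse gets the same ValueError as the browser; the only way to relax the rule is to change the policy itself, not the calling path. A failed change leaves the previous hash untouched, so a user is never left without a valid credential.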
  9. electric

    electric Well-Known Member

    Joined:
    Nov 5, 2001
    Messages:
    697
    Likes Received:
    1
    Trophy Points:
    18
    What would be considered an "unrecognized" IP address? (i.e., where does the list of recognized IPs get created and managed?)

    If it's a manual list, then no way. With a server of a hundred different customers, it would be impossible to constantly maintain a list of IPs where the customer can login from. :)

    If it's automated... then how does the automation work?

    Thanks.
     
  10. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Joined:
    Oct 2, 2010
    Messages:
    7,623
    Likes Received:
    21
    Trophy Points:
    38
    Location:
    somewhere over the rainbow
    cPanel Access Level:
    Root Administrator
    The first time the user logs into cPanel, it grabs that IP as their default IP and asks them to set a series of security questions. If they log in from a different IP into cPanel in the future, they will then be required to answer those security questions in order to log in. At that point, the new IP is also added to the list for recognized IPs. If they are unable to answer the security questions, they will be unable to log in unless someone resets their security questions and IP login (via root).
     
  11. electric

    electric Well-Known Member

    Joined:
    Nov 5, 2001
    Messages:
    697
    Likes Received:
    1
    Trophy Points:
    18
    That sounds pretty good.

    Hopefully it won't result in too many customers asking for a manual reset.

    Will they be able to select their own security questions?

    I've seen lots of "secure" websites with this kind of setup, but they provide the list of questions, and they are often ones that I would not remember.

    So a good way to do this would be to ask the customer to provide their own questions and answers. (i.e., don't use a drop-down list of "premade" questions. Or if you do, please still let them enter their own "other" questions.)

    Thanks!
     
  12. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Joined:
    Oct 2, 2010
    Messages:
    7,623
    Likes Received:
    21
    Trophy Points:
    38
    Location:
    somewhere over the rainbow
    cPanel Access Level:
    Root Administrator
    You can create your own questions. I've attached a screen print of the cPanel area.
     

  13. BambiB

    BambiB Registered

    Joined:
    Nov 3, 2010
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    1
    This is another nonsense feature.

    Recent research into password strength concludes that frequently changing passwords is a WASTE OF TIME.

    Why doesn't cPanel put effort in making current features usable? Like that butt-ugly "error log" that forces the use of an html window (and doesn't offer the option to write errors to a user error file) --- doesn't even wrap text and has to be refreshed for every update?

    TALK ABOUT USELESS!

    Instead of getting a fix, we get MORE USELESS FEATURES!

    This is another "solution" in search of a problem.

    Why doesn't the cPanel dev team focus their attention on fixing the BUGS that have already been reported, instead of adding new (useless) "features" that nobody needs?
     
    #13 BambiB, Nov 11, 2010
    Last edited by a moderator: Nov 11, 2010
  14. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Joined:
    Oct 2, 2010
    Messages:
    7,623
    Likes Received:
    21
    Trophy Points:
    38
    Location:
    somewhere over the rainbow
    cPanel Access Level:
    Root Administrator
    The security policy doesn't just encourage changing passwords. It also limits logins (when that option is enabled) to only the user's IP, along with needing security questions to be answered if logging in from a different IP. How precisely is it useless to require IP-based logins and security questions to be answered if you log in from a different IP than normal?

    Certainly, if you are dissatisfied with the current features available, you should post feature requests for changes to the existing features. Such feature requests are taken seriously when done in a civil manner.
     
  15. kotakomputer

    kotakomputer Member

    Joined:
    Mar 21, 2010
    Messages:
    24
    Likes Received:
    1
    Trophy Points:
    3
    Location:
    Jakarta, Indonesia
    Dear,

    The 4 security questions confuse my clients! They must create the 4 security questions before they can log in. This security model is unusual. I think it would be better if cPanel provided a common solution, like a captcha.

    Overall, the password strength is a very good implementation. Keep up the good work!

    Regards
     
  16. handsonhosting

    handsonhosting Well-Known Member

    Joined:
    Feb 17, 2002
    Messages:
    151
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Omaha, NE
    cPanel Access Level:
    Root Administrator
    With regards to the IP and the addition of other IPs should the user log in from another location, at what point would purging take place? I'm guessing that it would just append the new IP number to the list of allowed IP numbers, but will there be a way for the user to REMOVE IP numbers from the list? For example, let's say they are no longer working with a particular web designer and then need to remove his access from the site.

    The concern that I have with appending IP numbers to a list is that the list may get excessively long over time. At what point would it purge old IP numbers (say, if they haven't logged in within 3 months, or 6 months, etc.)?
     
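The flow cPanelTristan describes in post 10 (first login records the IP and collects the user's own questions; an unknown IP must answer them and is then added; root can reset a locked-out user) and the list-management questions handsonhosting raises in post 16 (removing an IP, purging idle ones) fit in one small state machine. What follows is an added example written for this page, not cPanel's implementation. The idle-age purge, the per-user `remove_ip`, the four-question minimum (the count kotakomputer mentions), the answer normalisation, the hashing of answers and the RFC 5737 documentation addresses used as sample input are all assumptions made here.

```python
"""Added example (not cPanel's code) of a recognised-IP login gate with a
security-question challenge, plus user-side IP removal and an idle purge.
Storage, purge window and sample addresses are constructed assumptions."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, List, Sequence, Tuple

REQUIRED_QUESTIONS = 4   # the count mentioned in the thread; assumed, not a cPanel constant


def _digest(answer: str, salt: bytes) -> bytes:
    # Normalise case and surrounding whitespace so "Fluffy " matches "fluffy",
    # then hash with a per-question salt; answers are never stored in clear.
    return hashlib.pbkdf2_hmac("sha256", answer.strip().lower().encode(), salt, 50_000)


@dataclass
class Question:
    text: str
    salt: bytes
    digest: bytes


@dataclass
class UserState:
    questions: List[Question] = field(default_factory=list)
    known_ips: Dict[str, float] = field(default_factory=dict)  # ip -> last seen (epoch secs)


class RecognisedIpGate:
    def __init__(self, max_idle_days: int = 90):
        self.max_idle_days = max_idle_days
        self.users: Dict[str, UserState] = {}

    def begin_login(self, user: str, ip: str, now: float) -> str:
        """Call only after the password has already been verified.
        'setup': first login, questions must be created before proceeding.
        'allow': IP already recognised (its last-seen time is refreshed).
        'challenge': unknown IP; answer_challenge() must succeed first."""
        st = self.users.setdefault(user, UserState())
        self.prune(user, now)          # a long-unused IP is treated as unknown
        if not st.questions:
            return "setup"
        if ip in st.known_ips:
            st.known_ips[ip] = now
            return "allow"
        return "challenge"

    def set_questions(self, user: str, ip: str, qa: Sequence[Tuple[str, str]], now: float) -> None:
        """Store the user's own free-text questions and make the IP of this
        first login the default recognised IP."""
        if len(qa) < REQUIRED_QUESTIONS:
            raise ValueError(f"{REQUIRED_QUESTIONS} questions required")
        st = self.users.setdefault(user, UserState())
        st.questions = []
        for text, answer in qa:
            salt = os.urandom(16)
            st.questions.append(Question(text, salt, _digest(answer, salt)))
        st.known_ips[ip] = now

    def answer_challenge(self, user: str, ip: str, answers: Sequence[str], now: float) -> bool:
        st = self.users[user]
        if len(answers) != len(st.questions):
            return False
        ok = True
        for q, a in zip(st.questions, answers):   # check every answer; no early exit on a miss
            ok &= hmac.compare_digest(_digest(a, q.salt), q.digest)
        if ok:
            st.known_ips[ip] = now                 # the new IP is now recognised
        return ok

    def remove_ip(self, user: str, ip: str) -> bool:
        """User-side removal, e.g. a designer who no longer needs access."""
        return self.users[user].known_ips.pop(ip, None) is not None

    def prune(self, user: str, now: float) -> List[str]:
        """Drop IPs not seen within max_idle_days; returns what was removed."""
        st = self.users[user]
        cutoff = now - self.max_idle_days * 86400
        stale = [ip for ip, seen in st.known_ips.items() if seen < cutoff]
        for ip in stale:
            del st.known_ips[ip]
        return stale

    def admin_reset(self, user: str) -> None:
        """Root-side reset of questions and IPs for a locked-out user."""
        self.users[user] = UserState()


if __name__ == "__main__":
    gate = RecognisedIpGate(max_idle_days=90)
    t = 1_700_000_000.0
    home, cafe = "203.0.113.5", "198.51.100.7"        # RFC 5737 documentation addresses
    print(gate.begin_login("bob", home, t))            # setup
    gate.set_questions("bob", home, [("first pet", "Fluffy"), ("first car", "Civic"),
                                     ("street", "Elm"), ("teacher", "Ms Lee")], t)
    print(gate.begin_login("bob", cafe, t + 1))        # challenge
    print(gate.answer_challenge("bob", cafe, ["fluffy", "Civic", "Elm", "ms lee"], t + 2))  # True
    print(gate.begin_login("bob", cafe, t + 3))        # allow
```

Two details matter for a production version: the gate must run only after the password check, so a wrong password never reveals whether an IP is recognised, and the purge runs on the login path itself, so the list cannot grow unboundedly without an administrator doing anything. Whether cPanel stores last-seen times or purges at all is not stated on the page.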
  17. cPanelDon

    cPanelDon cPanel Quality Assurance Analyst
    Staff Member

    Joined:
    Nov 5, 2008
    Messages:
    2,557
    Likes Received:
    7
    Trophy Points:
    38
    Location:
    Houston, Texas, U.S.A.
    cPanel Access Level:
    DataCenter Provider
    Please keep in mind that each security policy is optional and you are not required to toggle all of them at once, but rather you may selectively decide which options to enable and use based on your individual business needs and unique hosting environment.

    Thank you for the feedback. :)
     
  18. cPanelDon

    cPanelDon cPanel Quality Assurance Analyst
    Staff Member

    Joined:
    Nov 5, 2008
    Messages:
    2,557
    Likes Received:
    7
    Trophy Points:
    38
    Location:
    Houston, Texas, U.S.A.
    cPanel Access Level:
    DataCenter Provider
    Please be aware that cPanel & WHM makes no statement or recommendation of how frequently you should or should not change a password nor is it implied that frequent changes are or are not a good idea. I believe that before deciding on security configurations the server administrator should always personally research each available option to weigh the potential benefits and any disadvantages and take sufficient time to consider how each configuration option may help or hinder what he or she is seeking to accomplish.

    Frequently changing a password will not help increase security over weak or already low-strength passwords. By using the security policies in cPanel & WHM 11.28 you can ensure users are forced to choose a secure password, which they may use for any length of time that is allowed by the server administrator.

    For in-depth discussions on security configurations and best practices please refer to the cPanel and WHM Security area of the cPanel Forums.
     
  19. rnawky

    rnawky Member

    Joined:
    Jan 13, 2010
    Messages:
    20
    Likes Received:
    0
    Trophy Points:
    1
    I noticed if you check the box marked "XML-API and JSON-API requests", "Password Age", and "Password Strength" it makes changing your password impossible, and as a result locks everyone out of their account (including root).

    When you try to change your password (as required by cPanel now) the "Password Strength" indicator returns "AJAX Error: Try Again" every time you enter a character into the password field.

    I was able to get back into WHM by logging in via SSH and manually changing the root password.

    Just a heads up!
     
  20. cPanelKenneth

    cPanelKenneth cPanel Development
    Staff Member

    Joined:
    Apr 7, 2006
    Messages:
    4,458
    Likes Received:
    22
    Trophy Points:
    38
    cPanel Access Level:
    Root Administrator
    This will be fixed in the next 11.28 maintenance build.
     