Security Advisor - Reserved, Invalid, and Misconfigured Usernames

[cPanelMichael]

Hello Everyone!

Upcoming builds of cPanel & WHM versions 70 and 72 will include an update to Security Advisor. As part of the update, a new assessor will scan the system for existing cPanel account usernames that do not conform to current validation requirements. If the assessor finds a username that does not conform to the validation requirements, you will see one of the messages below as part of the Security Advisor State Change notification, or when scanning your system manually using WHM >> Security Advisor:

The following reserved usernames were found in use by cPanel users
The following cPanel usernames were found to have an email alias to a reserved username
The following cPanel usernames were found to be invalid
The following cPanel usernames were found to be misconfigured

The following document was created to explain what these validation requirements are, and to offer instructions on what to do if you encounter an invalid, reserved, or misconfigured username on your cPanel system:

Reserved, Invalid, and Misconfigured Usernames - cPanel Knowledge Base - cPanel Documentation

You can adjust notification settings for Security Advisor State Change and other alert types using WHM >> Contact Manager.

For anyone interested in the code utilized with the new assessor, feel free to review the change on the Security Advisor GitHub page:

Warn users about invalid, reserved, and misconfigured usernames. · CpanelInc/[email protected]

Let us know if you have any questions.

Thanks!

 

[sparek-3]

Why is this suddenly an issue?

 

[cPanelMichael]

Why is this suddenly an issue?

Hello @sparek-3,

Most notably, we expanded the list of reserved usernames as part of TSR-2017-0006. If a reserved username was created before it was added to the expanded list, it will still exist on the system. Additionally, the new assessor will help if the list of reserved usernames is expanded again in the future.

Thank you.

 

[sparek-3]

Hmm.

How often do you expect the reserved username list to change now, going forward?

Changing usernames is really a horrible idea. Granted, sometimes it may be necessary, but it should never be the first step in resolving an issue. There is too much tied to a username.

I know we have some usernames that probably no longer fit the profile, start with a number, use hyphens. And while I understand that this username syntax can't be used on new accounts, it's nice that they were grandfathered in. It sounds as if these will now have to be changed.

 

[cPanelMichael]

Hello @sparek-3,

There are no active cases to add additional usernames to the reserved list at this time. It's generally something that happens as part of a security audit, a newly discovered security issue, or to address an issue with a cPanel & WHM feature.

Thank you.