
What more can you do to harden the login process for WHM root?

Discussion in 'General Discussion' started by HastyHost.com, Mar 5, 2008.

  1. HastyHost.com

    Hi,

    I was wondering what other things you can do to harden the whole login process when logging into your WHM?

    As SSH has many things you can do to stop someone from accessing that directly, such as changing the default port, making private/public keys and so on.

    For WHM, you only have (to my current knowledge) one method, and that's using a strong password, which I believe is OK to an extent, but I think there should be a way or option that makes it more difficult to get access to root WHM.

    I've heard of the firewall idea of only allowing certain IPs in WHM, but if you have resellers on your server, it gets stressful having to keep their IPs in the allow files...

    So I'm just wondering what some of you all would suggest? :confused: :)
     
  2. jayh38

    CSF would provide login-failure detection as well as cphulk for brute force protection, and with a good rule set with mod security, you would be protected well. Sure, it's no secure key, but it works well.
     
  3. HastyHost.com

    So cphulk is automatically installed along with CSF, or do I need to manually install that?
     
  4. Infopro

  5. HastyHost.com

    Yeah, I have CSF already. Just wish there were other methods of hardening the WHM login process.
     
  6. darren.nolan

    What do you mean? Like - how else would you increase security for WHM without impacting usability?
     
  7. HastyHost.com

    I mean, apply another step in order to enter WHM root (one that does not affect reseller WHMs though), or a way that could only enable certain PCs to enter WHM root.

    As I know people/hackers can use programs to keep trying to generate the password (or maybe I'm wrong, I'm completely new to that industry) and even if CSF blocks their IP, a good hacker will use a proxy of some sort is what I hear.

    So I'm just wondering when cPanel will somewhat go the route SSH has with allowing private keys, or just providing the ability to change the default settings that all WHM root have.

    Short and simple, just place more steps to logging into WHM, or set up a way where you can create something that will only allow your system and those you choose to be able to log in to WHM root; again, whatever it is, it should not affect resellers who use WHM on your server.
     
  8. darren.nolan

    If it's root in WHM you're worried about I make this suggestion.

    Generate a random password for root - something containing a lot of symbols, numbers, upper and lower case letters. Maybe 20 characters long. Never log in to WHM as root again.

    Create a new reseller - give it root privileges. Use this account.

    For this reason, when a hacker comes across your WHM they'll ALWAYS go for root. Cause root=god right? hehehe.

    Anyway - by having a stupidly long password there isn't a chance that brute force will succeed in any "reasonable" time frame with CSF blocking failed attempts - even if they start using proxies to bypass the IP challenge.

    A hacker isn't going to know the username - Which now plays the role of root in WHM.

    Problem solved?
     
  9. HastyHost.com

    Well, it's not really solved, but just another way to go about it, which I appreciate you trying to do :)

    However, I already use a "crazy" password like that for root :D, just merely copy and paste every time I want to enter WHM.

    But I can see what you mean that it will take hackers a large amount of time or luck to try to break a password that strong.

    But still, I would suggest cPanel at least look into this idea, as there's no such thing as too secure these days.
     
  10. HastyHost.com

    Do you know if there would be a way to limit WHM power, like, is there a way to turn off "Terminating" accounts in SSH where you could not do this in WHM, but would rather have to login to SSH to do it if you ever needed to?

    I had a previous experience regarding someone terminating accounts, that's why I'm asking.
     
  11. darren.nolan

    Root will always have access to those sorts of things.

    However - if you create a new reseller you can determine what privileges they have (eg. DNS, Terminate accounts, oversell, change MX etc. etc.) in the Reseller Center -> Edit Privileges.

    I think security's biggest thing in relation to this is to use large complex passwords that change often. Every 25-29 days our server passwords change and will never have less than 12 characters.

    CSF helps too, as when someone tries (and fails) to log into WHM you can be notified by email. Someone trying to get into root? Firstly disable their IP (if CSF hasn't already done so) - and set the password to something outrageous if only for a short period of time - or change the password early ahead of schedule.

    Crackers (let's not confuse the two terms) look for easy to guess passwords and a lack of firewall management to break into your system. Once they determine that your username and password combo isn't root and something lame like abc123 - they move onto the next system. Heck, most of the time they aren't even doing it themselves, they just download some program off the intarwebs.
     
  12. HastyHost.com

    Haha, nicely put. So what do you suggest a "username" be set to, such as my main website. Should it have numbers and other characters like the password, I mean, not as crazy I'm sure, but just at least have letters/numbers?

    I know by doing this it will change my MySQL databases already on file, so I'll have to re-config the files to be updated, but I do need to do that soon.

    Thanks for all your help so far :)
     
  13. darren.nolan

    I would make the root-reseller account a name that has nothing to do with an actual account name/domain name - making it impossible to guess.

    Something like - sootysweepandsue... Cause those three rock of course (don't use that now that I've posted that suggestion). lol.

    Not sure what you mean about the SQL database? You shouldn't be using the MySQL root password for ANYTHING. There isn't any need.
     
  14. Silver_2000

    Just ask your resellers to get dyndns names for the PCs they will use to connect.
    Then add those names to the dyndns section of CSF and deny root to everything else.
    Easy - no need to update any IPs.

    As far as using a reseller login with root priv, that won't work for any work you need to do with MySQL - there are some sections of WHM you can't access unless you are truly root.

    If CSF is set to block any login for 30 min after 5 bad attempts, that pretty much stops any brute force attack.
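
An added example (not written by any poster in this thread) that puts numbers on two suggestions made above: the 20-character random root password and a lockout of 5 failed attempts per 30 minutes. The function names and the proxy-pool sizes are assumptions, and the lockout is modelled as a simple per-IP rate limit.

```python
import math
import secrets
import string

# Character classes named in the thread: lower, upper, numbers, symbols.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)
ALPHABET = "".join(CLASSES)  # 94 printable ASCII characters


def generate_password(length=20):
    """Random password from the OS CSPRNG with every class represented."""
    if length < len(CLASSES):
        raise ValueError("length too short to cover every character class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        # Rejecting candidates that miss a class costs a negligible amount
        # of entropy at this length.
        if all(any(ch in cls for ch in candidate) for cls in CLASSES):
            return candidate


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Upper bound on entropy for a uniformly random password."""
    return length * math.log2(alphabet_size)


def years_to_guess(length, source_ips, attempts=5, window_minutes=30,
                   alphabet_size=len(ALPHABET)):
    """Expected years to hit the password (half the keyspace) when each
    source IP is limited to `attempts` tries per `window_minutes`.
    Assumption: the attacker rotates through `source_ips` addresses and
    none of them is ever blocked permanently."""
    windows_per_year = 365 * 24 * 60 / window_minutes
    guesses_per_year = source_ips * attempts * windows_per_year
    return (alphabet_size ** length / 2) / guesses_per_year


if __name__ == "__main__":
    print("sample password:", generate_password())
    print("entropy bits   : %.1f" % entropy_bits(20))
    # Constructed scenarios: one address vs. a pool of a million proxies.
    for ips in (1, 1_000_000):
        print("20 random chars, %7d IPs: %.2e years"
              % (ips, years_to_guess(20, ips)))
        print(" 6 chars [a-z0-9], %7d IPs: %.2e years"
              % (ips, years_to_guess(6, ips, alphabet_size=36)))
```

Under this model the lockout alone does not protect a short password once the attempts are spread over many addresses, while the long random password stays out of reach either way.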
     
  15. darren.nolan

    CSF temp block for 5 incorrect - perm for more attempts after that is your best bet. If a legit customer does get blocked they will just call you anyway about it (normally - if you provide this support).

    dyndns to add host names to the CSF firewall to that port is pretty extreme. I log onto WHM/etc. from 3 devices on a regular basis - my PDA on the other hand - I doubt can run one of the dyndns client programs.

    But I do like to log in from other sources once in a while if need be. For example, go out for coffee on a Sunday (like in 15 minutes from now) - and if I get an email to my PDA - I would go borrow my friend's PC to sort the problem if need be - rather than drive home or to the office.
     
  16. Silver_2000

    So you choose to make your server LESS secure and higher maintenance to suit your needs - that's certainly your option.

    You could use your technique of logging in using reseller account for all your coffee shop connections - wow, how insecure can you get - and use your dyndns machines for true root access.
     
  17. darren.nolan

    Silver I think you misunderstood about the "coffee shop". Firstly - I never said anything about going to a coffee shop or using public terminals. That's called security suicide.

    Friends' places for coffee. I steal all their cake and crackers.. muwha.

    Seriously though - when I do use their systems it's only ever to access my reseller account. And no, not a reseller with root privileges.
     
  18. jayh38

    A USB stick is a good option with a utility such as RoboForm. I use Robo at home and on the lappy, or use a USB version, which is great for foreign PC use if needed.

    My connections are 100 to 1 in favor of SSH vs WHM / cPanel for most work. So I use keys on a flash drive along with SecureCRT and run directly from the stick.
     
  19. nabuhonodozor

  20. darren.nolan

    This is for SSH is it not? Confused... :confused:
     