The Community Forums


WHM default Root login Should be Changed

Discussion in 'General Discussion' started by MasterChief, Mar 4, 2004.

  1. MasterChief

    MasterChief Registered

    Joined:
    Feb 23, 2004
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    1
    All,

    WHM shouldn't have root as default login. We do our best to lockout direct root access to the server but WHM remains an issue. With this configuration, a brute force cracker already knows the username, which makes hacking the server a much easier task, as opposed to having to guess both the username and password.

    Hoping that people @ cPanel will consider this as a security risk.

    Tks,
    MasterChief
     
  2. AbeFroman

    AbeFroman BANNED

    Joined:
    Feb 16, 2002
    Messages:
    654
    Likes Received:
    1
    Trophy Points:
    0
    I second that request.

    Does anyone third it?
     
  3. anand

    anand Well-Known Member

    Joined:
    Nov 11, 2002
    Messages:
    1,435
    Likes Received:
    1
    Trophy Points:
    38
    Location:
    India
    cPanel Access Level:
    DataCenter Provider
    ;) I do
     
  4. tAzMaNiAc

    tAzMaNiAc Well-Known Member

    Joined:
    Feb 16, 2003
    Messages:
    559
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Sachse, TX
    If you do a good hard to crack password, whatya worrying about?
     
  5. anand

    anand Well-Known Member

    Joined:
    Nov 11, 2002
    Messages:
    1,435
    Likes Received:
    1
    Trophy Points:
    38
    Location:
    India
    cPanel Access Level:
    DataCenter Provider
    That's true, yet I have seen several customers, even after repeated reminders, use easy passwords for root logins. This feature could help them at least.
     
  6. jmweb

    jmweb Well-Known Member

    Joined:
    Aug 8, 2003
    Messages:
    77
    Likes Received:
    0
    Trophy Points:
    6
    I agree, root shouldn't be the user, or it should be editable.
     
  7. cPDan

    cPDan cPanel Staff
    Staff Member

    Joined:
    Mar 9, 2004
    Messages:
    711
    Likes Received:
    4
    Trophy Points:
    18
    Just a thought:

    1) Set root's password to a long random string every ten minutes. So you never use root. Or if you do use root set it to a good password and pummel your users if they use dumb passwords.

    (kind of a, you could spend a million dollars on the best security in the world but if someone opens the vault for the robbers it won't matter much)

    2) set up a reseller account to act as root so you never have to login as root

    3) always use SSL
     
  8. PWSowner

    PWSowner Well-Known Member

    Joined:
    Nov 10, 2001
    Messages:
    2,948
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    ON, Canada
    That's right to the point. Nothing wrong with root being called root. Security is up to the users. Could always disable root access, which would require logging in twice to be root.
     
  9. SarcNBit

    SarcNBit Well-Known Member

    Joined:
    Oct 14, 2003
    Messages:
    1,010
    Likes Received:
    3
    Trophy Points:
    38
    I think you are thinking about SSH access. This thread is talking about WHM access.

    Allowing a user defined port for secure WHM access would be nice too. ;)
     
  10. unfiltered

    unfiltered Member

    Joined:
    Mar 16, 2004
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    1
    While I'd like to be able to login as something other than root, doesn't WHM need root permissions to do things like recompile Apache, etc.? Are these connected?

    Also, given that you HAVE to login as root, shouldn't use of SSL be a must when logging into WHM? I'm saying remove the ability to login to WHM via HTTP!
     
  11. dennis

    dennis Well-Known Member

    Joined:
    Apr 22, 2003
    Messages:
    88
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Singapore
    Plesk does not use root as default login; instead it uses admin. And this admin can only perform server administration and other related tasks... more of a scaled-down root access.
     
  12. PWSowner

    PWSowner Well-Known Member

    Joined:
    Nov 10, 2001
    Messages:
    2,948
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    ON, Canada
    Oops. I'm allowed to make 1 mistake. ;)


    I agree. It would be nice to be able to choose our own port.
     
  13. tAzMaNiAc

    tAzMaNiAc Well-Known Member

    Joined:
    Feb 16, 2003
    Messages:
    559
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Sachse, TX
    That can be done if you make yourself a reseller.

    Brenden
     
  14. phoenixdarkdirk

    Joined:
    Feb 23, 2003
    Messages:
    7
    Likes Received:
    0
    Trophy Points:
    1
    I never use root to login to WHM, but there are two problems:

    1. One of the reasons that I don't login as root is that my root password doesn't work to login. I have to change it to something shorter/easier before I can login via HTTP Auth to WHM. (Annoying bug!!)

    2. WHM/Cpanel news doesn't work unless you login as root. I've missed a few important announcements due to this.


    If anyone has any hints on getting around these, I'm sure a lot of people would be interested!!

    Andy
     
  15. dennis

    dennis Well-Known Member

    Joined:
    Apr 22, 2003
    Messages:
    88
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Singapore

    No, that's not what I meant.

    If you have used Plesk before, you will know.

    For users to access WHM, they login as root.

    For users to access the Plesk Server admin (= WHM), they login as admin, not root.
     
  16. Angel78

    Angel78 Well-Known Member

    Joined:
    May 9, 2002
    Messages:
    413
    Likes Received:
    1
    Trophy Points:
    16
    Perhaps Nick could create a 2-level login system which could be enabled in the Tweak Settings:

    If you enable it you will have to create another user with pass, and when you try to login to WHM, you first have to login with "anotheruser" and if that is successful you still have to login as root.

    By making this an option, people that want more security would have to login twice (more secure) and those that don't want more hassle could still use 1-level (root only) login to WHM.

    :)
     
  17. SupermanInNY

    SupermanInNY Well-Known Member

    Joined:
    Jul 19, 2003
    Messages:
    255
    Likes Received:
    0
    Trophy Points:
    16
    Semi-solution:

    Here is what we have done on our server:

    Close ports 2086 and 2087. (hey.. what...??? read on!)
    We have a CGI script called open_sesame (hmm.. what an interesting name) and what it does is,.. opens the ports 2086 and 2087 and initiates a crond that is set with a time interval of 25 minutes. Once the 25 minutes are up, the crond kicks in and closes those ports.
    The open_sesame script is placed in a password protected directory of our choice, with the username and password of our choice.
    While it doesn't provide total security,.. it certainly keeps the brute force hackers out as they can't even get to the Authentication Certificate, let alone the prompt for username and password.
    So the brute force guys have a very narrow window of time.. I'd give them an avg of maybe 2 hours a day of open time to try and brute force.
    It's not the best way to block them,.. but it is certainly much better than the current root access.

    Just my $0.02

    -Alon.
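The open_sesame idea from this post, written out as an added illustration (this is not the poster's script and not cPanel code): a POSIX shell script that opens TCP 2086/2087 and has a once-a-minute cron job close the window again after 25 minutes. It goes one step beyond the post in two places, both assumptions of this example rather than anything the post states: the rules admit only the IP address that called the script, and that address is validated before it is placed in a firewall command, since in the CGI setting it comes from an untrusted REMOTE_ADDR. iptables as the firewall, the state-file layout and the DRY_RUN switch are likewise assumptions.

```shell
#!/bin/sh
# Time-limited opening of the WHM ports, in the spirit of "open_sesame".
# Added example, not cPanel's or the poster's code. Assumptions: iptables
# is the firewall; a state file records which source IP was admitted and
# until when; cron runs "expire" once a minute. Defaults to dry-run.

STATE_FILE="${STATE_FILE:-${TMPDIR:-/tmp}/whm_window.state}"  # /var/run in production
WINDOW_SECONDS=$((25 * 60))   # 25 minutes, as in the post
DRY_RUN="${DRY_RUN:-1}"       # 1 = print iptables commands, 0 = execute them
WHM_PORTS="2086 2087"

# Return 0 only if $1 is a dotted-quad IPv4 address with octets 0..255.
# This is the input check that keeps an attacker-controlled REMOTE_ADDR
# out of the shell command built below.
valid_ipv4() {
    addr=$1
    echo "$addr" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    set -- $(printf '%s' "$addr" | tr '.' ' ')
    for oct in "$@"; do
        [ "$oct" -le 255 ] || return 1
    done
    return 0
}

# build_rule ACTION IP PORT: print the iptables command that inserts (I)
# or deletes (D) a rule admitting IP to PORT.
build_rule() {
    printf 'iptables -%s INPUT -s %s -p tcp --dport %s -j ACCEPT\n' "$1" "$2" "$3"
}

# Run (or, in dry-run mode, just print) one rule command.
run_rule() {
    cmd=$(build_rule "$@")
    if [ "$DRY_RUN" = 1 ]; then echo "$cmd"; else sh -c "$cmd"; fi
}

# open_window IP NOW_EPOCH: admit IP on both ports and record the expiry.
open_window() {
    valid_ipv4 "$1" || { echo "refusing to open the window for '$1'" >&2; return 1; }
    for p in $WHM_PORTS; do run_rule I "$1" "$p"; done
    printf '%s %s\n' "$1" $(( $2 + WINDOW_SECONDS )) >> "$STATE_FILE"
}

# expired_ips NOW_EPOCH: print the IPs whose window has ended.
expired_ips() {
    [ -f "$STATE_FILE" ] || return 0
    awk -v now="$1" '$2 <= now { print $1 }' "$STATE_FILE"
}

# expire NOW_EPOCH: cron entry point; remove rules for expired windows and
# drop them from the state file.
expire() {
    [ -f "$STATE_FILE" ] || return 0
    for ip in $(expired_ips "$1"); do
        for p in $WHM_PORTS; do run_rule D "$ip" "$p"; done
    done
    awk -v now="$1" '$2 > now' "$STATE_FILE" > "$STATE_FILE.tmp"
    mv "$STATE_FILE.tmp" "$STATE_FILE"
}

# Command-line dispatch: "open <ip>" from the CGI wrapper, "expire" from cron.
case "${1:-}" in
    open)   open_window "$2" "$(date +%s)" ;;
    expire) expire "$(date +%s)" ;;
esac
```

Usage: the password-protected CGI would call `DRY_RUN=0 sh open_sesame.sh open "$REMOTE_ADDR"`, and a crontab line such as `* * * * * DRY_RUN=0 sh /path/to/open_sesame.sh expire` closes windows as they lapse. Because the state file holds an absolute expiry time, a missed cron run closes the window on the next minute rather than leaving it open.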
     
  18. twhiting9275

    twhiting9275 Well-Known Member

    Joined:
    Sep 26, 2002
    Messages:
    538
    Likes Received:
    15
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    Security isn't about allowing one user and not allowing another, it's about enforcing strict passwords, keeping up to date with system updates (including cpanel updates) and checking repeatedly to see if someone's actually managed to break in. In short, it's about KNOWING what's going on with your server, not changing the default user.

    Should root not be used? I don't see why not as long as root has a decent password applied to it.. So, you disable root logins, great. The default user needs to be the same on every machine, so you've now got the problem where you just open up another user to be hacked.. Brilliant.

    Instead of disabling root in WHM, why not actually secure the box? Lock it down to where only specific IPs can login, make root rather hard to crack, actually ENFORCE password rules (use something like jtr to check your customers' passwords, and tell them if they're easily guessed. If they don't change them, then disable them until they are changed). Harsh? Yes, but it's a lot less harsh than having your system hacked because some kiddie guessed some user's password was 8675309 :P
     
  19. SupermanInNY

    SupermanInNY Well-Known Member

    Joined:
    Jul 19, 2003
    Messages:
    255
    Likes Received:
    0
    Trophy Points:
    16
    I've just added complexity to the root login.
    Yes.. security must be enforced by means of hard passwords, but given enough resources, a hacker can brute force a password by running multiple servers from various sites all attacking the same site.

    By adding a password protected directory with a username and password as an outside layer, you are now forced to go through two stages of password verification.

    The only difference is, you don't know the username I picked for the password directory. And that is the great advantage of my locking mechanism.

    If by some weird unthinkable way you got through the username and password of the protected directory, then you are still confronted by the hard to break root access.

    This is very much similar to guessing a wheel group username and its password. And even if you are lucky to go that far,.. you still don't have root access... and you need to work the root password.

    I personally sleep better knowing that no one can brute force the root password on my machine, as they don't know the open_sesame directory name, they don't know the username and they don't know the password.
    That plus hard root password.. and you just can't beat that kind of security!

    another $0.02 of me... damn.. up to $0.04.. I'm a big spender :)))

    -Alon.
     
  20. SarcNBit

    SarcNBit Well-Known Member

    Joined:
    Oct 14, 2003
    Messages:
    1,010
    Likes Received:
    3
    Trophy Points:
    38
    How about locking down WHM after X number of invalid logon attempts for X number of minutes. X could be configurable via WHM.

    That should discourage brute force cracking attempts.

    There would need to be a reset flag settable via SSH login. That way if an admin set the numbers to something relatively secure (say 2 attempts before being locked for 60 minutes) they could still do their job despite lack of coffee and caps lock conflicts.
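The lockout policy sketched in this post, as an added example (not a WHM feature and not cPanel code): a POSIX shell implementation that locks a user after a configurable number of failed logins for a configurable number of minutes, and that an admin can clear from an SSH session by dropping a reset flag file. The per-user state files, the flag-file mechanism and the state directory are assumptions of this example; the numbers in the usage note are the post's own (2 attempts, 60 minutes).

```shell
#!/bin/sh
# Login lockout after N failures for M minutes, with an SSH-side reset flag.
# Added example, not WHM code. Assumptions: one small state file per user
# under STATE_DIR (<user>.fail = failure count, <user>.lock = unlock time as
# epoch seconds, <user>.reset = admin reset flag), created by the functions below.

MAX_ATTEMPTS="${MAX_ATTEMPTS:-2}"
LOCK_MINUTES="${LOCK_MINUTES:-60}"
STATE_DIR="${STATE_DIR:-${TMPDIR:-/tmp}/whm_lockout}"   # /var/run in production
mkdir -p "$STATE_DIR"

# Map an untrusted username onto a safe file-name component.
_sanitize() { printf '%s' "$1" | tr -c 'A-Za-z0-9' '_'; }

# If an admin left a reset flag for this user, clear counters and lock,
# then consume the flag so it applies only once.
_apply_reset() {
    u=$(_sanitize "$1")
    if [ -f "$STATE_DIR/$u.reset" ]; then
        rm -f "$STATE_DIR/$u.reset" "$STATE_DIR/$u.fail" "$STATE_DIR/$u.lock"
    fi
}

# is_locked USER NOW_EPOCH: exit 0 if USER is locked at NOW, 1 otherwise.
# An expired lock is removed and the failure count starts fresh.
is_locked() {
    u=$(_sanitize "$1")
    _apply_reset "$1"
    [ -f "$STATE_DIR/$u.lock" ] || return 1
    unlock_at=$(cat "$STATE_DIR/$u.lock")
    if [ "$2" -ge "$unlock_at" ]; then
        rm -f "$STATE_DIR/$u.lock" "$STATE_DIR/$u.fail"
        return 1
    fi
    return 0
}

# record_failure USER NOW_EPOCH: prints "locked" if the user is (or has just
# become) locked, "ok" if the attempt was counted but no lock applies yet.
record_failure() {
    u=$(_sanitize "$1")
    if is_locked "$1" "$2"; then echo locked; return 0; fi
    n=0
    [ -f "$STATE_DIR/$u.fail" ] && n=$(cat "$STATE_DIR/$u.fail")
    n=$((n + 1))
    if [ "$n" -ge "$MAX_ATTEMPTS" ]; then
        echo $(( $2 + LOCK_MINUTES * 60 )) > "$STATE_DIR/$u.lock"
        rm -f "$STATE_DIR/$u.fail"
        echo locked
    else
        echo "$n" > "$STATE_DIR/$u.fail"
        echo ok
    fi
}

# record_success USER: a successful login clears the failure counter.
record_success() { rm -f "$STATE_DIR/$(_sanitize "$1").fail"; }

# admin_reset USER: what the SSH-side "reset flag" does; honoured on next check.
admin_reset() { : > "$STATE_DIR/$(_sanitize "$1").reset"; }

# Command-line dispatch so the login handler and the admin can call it.
case "${1:-}" in
    fail)    record_failure "$2" "$(date +%s)" ;;
    check)   if is_locked "$2" "$(date +%s)"; then echo locked; else echo open; fi ;;
    success) record_success "$2" ;;
    reset)   admin_reset "$2" ;;
esac
```

With the post's numbers, `MAX_ATTEMPTS=2 LOCK_MINUTES=60 sh lockout.sh fail root` twice in a row locks root for an hour, and `sh lockout.sh reset root` over SSH clears it before the next check. Keeping the unlock time as an absolute timestamp rather than a countdown means the policy survives the login process being restarted.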
     