The Community Forums

Interact with an entire community of cPanel & WHM users!

WHM User Login can be anything?

Discussion in 'General Discussion' started by hostingmetro, Dec 31, 2003.

  1. hostingmetro

    hostingmetro Active Member
    PartnerNOC

    Hi,

    I've installed two cPanel boxes but for some reason, the WHM login (http://hostname/whm) can be anything. Usually I enter root and password but I accidentally typed "roo" and it still accepted it. Then I tried just "r" and it was fine too. It accepts any username so long as the root password is correct.
    How do I fix this or disable the root login and change it to another login?
     
  2. GOT

    GOT Get Proactive!

    I had never noticed this before, but my gut reaction is that it is no big deal since anyone knows that root is the logon name anyway.

    As long as your root password is secure, it should not matter.
     
  3. PWSowner

    PWSowner Well-Known Member

    It was mentioned a while back in here. The username for root can be anything, but like GotHosting said, anyone trying to get to your server would know the username if it mattered anyway. That's why it's very important to use a good password, and to change it regularly.
     
  4. al555

    al555 Registered

    Does anyone know how to change the username and password for this login?
     
  5. dgbaker

    dgbaker Well-Known Member
    PartnerNOC

    You cannot change it.
     
  6. PWSowner

    PWSowner Well-Known Member

    To change the password, look for "Change Root Password" under "Server Setup". This should be changed regularly.
     
  7. al555

    al555 Registered

    Oh, I mean changing the username/password for that particular /whm login, something like what .htpasswd does for a password-protected directory. But it looks like the username can be anything, so I guess it won't work. It all depends on the root password.
     
  8. dgbaker

    dgbaker Well-Known Member
    PartnerNOC

    Correct!
     
  9. boatdesign

    boatdesign Well-Known Member

    It seems like it would be a lot better to have two things that need to be guessed by a brute force attacker than only one, wouldn't it?

    I've always disabled root login to ssh and required you to log in as [someusername] with somepassword and then su - to root with a second password.

    Having only one password required for WHM and not even requiring a username seems to defeat this.

    What am I missing?
     
  10. PWSowner

    PWSowner Well-Known Member

    True, but that's why root password should be a good one. What's the difference between 2 8 character codes (name and password) or 1 16 character one? That's why root password should be at least 12 characters and contain more than just letters and numbers. A good password changed monthly is pretty safe.
     
  11. AceWeb

    AceWeb Well-Known Member

    FYI:

    For root WHM, the only username that will not work is "root". Looks like cPanel has fixed it not to allow any other usernames.
     
  12. PWSowner

    PWSowner Well-Known Member

    There is a thread about that somewhere in here, but as said earlier in this thread, it makes no difference because any hacker knows the username anyway. Just another reason why the password has to be a good one.
     
  13. AceWeb

    AceWeb Well-Known Member

    Absolutely! Completely agree with you.

    I just posted in case someone was using a name other than root and wondered why it would no longer work.
     
  14. SupermanInNY

    SupermanInNY Well-Known Member

    I don't know that's a good fix.
    I would prefer to have a different name to log in.
    The name/password combination is better in my opinion.
    Theoretically speaking, you can set a brute force attack on the server from various places/servers trying one password after another since you already know the 'root' username.
    Having a different name would certainly increase the magnitude of security as the name could be anything and then the same permutation of passwords would be kept, but since attackers would not know the username, their attack will be practically impossible.
    Why not offer a NEW fix to YES change the root user to a different name? All other rules still apply.

    Just my 2 cents.

    -Alon.
     
  15. PWSowner

    PWSowner Well-Known Member

    That would be a good security idea. Don't know if it's possible though. To log in to shell as root you have to use root. That's how Linux works. WHM may be able to work around that.
     
  16. SupermanInNY

    SupermanInNY Well-Known Member

    Note two different things:

    1. Log into WHM.
    2. Run as root

    Two separate issues.

    Logging into WHM is a prompt that can be utilized just like in any password protected directory.
    Once you are logged in, then you are already connected as root.

    In that way, you can name yourself whatever you want to log into the WHM, it has NOTHING to do with the WHEEL group.

    It is just a gatekeeper for the WHM, so all name/password combination rules would apply.

    So here is a suggestion:
    Move WHM into a password protected directory, provide a password protected directory prompt and then either continue with the regular root/password prompt, or just allow entry as root.
    I wouldn't mind logging in twice for security purposes.
    I'd rather have dual protection and a slight inconvenience than something easy to enter and relatively simple to brute force.

    -Alon.
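
An added example, not from any poster in this thread and not cPanel code: because the login described above accepts any username with the root password, a failed-login alert keyed on the submitted username undercounts guessing, so the sketch below keys on source address instead. The log format, sample lines, threshold and window are all constructed assumptions, not cPanel's real log layout.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical log layout for illustration: timestamp, result, user, source.
LINE_RE = re.compile(r'^(\S+) whm-login (FAILED|OK) user="([^"]*)" src=(\S+)$')

# Constructed sample: one source guessing under five different usernames.
SAMPLE_LOG = """\
2003-12-31T10:00:01 whm-login FAILED user="root" src=203.0.113.5
2003-12-31T10:00:03 whm-login FAILED user="r" src=203.0.113.5
2003-12-31T10:00:05 whm-login FAILED user="admin" src=203.0.113.5
2003-12-31T10:00:07 whm-login FAILED user="roo" src=203.0.113.5
2003-12-31T10:00:09 whm-login FAILED user="x" src=203.0.113.5
2003-12-31T10:02:00 whm-login FAILED user="root" src=198.51.100.7
2003-12-31T10:02:30 whm-login OK user="root" src=198.51.100.7
this line is malformed and must be skipped
""".splitlines()

def parse(lines):
    """Yield (timestamp, result, user, src) for well-formed lines only."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m[1]), m[2], m[3], m[4]

def failures_by_user(lines):
    """Naive view: count failures per submitted username."""
    counts = defaultdict(int)
    for _, result, user, _ in parse(lines):
        if result == "FAILED":
            counts[user] += 1
    return dict(counts)

def flag_sources(lines, threshold=5, window=timedelta(seconds=60)):
    """Flag sources with >= threshold failures in a sliding window, ignoring username."""
    recent, flagged = defaultdict(deque), set()
    for ts, result, _, src in parse(lines):
        if result != "FAILED":
            continue
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged.add(src)
    return flagged
```

On the sample, no single username reaches five failures, while the per-source view flags 203.0.113.5. A per-source key does not by itself cover guessing spread across many addresses.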
     