
Ability to disable main FTP account when using 2FA

kabatak shared this idea 2 years ago
Open Discussion

As a cPanel user and sysadmin, I would like the main FTP account (that comes enabled by default with every newly created cPanel account) to have the ability to be disabled on a per-user basis.

This is because when you enable the 2FA feature on a cPanel account, only the cPanel UI (i.e., /cpanel) gets protected by 2FA. The FTP account (which uses the same credentials as the cPanel account) is not protected by 2FA.

E.g., an attacker (that knows the cPanel credentials) can bypass 2FA by simply using FTP. Once logged in to FTP, they have full access to all files inside the /home/user/ directory.

Having the ability to disable the main FTP account solves this issue.

Replies (2)


This is a great fix for shared host accounts that don't support SFTP and SSH.


This should be a no-brainer. We have written a cron that runs many times a day to remove those cPanel user FTP accounts. We have to give our clients access to their cPanel for emails, stats, etc. BUT we don't want to give them FTP access to our code. Having this controllable in the cPanel setup would be much cleaner and more reliable than our approach.
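
Until such a setting exists, FTP logins made with a main cPanel account name can at least be monitored. The following is an added example, not code from the original post, the replies, or cPanel: it scans FTP server log lines and reports logins by main accounts, marking those that have 2FA enabled on the cPanel UI. The Pure-FTPd syslog line format, the sample log lines, and the `cpanel_users` and `twofa_users` sets are assumptions constructed for illustration.

```python
import re

# Assumed Pure-FTPd syslog format for a successful login.
LOGIN_RE = re.compile(
    r"pure-ftpd: \([^@]*@(?P<ip>[^)]+)\) \[INFO\] (?P<user>\S+) is now logged in"
)

# Constructed sample log lines (documentation IP ranges, made-up users).
SAMPLE_LOG = """\
Mar  3 10:01:12 host pure-ftpd: (?@203.0.113.7) [INFO] New connection from 203.0.113.7
Mar  3 10:01:13 host pure-ftpd: (?@203.0.113.7) [INFO] alice is now logged in
Mar  3 10:05:40 host pure-ftpd: (?@198.51.100.9) [INFO] deploy@example.com is now logged in
Mar  3 10:07:02 host pure-ftpd: (?@192.0.2.44) [WARNING] Authentication failed for user [bob]
Mar  3 10:09:55 host pure-ftpd: (?@192.0.2.44) [INFO] bob is now logged in
"""


def main_account_ftp_logins(log_text, cpanel_users, twofa_users):
    """Return (user, ip, has_2fa) for each FTP login using a main cPanel username.

    cpanel_users: set of cPanel account names on the server (supplied by caller).
    twofa_users:  subset of those accounts with 2FA enabled (supplied by caller).
    """
    findings = []
    for line in log_text.splitlines():
        match = LOGIN_RE.search(line)
        if not match:
            continue  # not a successful-login line
        user = match.group("user")
        # Additional FTP accounts log in as user@domain; the main FTP account
        # logs in with the bare cPanel username and the cPanel password.
        if "@" in user or user not in cpanel_users:
            continue
        findings.append((user, match.group("ip"), user in twofa_users))
    return findings


def twofa_protected_logins(findings):
    """Keep only logins where the account has 2FA on the UI but FTP was used."""
    return [(user, ip) for user, ip, has_2fa in findings if has_2fa]


if __name__ == "__main__":
    hits = main_account_ftp_logins(SAMPLE_LOG, {"alice", "bob"}, {"alice"})
    for user, ip in twofa_protected_logins(hits):
        print(f"main FTP login for 2FA-enabled account {user} from {ip}")
```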
