cPanel & WHM Version 98 has been released, and brings a slew of great updates. Take a look at what is included, and then upgrade today!

Ability to exempt root from cphulkd's account based lockouts

Giorgio Bonfiglio shared this idea 7 years ago
Completed

With cphulk enabled, login to accounts that are subject to bruteforces like root will be constantly disabled.


We need a kind of whitelist to only block, for certains users, logins based only on source ip and not on username.

Best Answer
photo

The functionality in the below screenshot has been added to v63.9999.89 and later.

75b0c80b823fe43340739db7b131b32d


We are working on adding the following the upcoming v64 release. This is being tracked as CPANEL-11466

Replies (5)

photo
1

Your initial feature request entry seems a bit confusing to me and mentions whitelists where it seems you don't really intend to mention whitelists. I've renamed the title of this feature request to be in line with what I *think* you're trying to convey.


In essence, you'd like an exemption list where certain user accounts are exempt from the "account level" brute force lockouts and are only subject to infracting "ip based" brute force lockouts. Specifically, you're looking to do this with the root user.


Are you not concerned with the security implications of essentially disabling a significant portion of cPHulkd's brute force protection for the root user? You would be opening the server up to be vulnerable to a distributed brute force attack. This seems very scary and concerning to me. I'd like to hear others' thoughts on this.

photo
2

Root should never be locked out, period. At the very least, root should be excluded from account lockout by default.


The number one problem for years with cPhulk is locking out legitimate administrators. I see numerous tickets for this on a daily basis, many times people assume they've been hacked and their root PW changed.


With the upcoming changes to block offending IPs on the firewall level, there's no need to be locking legitimate admins (usually with dynamic IPs) out of their own servers.

photo
3

The problem people are running into (and I believe is the sole purpose of this request) is the fact that the root account gets locked out due to distributed brute force attempts against it which causes the legitimate user to be locked out as well.


Those not under a static IP address have no choice but to wait for an opening for the user to become unlocked in order to access WHM. Those in an enterprise environment have issues with supporting this as well as it creates unnecessary noise from their clients because they have no access to WHM and are then blaming the support team for its downfalls.


I second this feature request and it can't come sooner than I want it to...

photo
1

The functionality in the below screenshot has been added to v63.9999.89 and later.

75b0c80b823fe43340739db7b131b32d


We are working on adding the following the upcoming v64 release. This is being tracked as CPANEL-11466

photo
1

This is now in a public build of version 64, 64.0.4, which is in the CURRENT tier. Update to version 64 now to take a look!


https://documentation.cpanel.net/display/64Docs/64+Release+Notes#id-64ReleaseNotes-cPHulkrootuserlockoutprotection

Replies have been locked on this page!