
Captcha Code in WHM and cPanel Login page

ZHostings shared this idea 8 years ago
Open Discussion

I enabled the option "Send notification when brute force user is detected":


After this I am getting 20-35 emails every day which say "Large Number of Failed Login Attempts from IP xxx.xxx.xxx.xxx".


We can determine that some people or hackers always try to log in to WHM, cPanel, webmail, etc. with automated scripts,

so if a Captcha Code is added to the login page, then we can easily stop automated logins by scripts and hackers, and save CPU usage.

Best Answer

Hey folks! I just wanted to let you know that, while I understand where the root of this request was 5 years ago, this request is unlikely to be picked up at this point. We recommend, instead, enabling two-factor authentication for cPanel and WHM users, adding your vote to the two-factor authentication request for webmail, and enabling cPHulk to block bots before they can get too far in their attack.


https://features.cpanel.net/topic/webmail-2fa

https://documentation.cpanel.net/display/70Docs/cPHulk+Brute+Force+Protection

Comments (13)

1

After >10 failed login attempts and for a specific account/IP only?

1

Of course a captcha code will help. 10 attempts per IP is too much of a chance to get hacked, since you can fake whatever IP, and this issue will only get worse with IPv6. And we admins are all in for security. It MUST have a captcha code or a login whitelist.

1

Yes, agreed with a captcha, since it is not those hard ones to solve, which usually is a pain!

Something a little simpler than those:

"write down this entire text of mixed words and letters".

Please cPanel, do consider and implement this.

Any chance we could get it any time soon? When?

Thanks,

1

For the love of all that is holy! Please, add this feature. My blacklist can wrap around the world 19 times.

1

Captcha on cPanel is now inevitable. Over 90% of instances of website hacking can be saved, as it is only due to the compromise of the cPanel password through a trojan that a website generally gets hacked.

1

Anything that challenges the automatic scanners would do great. I am receiving a lot of emails regarding the failed attempts to log in to the system (obviously, WHM). And when password authentication mode is on, a lot of logs are seen in /var/log/secure and the brute force database.


The scanners come from various rotating IP addresses across the world, and we do not have enough idea whether to blacklist those IPs. Captchas are urgent on both the WHM and cPanel login screens.

1

It would be very nice to add Google reCAPTCHA (or a strong captcha) to the cPanel/WHM/Webmail login, and to decide where to enable it and decide after which failed/incorrect login the IP is banned.

2

I also have over 2000 failed logins from distributed botnets (2-3 attempts from a single IP)


This is hard to combat; captcha would at least limit the login attempts to FTP logins.
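The pattern described in this comment, as an added illustration that is not part of the original post and does not describe how cPHulk counts failures: a sliding-window counter keyed on source IP misses a spread-out attack that the same counter keyed on the targeted account catches. The events, addresses, account names, threshold of 10 and one-hour window are constructed assumptions.

```python
from collections import defaultdict, deque

def build_events():
    """Constructed sample data: (unix_time, source_ip, target_account) failed logins."""
    events = []
    # Distributed attack: 40 distinct IPs, 3 attempts each, all against "root".
    for i in range(40):
        ip = f"198.51.100.{i + 1}"
        for j in range(3):
            events.append((i * 20 + j * 5, ip, "root"))
    # Classic single-source attack: one IP, 12 attempts against "alice".
    for j in range(12):
        events.append((j * 10, "203.0.113.7", "alice"))
    return sorted(events)

def flagged(events, key_index, threshold, window):
    """Return the keys that reach `threshold` failures within `window` seconds.

    key_index selects what is counted: 1 = source IP, 2 = target account.
    """
    recent = defaultdict(deque)
    hits = set()
    for event in events:
        ts, key = event[0], event[key_index]
        q = recent[key]
        q.append(ts)
        # Drop failures that have aged out of the sliding window.
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            hits.add(key)
    return hits

def distinct_sources(events, account):
    """Number of different source IPs that failed against one account."""
    return len({ip for _, ip, acct in events if acct == account})

EVENTS = build_events()
PER_IP = flagged(EVENTS, 1, threshold=10, window=3600)
PER_ACCOUNT = flagged(EVENTS, 2, threshold=10, window=3600)

if __name__ == "__main__":
    print("flagged by source IP:", sorted(PER_IP))
    print("flagged by account:  ", sorted(PER_ACCOUNT))
    print("sources hitting root:", distinct_sources(EVENTS, "root"))
```

Counting per account turns a lockout into something an outsider can trigger on purpose, so a per-account hit is better used to raise the bar for that account (a challenge or a second factor) than to block it outright.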

1

Captcha is never a solution. Most brute force bots have auto captcha solvers nowadays.

1

Google's no captcha recaptcha could be the best solution. Easy to integrate and best in class protection.

1

It will mitigate if not solve the problem, there are captchas no bot can break.

2

Yeah I second some of those other posts - Google's reCAPTCHA would be fantastic, HOWEVER, brute force attacks would POST straight to the URL as opposed to filling out the login page and passing the [re]CAPTCHA, so I think a nonce would also be required (which it may already have?).


-KP

1

Yes, and those posts would fail because the captcha is missing.

As all basic captchas work.

1

As all basic captchas *must* work.

2

You could add a timer to slow down the cowboy on the form.

With this and lots of other things, I've managed to have a mail form without captcha and zero spam.

Not much use today, but efficient.

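    // Assumes session_start() was already called on this page.
    // Reject a submission that arrives less than 30 seconds after the previous one.
    if (time() - ($_SESSION['last_submit'] ?? 0) < 30) {
        header('Location: contact.php?e=' . urlencode('Trop de demandes. veuillez patienter au moins 30 secondes'));
        exit;
    }
    $_SESSION['last_submit'] = time(); // remember this submission for the next check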

1

I would like a Question and Answer captcha instead of a graphical captcha. This way I or a client could set a secret answer and would not have to rely on an external source to provide protection. Also, this avoids having to set up an account to use a third party's captcha. All graphical captchas will be broken over time. However, the Q and A captcha is rarely broken except when people use easily googled questions.


Note: The Root owner of a WHM/cPanel should always be able to see this so they could not get locked out by a client.


In fact cPanel could define the question so a user could not use 2 + 2 = what, or something similar.


WHM and/or cPanel Login Example:


Username:

Password:

Enter Pass Code:

1

It is very much required. We know of two cases where very likely the bots were able to log into the user's cPanel or webmail, using their compromised passwords, and add forwarders.

This really ups the ante for security.

If cPanel is not able to provide this functionality, its viability as an email server for a serious business client reduces to quite an extent. Our clients may be forced to migrate to Google apps etc. just for lack of this feature.

1

Hey folks! I just wanted to let you know that, while I understand where the root of this request was 5 years ago, this request is unlikely to be picked up at this point. We recommend, instead, enabling two-factor authentication for cPanel and WHM users, adding your vote to the two-factor authentication request for webmail, and enabling cPHulk to block bots before they can get too far in their attack.


https://features.cpanel.net/topic/webmail-2fa

https://documentation.cpanel.net/display/70Docs/cPHulk+Brute+Force+Protection

1

Thanks for the suggestion but...


2FA really solves it but creates much resistance in the customer base (let's be honest, it's secure, but it's annoying to take out your smartphone every time you need to log in to something).


And today many attacks bypass the brute force detector using large botnets, easily obtained with simple scans for zombie devices around the web. Even the CSF anti-brute-force protection, which can mitigate part of this with its anti-distributed-attack protections, fails against the millions of zombie devices that are used around the world.


A two-factor could be a better protection against these attacks in situations where use of 2FA is not viable.

1

These are two different features. I'm voting for CAPTCHA.


Please hear us out, we don't want 2FA but CAPTCHA. They're two completely different things and you know it.


Thanks
