Ability to exempt root from cphulkd's account based lockouts
Completed
With cphulk enabled, login to accounts that are subject to bruteforces like root will be constantly disabled.
We need a kind of whitelist to only block, for certains users, logins based only on source ip and not on username.
I like this idea 
cPanel, WebHost Manager and WHM are registered trademarks of cPanel, L.L.C. for providing its computer software that facilitates the management and configuration of Internet web servers.
The functionality in the below screenshot has been added to v63.9999.89 and later.
We are working on adding the following the upcoming v64 release. This is being tracked as CPANEL-11466
The functionality in the below screenshot has been added to v63.9999.89 and later.
We are working on adding the following the upcoming v64 release. This is being tracked as CPANEL-11466
Your initial feature request entry seems a bit confusing to me and mentions whitelists where it seems you don't really intend to mention whitelists. I've renamed the title of this feature request to be in line with what I *think* you're trying to convey.
In essence, you'd like an exemption list where certain user accounts are exempt from the "account level" brute force lockouts and are only subject to infracting "ip based" brute force lockouts. Specifically, you're looking to do this with the root user.
Are you not concerned with the security implications of essentially disabling a significant portion of cPHulkd's brute force protection for the root user? You would be opening the server up to be vulnerable to a distributed brute force attack. This seems very scary and concerning to me. I'd like to hear others' thoughts on this.
Your initial feature request entry seems a bit confusing to me and mentions whitelists where it seems you don't really intend to mention whitelists. I've renamed the title of this feature request to be in line with what I *think* you're trying to convey.
In essence, you'd like an exemption list where certain user accounts are exempt from the "account level" brute force lockouts and are only subject to infracting "ip based" brute force lockouts. Specifically, you're looking to do this with the root user.
Are you not concerned with the security implications of essentially disabling a significant portion of cPHulkd's brute force protection for the root user? You would be opening the server up to be vulnerable to a distributed brute force attack. This seems very scary and concerning to me. I'd like to hear others' thoughts on this.
Root should never be locked out, period. At the very least, root should be excluded from account lockout by default.
The number one problem for years with cPhulk is locking out legitimate administrators. I see numerous tickets for this on a daily basis, many times people assume they've been hacked and their root PW changed.
With the upcoming changes to block offending IPs on the firewall level, there's no need to be locking legitimate admins (usually with dynamic IPs) out of their own servers.
Root should never be locked out, period. At the very least, root should be excluded from account lockout by default.
The number one problem for years with cPhulk is locking out legitimate administrators. I see numerous tickets for this on a daily basis, many times people assume they've been hacked and their root PW changed.
With the upcoming changes to block offending IPs on the firewall level, there's no need to be locking legitimate admins (usually with dynamic IPs) out of their own servers.
The problem people are running into (and I believe is the sole purpose of this request) is the fact that the root account gets locked out due to distributed brute force attempts against it which causes the legitimate user to be locked out as well.
Those not under a static IP address have no choice but to wait for an opening for the user to become unlocked in order to access WHM. Those in an enterprise environment have issues with supporting this as well as it creates unnecessary noise from their clients because they have no access to WHM and are then blaming the support team for its downfalls.
I second this feature request and it can't come sooner than I want it to...
The problem people are running into (and I believe is the sole purpose of this request) is the fact that the root account gets locked out due to distributed brute force attempts against it which causes the legitimate user to be locked out as well.
Those not under a static IP address have no choice but to wait for an opening for the user to become unlocked in order to access WHM. Those in an enterprise environment have issues with supporting this as well as it creates unnecessary noise from their clients because they have no access to WHM and are then blaming the support team for its downfalls.
I second this feature request and it can't come sooner than I want it to...
The functionality in the below screenshot has been added to v63.9999.89 and later.
We are working on adding the following the upcoming v64 release. This is being tracked as CPANEL-11466
The functionality in the below screenshot has been added to v63.9999.89 and later.
We are working on adding the following the upcoming v64 release. This is being tracked as CPANEL-11466
This is now in a public build of version 64, 64.0.4, which is in the CURRENT tier. Update to version 64 now to take a look!
https://documentation.cpanel.net/display/64Docs/64+Release+Notes#id-64ReleaseNotes-cPHulkrootuserlockoutprotection
This is now in a public build of version 64, 64.0.4, which is in the CURRENT tier. Update to version 64 now to take a look!
https://documentation.cpanel.net/display/64Docs/64+Release+Notes#id-64ReleaseNotes-cPHulkrootuserlockoutprotection
Replies have been locked on this page!