As a System Administrator, I would like to be able to provide a modern captcha (or equivalent) hurdle for certain sensitive end-user features; presumably this would be a handy tool for defense, especially on moderately to hyper-dense shared webservers.
In the event that botnets and, to an increasingly lesser degree, humans are finding new ways to attempt to get a twist on certain sensitive areas, and sometimes successfully, perhaps you can consider adding a CAPTCHA (ideally modern Q&A) option to toggle on/off for cPanel end users.
From within preferences :: security, a user could presumably invoke a CAPTCHA wall to shield the most usually hijacked arenas as a secondary or tertiary layer of protection. It might seem far-fetched, of course, but we've all seen pretty wild things happen, or be attempted, in recent years. Primary options to include for this aspect would be:
FileManager
Password | Security
Email Accounts
Databases (creation & phpmyadmin)
DNS editing
Add-on & Subdomains
Possibly more. Of course this likely wouldn't be mandated by default, though I'd imagine that some power users and admins with packed-in webservers might love to have this option as an additional hurdle to activate. Ideally you could enable this from WHM and allow the interior hosted accounts to enable protection per feature. Or, you could proactively activate each safeguard server-wide from WHM for the more heavy-handed approach.
Thanks for your time & consideration.
Hey folks! I just wanted to let you know that, while I understand where the root of this request was 5 years ago, this request is unlikely to be picked up at this point. We recommend, instead, enabling two-factor authentication for cPanel and WHM users, adding your vote to the two-factor authentication request for webmail, and enabling cPHulk to block bots before they can get too far in their attack.
https://features.cpanel.net/topic/webmail-2fa
https://documentation.cpanel.net/display/70Docs/cPHulk+Brute+Force+Protection
After >10 failed login attempts and for specific account/IP only?
Of course a captcha code will help. 10 attempts per IP is too much of a chance to get hacked, since you can fake whatever IP, and this issue will only get worse with IPv6. And we admins are all in for security. It MUST have a captcha code or a login whitelist.
Yes, agreed with a captcha, since it is not those hard ones to solve, which usually is a pain!
Something a little simpler than those:
"write down this entire text of mixed words and letters".
Please cPanel, do consider and implement this.
Any chance we could get it any time soon? When?
Thanks,
For the love of all that is holy! Please, add this feature. My blacklist can wrap around the world 19 times.
Captcha on cPanel is now inevitable. Over 90% of instances of website hacking can be saved, as it is only due to the compromise of the cPanel password through a trojan that a website generally gets hacked.
Anything that challenges the automatic scanners would do great. I am receiving a lot of emails regarding the failed attempts to log in to the system (obviously, WHM). And when the password authentication mode is on, a lot of logs are seen in /var/log/secure and the brute-force database.
The scanners come from various rotating IP addresses across the world, and we do not have enough idea whether to blacklist those IPs. Captchas are urgent on both the WHM and cPanel login screens.
It would be very nice to add Google reCAPTCHA (or a strong captcha) to the cPanel/WHM/Webmail login, and to decide where to enable it and when, after failed/incorrect logins, the IP is banned.
I also have over 2000 failed logins from distributed botnets (2-3 attempts from a single IP).
This is hard to combat; a captcha would at least limit the login attempts to FTP logins.
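Added example, not from the thread or from cPanel: the comments above about rotating source addresses and 2-3 attempts per IP describe a pattern that per-IP thresholds miss. This sketch counts failures per IP and per targeted account over constructed sshd-style `/var/log/secure` lines; the log lines, account names and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches sshd "Failed password" lines as they appear in /var/log/secure.
FAILED = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+"
)

def parse(lines, year=2024):
    """Yield (time, user, ip) per failed login; syslog omits the year, so one is assumed."""
    for line in lines:
        m = FAILED.match(line)
        if m:
            when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield when, m.group(2), m.group(3)

def flag(events, key, threshold, window=timedelta(minutes=10)):
    """Return the IPs or accounts with >= threshold failures inside any window."""
    recent, flagged = defaultdict(list), set()
    for when, user, ip in sorted(events):
        k = ip if key == "ip" else user
        recent[k] = [t for t in recent[k] if when - t <= window] + [when]
        if len(recent[k]) >= threshold:
            flagged.add(k)
    return flagged

def sample_log():
    """Constructed input: 12 documentation-range IPs, 2 failures each, one account."""
    lines = []
    for i in range(12):
        for j in range(2):
            lines.append(
                f"Mar  3 10:0{i % 10}:{10 * j + i:02d} host sshd[{100 + i}]: "
                f"Failed password for alice from 192.0.2.{10 + i} port {4000 + i} ssh2"
            )
    lines.append("Mar  3 10:05:00 host sshd[200]: Failed password for bob "
                 "from 198.51.100.7 port 5000 ssh2")
    return lines

events = list(parse(sample_log()))
by_ip = flag(events, "ip", threshold=10)            # no single IP reaches the limit
by_account = flag(events, "account", threshold=10)  # the targeted account does
```

Counting per account is what surfaces the distributed attempt; a response keyed on it (extra challenge, second factor) does not depend on identifying the source addresses.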
Captcha is never a solution. Most brute force bots have auto captcha solvers nowadays.
Yeah I second some of those other posts - Google's reCAPTCHA would be fantastic, HOWEVER, brute force attacks would POST straight to the URL as opposed to filling out the login page and passing the [re]CAPTCHA, so I think a nonce would also be required (which it may already have?).
-KP
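Added example, not part of KP's post or cPanel's code: one way to make a challenge unskippable is to have the server issue a signed, single-use token only after the challenge is passed, and to reject any login POST that lacks it. All function names, the token format and the 120-second lifetime are assumptions.

```python
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)  # assumption: one process; share the key across servers
TOKEN_TTL = 120                       # seconds a passed challenge stays usable (assumed)
_used = set()                         # spent nonces; a shared store with expiry in practice

def issue_token(challenge_passed, now=None):
    """Called by the login page only after the challenge was verified server-side."""
    if not challenge_passed:
        return None
    nonce = secrets.token_hex(16)
    expires = int(now if now is not None else time.time()) + TOKEN_TTL
    msg = f"{nonce}.{expires}"
    tag = hmac.new(SERVER_KEY, msg.encode(), hashlib.sha256).hexdigest()
    return f"{msg}.{tag}"

def token_ok(token, now=None):
    """Check signature, expiry and single use; any failure rejects the request."""
    try:
        nonce, expires, tag = (token or "").split(".")
        expires = int(expires)
    except ValueError:
        return False
    want = hmac.new(SERVER_KEY, f"{nonce}.{expires}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(want.encode(), tag.encode()):
        return False
    if (now if now is not None else time.time()) > expires or nonce in _used:
        return False
    _used.add(nonce)  # spent even if the password turns out wrong: one guess per challenge
    return True

def handle_login_post(form, check_password, now=None):
    """Hypothetical POST handler: the token is validated before the password is looked at."""
    if not token_ok(form.get("token"), now):
        return "rejected: no valid challenge token"
    ok = check_password(form.get("user"), form.get("password"))
    return "ok" if ok else "bad credentials"
```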
I would like a Question and Answer captcha instead of a graphical captcha. This way I or a client could set a secret answer and would not have to rely on an external source to provide protection. Also this avoids having to set up an account to use a third party's captcha. All graphical captchas will be broken over time. However the Q and A captcha is rarely broken except when people use easily googled questions.
Note: The Root owner of a WHM/cPanel should always be able to see this so they could not get locked out by a client.
In fact cPanel could define the question so a user could not use 2 + 2 = what, or something similar.
WHM and/or cPanel Login Example:
Username:
Password:
Enter Pass Code:
It is very much required. We know of two cases where very likely the bots were able to log into the user's cPanel or webmail, using their compromised passwords, and add forwarders.
This really ups the ante for security.
If cPanel is not able to provide this functionality, its viability as an email server for a serious business client reduces to quite an extent. Our clients may be forced to migrate to Google Apps etc. just for lack of this feature.