
cPHulk Brute Force Detection Account Exclude Option

cPanelTristan shared this idea 10 years ago
Open Discussion

cPHulk Brute Force Detection currently is set (when enabled) to block by IP and account, but only IP whitelisting is allowed to exclude certain IPs from block.


The purpose of this feature request is to ask for addition of an Account Exclude area so that one or more accounts could be bypassed for the account-based block. This would mean that an IP could still be blocked for trying to brute force the account, but the account itself would not be locked out when it has been excluded from being blocked.


Additionally, it would be helpful within the area to possibly allow a toggle to "Disable Account Blocks" so that account blocks cannot occur at all, which would mean only IP-based brute force blocks could then occur.

Replies (4)

4

I would also like to see "root" added to this exclusion list by default. Currently it is far too easy to launch a denial of service against the root account due to the account lock-out feature. Just to be clear, the IP-level blocks should still be in place for every account on this exclusion list, the only way the IP-level blocks should be bypassed is if those IPs are in the IP whitelist.


In lieu of this, "Maximum Failures By Account" could be bumped from 15 to 40 (or more), which makes it much more likely that multiple attackers will be blocked by IP before the entire account is locked out.

2

That's a great point as the main reason for the feature request is due to root account being blocked.


New users may not understand how cPHulk Brute Force Protection functions initially, and it is enabled by default during the WHM Initial Setup Wizard. This means that, if root is already being brute-forced, the root user will be blocked relatively soon after completing the wizard.


System administrators unaware of this being the case may not have whitelisted their IPs immediately after completing the wizard to avoid this from happening. As such, having root added to the exclude list by default would ensure the scenario does not occur. Users can then decide to remove root account exclude and whitelist their IPs at a later point if they would like to do so.

1

I completely agree with this feature request. I too experienced the root account lockout shortly after launching my personal cP server as my host gave me recycled IPs. As soon as they went live, the brute-force bots started attacking. I couldn't log in as root for about 3 hours before the lockout expired and I was able to whitelist the IPs I normally come from. Having the ability to specify accounts to be excluded from cPHulk would be a great addition.


If not per-account, then it would also be beneficial to have the root account excluded upon initial setup, and then during the Basic WHM setup phase, be prompted for common IPs for root (or even automatically exclude/whitelist the IP that is being used during the initial setup), then enable the protection for the root account when the settings are saved.

1

I agree; however, the best security measure for someone with a fixed IP would be to not exclude root but to add their IP. If root is added by default, maybe the security center could suggest removing root from this list once the admin's IP has been added.


The reason for this is brute forces from a whole botnet. Blocking IPs isn't necessarily the solution when fighting against 10,000 IPs; blocking root logins for non-whitelisted IPs still makes sense.


If two-factor auth is implemented and enabled for the root account, then this would be much less of an issue, but the success of 2FA will depend on how complete cPanel's implementation will be.
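To make the trade-off in this thread concrete, here is an added Python model of the two counters being discussed (it is not cPanel's code and simplifies how cPHulk actually works). The per-account threshold of 15 comes from the thread; the per-IP threshold of 5, the `HulkPolicy`/`HulkSimulator` names and the bot addresses are assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass, field

@dataclass
class HulkPolicy:
    """Simplified model of the settings the thread discusses (assumed, not cPanel's code)."""
    max_failures_per_ip: int = 5        # assumed value; the thread does not state cPHulk's per-IP default
    max_failures_by_account: int = 15   # the thread gives 15 as the current default
    ip_whitelist: set = field(default_factory=set)
    excluded_accounts: set = field(default_factory=set)   # the requested "Account Exclude" list
    disable_account_blocks: bool = False                  # the requested toggle

class HulkSimulator:
    """Counts failures per source IP and per account and applies both block types."""
    def __init__(self, policy):
        self.policy = policy
        self.ip_failures = defaultdict(int)
        self.account_failures = defaultdict(int)
        self.blocked_ips, self.locked_accounts = set(), set()

    def attempt(self, ip, account, success):
        """Process one login attempt and return the verdict."""
        p = self.policy
        if ip in p.ip_whitelist:              # whitelisted sources bypass both block types
            return "ok" if success else "failed"
        if ip in self.blocked_ips:
            return "ip-blocked"
        locked = account in self.locked_accounts
        if success and not locked:
            return "ok"
        self.ip_failures[ip] += 1             # every rejected attempt counts against the source IP
        if self.ip_failures[ip] >= p.max_failures_per_ip:
            self.blocked_ips.add(ip)
        if not locked and not p.disable_account_blocks and account not in p.excluded_accounts:
            self.account_failures[account] += 1
            if self.account_failures[account] >= p.max_failures_by_account:
                self.locked_accounts.add(account)
        return "account-locked" if locked else "failed"

def botnet_then_admin(policy, n_ips, per_ip, admin_ip="198.51.100.7"):
    """Constructed scenario: n_ips bot addresses each send per_ip failed root logins,
    then the admin logs in with the right password from admin_ip.
    Returns (admin verdict, number of IPs blocked, whether root is locked)."""
    sim = HulkSimulator(policy)
    for i in range(n_ips):
        for _ in range(per_ip):
            sim.attempt(f"10.0.{i // 256}.{i % 256}", "root", False)   # constructed bot addresses
    verdict = sim.attempt(admin_ip, "root", True)
    return verdict, len(sim.blocked_ips), "root" in sim.locked_accounts
```

Seven noisy bots (5 failures each) lock root at the default of 15 but not at 40, where all seven are blocked by IP first; a 10,000-address botnet sending one failure each locks root at either threshold, and only the account exclusion or a whitelisted admin IP keeps root reachable.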
