Cyberpanel Login Security

Hello

Is Cyberpanel login security low?

There is no login captcha, no brute force protection! no 2fa!

@rezahrad said:

> Hello
>
> Is Cyberpanel login security low?
>
> https://demo.cyberpanel.net/
>
> There is no login captcha, no brute force protection! no 2fa!

That is for the demo only, but a webserver CP login page also doesn’t have any of these security features. I hope this gets addressed soon.

Just like the other panels, custom ports and url suffixes can solve this problem, but the official documentation doesn’t seem to provide this method.

It's not about changing ports. Port scanner apps can find ports very quickly. We must have captcha or limit login attempts like cPanel and DirectAdmin.

Is the Cyberpanel port able to be changed?

CyberPanel port can’t be changed. I agree with you @rezahrad. There should be google captcha and fail2ban

@h1dd3n_sn1p3r Agreed there should be Google Captcha and Fail2ban!

@usmannasir should look at this thread. I was thinking of creating this thread @harvey but @rezahrad did it. Yes, CSF is there already. I am just not sure if it is doing this job.

@h1dd3n_sn1p3r I like fail2ban because they also have a WordPress plugin to integrate it.

CSF+LFD with modsec setup does everything and more than fail2ban and way better. CSF+LFD for cyberpanel if installed should also already be integrated and monitoring the modsec and error logs and blocking stuff.

Once the Cyberpanel login page has logging enabled we can easily tie it into the CSF+LFD log monitoring just like the cPanel CSF+LFD integration has.

I suggested we add some logging here for the admin panel.

Once something like that is set up, it would make it super easy to add this log file and its formatting to the CSF log scanner/monitor.

Right now when you fail a login it looks like this, which is not very indicative that there was a failed login.

Intentionally failed login to Cyberpanel and then anonymized IPs and hostname

Shown on login page when failing login:
Could Not Login, Error message: Administrator matching query does not exist.

Entry in the log:
[root@cloud:~]# tail -f /usr/local/lscp/cyberpanel/logs/access.log | grep -i login
75.215.75.165 - - [25/Apr/2020:00:57:23 +0000] "POST /verifyLogin HTTP/1.1" 200 96 "https://server.somedomain.com:8090/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.163 Safari/537.36"

I’m installing CSF+LFD and that’s not blocking my IP at the incorrect password inputs!!!

It does this for the stuff it's configured for @rezahrad.

Without any context of what you mean it's hard to know if it's supposed to do this or not.

As I mentioned above, the Cyberpanel :8090 page is NOT set up to block failed logins, as the required logging is missing. This will need to be added before we can then set up CSF to block failed attempts at it.

If you're not using cheesy passwords it should not really be a concern. If you're paranoid about this, set up CSF to hide port 8090 from everyone except your static IP or your VPN IP and this will easily mitigate that "problem".

Here is a Gameplan for how this can be accomplished.

Step 1: Add logging for all login pages that require authentication.

-Webmail Login
https://hackerdise.com:8090/rainloop/index.php

Example:

/usr/local/CyberCP/logs/login_log
192.168.0.20 - Username [07/10/2013:18:43:00 -0000] "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN lscpd: Username password hash is missing from system (Username probably does not exist)
192.168.0.21 - Username [07/10/2013:18:43:14 -0000] "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN lscpd: Username password hash is missing from system (Username probably does not exist)
192.168.0.22 - Username [07/15/2013:16:21:50 -0000] "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN lscpd: Username password incorrect

Step 2 (Optional, but going to be needed for auditing on reseller multi-user setups): Set up activity logging for all user actions taken. For example: user activity logs of things done in Cyberpanel, adding/deleting email and FTP accounts, etc.
/usr/local/CyberCP/logs/client_activity_log
192.168.0.20 - example [10/08/2016:13:37:32 -0000] "GET //index.html HTTP/1.1" 200 0 "" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0" "s" "-" 2083

Resources for Rainloop:
Rainloop webmail authentication/error logs
/usr/local/CyberCP/logs/rainloop

Rainloop Config
/usr/local/lscp/cyberpanel/rainloop/data/data/default/configs/application.ini
[logs]
; Enable logging
enable = Off

Step 3: Setup CSF+LFD to monitor the login log files and block these bad attempts

Setting up custom bruteforce protection. References

https://wiki.centos-webpanel.com/csf-lfd-brute-force-protection

https://forum.configserver.com/viewtopic.php?f=6&t=7517
https://download.configserver.com/csf/readme.txt

I personally do not have the time to code all this stuff, but if anyone who has the skills wants to help or take parts, they can. The code is public.

Step one is going to be harder, as it's going to require the core to start logging these to a file we can work with for step 3 on our own, regex-wise.

@usmannasir @qtwrk
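As an added example (not CyberPanel's or CSF's code), here is the kind of scanner step 3 would need once step 1 exists: it parses the per-attempt log format proposed above (IP - USER [timestamp] "request" FAILED LOGIN lscpd: reason), counts failures per source IP in a sliding window the way LFD's LF_* triggers do, and reports which accounts were probed. Assumptions: the timestamp layout is MM/DD/YYYY as in the sample lines, a "LOGIN OK" status is assumed for successful logins, and every login_log line below is constructed; the access.log line is the one from the thread, with the user agent shortened.

```python
"""LFD-style failed-login counter over the login_log format proposed in the
thread. Added example; the log format, the LOGIN OK status and all sample
lines are assumptions/constructed, not CyberPanel's real output."""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# IP - USER [MM/DD/YYYY:HH:MM:SS -0000] "REQUEST" FAILED LOGIN lscpd: REASON
LINE_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>FAILED LOGIN|LOGIN OK)(?: lscpd: (?P<reason>.*))?$'
)

# Constructed sample: one attacker hammering "admin", one IP probing "root"
# slowly, one legitimate login.
LOGIN_LOG = """\
203.0.113.5 - admin [04/25/2020:00:57:01 -0000] "POST /verifyLogin HTTP/1.1" FAILED LOGIN lscpd: Username password incorrect
203.0.113.5 - admin [04/25/2020:00:57:05 -0000] "POST /verifyLogin HTTP/1.1" FAILED LOGIN lscpd: Username password incorrect
198.51.100.9 - root [04/25/2020:00:57:09 -0000] "POST /verifyLogin HTTP/1.1" FAILED LOGIN lscpd: Username password hash is missing from system (Username probably does not exist)
203.0.113.5 - admin [04/25/2020:00:57:12 -0000] "POST /verifyLogin HTTP/1.1" FAILED LOGIN lscpd: Username password incorrect
203.0.113.5 - administrator [04/25/2020:00:57:20 -0000] "POST /verifyLogin HTTP/1.1" FAILED LOGIN lscpd: Username password hash is missing from system (Username probably does not exist)
192.0.2.1 - usman [04/25/2020:00:58:00 -0000] "POST /verifyLogin HTTP/1.1" LOGIN OK
203.0.113.5 - admin [04/25/2020:00:58:31 -0000] "POST /verifyLogin HTTP/1.1" FAILED LOGIN lscpd: Username password incorrect
203.0.113.5 - admin [04/25/2020:00:58:40 -0000] "POST /verifyLogin HTTP/1.1" FAILED LOGIN lscpd: Username password incorrect
198.51.100.9 - root [04/25/2020:01:10:00 -0000] "POST /verifyLogin HTTP/1.1" FAILED LOGIN lscpd: Username password hash is missing from system (Username probably does not exist)
"""

# What the panel writes today (line from the thread, user agent shortened):
# a 200 for /verifyLogin whether or not the password was right, so nothing
# in it marks a failure and the regex above correctly rejects it.
ACCESS_LOG_LINE = ('75.215.75.165 - - [25/Apr/2020:00:57:23 +0000] '
                   '"POST /verifyLogin HTTP/1.1" 200 96 '
                   '"https://server.somedomain.com:8090/" "Mozilla/5.0"')


def parse_line(line):
    """Return an event dict for a login_log line, or None if it is not in that format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%m/%d/%Y:%H:%M:%S %z")
    ev["failed"] = ev["status"] == "FAILED LOGIN"
    return ev


def find_attackers(lines, threshold=5, window=timedelta(seconds=300)):
    """Sliding-window count of failures per source IP (think LF_TRIGGER/LF_INTERVAL).
    Returns {ip: timestamp of the failure that crossed the threshold}."""
    recent = defaultdict(deque)
    blocked = {}
    for ev in filter(None, map(parse_line, lines)):
        ip = ev["ip"]
        if not ev["failed"] or ip in blocked:
            continue
        q = recent[ip]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:   # forget failures older than the window
            q.popleft()
        if len(q) >= threshold:
            blocked[ip] = ev["ts"]
    return blocked


def probed_users(lines):
    """Which account names the failed attempts were aimed at."""
    return Counter(ev["user"] for ev in filter(None, map(parse_line, lines)) if ev["failed"])


if __name__ == "__main__":
    lines = LOGIN_LOG.splitlines()
    print("block candidates:", {ip: ts.isoformat() for ip, ts in find_attackers(lines).items()})
    print("usernames tried:", dict(probed_users(lines)))
    print("access.log line usable as a login event:", parse_line(ACCESS_LOG_LINE) is not None)
```

With the defaults only 203.0.113.5 crosses five failures inside 300 seconds; 198.51.100.9 fails twice but thirteen minutes apart, so it is only caught if you widen the window, which is the same trade-off you make when tuning LF_INTERVAL in CSF. The real CSF integration would be a regex in /usr/local/csf/bin/regex.custom.pm over the same file, but that cannot be written until the panel actually emits these lines.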

Agreed that this is a hugely required feature and it would no doubt help us sleep better if it's being used for anything more than a basic project.
Granted, if using DigitalOcean etc. then the port can be blocked by the firewall so no one could even get near the admin port in the first place, but not all hosts have firewalls, sadly, Hetzner as a prime example.

@l0gical
First, go to the CSF allow list and add your IP; I recommend a second one too, just as backup access.
Then, in the CSF settings, remove port 8090 from the open ports.
Only your IP will then bypass the firewall and connect to the server.

It works on any VPS; Hetzner provides only some DDoS protection, you must use your own firewall, and it's better like that if you know what to do.
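The procedure above, as an added example that is not CSF's own tooling and not part of the original post: a dry run that removes the panel port from TCP_IN and adds per-port allow entries for the admin IPs, working on constructed copies of csf.conf and csf.allow in a temp directory. On a real server the files are /etc/csf/csf.conf and /etc/csf/csf.allow and you finish with `csf -r`; the admin IPs and the TCP_IN list below are made up. The allow entries use the `tcp|in|d=PORT|s=IP` form from the csf readme rather than a bare IP, which is an assumption about how narrow you want the exception (a bare IP, as the post suggests, bypasses every rule, not just the 8090 block).

```sh
#!/bin/sh
# Added example: hide CyberPanel's :8090 behind the CSF allow list.
# Dry run against constructed files; see the lead-in for the real paths.
set -eu

# remove_port LIST PORT  -> comma-separated LIST without PORT (unchanged if absent)
remove_port() {
    printf '%s\n' "$1" | tr ',' '\n' | grep -vx -- "$2" | paste -s -d, -
}

# restrict_panel_port CONF ALLOW PORT IP [IP...]
#   1. drop PORT from TCP_IN so the firewall no longer opens it to the world
#   2. add one csf.allow line per admin IP, scoped to that port only
restrict_panel_port() {
    conf=$1; allow=$2; port=$3; shift 3
    cur=$(sed -n 's/^TCP_IN = "\(.*\)"$/\1/p' "$conf")
    new=$(remove_port "$cur" "$port")
    sed "s/^TCP_IN = \".*\"$/TCP_IN = \"$new\"/" "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
    for ip in "$@"; do
        # idempotent: skip IPs that already have an entry for this port
        grep -qF "d=$port|s=$ip" "$allow" 2>/dev/null || \
            printf 'tcp|in|d=%s|s=%s # CyberPanel admin access\n' "$port" "$ip" >> "$allow"
    done
}

# Demo on constructed files: a typical TCP_IN with 8090 added, two admin IPs
# (a static office address plus a backup, as the post recommends).
demo_dir=$(mktemp -d)
printf 'TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,8090"\n' > "$demo_dir/csf.conf"
: > "$demo_dir/csf.allow"
restrict_panel_port "$demo_dir/csf.conf" "$demo_dir/csf.allow" 8090 203.0.113.10 198.51.100.7
cat "$demo_dir/csf.conf" "$demo_dir/csf.allow"
rm -rf "$demo_dir"
```

Keep the second IP: once 8090 is out of TCP_IN, losing your only allowed address means reaching the panel through SSH port forwarding or the provider console until you add yourself back.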

@chiarue
Thanks, and that is a good solution, yes; DigitalOcean would be far easier for users.
Firewall-wise, I have been playing with pfSense and also IPFire.
Regarding the login limit on the Admin panel, I seem to recall (and will check later) that the CSF in CyberPanel allows scanning for 401/403 errors. If CyberPanel could divert the user to one of the above error pages instead of the "password didn't match" message, then 3 attempts and a ban would need very few code edits to CyberPanel (also to the best of my knowledge). I looked through a few bits of it on GitHub earlier to see what part deals with user auth etc. on the Admin side.

Have checked, and yes, CSF will track 401 & 403 forbidden errors, so it could be quite easy to change failed logins to the 403 error page and set LF_APACHE_403 to a sensible value, obviously paying consideration to not blocking search bots.

Please help, my https://www.mahadbt.co.in:8090 Cyberpanel won't open. What should I do, how do I recover the login window of Cyberpanel?

Use your server IP:8090. If that won't work, whitelist your IP with CSF; look at this tutorial to do it with SSH.

Agreed that CAPTCHA or limiting login attempts would be the best options, but here is what I've done and it's working just fine.

  1. Usually there are the admin user and my user (also admin)
  2. User > Modify users > Select Admin > Activate 2FA > don't copy the code
  3. User > Modify users > Select My User > Activate 2FA > Google Authenticator

So the admin user is disabled and mine only has login with 2FA.
