All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
Auto-generated passwords for WHMCS
This thread has turned into something about how to auto-generate root passwords in WHMCS for clients, from @KuJoe:
Can't get this to copy/paste properly. Scroll down.
..... which I find to be a much better solution than what I originally detailed below:
Despite all of us being preached to about good security measures for all of our Internet lives, we're still getting clients signing up with extremely poor root passwords, like 12349876, or q1w2e3r4. So far, all but one of our DDoS issues have been due to clients getting their VPS compromised. Time to put an end to it.
I'd like to write a script to perform the following actions. It'll probably come from an IP with a RDNS name like 'sshauditcheck' or something, so if the process DOES succeed, then the user will understand the 'last login' hostname next time they log in:
-get a list of active IPs from Solus -get a list of root passwords-given-at-signup from WHMCS (WHMCS stores passwords-given-at-signup in plain text. This might be news to some people.) -determine if the root password is weak. probably will use some kind of pre-created functions to calcualte the 'strength' of the password. -iterate through the IP list, doing: --try to connect to port 22. if no connect to port 22, break. if connect to port 22, continue: --determine if password is a valid authentication method. if password is not an accepted auth method, break. if password is a valid authentication method, continue: --give password. if password rejected, break. if password accepted, AND password was calculated to be weak, add the IP to an array, and email the client that their VPS has been audited and failed the check. -compile the array into a report, and email it to me
And then further action can be taken, such as suspending the account until the root password is changed to something more viable.
The point of this is to reduce one way for a VPS to be compromised. There are others of course, but so far, they're not causing an issue.
What's everyone else's thoughts?
Comments
You're going to hack into my VPS? O_O
You're*
We stopped allowing clients to choose their own password when signing up. It has reduced compromises to new VPSes by 100%. We have WHMCS generate a strong random password for VPSes.
Ostensibly, and with your password too, but only if it's a crappy password. If we get to the point of implementing it, it'll be added to the AUP/TOS, and existing customers will need to agree to the process.
It's really just auditing the 'account security' portion of our AUP/TOS.
On topic it seems like a good idea, not sure about suspending the VPS, it might be a idea to just send a email at first.
@kujoe care to share how whmcs does that? (Config or custom coded?)
I just edited the template. When I get back to my PC I'll post the code I am using.
Randomly generated SSH port?
Thanks, it would be much appreciated.
Too difficult to effect, since it wouldn't be persistent across OS reinstalls. But good idea.
@bamn Clients would hate that. Just remember, dancing pigs over security...
Terrible idea. Well intentioned, but terrible. You can't break into people's houses and leave notes telling them to lock the doors. KuJoe's solution is acceptable though, and easy to implement.
client reinstalls OS, changes the root password to something we don't like but he feels comfortable - 12349876, or q1w2e3r4 ..
then?
What happens if the user changes the root password manually? Does whmcs store the updated one, or only the one used during the signup? I tend to use a simple and easy to remember password when signing up, then change it from solusvm.
Isn't it more like giving pre-notice that i'm entering people's apartments because they signed a lease to not destroy the apartment and they're destroying the apartment? Regardless, I like @Kujoe's solution better.
Then I wouldn't be able to check it.
If they change their password, the process is given a 'pass', since I can't check it further. WHMCS and Solus only store the one given on sign-up; neither store the 'current' password.
SolusVM does store the current root password if you change the password in SolusVM (it uses the most current password for OS re-installs). If you change the password inside of the VPS (i.e. passwd) then SolusVM will not know it.
I always had issues with SolusVM when ordering VPSes because my passwords were TOO secure. I'd never be able to login because of the special characters or the length of the password, and sadly it took a couple providers before it was explained to me that the reason I couldn't access the SolusVM panel or SSH into my machine was because of the password.
As for the random password, I replaced this line:
<tr><td>{$LANG.serverrootpw}:</td><td><input type="password" name="rootpw" size="20" value="{$server.rootpw}" /></td></tr>With this line:
<input type="hidden" name="rootpw" size="20" value="{php}$rdmpw = substr(md5(rand().rand()), 0, 10); echo $rdmpw;{/php}" />I forget where I got that code from but it's worked good so far. We've gone from a handful of hacked VPSs a month to 0 since we implemented it (not to mention no more broken SolusVM API which was more common for us than hacked VPSs).
This is the main reason we implemented the random password. If you have special characters it would break SolusVM's API and cause your VPS to be created without an IP assigned to it.
@kujoe where do you implement this? (which tpl file?/0
Then I wouldn't be able to check it.
in the OS templates there should be strong linux password enforcement check built-in , so it'll take care to much extent if user changes root password inside VPS...
You're my hero. Thank you.
Ah.. that explains that.. I guess I never looked into it far enough to discover the correlation...
@KuJoe Nice one KuJoe, very handy.
You should probably do
$rdmpw = substr(base64_encode(md5(rand().rand().time()), 0, 12));which will give a 12 characters mixalpha-numeric string instead of a 10 characters hex string, which is about the same as 12 numeric characters.So thats why my VPS never has its IP assigned!
Good to know.
But which template file do you edit?
configureproduct.tpl ?
configureproduct.tpl ?
Yes, for the orderform you're using.
@Damian
So should I change this
<tr><td class="fieldlabel">{$LANG.serverrootpw}:</td><td><input type="password" name="rootpw" size="20" value="{$server.rootpw}" /></td></tr>to
<input type="hidden" name="rootpw" size="20" value="{php}$rdmpw = substr(md5(rand().rand()), 0, 10); echo $rdmpw;{/php}" />Would it be possible to add some kind of hook into solus that would check against a list of "weak" password and would not allow the change if theres a match?
Same type of addition as KuJoe in whmcs.
No need to 'pen test' the clients.
I bet someone will add iptables to block uour checks aswell.
/templates/orderforms//configureproduct.tpl
Should, but not. You can set your password to anything without restrictions in most OSes. I think CentOS is nice enough to warn you if you're using a dictionary word but still lets you continue.
The idea is to be as easy for the client to remember (in case copy and paste isn't an option) while still being more secure that 123456 or password1. Luckily, we have systems in place on our network that prevents brute force attempts.
Assuming the hacker had physical access to our server, at 1 million checks per second it would still take about 116 years to crack the password. I don't see a reason to make these secure temporary passwords more secure than that.
This would only work if you changed the password in SolusVM, most people I know change the password in the VPS via SSH (more secure since SolusVM saves passwords).