sonuyos, Posted May 18, 2018

Hello, I have just installed reCAPTCHA on my site, for login, and I want to test bruteforce, if it is still letting pass or not. Here is my site - https://snthostings.com/billing/clientarea.php

Can anyone help me figure out if the captcha is working against bruteforce such as snipr or sentry mba and all that *. Maybe some GET or POST command that should figure out?

WHMCS Alex (WHMCS Technical Analyst II), Posted May 18, 2018

Hello, Thank you for your post! An alternative, in some ways better, approach to mitigating the chance of your clients' accounts being brute forced is to have them enable Two-Factor Authentication. If you have not utilised this yet, I would advise reading the following documentation:

https://www.whmcs.com/two-factor/
https://docs.whmcs.com/Two-Factor_Authentication

Once configured, you can force clients to set this up next time they log in.

sonuyos (Author), Posted May 18, 2018

6 minutes ago, WHMCS Alex said:
> Hello, Thank you for your post! A better, more reliable way to mitigate the chance of your clients' accounts being brute forced is to have them enable Two-Factor Authentication. If you have not utilised this yet, I would advise reading the following documentation:
> https://www.whmcs.com/two-factor/
> https://docs.whmcs.com/Two-Factor_Authentication
> Once configured, you can force clients to set this up next time they log in.

Hello, No, that's not an issue. The issue is that the CPU usage goes high when there is an attack. Hence why I want to implicate reCAPTCHA into my login form. And now I want to test it.

WHMCS Alex (WHMCS Technical Analyst II), Posted May 18, 2018

Hello, Thank you for coming back to me! I see you are using reCAPTCHA v2, so I am assuming you want to ensure that this presents a challenge where it believes a bot has accessed the client login page? An easy way to check this, that I know of, is to use the 'Modify Headers' Chrome plugin and add a user-agent like Googlebot/2.1. I actually did this and tested it for you, and it seems to be working correctly. I made a video to show this: https://screencast-o-matic.com/watch/cFhF2ZbgRP

sonuyos (Author), Posted May 18, 2018

Actually what I want is to check if it is still brute-forceable, because hackers use dologin.php to log in, and now I don't know if placing a captcha will help or not.

wp4all, Posted May 22, 2018

Hi sonuyos,

normally testing brute-forcing should not be possible in a normal network if the attack is coming from outside and the hacker is not already on your server. There would be DDoS protection, max connections and a delay check. On the server: Web Application Firewall, captcha and at the end blacklisting.

I mean brute-forcing is not just trying 3-4 requests in a minute. Sometimes our developers get problems if they try to test something and send too many different requests in a short time. Like change --> flush cache --> reload --> check --> change --> flush cache --> reload; this sometimes ends in this picture.

Sorry, it is in German, but it tells you something like:

> We detected an unusual activity from your IP and blocked access to this website. Please confirm that you are not a robot. --> Captcha

So if you were a reseller on one of our servers and tested brute-forcing your WHMCS installation, good night. Our guests from China also seem to test brute-forcing.

Have fun

Greetings, Christian

sonuyos (Author), Posted May 22, 2018

5 hours ago, wp4all said:
> Hi sonuyos,
> normally testing brute-forcing should not be possible in a normal network if the attack is coming from outside and the hacker is not already on your server. There would be DDoS protection, max connections and a delay check. On the server: Web Application Firewall, captcha and at the end blacklisting.
> I mean brute-forcing is not just trying 3-4 requests in a minute. Sometimes our developers get problems if they try to test something and send too many different requests in a short time. Like change --> flush cache --> reload --> check --> change --> flush cache --> reload; this sometimes ends in this picture.
> Sorry, it is in German, but it tells you something like:
> So if you were a reseller on one of our servers and tested brute-forcing your WHMCS installation, good night. Our guests from China also seem to test brute-forcing.
> Have fun
> Greetings, Christian

Is that a custom setup? Or with some third party?

wp4all, Posted May 22, 2018

Hi,

It is a third party. I try to do no advertising, but look for Imunify360; there is also a possibility to use it for 30 days as a trial. Also a favorable graduation of licenses.

Greetings, Christian

sonuyos (Author), Posted May 22, 2018

5 minutes ago, wp4all said:
> Hi,
> It is a third party. I try to do no advertising, but look for Imunify360; there is also a possibility to use it for 30 days as a trial. Also a favorable graduation of licenses.
> Greetings, Christian

Thanks for that. Lemme get this correct: this is a firewall that will be installed on cPanel, and when an IP attacks this will block it and give reCAPTCHA to that specific IP only, correct? So basically it is like Cloudflare but integrated with cPanel and more enhanced security. Correct?

wp4all, Posted May 22, 2018

Absolutely, and not only FW.

- FW
- IDS/IPS
- Malware Detection
- Sandboxing (coming soon)
- Kernel Care
- Reputation Management

So try it, it is free for 30 days, no CC needed.

Greetings, Christian

sonuyos (Author), Posted May 22, 2018

9 minutes ago, wp4all said:
> Absolutely, and not only FW.
> - FW
> - IDS/IPS
> - Malware Detection
> - Sandboxing (coming soon)
> - Kernel Care
> - Reputation Management
> So try it, it is free for 30 days, no CC needed.
> Greetings, Christian

All this for $12/mo? Also, is this better, or the CloudFlare Plan Web Application Firewall Monthly?

Edited May 22, 2018 by sonuyos

wp4all, Posted May 22, 2018

Hi,

depending on what you want. I mean CloudFlare has a different orientation; it is more or less a CDN provider. In my opinion CloudFlare only makes sense if you need to distribute your content to as many locations as possible to keep traffic local and serve your content faster.

I do not know your environment, but I don't need another DDoS protection or load balancer; we have all this stuff in our web farm in front. We use LiteSpeed as web server; it's anyway 9x faster than Apache and 5x than Apache+nginx. LiteSpeed provides a caching solution you will dream about.

Yeah, $12. I know the first license is not so cheap, but for 30 users it's only $25, so if you get more than one it will be cheaper and cheaper. We also sell VPS and bare metal solutions; there is a module for WHMCS to sell Imunify360 licenses, so we already own bulk enterprise licenses.

But all these are only tools; you should also understand what to do with all this kind of stuff ;-)

Greetings, Christian