
We have a "friend" who is trying to access our whmcs dashboard as an admin, on daily basis



Afternoon all,

We have a "friend" who is trying to access our whmcs dashboard, on daily basis.

Keeps using 2 names: cnadmin and admin

Has anybody of you noticed these ones as well?

We have a number of protection layers on the Cloud side.

How do you protect your WHMCS from within? .. do you use any additional modules?

Best!

Helmuts


Edited by HostMaria

checked the logs > this seems to be a manual attempt.. no brute force attacks

it seems a person is manually looking for usernames and passwords... seems to be a targeted action, even trying our brand name "hostmaria" as a username.

yes, of course, we have a 2-factor authentication enabled.

.. I'm going through the reports, and will block all the IPs (will start with this).

.. started yesterday 6:48am

--

IPs:

5.188.62.76 (Russia)

5.188.62.21 (also, Russia)

.. it would be quite easy to start creating problems for this person if the IPs were from a normal country.. It is useless to complain to Russian ISPs - the whole country has gone totally bananas, and attacks on Western companies are even celebrated 😕


Edited by HostMaria

Hello,

As bear said, changing your admin path is going to be the best step you can take. You could always redirect /admin/ somewhere.

More recommendations would be enabling two factor auth for your admin and also using a directory login for your admin path.


On 5/20/2023 at 11:00 PM, evolve hosting said:

In addition to @bear suggestion, add a .htaccess file to the 'admin' folder (whatever name you change it to) and restrict access to specific IP address(es) only. With those 2 changes implemented, you should be all set.

^^^ This. It makes it harder to brute force something if you can’t access it to begin with. 


Bear's suggestion is critical, and I'd also want to make sure the "admin" user doesn't exist.

CSF also has a setting that blocks bots after a certain number of 404s, or you could force a 404 (or 403) in a small bit of PHP code under the old /admin folder, if you want to get fancy.

WHMCS has a useful list of hardening suggestions, the majority of these are listed there - worth a read: https://docs.whmcs.com/Further_Security_Steps
(You could google "WHMCS security hardening" for a bunch of ideas from around the net)

Another good idea, not listed in the above, is to set Basic Auth up on the WHMCS admin directory.  That means the first time you access it in a browser, you'll have to enter a username and password.  You can share the username and password, or set up a different password for each admin user - just make sure the password has reasonable complexity and isn't 'password123'.  (does this method have issues these days?  Perhaps someone like bear could update if so, I'm not as much in the loop now I've sold my hosting company).

It's also worth knowing that most successful security compromises seem to be around old code that hasn't been updated, rather than people logging in as users.  When we had some hundreds of WordPress websites running, nearly all compromises were from old sites, and most were sites where the fixes had been released over a year ago.  To prevent this, update your WHMCS regularly so it doesn't get too much out of date.  Depending on the newness of the changes and whether they were security patches or major updates, I like to update a few weeks later to reduce breakage risks (other people can find the bugs!).  I know WordPress isn't WHMCS, but the concept still applies.

Also - backups - I know this is really boring, but always, ALWAYS have "off-server" backups - somewhere else on the internet, not on your servers.  Every now and then a company crashes and burns because a dumb bad guy formatted all their servers; you don't want to be caught by that.  These backups should be automated but regularly checked - automatic backups always seem to break eventually if never checked. I'd take a monthly or bi-monthly air-gapped backup as well - put it on a USB stick, and then put that in a fireproof safe or take it home and store it somewhere safe there.  Backups can substantially reduce recovery time in the event of a database or code hack, because they can give you a "known clean" point to compare against.  Bearing in mind most of WHMCS is ioncubed, you can always download the latest release and use it to compare or simply overwrite everything with it.

And finally - 2FA.  I love the idea of a physical key like a Yubikey, as that's the most secure solution, but honestly any 2FA is better than not having anything.

You don't have to do this all at once!  The summary list is, in rough priority:

  • rename admin folder
  • basic auth on new admin folder
  • Auto Block bots getting lots of 403s and 404s with CSF
  • keep WHMCS updated
  • institute good primary and secondary automated backups, with periodic checks
  • Add 2FA
Edited by brianoz
added a few ideas
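The layered .htaccess setup described across this thread (IP allow-list plus Basic Auth on the renamed admin directory, and a flat 403 or 404 on the old /admin path), written out as an added example. It is not code from any poster or from WHMCS itself; the directory name, the htpasswd path and the IP addresses are constructed placeholders, and the syntax assumes Apache 2.4 with mod_auth_basic, mod_authn_file and mod_authz_core loaded.

```apache
# ---- <webroot>/<renamed-admin-dir>/.htaccess ----
# Layer 1: only the listed source addresses may reach the admin area at all.
# Layer 2: HTTP Basic Auth on top of that. WHMCS's own admin login and 2FA
#          still apply behind both layers; this just keeps strangers off the
#          login form entirely.
AuthType Basic
AuthName "Restricted"
# Keep the password file OUTSIDE the web root. Create it with, for example:
#   htpasswd -B -c /etc/whmcs-admin.htpasswd <staff-username>
AuthUserFile /etc/whmcs-admin.htpasswd

<RequireAll>
    # Constructed example addresses: an office IP and a VPN range.
    Require ip 203.0.113.10 198.51.100.0/24
    Require valid-user
</RequireAll>

# ---- <webroot>/admin/.htaccess (the OLD, now-empty directory) ----
# Anyone still probing the old path gets a flat 403, which CSF's
# repeated-403/404 trigger can count against their address.
Require all denied

# ---- alternative, in <webroot>/.htaccess ----
# Answer the old path with 404 instead, so the directory looks absent:
# RedirectMatch 404 ^/admin(/|$)
```

After renaming the directory, WHMCS has to be told the new name (the `$customadminpath` setting in configuration.php). Two checks are worth doing before relying on this: from an address that is not on the allow-list, confirm the renamed path returns 403 and the old path returns 403/404; and if the site sits behind a CDN or reverse proxy, confirm that `Require ip` is evaluating the real client address rather than the proxy's (Apache needs mod_remoteip configured for that), otherwise the allow-list either blocks everyone or nobody. Failed Basic Auth attempts land in the Apache error log, which is what the CSF 401/403/404 counters (LF_APACHE_401, LF_APACHE_403, LF_APACHE_404 in csf.conf, if memory serves) read from.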