Serious Direct Admin Security Concerns + UDP Attack Script Installed

It can't be normal md5 or sha1 or whatever one-way encryption, because it needs to know the real password to send it to the DirectAdmin API. I'd say a kind of encryption should be used, though, but they could still decrypt it. It's a matter for the WHMCS programmers to make it as hard as possible.

Off topic: I'm going to need to implement the DirectAdmin API myself. I'm thinking of making a queue and letting a background script, not accessible from the web, execute the API commands.
 
You can't encrypt the password of the DA server in WHMCS, I suppose, because if there is no way to decrypt it, the WHMCS server will have no way to communicate with the DA panel.

Regards
 
Hello,

Although it seems like this is a WHMCS issue, I'm about half done implementing a new password system that would allow any DA account to accept multiple passwords:
http://www.directadmin.com/features.php?id=1298

The beauty of this system is that the "extra" passwords on the account can have limitations, if you so choose:
- expiry date
- max number of uses
- limited set of allowed/deny commands (same system as commands.allow and commands.deny)
- password can be set to only be allowed to work from a specific IP.

The main password would be unaffected, but you wouldn't be using it in scripts anyway. You'd use one of the limited passwords.

This will be handy, because you can throw one of these special passwords into WHMCS instead of your main one, and if WHMCS ends up giving out your password, it will be much more difficult for the attacker to do anything with it (assuming he's not accessing DA from the same box as WHMCS, as the IP check would then be void)

Other handy things that are already in place to help with that sort of thing:
1) The login_pre.sh can filter login attempts; in this case, filter on IP if logging in as admin:
http://www.directadmin.com/features.php?id=1223

2) Create a 2nd admin account for WHMCS (eg: admin2), use the login_pre.sh, but also use the commands.allow to only allow the commands WHMCS needs (not sure what that list is)
http://www.directadmin.com/features.php?id=1171

3) More, related to controlling connections:
http://help.directadmin.com/item.php?id=150

4) Although this is a bit off topic, always ensure you've got a brute force login detection system, as that's another popular way for attackers to walk into your box:
http://help.directadmin.com/item.php?id=404

Hope this helps!

John
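As an added illustration of items 1) and 2) above (example code written for this thread, not DirectAdmin's own login_pre.sh, and not part of the original post): a hook that lets the dedicated WHMCS admin account log in only from a fixed address, while leaving every other account untouched. It assumes, as described in the linked feature page, that DirectAdmin exports the attempted username and client address to the hook as $username and $ip and treats a non-zero exit as "deny this login" and shows the script's output to the user; the account names and IP addresses are constructed placeholders, and you should confirm the variable names and exit semantics against the docs for your DA version before deploying it.

```shell
#!/bin/sh
# Added example login_pre.sh: restrict named admin accounts to fixed source IPs.
# Not DirectAdmin's code. ASSUMPTIONS: DA sets $username and $ip for this hook
# and a non-zero exit aborts the login (verify for your DA version).
# Install as /usr/local/directadmin/scripts/custom/login_pre.sh, chmod 755.

# Constructed policy: accounts that may only be used from fixed addresses.
# Everything not listed here (ordinary users, resellers) is left alone.
restricted_accounts="admin2 admin"

# allowed_ips_for NAME prints the space-separated allow-list for NAME.
# Constructed example addresses: the WHMCS box and an admin workstation.
allowed_ips_for() {
    case "$1" in
        admin2) printf '%s\n' "203.0.113.10" ;;                 # WHMCS server only
        admin)  printf '%s\n' "203.0.113.10 198.51.100.7" ;;    # WHMCS + workstation
        *)      ;;                                              # no list: unrestricted
    esac
}

# is_restricted NAME: exit 0 if NAME appears in $restricted_accounts.
is_restricted() {
    for u in $restricted_accounts; do
        [ "$u" = "$1" ] && return 0
    done
    return 1
}

# check_login USER IP: exit 0 to allow the login, 1 to deny it.
# Unrestricted accounts are always allowed; restricted accounts only
# when the client IP matches one entry of their allow-list exactly.
check_login() {
    user="$1"
    addr="$2"
    is_restricted "$user" || return 0
    [ -n "$addr" ] || return 1          # refuse if DA gave us no client address
    for a in $(allowed_ips_for "$user"); do
        [ "$a" = "$addr" ] && return 0
    done
    return 1
}

# Hook entry point. Only runs when DA has set $username, so the functions
# above can also be sourced and exercised on their own.
if [ -n "${username:-}" ]; then
    if check_login "$username" "${ip:-}"; then
        exit 0
    fi
    # Output is shown to the user by DA (assumption); keep it free of detail
    # about which addresses would have been accepted.
    echo "Login as $username is not permitted from ${ip:-an unknown address}"
    exit 1
fi
```

Because the match is an exact string comparison, the check is void when WHMCS and DirectAdmin share a host and the connection arrives from 127.0.0.1, which is the same caveat John gives for the IP-bound limited passwords; in that layout, rely on commands.allow for the admin2 account rather than on the source address.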
 
I've had to turn off Dovecot. After 4,000 brute force attempts using various email accounts I've had to turn off access to port 110. I guess these jackasses didn't like the fact that they got locked out. Now they are attacking my box via POP3.
 
Keep in mind that reading is very useful.

The link I gave ends with this:

Code:
If you're running FreeBSD with ipfw, you'd skip steps 2 and 3, and instead, add the following code to the file:

/usr/local/directadmin/scripts/custom/block_ip.sh

#!/bin/sh
# Called by DirectAdmin's brute force monitor with the offending address in $ip
[ -n "$ip" ] || { echo "block_ip.sh: no IP given<br>"; exit 1; }
echo "Blocking $ip with ipfw ...<br>"
ipfw add deny ip from "$ip" to any
exit $?
and don't forget to chmod the block_ip.sh to 755.

Regards
 
The problem is the brute force on port 110, which you can't really stop, otherwise nobody can use POP3. But I turned off Dovecot monitoring and stopped Dovecot for about 2 hrs. During that time I blocked the IP. Then I turned it back on and it's good to go until I see another one. Repeat process.
 
Why can't you? Once a BFM notice appears, the script with ipfw will ban the IP.

Of course you can't prevent brute-force attempts, but you can automate the IP ban for them.

Regards
 
Talking about security, I think the DA File Editor is a very dangerous option.

Now anyone who gains access to your DA login can do anything and view anything there.

Options like being able to edit sshd_config at the very least should be password protected.

Just the same as the option to reboot the server from DA, you need the root password.

After someone gained access to my DA admin account they could have done just about anything.
 
Hello,

The high-risk files, like sshd_config, are already root password protected in the Admin Level -> File Editor.
You have to "authenticate" with your root password before you can save the changes.
These files are flagged as high-risk using the secure=yes option in the edit_files.txt file.

John
 
Here is the thing: if you log into WHMCS as the admin, you can log straight into DirectAdmin with the push of a button!

Very dangerous option. I suspect that this guy did exactly that and that is how he got into my DA account.

The other thing he could have done was create a new row in the tblservers table with his own username and password and gain access to my DA using that info. He didn't have to decrypt my password.
 
Yes, but do you want your attacker to know that your SSH port is 4455 instead of 22? And that the allowed users are admin and root? Why should you be giving out this info?
 