
Automatically block IP addresses of sql injection attack originators



Hi,
The WHMCS system is protected against SQL injection attacks, and that's great.
Each time such an attack fails we get an automatic email titled "WHMCS Admin Failed Login Attempt" with the attack information (the relevant attack string in the Username field and the IP this attack originated from).

Sometimes such an attack is repeated several times from the same IP, or when it fails the hacker/attacker may try something else and continue his hacking attempts.

In WHMCS there is a security feature that bans the IP of a failed admin login for some time (usually a few minutes, but this can be configured in the system settings) after the third unsuccessful attempt.

I think that when it is clear that this is not a normal failed admin login but rather a clear SQL injection attack (i.e. there is a relevant attack string in the Username field), the WHMCS system should automatically add the attacker's IP address to the Banned IPs list with no expiry date and with a Ban Reason of "hacker" or something like that.

This automatic security mechanism will help WHMCS be more secure by immediately blocking a clear attacker IP without giving the attacker a 2nd or 3rd attempt.

What do you think?
Ram
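
As an added illustration of the rule proposed in this post (this is example code written for this page, not code from WHMCS or from the post's author), the model below replays a constructed list of failed admin login notifications (timestamp, source IP, submitted username) and applies two policies: a username that matches an injection signature gets a permanent ban immediately, while ordinary failed logins get the existing behaviour of a temporary ban after the third attempt within a window. The signature list, the thresholds, the allowlist and the sample events are all assumptions made for the example, not WHMCS settings or real log data.

```python
import re
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample notifications (timestamp, source IP, username field).
# Modelled on the "Admin Failed Login Attempt" emails described in the post;
# the values are made up for this example.
SAMPLE_EVENTS = [
    ("2024-05-01 10:00:01", "203.0.113.7", "admin"),
    ("2024-05-01 10:00:09", "203.0.113.7", "admin"),
    ("2024-05-01 10:00:20", "203.0.113.7", "administrator"),
    ("2024-05-01 10:01:00", "198.51.100.23", "'=''or'"),
    ("2024-05-01 10:02:00", "192.0.2.55", "admin' OR 1=1 --"),
    ("2024-05-01 10:03:00", "10.0.0.5", "' UNION SELECT 1,2,3 -- "),
]

# Username patterns that mark a failure as an injection probe rather than a
# mistyped credential. Assumed signature set; extend as needed.
INJECTION_PATTERNS = [
    re.compile(r"'\s*=\s*'", re.I),                    # tautology: '='' or '
    re.compile(r"'\s*(or|and)\s+[\w']+\s*=", re.I),     # ' or 1=1, ' or 'a'='a
    re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I), # union-based probe
    re.compile(r"--\s*$|/\*|#\s*$"),                    # trailing SQL comment
    re.compile(r";\s*(drop|insert|update|delete|select)\b", re.I),  # stacked query
    re.compile(r"\b(sleep|benchmark|pg_sleep)\s*\(", re.I),          # time-based probe
]


def is_injection_attempt(username: str) -> bool:
    """True if the submitted username looks like an injection payload."""
    return any(p.search(username) for p in INJECTION_PATTERNS)


class BanList:
    """In-memory model of a Banned IPs list with optional expiry."""

    def __init__(self, allowlist=(), max_failures=3,
                 temp_ban_minutes=15, window_minutes=15):
        self.allowlist = set(allowlist)        # never ban these (your own admins)
        self.max_failures = max_failures       # existing "third attempt" rule
        self.temp_ban = timedelta(minutes=temp_ban_minutes)
        self.window = timedelta(minutes=window_minutes)
        self.failures = {}   # ip -> timestamps of recent ordinary failures
        self.bans = {}       # ip -> {"expires": datetime or None, "reason": str}

    def record_failure(self, when: datetime, ip: str, username: str) -> Optional[dict]:
        """Apply one failed-login event; return the ban it produced, if any."""
        if ip in self.allowlist:
            return None
        if is_injection_attempt(username):
            # Clear attack: permanent ban right away, overriding any temp ban.
            ban = {"expires": None, "reason": "SQL injection attempt in admin login"}
            self.bans[ip] = ban
            return ban
        if ip in self.bans:
            return self.bans[ip]
        recent = [t for t in self.failures.get(ip, []) if when - t <= self.window]
        recent.append(when)
        self.failures[ip] = recent
        if len(recent) >= self.max_failures:
            ban = {"expires": when + self.temp_ban, "reason": "Failed admin login attempts"}
            self.bans[ip] = ban
            return ban
        return None

    def is_banned(self, ip: str, now: datetime) -> bool:
        """A ban with no expiry never lapses; a timed one lapses at 'expires'."""
        ban = self.bans.get(ip)
        if ban is None:
            return False
        return ban["expires"] is None or now < ban["expires"]


def process_events(events, allowlist=()) -> BanList:
    """Replay (timestamp, ip, username) tuples through the ban policy."""
    bl = BanList(allowlist)
    for ts, ip, user in events:
        bl.record_failure(datetime.fromisoformat(ts), ip, user)
    return bl


if __name__ == "__main__":
    result = process_events(SAMPLE_EVENTS, allowlist={"10.0.0.5"})
    for ip, ban in result.bans.items():
        print(ip, ban["reason"], "expires:", ban["expires"])
```

Two practical points the model makes explicit: keep an allowlist of your own admin addresses, because a permanent ban triggered by a single request is a self-lockout waiting to happen (a genuine admin who pastes the wrong thing into the username field would be banned for good), and treat IP bans as a nuisance filter only, since an attacker behind a pool of addresses simply moves to the next one, which is why IP restriction of the admin area and reCAPTCHA remain the primary controls.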

3 Comments


This would be a nice idea. I suggest a way to up the ante a bit: instead of specifying a date on Banned IPs, what about allowing an option for indefinite, in the case of fraud orders, etc.?

Hi Johan,
Thanks for your suggestions for protecting my admin area login form.

I use reCAPTCHA but still get SQL injection attacks.
I think that when it's clear this is an attack (Username: '=''or' for example) WHMCS should block the relevant IP ASAP and not allow 3 attempts and then again after several minutes.

And if it could also automatically report it to AbuseIPDB (abuseipdb.com) that would be amazing (https://requests.whmcs.com/idea/please-integrate-with-abuseipdb-abuseipdbcom-2).

Thanks!
Ram

Hi Ram,
Thanks for your suggestion.
As an immediate hardening measure, you can protect your admin area login form with IP restrictions or by adding reCAPTCHA to prevent automated submissions:

https://docs.whmcs.com/Further_Security_Steps#Restrict_Access_by_IP
https://docs.whmcs.com/Google_reCAPTCHA