Back to Main Site

Brand Configuration (White Label Core) & Login Security

Last updated on Jul 10, 2026 3:25 AM

Background & Limitations

  • Default Brand Identity: Enterprises want to customize the dashboard into their own brand (e.g., FlexiPanel), but the CyberPanel logo and doc links are fixed on navigation bars, sidebars, and the login page.
  • Brute-Force Risk & Info Leaks: The default admin login page is always located at /loginSystem or /, lacking a mandatory two-factor authentication mechanism by default. If an administrator is targeted by brute-force attacks, the entire VPS could be compromised.
  • Time Sync Issues in Standard 2FA: Traditional authenticator apps (like Google Authenticator) require server and phone times to match perfectly. When VPS time drifts, administrators can be locked out permanently.

Integrated Solutions

White Label Core resolves these issues through two primary features operating independently of the CyberPanel core code:

A. Brand Restructuring

Managed centrally via the white_label_config.json configuration file. The middleware dynamically replaces HTML assets before returning responses to the browser:

  • Replaces the Login Logo, Admin Logo in the top-left, and Panel Favicon.
  • Changes the brand name and slogans across all page titles (<title>).
  • Injects custom CSS code directly into the <head> tag for advanced styling overrides.

B. 3-Method Login Security

The system provides a dynamic 2FA security mechanism using an algorithm that calculates a daily dynamic code independent of absolute system time:

$$\text{Daily Security Code} = \text{Prefix} + \text{SUM(Day + Month + Year)} + \text{Suffix}$$

For example, for today (July 5, 2026), with prefix "MT" and suffix "Utilities":
$$\text{SUM} = 5 + 7 + 2026 = 2038 \rightarrow \text{Security Code: } \mathbf{MT2038Utilities}$$

Three flexible activation methods can be configured to apply only to specified user groups (e.g., Admin, Reseller, User):

  1. Security Code in UI: Injects a code input field directly into the login form. To optimize UX, this field is hidden by default and only displays when the user types a username belonging to a group configured for login security (checked asynchronously in real-time).
  2. Appending Security Code to Password: Keeps the UI unchanged. Users in the specified groups append the security code to the end of their password when logging in (e.g., passwordMT2038Utilities). The middleware strips the code to validate it before sending the clean password to CyberPanel. Other groups are unaffected.
  3. Hiding the Login Page via URL: Returns a 404 error to anyone accessing the default login page. The login page only displays when accessed via a URL containing a valid token (e.g., /?code=MT2038Utilities), which sets a trusted 30-day cookie on the device.

Security Capabilities & Utility Value

Outstanding Security:

  • Blocks 99.9% of Brute-Force Attacks: By requiring a dynamic code that changes every 24 hours, automated brute-force scripts are rendered completely ineffective.
  • Hides Attack Surface (URL Token): Makes the login page invisible to hackers. Port scanning tools and vulnerability scanners will only receive a 404 (Not Found) error.
  • Granular Target Protection: Restricts strict security checks only to high-privilege groups (Admin/Reseller) without disrupting regular users.

Utility & Operations Value:

  • Device Independent: No need for third-party Authenticator apps. Avoids the risk of losing mobile devices or NTP server synchronization drifts.
  • Quick Mental Calculation: Simple math allows administrators to easily calculate the login code anywhere without auxiliary devices.

Emergency Rescue

If an administrator forgets the configuration or fails to calculate the code, they can bypass security by SSHing into the VPS and creating an override file:

touch /usr/local/CyberCP/whiteLabel_data/disable_login_security

The system will immediately bypass this authentication security layer.