Strange Occurance. Anybody have this before?

[pjman]

This morning I logged into my SSH and WHM, fine like every morning. About 30 minutes later I got the "brute force protector" warning. "somebody is trying to get in and they are failing, wait 10 minutes." So, I thought I would SSH in clear the Hulk database and then log back into WHM. My SSH password was denied.

Called the datacenter, they confirmed the same. They rebooted it and everything was back to normal. "Brute Force Protector" had the IP of the past offender, I iptabled it out. Checked the whole server, totally clean. Data Center confirmed and checked all patches and updates were applied.

Anybody have this happen before? I thought "Brute Force Protector" might have locked down SSH, but from what I understand BFP does not lock down SSH.

Any input is much appreciated.

[Spiral]

cpHulk / "Brute Force Detector" is better than nothing I suppose but it really is not that good and only helps to limit brute force assaults on Cpanel itself and really does nothing whatsoever for SSH, FTP, Email or other access attempts. You could also find yourself accidentally locked out far too easy with that system.

I would strongly suggest barebones minimum installing CSF Firewall which can also be configured to serve the same purpose as cpHulk and also help protect much more above and beyond that.

While on the topic of security and preventing attacks, a few other items:

1. Make sure all your server software and related are newest versions

2. Operating system should have newest kernel available

3. Apply all updates / security patches available for your server

4. Look into getting security related modules such as mod_security,
mod_evasive, mod_geoip, suhosin, and SuPHP based PHP.

5. Remove or disable unused or commonly exploitable system components.

6. Setup rootkit and file change detectors such as rkhunter, tripwire, cxs, and/or others.

7. Setup antivirus protection such as clamav and mod_clamav

8. Disable compilers, disable password auth, and enable shell fork bomb protection in Security Center in WHM.

9. Go through your "Tweak Settings" options and reconfigure for security, also change SSH port w/protocol 2.

10. Edit your PHP.INI configuration and disable commonly abused functions, turn off "expose_php", "enable_dl", "allow_url_fopen" (unless you really need it) and setup other typical PHP security related configuration items.

11. Go into your FTP configuration and disallow root and anonymous logins and also check settings for your other server processes as well.

12. In your apache configuration settings, set everything for "PCI recommended" settings

These are just a few of the items you should go through to at least get your server up to a basic minimal working security defense level. Anything less and you could be in big trouble, more ways than one!

Data Center confirmed and checked all patches and updates were applied.

****PPFFFT (Spit coffee all over monitor) ..... ROFL .... LOL ... LMAO.

Uhm, word to the wise ---- the data center is the LAST people you should ask about patches and security updates!

I haven't seen a data center anywhere yet whose support is anything other than entirely clueless in this regard!

Usually, what that means coming from a data center, is that they simply ran "/scripts/upcp" and "yum -y update" and that's pretty much it and doesn't necessary mean you have all security patches or that you are even close to updated (yum typically runs fairly behind, sometimes far behind, actual software releases and doesn't apply all updates)

[d_t]

pjman, you better disable password authentication in ssh and use keys instead. You can also change ssh port and use CSF, as spiral suggested.

[BareckObama]

We usually keep two copies of sshd running one for the admins on a different port and one for the users with root disabled. This way we make sure we are never locked out.

[pjman]

I made all those adjustments. Thanks for all the input.