  1. #1
    Member
    Join Date
    Dec 2004
    Posts
    10

    Brute Force Cpanel/whm

    Hello,
    I have a problem with one of my servers.
    The server has cPanel/WHM installed, but today something happened that has never happened before.

    Apparently, according to the logs, they mounted brute-force attacks against cPanel/WHM, and as a consequence the server cannot hold the load of more than 1200 processes, most of them originating from that attack.

    What I could do is close the ports 2082, 2083, 2086 and 2087 used by cPanel/WHM.
    Use APF and BFD.
    I got in touch with cPanel support and they said it could be solved with some firewall rule, but I do not have much knowledge of defining rules.

    cPanel told me that the ports cannot be changed.

    Could you give me a solution to this problem?

    I await your answer.

    == associated logs ==

    Thanks

    Logs:
    ======
    root 12396 10788 0 10:30 ? 00:00:00 cpaneld - serving 85.48.68.185
    root 12397 10788 0 10:30 ? 00:00:00 cpaneld - serving 85.48.68.185
    root 12398 10788 0 10:30 ? 00:00:00 cpaneld - serving 172.211.49.242
    root 12399 10788 0 10:30 ? 00:00:01 [cpsrvd] <defunct>
    root 12402 10788 0 10:30 ? 00:00:00 cpaneld - serving 86.197.92.1
    root 12403 10788 0 10:30 ? 00:00:01 cpaneld - serving 218.167.91.58
    root 12405 10788 0 10:30 ? 00:00:00 [cpsrvd] <defunct>
    root 12407 10788 0 10:30 ? 00:00:00 cpaneld - serving 218.167.91.58
    root 12408 10788 0 10:30 ? 00:00:00 cpaneld - serving 85.18.14.3
    root 12409 10788 0 10:30 ? 00:00:02 cpaneld - serving 82.229.221.235
    root 12411 10788 0 10:30 ? 00:00:00 cpaneld - serving 195.24.94.244
    root 12412 10788 0 10:30 ? 00:00:01 cpaneld - serving 200.117.220.236
    etc..

  2. #2
    Member
    Join Date
    Dec 2004
    Posts
    10


    Any?


  3. #3
    Member
    Join Date
    Oct 2004
    Location
    New Jersey, USA
    Posts
    160


    It's kind of sad. I've been waiting for a while for cPanel to limit the number of processes / max (failed) logins per IP and to be able to implement some type of good brute-force security. It's WAY too easy to crack a cPanel box. Guess I should submit it to Bugzilla...
    -Kris
    HostMerit
    'Web Hosting on Your Terms'

  4. #4
    Member
    Join Date
    Apr 2005
    Location
    Texas
    Posts
    63


    This is where really long, super uber-complex passwords come into play... but you're right.

  5. #5
    Member
    Join Date
    Apr 2005
    Location
    Texas
    Posts
    63


    I've written a Perl daemon that takes a whitelist of IPs to ignore in a text file as an option, and continually logs cpsrvd process IDs, IPs, and timestamps to a text file.
    If a host is detected more than x times in x or fewer seconds, and the PIDs differ of course, iptables drops the host... It's a bit of a work in progress, so I don't want to just throw it up here because it's not as polished as I'd like.
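The following is an added illustration of the detector this post describes, run against ps output in the shape shown in the first post. It is not xidica's Perl daemon and not cPanel's own code: each poll of `ps -ef` is parsed, distinct cpaneld/cpsrvd PIDs are counted per client IP inside a sliding window, an allow list (the static admin IP suggested later in the thread) is skipped, and an iptables DROP is emitted for any address over the limit. The thresholds, the 192.0.2.x/198.51.100.x/203.0.113.x addresses and the three constructed polls are assumptions for the demonstration; the regular expression assumes the `ps -ef` column layout seen in the first post.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# One `ps -ef` line for a cPanel service process, in the shape posted above:
#   root 12396 10788 0 10:30 ? 00:00:00 cpaneld - serving 85.48.68.185
# Only the PID and the client IP are used; "[cpsrvd] <defunct>" lines do not match.
PS_LINE = re.compile(
    r"^\S+\s+(?P<pid>\d+)\s+\d+\s+\d+\s+\S+\s+\S+\s+\S+\s+"
    r"(?:cpaneld|webmaild|whostmgrd|cpsrvd)\s+-\s+serving\s+(?P<ip>[0-9a-fA-F.:]+)\s*$"
)

def parse_ps(text):
    """Yield (pid, ip) for every cPanel service line in one ps snapshot."""
    for line in text.splitlines():
        m = PS_LINE.match(line.strip())
        if m:
            yield int(m.group("pid")), m.group("ip")

def block_command(ip):
    """Rule that drops the offender. Add '-p tcp -m multiport --dports
    2082,2083,2086,2087' before '-j' to cut only the cPanel/WHM ports."""
    return f"iptables -I INPUT -s {ip} -j DROP"

class BruteForceDetector:
    """Count distinct service PIDs per client IP inside a sliding window.

    Each observe() is one poll of ps. A PID counts once, when first seen, so a
    long-lived session never adds up to an attack but a burst of fresh
    connections from one address does. 127.0.0.0/8 is always allowed: logins
    through stunnel on the SSL ports arrive from 127.0.0.1 (see the question
    below), and dropping loopback would break them and every other local client."""

    def __init__(self, max_conns, window_seconds, allow_list=()):
        self.max_conns = max_conns
        self.window = window_seconds
        self.allow = [ip_network("127.0.0.0/8")]
        self.allow += [ip_network(a, strict=False) for a in allow_list]
        self.first_seen = defaultdict(dict)  # ip -> {pid: poll time first seen}
        self.blocked = {}                    # ip -> poll time it was blocked

    def is_allowed(self, ip):
        addr = ip_address(ip)
        return any(addr in net for net in self.allow)

    def observe(self, snapshot, now):
        """Feed one ps snapshot taken at `now` (seconds); return the iptables
        commands for addresses that crossed the limit on this poll."""
        commands = []
        cutoff = now - self.window
        for pid, ip in parse_ps(snapshot):
            if ip in self.blocked or self.is_allowed(ip):
                continue
            pids = self.first_seen[ip]
            pids.setdefault(pid, now)
            for old in [p for p, t in pids.items() if t < cutoff]:
                del pids[old]  # fell out of the window
            if len(pids) > self.max_conns:
                self.blocked[ip] = now
                commands.append(block_command(ip))
        return commands

# Constructed sample, three polls one second apart: 203.0.113.7 opens fresh
# cpaneld processes on every poll (the brute-forcer), 198.51.100.9 holds one
# session, and 192.0.2.1 stands in for the admin's static IP on the allow list.
SAMPLE_POLLS = [
    """root 12396 10788 0 10:30 ? 00:00:00 cpaneld - serving 203.0.113.7
       root 12397 10788 0 10:30 ? 00:00:00 cpaneld - serving 203.0.113.7
       root 12398 10788 0 10:30 ? 00:00:00 cpaneld - serving 198.51.100.9
       root 12399 10788 0 10:30 ? 00:00:01 [cpsrvd] <defunct>""",
    """root 12397 10788 0 10:30 ? 00:00:00 cpaneld - serving 203.0.113.7
       root 12398 10788 0 10:30 ? 00:00:00 cpaneld - serving 198.51.100.9
       root 12401 10788 0 10:30 ? 00:00:00 cpaneld - serving 203.0.113.7
       root 12402 10788 0 10:30 ? 00:00:00 whostmgrd - serving 192.0.2.1
       root 12403 10788 0 10:30 ? 00:00:00 whostmgrd - serving 192.0.2.1
       root 12404 10788 0 10:30 ? 00:00:00 whostmgrd - serving 192.0.2.1
       root 12405 10788 0 10:30 ? 00:00:00 whostmgrd - serving 192.0.2.1""",
    """root 12398 10788 0 10:30 ? 00:00:00 cpaneld - serving 198.51.100.9
       root 12406 10788 0 10:30 ? 00:00:00 cpaneld - serving 203.0.113.7
       root 12407 10788 0 10:30 ? 00:00:00 cpaneld - serving 203.0.113.7""",
]

def run_sample(max_conns=3, window_seconds=10):
    """Replay the constructed polls; returns (detector, commands emitted)."""
    det = BruteForceDetector(max_conns, window_seconds, allow_list=["192.0.2.1"])
    commands = []
    for i, snapshot in enumerate(SAMPLE_POLLS):
        commands += det.observe(snapshot, now=1000 + i)
    return det, commands

if __name__ == "__main__":
    # Live use (as root): feed subprocess.run(["ps", "-ef"], capture_output=True,
    # text=True).stdout to observe() every few seconds and run each returned command.
    for cmd in run_sample()[1]:
        print(cmd)
```

With a limit of 3 the allow-listed address opens four WHM processes in one poll without being touched, the single session is never counted more than once, and the brute-forcer is dropped on the third poll. The loopback exemption is the price of the stunnel setup asked about below: anything that reaches cpsrvd through the SSL ports appears as 127.0.0.1 to this detector, so it offers no protection on 2083/2087 until the real client address is recovered some other way.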

  6. #6
    Member
    Join Date
    Oct 2002
    Posts
    751


    If you have a static IP address you can always block the WHM ports 2086/2087 and add your IP to the allow list in APF.

    This isn't an option for cPanel access, of course, so I agree, some sort of brute-force protection would be nice. Even the forum (vBulletin) we're on right now has it! Now isn't a cPanel account a bit more important to protect than a forum account?

  7. #7
    Member
    Join Date
    Oct 2002
    Posts
    751


    Quote Originally Posted by xidica
    I've written a Perl daemon that takes a whitelist of IPs to ignore in a text file as an option, and continually logs cpsrvd process IDs, IPs, and timestamps to a text file.
    If a host is detected more than x times in x or fewer seconds, and the PIDs differ of course, iptables drops the host... It's a bit of a work in progress, so I don't want to just throw it up here because it's not as polished as I'd like.
    Does it log the correct IP address when people log in through the secure ports, or does it show up as 127.0.0.1?

  8. #8
    Member
    Join Date
    Apr 2005
    Location
    Texas
    Posts
    63


    I'm actually revisiting the code right now, since it's been so long since I've needed it, but apparently there is demand for it (I don't run cPanel personally). You are correct in regards to the SSL thing, but now that I think of it, it wouldn't be hard for me to get that working as well (since stunnel simply forwards the request to cpsrvd), so I can grab the IPs for the secure ports from netstat output. Come to think of it, this is a better way for me to go about it. Unfortunately I don't have any test-bed cPanel machine available to me right now, and I'd ultimately like it to work on BSD as well as Linux... I'll just have to rewrite the code as well as I can without a cPanel box lying around and test it when I get back to work and have time to play around on a test box...

  9. #9
    Member
    Join Date
    Apr 2005
    Location
    Texas
    Posts
    63


    If someone could PM me or post the output of the following command while stunnel is serving someone, as well as when non-encrypted cpsrvd is serving an IP for login:

    netstat -atnp | grep "2086\|2087"

    It'd be much appreciated, and obviously feel free to censor IPs, process IDs, ports or whatever else you feel like... it'd help me go forward with this a bit better.
    Alright, I've got the output... does anyone have an approximate time-frame for how long the stunnel process stays listening on the server IP on 2087 before the local connection starts from stunnel to 127.0.0.1? Thanks!
    Last edited by xidica; 04-01-2006 at 03:55 PM.
