Access WHM page through different port?

InteractM

Well-Known Member
Apr 2, 2013
135
1
18
cPanel Access Level
Root Administrator
Is there another way to access the WHM page than https://www.domain.com:2087? I have locked ports 2080-3000 and allow access only from particular IPs, but it looks like today I got a Large Number of Failed Login Attempts message, so it means someone used another port to access the WHM page.

Any clue?

Thanks
 

quietFinn

Well-Known Member
Feb 4, 2006
1,222
87
178
Finland
cPanel Access Level
Root Administrator
... today I have got Large Number of Failed Login Attempts message so it means someone used another port to access WHM page.
Could you show some of those messages?
 

InteractM

Here:

Code:
3 failed login attempts to account blabla (system) -- Large number of attempts from this IP: 184.22.210.250

Reverse DNS: 184-22-210-250.static.hostnoc.net

Origin Country: United States (US)

Please use the following links to add to the black list:

Single Ip: https://www.mydomain.com:2087/cgi/bl.cgi?ip=184.22.210.250
       /24: https://www.mydomain.com:2087/cgi/bl.cgi?ip=184.22.210.0/24
       /16: https://www.mydomain.com:2087/cgi/bl.cgi?ip=184.22.0.0/16



Please use the following links to add to the white list:

Single Ip: https://www.mydomain.com:2087/cgi/wl.cgi?ip=184.22.210.250
       /24: https://www.mydomain.com:2087/cgi/wl.cgi?ip=184.22.210.0/24
       /16: https://www.mydomain.com:2087/cgi/wl.cgi?ip=184.22.0.0/16

The above IP is not allowed on the firewall and somehow was able to get to the WHM login page. I have tested access on the port range 2080-3000 and I wasn't able to reach the WHM login page, only when accessing from a proper IP.
 

InteractM

Yes - a hardware firewall before the server.

PS.
It looks like cPHulk throws a message on any failure, even FTP, not only WHM access. Can someone confirm that?
 

quizknows

Well-Known Member
Oct 20, 2009
1,008
87
78
cPanel Access Level
DataCenter Provider
Well, it says "3 failed login attempts to account blabla (system)". Normally "system" means SSH. Check /var/log/secure to be sure.

i.e.

grep blabla /var/log/secure
or
grep 184.22.210.250 /var/log/secure

If that turns up nothing, grep for the IP in the other logs in /var/log/, and you should find what they were trying to connect to. cPanel access logs (i.e. cPanel/WHM, not ftp, ssh, mail, etc.) are in /usr/local/cpanel/logs/
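
The log search suggested in the last reply can be turned into a per-service tally, shown here as an added example that is not part of the original posts. The function name `services_for_ip` is hypothetical, and the script assumes the traditional syslog line layout (`Mon DD HH:MM:SS host daemon[pid]: message`) used by files such as /var/log/secure; cPanel's own logs use a different layout and are not parsed here.

```shell
#!/bin/sh
# services_for_ip IP FILE...
# Print "daemon count" for every syslog line that mentions exactly IP,
# so you can see which service (sshd, FTP, mail, ...) the address hit.
services_for_ip() {
    ip=$1; shift
    # -F: treat the IP as a fixed string (dots are not wildcards)
    # -h: suppress file names so awk sees plain syslog lines
    grep -hF -- "$ip" "$@" 2>/dev/null |
    awk -v ip="$ip" '
        # True only if ip occurs with no digit directly before or after it,
        # so a search for 184.22.210.25 does not count 184.22.210.250.
        function exact(line,    off, i, p, b, a) {
            off = 0
            while ((i = index(substr(line, off + 1), ip)) > 0) {
                p = off + i
                b = (p > 1) ? substr(line, p - 1, 1) : ""
                a = substr(line, p + length(ip), 1)
                if (b !~ /[0-9]/ && a !~ /[0-9]/) return 1
                off = p
            }
            return 0
        }
        exact($0) {
            tag = $5                 # fifth field is "daemon[pid]:" or "daemon:"
            sub(/\[.*/, "", tag)     # drop "[pid]:"
            sub(/:$/, "", tag)       # drop trailing colon
            count[tag]++
        }
        END { for (t in count) printf "%s %d\n", t, count[t] }
    ' | sort
}

# Stand-alone use: sh script.sh 184.22.210.250 /var/log/secure /var/log/messages
if [ "$#" -ge 2 ]; then
    services_for_ip "$@"
fi
```

A result dominated by `sshd` or an FTP daemon means the failed logins never touched the WHM port, which matches the "(system)" hint in the alert.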