The Community Forums


Allow only certain countries' IPs to access root

Discussion in 'Security' started by crliuh, Jul 10, 2014.

  1. crliuh

    crliuh Member

    Joined:
    Jun 16, 2014
    Messages:
    23
    Likes Received:
    1
    Trophy Points:
    3
    cPanel Access Level:
    Root Administrator
    Hi,

    Recently I've been blocked by cPHulk brute force protection due to massive login failures done by hackers. Below are the logs:

    Code:
    116.10.191.172	30 failed login attempts to account root (system) -- Large number of attempts from this IP: 116.10.191.172	2014-07-10 02:58:09	2014-07-24 02:58:09
     61.174.51.221	30 failed login attempts to account root (system) -- Large number of attempts from this IP: 61.174.51.221	2014-07-08 16:29:48	2014-07-22 16:29:48
     116.10.191.226	30 failed login attempts to account root (system) -- Large number of attempts from this IP: 116.10.191.226	2014-07-08 12:25:40	2014-07-22 12:25:40
     116.10.191.213	30 failed login attempts to account root (system) -- Large number of attempts from this IP: 116.10.191.213	2014-07-08 14:34:32	2014-07-22 14:34:32
     116.10.191.209	30 failed login attempts to account root (system) -- Large number of attempts from this IP: 116.10.191.209	2014-07-08 15:18:08	2014-07-22 15:18:08
     1.93.26.149	30 failed login attempts to account root (system) -- Large number of attempts from this IP: 1.93.26.149	2014-07-08 20:23:12	2014-07-22 20:23:12
     61.174.51.203	30 failed login attempts to account admin (system) -- Large number of attempts from this IP: 61.174.51.203	2014-07-08 20:42:57	2014-07-22 20:42:57
     116.10.191.195	30 failed login attempts to account admin (system) -- Large number of attempts from this IP: 116.10.191.195	2014-07-08 22:46:22	2014-07-22 22:46:22
     60.173.9.26	30 failed login attempts to account root (system) -- Large number of attempts from this IP: 60.173.9.26	2014-07-09 01:28:05	2014-07-23 01:28:05
     61.174.50.213	30 failed login attempts to account root (system) -- Large number of attempts from this IP: 61.174.50.213	2014-07-09 12:41:26	2014-07-23 12:41:26
     116.10.191.204	30 failed login attempts to account root (system) -- Large number of attempts from this IP: 116.10.191.204	2014-07-09 07:26:09	2014-07-23 07:26:09
     218.16.129.142	30 failed login attempts to account calm (system) -- Large number of attempts from this IP: 218.16.129.142	2014-07-09 12:41:30	2014-07-23 12:41:30
     116.10.191.210	30 failed login attempts to account root (system) -- Large number of attempts from this IP: 116.10.191.210	2014-07-09 22:04:09	2014-07-23 22:04:09
     116.10.191.236	30 failed login attempts to account root (system) -- Large number of attempts from this IP: 116.10.191.236	2014-07-09 20:52:25	2014-07-23 20:52:25
     61.147.103.185	30 failed login attempts to account root (system) -- Large number of attempts from this IP: 61.147.103.185	2014-07-10 00:08:37	2014-07-24 00:08:37
     61.147.103.71	30 failed login attempts to account root (system) -- Large number of attempts from this IP: 61.147.103.71	2014-07-10 00:23:50	2014-07-24 00:23:50
     193.107.17.72	30 failed login attempts to account root (system) -- Large number of attempts from this IP: 193.107.17.72	2014-07-09 23:44:35	2014-07-23 23:44:35
     60.173.9.19	30 failed login attempts to account root (system) -- Large number of attempts from this IP: 60.173.9.19	2014-07-10 01:57:40	2014-07-24 01:57:40
     116.10.191.163	30 failed login attempts to account root (system) -- Large number of attempts from this IP: 116.10.191.163	2014-07-10 01:44:13	2014-07-24 01:44:13
     61.147.103.169	30 failed login attempts to account root (system) -- Large number of attempts from this IP: 61.147.103.169	2014-07-10 03:26:02	2014-07-24 03:26:02
     61.174.51.194	30 failed login attempts to account root (system) -- Large number of attempts from this IP: 61.174.51.194
    The question is, how can I allow only my country or my computer to access SSH as root? This brute force protection makes me unable to log in to my own WHM and SSH.

    Please advise.

    Thanks.
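Added example, not part of crliuh's post: before choosing between a short whitelist, a blocklist and country-wide lists, it helps to see how few network ranges the listed attempts actually come from. The script below summarises cPHulk "failed login attempts" lines by source IP, by /24 prefix and by targeted account. The log lines are constructed here in the same tab-separated layout as the log posted above (source IP, message, block start, block end), using a handful of the addresses from it.

```shell
#!/bin/sh
# Added example (not from the thread): summarise cPHulk brute-force log lines
# by source IP, by /24 prefix and by targeted account, so that the size of a
# useful allow/deny list can be judged before touching the firewall.
set -e

sample_log() {
  # Constructed sample in the posted layout; printf reuses the format for
  # every group of five arguments (ip, account, ip, block start, block end)
  printf '%s\t30 failed login attempts to account %s (system) -- Large number of attempts from this IP: %s\t%s\t%s\n' \
    116.10.191.172 root  116.10.191.172 '2014-07-10 02:58:09' '2014-07-24 02:58:09' \
    61.174.51.221  root  61.174.51.221  '2014-07-08 16:29:48' '2014-07-22 16:29:48' \
    116.10.191.226 root  116.10.191.226 '2014-07-08 12:25:40' '2014-07-22 12:25:40' \
    116.10.191.213 root  116.10.191.213 '2014-07-08 14:34:32' '2014-07-22 14:34:32' \
    1.93.26.149    root  1.93.26.149    '2014-07-08 20:23:12' '2014-07-22 20:23:12' \
    61.174.51.203  admin 61.174.51.203  '2014-07-08 20:42:57' '2014-07-22 20:42:57' \
    218.16.129.142 calm  218.16.129.142 '2014-07-09 12:41:30' '2014-07-23 12:41:30'
}

# Attempts per source IP, highest first: "<count> <ip>"
attempts_by_ip() {
  awk -F'\t' '{ n = $2; sub(/ .*/, "", n); a[$1] += n }
              END { for (ip in a) print a[ip], ip }' | sort -rn
}

# Attempts per /24, highest first: "<count> <a.b.c.0/24>"
# One CIDR entry per line of this output replaces many single-IP entries.
attempts_by_prefix() {
  awk -F'\t' '{ n = $2; sub(/ .*/, "", n); split($1, o, ".")
                a[o[1] "." o[2] "." o[3] ".0/24"] += n }
              END { for (p in a) print a[p], p }' | sort -rn
}

# Distinct accounts being guessed (shows whether only root is targeted)
targeted_accounts() {
  awk -F'\t' '{ if (match($2, /account [^ ]+/)) print substr($2, RSTART + 8, RLENGTH - 8) }' | sort -u
}

# Run directly: pipe a real cPHulk export in place of sample_log
sample_log | attempts_by_prefix
```

On the constructed sample the top prefix is 116.10.191.0/24 with 90 attempts, and only four /24 ranges appear in total, which is why the later replies argue that a handful of firewall entries (or simply moving the SSH port and restricting who may log in) is a better fit than country-sized lists.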
     
  2. iserversupport

    iserversupport Well-Known Member

    Joined:
    Nov 4, 2013
    Messages:
    91
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    India
    cPanel Access Level:
    Root Administrator
    You can do that in WHM using

    Security Center >> Host Access Control.

    There you can deny SSH for all IPs except one.
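Added example, not cPanel's own code: Host Access Control writes TCP wrappers rules for sshd, and the rules are evaluated first match wins, so the order of the allow and the final deny matters. The script renders such a rule set in hosts.allow(5) syntax for a list of permitted sources and evaluates a client IP against it the way tcp_wrappers does. Only exact IPs and dotted prefixes such as "198.51.100." are modelled; the addresses are constructed documentation ranges.

```shell
#!/bin/sh
# Added example (not cPanel's code): render "daemon : client : action" rules
# for sshd and evaluate a client IP against them, first match wins.
set -e

# Emit rules in the hosts.allow(5) extended syntax: allow the listed sources,
# then deny everything else for sshd
render_sshd_rules() {      # usage: render_sshd_rules "ip-or-prefix ..."
  for src in $1; do
    printf 'sshd : %s : allow\n' "$src"
  done
  printf 'sshd : ALL : deny\n'
}

# Read rules on stdin, print allow/deny for the given client IP.
# Supports exact IPs and dotted prefixes ("198.51.100." matches 198.51.100.x).
sshd_decision() {          # usage: render_sshd_rules ... | sshd_decision IP
  ip=$1
  while IFS=: read -r daemon client action; do
    client=$(printf '%s' "$client" | tr -d ' ')
    action=$(printf '%s' "$action" | tr -d ' ')
    case $client in
      ALL)
        printf '%s\n' "$action"; return 0 ;;
      *.)
        case $ip in
          "$client"*) printf '%s\n' "$action"; return 0 ;;
        esac ;;
      *)
        if [ "$ip" = "$client" ]; then printf '%s\n' "$action"; return 0; fi ;;
    esac
  done
  # No rule matched: tcp_wrappers grants access when nothing matches,
  # which is why the trailing "sshd : ALL : deny" line is essential
  printf 'allow\n'
}

# Demo: one fixed address plus an ISP /24 written as a dotted prefix
render_sshd_rules '203.0.113.10 198.51.100.'
for client in 203.0.113.10 198.51.100.77 192.0.2.5; do
  printf '%s -> %s\n' "$client" "$(render_sshd_rules '203.0.113.10 198.51.100.' | sshd_decision "$client")"
done
```

The no-match default at the end is the caveat to keep in mind: a rule set that lists allowed sources without a closing deny line for sshd restricts nothing.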
     
  3. crliuh

    crliuh Member

    Joined:
    Jun 16, 2014
    Messages:
    23
    Likes Received:
    1
    Trophy Points:
    3
    cPanel Access Level:
    Root Administrator
    Thanks iserversupport.

    By any chance, can it unblock just the specified country's IPs?
     
  4. triantech

    triantech Well-Known Member

    Joined:
    Jul 1, 2014
    Messages:
    145
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Kochi, India, India
    cPanel Access Level:
    Root Administrator
    crliuh,

    You can use csf (the default firewall) to block the IPs from specified countries.
    In the csf configuration file '/etc/csf/csf.conf' there is an option to block access from an
    IP range by using country codes.

    CC_DENY = ""

    Specify the country codes there ^

    Use this link to find the allocations of IPs to countries and their
    codes.

    https://www.countryipblocks.net/allocation-of-ip-addresses-by-country.php

    Thanks
     
  5. triantech

    triantech Well-Known Member

    Joined:
    Jul 1, 2014
    Messages:
    145
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Kochi, India, India
    cPanel Access Level:
    Root Administrator
    crliuh,

    You can use csf (the default firewall) to block the IPs from specified countries.
    In the csf configuration file '/etc/csf/csf.conf' there is an option to block access from an
    IP range by using country codes.

    CC_DENY = ""

    Specify the country codes there ^

    You can find the respective country codes and IPs using a quick Google search.

    Thanks
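Added example, not csf's or cPanel's own code: the two replies above say to put country codes into CC_DENY in /etc/csf/csf.conf. The script below does that edit on a constructed miniature of that file, idempotently (no duplicate keys) and with a format check so a misspelt entry is refused rather than written. On a real host you would point it at /etc/csf/csf.conf and then reload csf with "csf -r" (assumed available wherever csf is installed).

```shell
#!/bin/sh
# Added example (not csf's code): set and read CC_DENY in a csf.conf copy.
# csf.conf uses the layout KEY = "value", which the helpers below rely on.
set -e

make_sample_conf() {   # constructed extract of /etc/csf/csf.conf
  cat > "$1" <<'EOF'
# Constructed extract of /etc/csf/csf.conf for the example
CC_DENY = ""
CC_ALLOW = ""
EOF
}

# Country codes are 2-letter ISO codes, comma-separated ("CN,RU");
# the empty string is valid and means the feature is off
validate_cc_list() {
  if [ -z "$1" ]; then return 0; fi
  printf '%s' "$1" | grep -Eq '^[A-Z]{2}(,[A-Z]{2})*$'
}

get_csf_option() {     # usage: get_csf_option FILE KEY
  sed -n "s/^$2 *= *\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

set_csf_option() {     # usage: set_csf_option FILE KEY VALUE
  if grep -q "^$2 *=" "$1"; then
    # rewrite the existing line in place instead of appending a duplicate
    sed "s|^$2 *=.*|$2 = \"$3\"|" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
  else
    printf '%s = "%s"\n' "$2" "$3" >> "$1"
  fi
}

# Refuse malformed lists rather than writing them into the firewall config
deny_countries() {     # usage: deny_countries FILE "CN,RU"
  if ! validate_cc_list "$2"; then
    echo "bad country list: $2" >&2
    return 1
  fi
  set_csf_option "$1" CC_DENY "$2"
}

# Demo on a temporary copy; on a real server use /etc/csf/csf.conf
conf=$(mktemp)
make_sample_conf "$conf"
deny_countries "$conf" "CN"
printf 'CC_DENY is now "%s"\n' "$(get_csf_option "$conf" CC_DENY)"
rm -f "$conf"
```

Keep the later replies in mind before filling this in: every country code expands to a long list of CIDR blocks in iptables, so a one- or two-entry CC_DENY is the most this approach should be asked to carry.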
     
  6. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    942
    Likes Received:
    57
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    Keep in mind blocking or allowing entire countries with CSF creates a very large amount of iptables rules and may affect performance.

    I simply recommend changing your SSH port to a non-default port number. This stops the majority of random brute-force scans on SSH. Alternatively, you could close the SSH port in the firewall config and only whitelist the IP that you are working from. If you did this with CSF, you could always log in to WHM to whitelist a new IP through the ConfigServer panel.

    Also, disable cPHulk; it's not good for much other than locking you out of your own server.
     
  7. crliuh

    crliuh Member

    Joined:
    Jun 16, 2014
    Messages:
    23
    Likes Received:
    1
    Trophy Points:
    3
    cPanel Access Level:
    Root Administrator
    Thanks triantech. Another concern, raised by quizknows: a large amount of iptables rules may affect performance. :confused:

    - - - Updated - - -

    Because my IPs are dynamic, that's why I need to fix the IP within the country range. The best option would be authentication based only on specific computers.

    If cPHulk is disabled there will be more failed login attempts. I don't think that's good for my server, right?
     
  8. triantech

    triantech Well-Known Member

    Joined:
    Jul 1, 2014
    Messages:
    145
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Kochi, India, India
    cPanel Access Level:
    Root Administrator
    crliuh,

    A quick whois on the IPs which are attacking shows that they are from China. So I think instead of allowing
    country lists, try to block the IPs from China (if you do not have any valid requests coming from there).

    And yes, if the CC allow and CC deny lists are filled with lots of countries, performance might get affected.

    Also, as quizknows suggested, why not change the default SSH port and, in addition, disable direct
    root login and create a su user.
     
  9. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    942
    Likes Received:
    57
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    cPHulk doesn't block IPs, it only blocks targeted accounts, which is why it's basically worthless. Use CSF/LFD; it will block the attacking IP addresses without locking you out. If you have CSF, then cPHulk is unnecessary; the most it's going to do is stop you from logging in during an attack.

    Changing your SSH port, and as triantech suggested, a su user with direct root login disabled, is a more reasonable and efficient solution than blocking or allowing entire countries' worth of IP addresses.
     
    #9 quizknows, Jul 11, 2014
    Last edited: Jul 11, 2014
  10. georgeb

    georgeb Well-Known Member

    Joined:
    May 23, 2010
    Messages:
    48
    Likes Received:
    1
    Trophy Points:
    8
    Location:
    Montreal, QC, Canada
    cPanel Access Level:
    Root Administrator
    Just add this line to your file /etc/ssh/sshd_config:

    Code:
    AllowUsers root@your_ip_address_here
    
    After this only your IP address can access the server via SSH (as the root user).
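Added example, not from georgeb's post or from OpenSSH: the thread converges on three sshd_config settings (a non-default Port, PermitRootLogin no with a separate user who escalates with su, and AllowUsers scoped to a source address). The script audits a config file for exactly those three and shows a "weak" and a "hardened" file side by side, both constructed here. The hardened file scopes AllowUsers to a CIDR block rather than a single address, which is what sshd_config(5) permits in the HOST part of a USER@HOST pattern and what covers the dynamic-IP case crliuh raised; 203.0.113.0/24 is a documentation range standing in for the ISP's block. The real file is /etc/ssh/sshd_config, and "sshd -t" (assumed available on the host) should validate any edit before sshd is restarted.

```shell
#!/bin/sh
# Added example (not OpenSSH's or cPanel's code): audit sshd_config for the
# three hardening settings discussed in the thread.
set -e

make_weak_conf() {       # constructed: the defaults the thread starts from
  cat > "$1" <<'EOF'
Port 22
PermitRootLogin yes
EOF
}

make_hardened_conf() {   # constructed: port moved, root login off, scoped user
  cat > "$1" <<'EOF'
Port 2222
PermitRootLogin no
# "admin" logs in from the ISP range and escalates with su;
# sshd_config(5) allows CIDR in the HOST part of a USER@HOST pattern
AllowUsers admin@203.0.113.0/24
EOF
}

# sshd honours the first occurrence of a keyword; keywords are case-insensitive
sshd_get() {             # usage: sshd_get FILE KEYWORD
  awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# 0 when an AllowUsers line exists and every pattern on it is USER@HOST;
# a bare user name would admit that user from any source address
allowusers_scoped() {    # usage: allowusers_scoped FILE
  awk 'tolower($1) == "allowusers" { seen = 1; for (i = 2; i <= NF; i++) if ($i !~ /@/) bad = 1 }
       END { exit (seen && !bad) ? 0 : 1 }' "$1"
}

# Prints one finding per line; returns 0 only when there are none
sshd_audit() {           # usage: sshd_audit FILE
  f=$1; rc=0
  port=$(sshd_get "$f" Port); [ -n "$port" ] || port=22
  if [ "$port" = 22 ]; then echo "Port is the default 22"; rc=1; fi
  prl=$(sshd_get "$f" PermitRootLogin); [ -n "$prl" ] || prl=unset
  if [ "$prl" != no ]; then echo "PermitRootLogin is $prl; direct root login still possible"; rc=1; fi
  if ! allowusers_scoped "$f"; then echo "AllowUsers missing or has a pattern without @host"; rc=1; fi
  return $rc
}

# Demo: audit both constructed files
for kind in weak hardened; do
  tmp=$(mktemp); "make_${kind}_conf" "$tmp"
  echo "== $kind =="; sshd_audit "$tmp" || true
  rm -f "$tmp"
done
```

Two practical notes: keep an existing SSH session open while applying these settings so a typo cannot lock you out, and remember that AllowUsers with a single fixed address (as in the post above) is exactly the setting that fails once your home IP changes, which is why the CIDR form is used here.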

    Regards
     