The Community Forums


Best course of action when root account is being forced?

Discussion in 'General Discussion' started by kbuser, Oct 1, 2009.

  1. kbuser

    kbuser Well-Known Member

    Joined:
    Aug 25, 2008
    Messages:
    66
    Likes Received:
    2
    Trophy Points:
    8
    You could always disable password entry and use a RSA key to login.

    Also, at the firewall level you could disable everything on the SSH port unless it comes from an allowed list of IPs.
     
    #1 kbuser, Oct 1, 2009
    Last edited: Oct 1, 2009
  2. kre8web

    kre8web Active Member

    Joined:
    Aug 11, 2004
    Messages:
    28
    Likes Received:
    0
    Trophy Points:
    1
    For the past few days we've been getting a very large number of "Large Number of Failed Login Attempts to the root account" emails from WHM every few minutes, all from different IPs/rDNS. Is there any suggested course of action to take, or do we simply wait out the attack?

    Thank you in advance :)
     
  3. Kevinfrom

    Kevinfrom Well-Known Member

    Joined:
    Jan 18, 2008
    Messages:
    47
    Likes Received:
    0
    Trophy Points:
    6
    You can also change the default SSH port to something else, and also restrict logins using /etc/hosts.allow to only allow certain IPs to log in via SSH.
     
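    Putting the advice in this thread into something checkable: kbuser's key-only login and Kevinfrom's non-default port and /etc/hosts.allow whitelist. This is an added example, not code from the thread or from cPanel; the two sshd_config files, the port and the whitelisted IPs are constructed for the demo, and the pass/fail thresholds are my own assumptions.

    ```shell
    #!/bin/sh
    # Added example: audit an sshd_config against the thread's advice (key-only
    # auth, no root password login, non-default port) and print TCP-wrapper rules
    # that limit sshd to a whitelist. Sample configs and IPs are constructed.

    # Print the effective value of a keyword; sshd honours the FIRST occurrence.
    sshd_get() {
        awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
    }

    # Return 0 when the config meets the advice, 1 otherwise, printing findings.
    # Unset keywords fall back to the old (pre-OpenSSH 7.0) permissive defaults.
    check_sshd_config() {
        f=$1; rc=0
        pa=$(sshd_get "$f" PasswordAuthentication)
        prl=$(sshd_get "$f" PermitRootLogin)
        port=$(sshd_get "$f" Port)
        [ "${pa:-yes}" = "no" ] || { echo "FAIL $f: PasswordAuthentication=${pa:-yes} (want no)"; rc=1; }
        case "${prl:-yes}" in
            no|prohibit-password|without-password) ;;
            *) echo "FAIL $f: PermitRootLogin=${prl:-yes} (want no or prohibit-password)"; rc=1 ;;
        esac
        # The thread treats a non-default port as extra hardening, so only warn.
        [ "${port:-22}" != "22" ] || echo "WARN $f: sshd still on default port 22"
        return $rc
    }

    # Emit the hosts.allow / hosts.deny lines for an IP whitelist (args = IPs).
    hosts_allow_rules() {
        printf 'sshd: %s\n' "$*"        # goes in /etc/hosts.allow
        printf 'sshd: ALL\n'            # goes in /etc/hosts.deny
    }

    # Demo on two constructed configs: one as shipped (weak), one hardened.
    tmp=$(mktemp -d)
    printf 'Port 22\nPasswordAuthentication yes\nPermitRootLogin yes\n' > "$tmp/weak"
    printf 'Port 2222\nPasswordAuthentication no\nPermitRootLogin prohibit-password\n' > "$tmp/hard"
    for f in "$tmp/weak" "$tmp/hard"; do
        if check_sshd_config "$f"; then echo "OK   $f"; fi
    done
    hosts_allow_rules 203.0.113.5 198.51.100.7   # constructed whitelist
    rm -rf "$tmp"
    ```

    Restart sshd only after confirming a key login works from a second session, since the same lockout kre8web describes below applies to any host not on the whitelist.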
  4. kre8web

    kre8web Active Member

    Joined:
    Aug 11, 2004
    Messages:
    28
    Likes Received:
    0
    Trophy Points:
    1
    Thanks for the advice so far. I would like to go the IP whitelisting route; however, I have some concerns in that my IP address isn't static. For example, if for some reason I was unable to connect via my normal IP range and had to use a backup ISP, then would I essentially be totally locked out of the system?
     
  5. d_t

    d_t Well-Known Member

    Joined:
    Sep 20, 2003
    Messages:
    243
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Bucharest
    You can use the csf firewall to restrict SSH access, and in case you're locked out, you can connect to WHM and whitelist your IP.
     
  6. kre8web

    kre8web Active Member

    Joined:
    Aug 11, 2004
    Messages:
    28
    Likes Received:
    0
    Trophy Points:
    1
    Thank you all for the advice so far; I plan on implementing a number of the suggestions. However, I'm currently faced with a problem: having not previously whitelisted my IP in WHM, I'm now locked out of both SSH and WHM and hence can't flush the cPHulk database.

    Is all I can do wait out the attack until such a time that I can log in again via root? Or would rebooting the server at the DC flush the cPHulk database?

    Cheers :)
     