Brute Force Attack Using Specific Server Services Usernames


Apr 16, 2007
Greetings. I'm looking for some help regarding brute force attacks that specify certain usernames associated with the server's various services. For example, for the past 24 hours some a**hole has been continually trying to log in to these usernames:


Nothing else, just those three. But, repeatedly every few minutes over the past 24 hours and using different IPs through proxy servers around the globe for each one. So, blocking the IP is worthless against this and so is blocking the country.

I have CPHulk Brute Force protection activated which is catching all these. Plus, CSF installed as well.

I'm a believer in preventive tactics. This is not the first attempt at some of these server services but it is the most consistent. While writing this I just received two more notifications:

5 failed login attempts to account ubnt (system) -- Large number of attempts from this IP:

Reverse DNS:

Origin Country: Germany (DE)

5 failed login attempts to account ubnt (system) -- Large number of attempts from this IP: Origin Country: United States (US)

As you can see, same username attempted but completely different sources. These came 2 minutes apart.

My question is this. Is there a way via modsecurity rules or other method to immediately 'ban' someone who attempts to log in under those names regardless of the number of attempts? Essentially a 'rule' that would detect that as a protected username and immediately throw a 401 page?

Or, some other example of how we can make it less worthwhile for these bozos to keep trying? As it is right now, there's nothing stopping this guy from just continuing forever. It's obvious he's running some automated program (most likely) but if he keeps getting slammed with 401's then maybe (hopefully) he'll move on to someone else.

Is there such a thing? Any help would be GREATLY appreciated! Thanks in advance.


Well-Known Member
Oct 20, 2009
cPanel Access Level
DataCenter Provider
Since "system" usually means SSH, there's nothing to do with modsecurity unfortunately. If they were trying to log into your web applications with bogus usernames, that's something ModSecurity can help with.

If the usernames don't exist on the system, it's really just an annoyance at that point. As long as you can still access your server(s) and it's not causing excess load on them, I'd just let cphulk and csf do their thing. It's probably just an automated botnet, I wouldn't lose any sleep over it.
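The "ban on the first sight of a watched username" the question asks for can be done outside ModSecurity by watching sshd's own log. The script below is an added example, not code from the thread, cPanel or csf: it parses constructed OpenSSH log lines, treats any attempt on a watched username (ubnt is from the thread; the other names are assumed) as grounds for an immediate deny, keeps ordinary failure counts for everything else, and emits `csf -d` commands (csf's deny flag) rather than running them.

```python
import re
from collections import defaultdict

# Accounts that no legitimate user should ever log in with on this host.
# "ubnt" comes from the thread; "admin" and "test" are assumed extras.
WATCHED_USERS = {"ubnt", "admin", "test"}

# OpenSSH failure lines as written to /var/log/secure (or auth.log):
#   "Invalid user ubnt from 203.0.113.10 port 51234"
#   "Failed password for invalid user ubnt from 203.0.113.10 port 51234 ssh2"
#   "Failed password for root from 192.0.2.44 port 2222 ssh2"
AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?:Failed password for |Invalid user )(?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+)"
)

# Constructed sample log (RFC 5737 documentation addresses, not real sources).
SAMPLE_LOG = """\
Apr 16 10:01:02 host sshd[1201]: Invalid user ubnt from 203.0.113.10 port 51234
Apr 16 10:01:02 host sshd[1201]: Failed password for invalid user ubnt from 203.0.113.10 port 51234 ssh2
Apr 16 10:03:15 host sshd[1210]: Failed password for invalid user ubnt from 198.51.100.7 port 40022 ssh2
Apr 16 10:03:40 host sshd[1215]: Failed password for root from 192.0.2.44 port 2222 ssh2
Apr 16 10:03:41 host sshd[1216]: Failed password for root from 192.0.2.44 port 2223 ssh2
Apr 16 10:05:00 host sshd[1220]: Accepted publickey for deploy from 192.0.2.9 port 2200 ssh2
"""


def triage(lines, watched=WATCHED_USERS):
    """Return (ban_now, failures): source IPs to deny immediately because they
    tried a watched username, and per-IP failure counts for all other users,
    which are left to the normal cphulk/csf thresholds."""
    ban_now = set()
    failures = defaultdict(int)
    for line in lines:
        m = AUTH_RE.search(line)
        if not m:
            continue  # accepted logins, disconnects and other noise
        user, ip = m.group("user"), m.group("ip")
        if user in watched:
            ban_now.add(ip)
        else:
            failures[ip] += 1
    return ban_now, dict(failures)


def deny_commands(ips, comment="watched username attempt"):
    """Build the csf deny commands an operator (or cron job) would run."""
    return [f'csf -d {ip} "{comment}"' for ip in sorted(ips)]


if __name__ == "__main__":
    ban, fails = triage(SAMPLE_LOG.splitlines())
    print("\n".join(deny_commands(ban)))
    print("other failures:", fails)
```

Because the watched names never exist on the box, a single attempt is already a high-confidence signal, so this denies on first sight while leaving real accounts such as root to the usual attempt-count rules.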


Apr 16, 2007
Thanks for your response! I pretty much felt the same way, that it's just some bot bouncing around until it runs its course. However, I can't help but think that somehow some way they'll eventually have success even though the possibility is unlikely. Call it paranoia as we've been successfully hacked before and it sucked royally.

So, if there's no real way to protect the 'system' with the exception of brute force prevention, CSF, and the Host Access Control we've deployed in WHM, then we'll just have to let those do the work.