The Community Forums


Brute Force Attack Using Specific Server Services Usernames

Discussion in 'Security' started by simcomedia, Dec 23, 2014.

  1. simcomedia

    simcomedia Registered

    Joined:
    Apr 16, 2007
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    1
    Greetings. I'm looking for some help regarding brute force attacks that specify certain usernames associated with the server's various services. For example, for the past 24 hours some a**hole has been continually trying to log in to these usernames:

    vyatta
    PIcmSpIp
    ubnt

    Nothing else, just those three. But, repeatedly every few minutes over the past 24 hours and using different IPs through proxy servers around the globe for each one. So, blocking the IP is worthless against this and so is blocking the country.

    I have CPHulk Brute Force protection activated which is catching all these. Plus, CSF installed as well.

    I'm a believer in preventive tactics. This is not the first attempt at some of these server services but it is the most consistent. While writing this I just received two more notifications:

    5 failed login attempts to account ubnt (system) -- Large number of attempts from this IP: 85.25.195.189

    Reverse DNS: astra1636.startdedicated.net

    Origin Country: Germany (DE)

    5 failed login attempts to account ubnt (system) -- Large number of attempts from this IP: 207.106.176.151 Origin Country: United States (US)

    As you can see, same username attempted but completely different sources. These came 2 minutes apart.

    My question is this. Is there a way via modsecurity rules or other method to immediately 'ban' someone who attempts to log in under those names regardless of the number of attempts? Essentially a 'rule' that would detect that as a protected username and immediately throw a 401 page?

    Or, some other example of how we can make it less worthwhile for these bozos to keep trying? As it is right now, there's nothing stopping this guy from just continuing forever. It's obvious he's running some automated program (most likely) but if he keeps getting slammed with 401's then maybe (hopefully) he'll move on to someone else.

    Is there such a thing? Any help would be GREATLY appreciated! Thanks in advance.
     
  2. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    941
    Likes Received:
    56
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    Since "system" usually means SSH, there's nothing to do with modsecurity unfortunately. If they were trying to log into your web applications with bogus usernames, that's something ModSecurity can help with.

    If the usernames don't exist on the system, it's really just an annoyance at that point. As long as you can still access your server(s) and it's not causing excess load on them, I'd just let cphulk and csf do their thing. It's probably just an automated botnet, I wouldn't lose any sleep over it.
     
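A defender-side illustration of the "protected username" idea from the first post, added here as an example and not code from any forum participant or from cPHulk/CSF: it scans log lines for login attempts against a small watch-list of usernames that have no business on this server, and flags the source on the first attempt rather than after a failure count. The cPHulk line format is assumed to match the notification wording quoted in the thread, the sshd lines follow OpenSSH's "Invalid user" auth-log message, the sample lines are constructed, and the `csf -d IP comment` deny syntax is an assumption to verify against your CSF version.

```python
import re
from typing import List, NamedTuple

# Usernames nobody on this server legitimately uses; any attempt is hostile.
WATCHLIST = {"vyatta", "ubnt", "picmspip"}

# Assumed to match the cPHulk notification wording quoted in the thread.
CPHULK_RE = re.compile(
    r"failed login attempts to account (?P<user>\S+) \((?P<service>[^)]+)\)"
    r".*?from this IP: (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)
# OpenSSH auth-log line for a username that does not exist on the host.
SSHD_RE = re.compile(
    r"sshd\[\d+\]: Invalid user (?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

class Hit(NamedTuple):
    user: str
    ip: str
    source: str  # which log format produced the hit

def scan(lines: List[str]) -> List[Hit]:
    """Return one Hit per line that targets a watch-listed username (any count)."""
    hits = []
    for line in lines:
        for source, rx in (("cphulk", CPHULK_RE), ("sshd", SSHD_RE)):
            m = rx.search(line)
            if m and m.group("user").lower() in WATCHLIST:
                hits.append(Hit(m.group("user"), m.group("ip"), source))
                break
    return hits

def deny_commands(hits: List[Hit]) -> List[str]:
    """One permanent CSF deny per offending IP; assumes 'csf -d IP comment'."""
    seen, cmds = set(), []
    for h in hits:
        if h.ip not in seen:
            seen.add(h.ip)
            cmds.append(f"csf -d {h.ip} watchlist-user:{h.user}")
    return cmds

# Constructed sample input using documentation address ranges.
SAMPLE = [
    "5 failed login attempts to account ubnt (system) -- Large number of attempts from this IP: 203.0.113.10",
    "Dec 23 10:14:02 host sshd[2311]: Invalid user vyatta from 198.51.100.7 port 41022",
    "Dec 23 10:14:30 host sshd[2315]: Invalid user alice from 198.51.100.9 port 41050",
    "5 failed login attempts to account PIcmSpIp (system) -- Large number of attempts from this IP: 203.0.113.10",
]

if __name__ == "__main__":
    for cmd in deny_commands(scan(SAMPLE)):
        print(cmd)
```

Because the sources rotate through proxies, each deny only shortens one source's lifetime; the useful part is that the trigger is the username, so a single probe is enough evidence and no failure threshold has to be met first.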
  3. simcomedia

    simcomedia Registered

    Joined:
    Apr 16, 2007
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    1
    Thanks for your response! I pretty much felt the same way, that it's just some bot bouncing around until it runs its course. However, I can't help but think that somehow some way they'll eventually have success even though the possibility is unlikely. Call it paranoia as we've been successfully hacked before and it sucked royally.

    So, if there's no real way to protect the 'system' with the exception of brute force prevention, CSF and also we've deployed the Host Access Control in WHM, then we'll just have to let those do the work.
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,808
    Likes Received:
    667
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator