The Community Forums


Brute Force Cpanel/whm

Discussion in 'General Discussion' started by inda, Jan 4, 2006.

  1. inda (Member, joined Dec 28, 2004)

    Hello
    I have a problem with one of my servers.
    The server has cPanel/WHM installed, but today something happened that has never happened before.

    Apparently, according to the logs, they mounted brute-force attacks against cPanel/WHM, and as a consequence the server could not hold the load of more than 1200 processes generated by that attack.

    What I could do was close the ports 2082, 2083, 2086 and 2087 used by cPanel/WHM, and use apf and bfd.
    I contacted cPanel support and they said it could be solved with some firewall rule, but I do not have much knowledge of defining rules.

    cPanel told me that the ports cannot be changed.

    Could you give me a solution to this problem?

    I await your answer.

    == associated logs ==

    Thanks

    Logs:
    ======
    root 12396 10788 0 10:30 ? 00:00:00 cpaneld - serving 85.48.68.185
    root 12397 10788 0 10:30 ? 00:00:00 cpaneld - serving 85.48.68.185
    root 12398 10788 0 10:30 ? 00:00:00 cpaneld - serving 172.211.49.242
    root 12399 10788 0 10:30 ? 00:00:01 [cpsrvd] <defunct>
    root 12402 10788 0 10:30 ? 00:00:00 cpaneld - serving 86.197.92.1
    root 12403 10788 0 10:30 ? 00:00:01 cpaneld - serving 218.167.91.58
    root 12405 10788 0 10:30 ? 00:00:00 [cpsrvd] <defunct>
    root 12407 10788 0 10:30 ? 00:00:00 cpaneld - serving 218.167.91.58
    root 12408 10788 0 10:30 ? 00:00:00 cpaneld - serving 85.18.14.3
    root 12409 10788 0 10:30 ? 00:00:02 cpaneld - serving 82.229.221.235
    root 12411 10788 0 10:30 ? 00:00:00 cpaneld - serving 195.24.94.244
    root 12412 10788 0 10:30 ? 00:00:01 cpaneld - serving 200.117.220.236
    etc..
     
  3. HostMerit (Well-Known Member, joined Oct 24, 2004, New Jersey, USA; cPanel Access Level: DataCenter Provider)

    It's kind of sad. I've been waiting for a while for cPanel to limit the number of processes / max (failed) logins per IP and be able to implement some type of good brute-force security. It's WAY too easy to crack a cPanel box. Guess I should submit it to Bugzilla...
     
  4. xidica (Well-Known Member, joined Apr 21, 2005, Texas)

    This is where really long, super uber-complex passwords come into play... but you're right.
     
  5. xidica (Well-Known Member, joined Apr 21, 2005, Texas)

    I've written a Perl daemon that takes a whitelist of IPs to ignore (in a text file) as an option, and continually logs cpsrvd process IDs, IPs, and timestamps to a text file.
    If a host is detected more than x times in x or fewer seconds, and the PIDs differ of course, iptables drops the host. It's a bit of a work in progress, so I don't want to just throw it up here because it's not as polished as I'd like.
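    The detection rule xidica describes (count distinct cpsrvd/cpaneld PIDs per client IP inside a time window, skip a whitelist, then hand the offender to iptables), as an added Python example that is not xidica's Perl daemon or any cPanel code. It parses constructed `ps` lines in the format quoted in the first post and only returns the IPs that cross the threshold; the window, the threshold and the documentation IPs are assumptions, and nothing here calls iptables.

```python
import re
from collections import defaultdict

# Matches the ps lines quoted in the thread: PID is column two, the client
# IP follows "cpaneld - serving". Defunct [cpsrvd] children carry no IP.
PS_LINE = re.compile(r"^\s*\S+\s+(?P<pid>\d+)\s+\d+\s+.*cpaneld - serving "
                     r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s*$")

def parse_ps(ps_output):
    """Return (pid, ip) for every active cpaneld child in one ps snapshot."""
    matches = (PS_LINE.match(line) for line in ps_output.splitlines())
    return [(int(m["pid"]), m["ip"]) for m in matches if m]

class CpsrvdTracker:
    def __init__(self, window_seconds, max_connections, whitelist=()):
        self.window, self.max_conn = window_seconds, max_connections
        self.whitelist = set(whitelist)
        self.first_seen = defaultdict(dict)  # ip -> {pid: first-seen time}

    def observe(self, now, ps_output):
        """Record one ps snapshot taken at time `now` (seconds)."""
        for pid, ip in parse_ps(ps_output):
            # A PID seen before is the same connection, so keep its first time.
            self.first_seen[ip].setdefault(pid, now)
        cutoff = now - self.window
        for ip, pids in self.first_seen.items():  # forget entries outside window
            self.first_seen[ip] = {p: t for p, t in pids.items() if t >= cutoff}

    def offenders(self):
        """Non-whitelisted IPs with more than max_conn distinct PIDs in window."""
        return sorted(ip for ip, pids in self.first_seen.items()
                      if ip not in self.whitelist and len(pids) > self.max_conn)

# Constructed snapshots in the thread's ps format (documentation IPs only).
SNAPSHOTS = [(1000, """\
root 12396 10788 0 10:30 ? 00:00:00 cpaneld - serving 203.0.113.5
root 12397 10788 0 10:30 ? 00:00:00 cpaneld - serving 203.0.113.5
root 12399 10788 0 10:30 ? 00:00:01 [cpsrvd] <defunct>
root 12400 10788 0 10:30 ? 00:00:00 cpaneld - serving 192.0.2.9
root 12401 10788 0 10:30 ? 00:00:00 cpaneld - serving 192.0.2.9"""), (1005, """\
root 12396 10788 0 10:30 ? 00:00:00 cpaneld - serving 203.0.113.5
root 12410 10788 0 10:30 ? 00:00:00 cpaneld - serving 203.0.113.5
root 12411 10788 0 10:30 ? 00:00:00 cpaneld - serving 203.0.113.5
root 12412 10788 0 10:30 ? 00:00:00 cpaneld - serving 192.0.2.9""")]

def run_sample(whitelist=("192.0.2.9",)):
    tracker = CpsrvdTracker(window_seconds=10, max_connections=2, whitelist=whitelist)
    for ts, snapshot in SNAPSHOTS:  # policy: more than 2 distinct PIDs in 10 s
        tracker.observe(ts, snapshot)
    return tracker  # tracker.offenders() lists the IPs a daemon would drop
```

    The whitelist matters because a legitimate admin or monitoring host opening several sessions looks identical to a brute-forcer in this view, and the PID check avoids counting one long-lived session twice.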
     
  6. jamesbond (Well-Known Member, joined Oct 9, 2002)

    If you have a static ip address you can always block WHM ports 2086/2087, and add your ip to the allow list in apf.

    This isn't an option for cPanel access of course, so I agree, some sort of brute-force protection would be nice. Even the forum (vBulletin) we're on right now has it! Now isn't a cPanel account a bit more important to protect than a forum account? ;)
     
  7. jamesbond (Well-Known Member, joined Oct 9, 2002)

    Does it log the correct ip address when people log in through secure ports or does it show up as 127.0.0.1?
     
  8. xidica (Well-Known Member, joined Apr 21, 2005, Texas)

    I'm actually revisiting the code right now, since it's been so long since I've needed it but apparently there is demand for it (I don't run cPanel personally)... You are correct in regards to the SSL thing, but now that I think of it, it wouldn't be hard for me to get that working as well (since stunnel simply forwards the request to cpsrvd), so I can grab the IPs for secure connections via netstat output. Come to think of it, this is a better way for me to go about it. Unfortunately I don't have any test-bed cPanel machine available to me right now, and I'd ultimately like it to work on BSD as well as Linux... I'll just have to rewrite the code as well as I can without a cPanel box lying around and test it when I get back to work and have time to play around on a test box...
     
  9. xidica (Well-Known Member, joined Apr 21, 2005, Texas)

    If someone could PM me or post the output of the following command while stunnel is serving someone, as well as when non-encrypted cpsrvd is serving an IP for login:

    netstat -atnp | grep "2086\|2087"

    It'd be much appreciated, and obviously feel free to censor IPs, process IDs, ports or whatever else you feel like... it'd help me go forward with this a bit better.
    Alright, I've got the output... does anyone have an approximate time-frame for how long the stunnel process stays listening on the server IP on 2087 before the local connection starts from stunnel to 127.0.0.1? Thanks!
     
    #9 xidica, Apr 1, 2006
    Last edited: Apr 1, 2006