Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!

Brute force username question

Discussion in 'Security' started by jonh, Mar 8, 2016.

  1. jonh

    jonh Well-Known Member

    Joined:
    Feb 15, 2016
    Messages:
    86
    Likes Received:
    5
    Trophy Points:
    8
    Location:
    NY
    cPanel Access Level:
    Root Administrator
    Hello, I have a new server created in the last few days and it has cphulk on and working. I received an email from cphulk, basically it was cphulk blocking a brute force attempt against FTP using one of the account usernames. The username is not standard, it's a not something they could guess.

    I'm wondering how they would even know this username exists?

    (Channel already responded to my ticket saying audit the logs, but wondering if community has any other info.)
     
    #1 jonh, Mar 8, 2016
  2. cPanelMichael

    cPanelMichael Technical Support Community Manager Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    47,009
    Likes Received:
    2,123
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Twitter:
    Hello :)

    It's difficult to say exactly how the guess on the username occurred. Is it possible the username was utilized by a user with a hacked workstation? Or, do you notice any other entries in /var/log/messages where the attempt to guess the FTP username materialized?

    Thank you.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #2 cPanelMichael, Mar 8, 2016
  3. jonh

    jonh Well-Known Member

    Joined:
    Feb 15, 2016
    Messages:
    86
    Likes Received:
    5
    Trophy Points:
    8
    Location:
    NY
    cPanel Access Level:
    Root Administrator
    "Is it possible the username was utilized by a user with a hacked workstation?"
    Since the server was built I've used FTP 2 times, on two different accounts. The cphulk FTP notifications have been coming steady since the server was turned on. Most of the notifications are for easily guessed names. Nothing has materialized. Anyway to turn off FTP and use Ssh/SFTP?
     
    #3 jonh, Mar 8, 2016
  4. cPanelMichael

    cPanelMichael Technical Support Community Manager Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    47,009
    Likes Received:
    2,123
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Twitter:
    You can disable FTP via:

    "WHM >> FTP Server Selection"

    However, note there is no replacement in the cPanel interface to create virtual SFTP accounts.

    Thank you
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #4 cPanelMichael, Mar 8, 2016
  5. jonh

    jonh Well-Known Member

    Joined:
    Feb 15, 2016
    Messages:
    86
    Likes Received:
    5
    Trophy Points:
    8
    Location:
    NY
    cPanel Access Level:
    Root Administrator
    I'm getting like 100 Brute Force attempt against pure-ftp each day. Do I worry about this, just turn off the notifications or shut down pure-ftp when not in use?
     
    #5 jonh, Mar 10, 2016
  6. cPanelMichael

    cPanelMichael Technical Support Community Manager Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    47,009
    Likes Received:
    2,123
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Twitter:
    Have you installed a firewall management application such as CSF to help block these types of brute force attacks?

    Thank you.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #6 cPanelMichael, Mar 10, 2016
  7. jonh

    jonh Well-Known Member

    Joined:
    Feb 15, 2016
    Messages:
    86
    Likes Received:
    5
    Trophy Points:
    8
    Location:
    NY
    cPanel Access Level:
    Root Administrator
    YES, it's sending me the notifications.
     
    #7 jonh, Mar 10, 2016
  8. cPanelMichael

    cPanelMichael Technical Support Community Manager Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    47,009
    Likes Received:
    2,123
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Twitter:
    If the attack is coming from different IP addresses each time, then you may want to disable FTP and require users to utilize SFTP with the cPanel account username. Or, you could switch to ProFTPD and utilize the host access control option to restrict FTP access to specific IP addresses:

    Host Access Control - Documentation - cPanel Documentation

    Thank you.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #8 cPanelMichael, Mar 10, 2016
  9. jonh

    jonh Well-Known Member

    Joined:
    Feb 15, 2016
    Messages:
    86
    Likes Received:
    5
    Trophy Points:
    8
    Location:
    NY
    cPanel Access Level:
    Root Administrator
    Thank you for both solutions! Do you have any additional info on how to do this part: "disable FTP and require users to utilize SFTP"?
     
    #9 jonh, Mar 10, 2016
  10. cPanelMichael

    cPanelMichael Technical Support Community Manager Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    47,009
    Likes Received:
    2,123
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Twitter:
    The suggestion was based on your earlier question:

    You can disable FTP via:

    "WHM Home » Service Configuration » FTP Server Selection"

    However, note that users will not be able to create virtual FTP accounts via cPanel. Instead, they will need to use a FTP client that supports SFTP and access it via their cPanel username:

    How to Configure Your SFTP Client - cPanel Knowledge Base - cPanel Documentation

    Thank you.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #10 cPanelMichael, Mar 10, 2016
  11. keat63

    keat63 Well-Known Member

    Joined:
    Nov 20, 2014
    Messages:
    1,209
    Likes Received:
    77
    Trophy Points:
    28
    cPanel Access Level:
    Root Administrator
    jonh.

    first thing i would do would be to install CSF, it's a free firewall, and provided you choose the correct options will work straight out of the box.

    Additional things like utilising Host Access Control.
    You add a list of IP's that you trust to use SSH, FTP and a few other services, and an entry right at the end that says deny all services to all users.
    If you're allocated dynamic IP's then you might have to allow a few subnets, eg 123.456.0.0/16 and 123.678.0.0/16, but this would essentially kill any attempt to ftp in, unless you're in the whitelist.
    You would need to ensure that you have a few ways to get in yourself though. Work, Home, Parents etc, and also maybe your Host Provider.
     
    #11 keat63, Mar 13, 2016
(You must log in or sign up to post here.)
Loading...
Similar Threads - Brute force username
  1. aeroweb

    Stop brute force email logins?

    aeroweb, Apr 20, 2019, in forum: E-mail Discussion
    Replies:
    6
    Views:
    447
    cPanelLauren
    Apr 24, 2019
  2. ard.alberto

    Limit number of brute force emails?

    ard.alberto, Apr 10, 2019, in forum: Security
    Replies:
    8
    Views:
    417
    cPanelLauren
    Apr 12, 2019
  3. Frankenstone

    Over 20.000 Bruteforce Login attempts in one night?

    Frankenstone, Jan 12, 2019, in forum: Security
    Replies:
    6
    Views:
    356
    cPanelMichael
    Jan 14, 2019
  4. joaosavioli

    Brute force wp-login.php modsecurity

    joaosavioli, Sep 4, 2018, in forum: General Discussion
    Replies:
    4
    Views:
    899
    cPanelLauren
    Sep 5, 2018
  5. aboyz

    How to prevent host from bruteforce?

    aboyz, Jul 13, 2018, in forum: E-mail Discussion
    Replies:
    3
    Views:
    413
    cPanelLauren
    Jul 16, 2018

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...
    Dismiss Notice