Brute force username question

jonh

Well-Known Member
Feb 15, 2016
86
5
8
NY
cPanel Access Level
Root Administrator
Hello, I have a new server created in the last few days and it has cPHulk on and working. I received an email from cPHulk; basically it was cPHulk blocking a brute force attempt against FTP using one of the account usernames. The username is not standard, it's not something they could guess.

I'm wondering how they would even know this username exists?

(Channel already responded to my ticket saying audit the logs, but wondering if community has any other info.)
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,910
2,213
363
"I'm wondering how they would even know this username exists?"
Hello :)

It's difficult to say exactly how the guess on the username occurred. Is it possible the username was utilized by a user with a hacked workstation? Or, do you notice any other entries in /var/log/messages where the attempt to guess the FTP username materialized?

Thank you.
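
One way to run the log audit suggested above, as an added example that is not part of the original thread: it groups failed pure-ftpd logins by source address and marks the sources that tried a username which really exists on the server. The log lines, addresses and the account name `xq7accnt` are constructed, and the pattern assumes pure-ftpd's usual syslog line format as it would appear in /var/log/messages.

```python
import re
from collections import defaultdict

# Constructed sample lines in pure-ftpd's syslog format; IPs are documentation ranges.
SAMPLE_LOG = """\
Feb 20 03:11:02 host pure-ftpd: (?@203.0.113.7) [WARNING] Authentication failed for user [admin]
Feb 20 03:11:05 host pure-ftpd: (?@203.0.113.7) [WARNING] Authentication failed for user [test]
Feb 20 03:11:09 host pure-ftpd: (?@203.0.113.7) [WARNING] Authentication failed for user [ftpuser]
Feb 20 04:40:17 host pure-ftpd: (?@198.51.100.23) [WARNING] Authentication failed for user [xq7accnt]
Feb 20 04:40:21 host pure-ftpd: (?@198.51.100.23) [WARNING] Authentication failed for user [xq7accnt]
Feb 20 05:02:44 host pure-ftpd: (xq7accnt@192.0.2.10) [INFO] xq7accnt is now logged in
Feb 20 05:03:01 host sshd[2211]: Failed password for root from 203.0.113.7 port 51122 ssh2
"""

# Failed logins are logged with "?" in place of the user before the "@".
FAILED = re.compile(
    r"pure-ftpd: \(\?@(?P<src>[^)]+)\) \[WARNING\] "
    r"Authentication failed for user \[(?P<user>[^\]]*)\]"
)

def audit_ftp_failures(log_text, real_accounts):
    """Group failed FTP logins by source and flag names that really exist."""
    real = set(real_accounts)
    by_src = defaultdict(lambda: {"attempts": 0, "users": set()})
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m is None:
            continue  # successful logins, other daemons, unrelated lines
        entry = by_src[m.group("src")]
        entry["attempts"] += 1
        entry["users"].add(m.group("user"))
    report = {}
    for src, entry in by_src.items():
        report[src] = {
            "attempts": entry["attempts"],
            "users": sorted(entry["users"]),
            # Names listed here exist on the server: trace these sources first.
            "valid_names": sorted(entry["users"] & real),
        }
    return report

if __name__ == "__main__":
    # real_accounts is supplied by the administrator (constructed here).
    for src, row in sorted(audit_ftp_failures(SAMPLE_LOG, ["xq7accnt"]).items()):
        print(src, row["attempts"], row["users"], "valid:", row["valid_names"])
```

A source that cycles through generic names is dictionary noise; a source that only ever tries a valid, non-obvious account name is the one worth tracing further.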
 

jonh

"Is it possible the username was utilized by a user with a hacked workstation?"
Since the server was built I've used FTP 2 times, on two different accounts. The cPHulk FTP notifications have been coming steadily since the server was turned on. Most of the notifications are for easily guessed names. Nothing has materialized. Any way to turn off FTP and use SSH/SFTP?
 

cPanelMichael

"Any way to turn off FTP and use SSH/SFTP?"
You can disable FTP via:

"WHM >> FTP Server Selection"

However, note there is no replacement in the cPanel interface to create virtual SFTP accounts.

Thank you
 

jonh

I'm getting like 100 brute force attempts against pure-ftp each day. Do I worry about this, just turn off the notifications or shut down pure-ftp when not in use?
 

cPanelMichael

"I'm getting like 100 brute force attempts against pure-ftp each day. Do I worry about this, just turn off the notifications or shut down pure-ftp when not in use?"
Have you installed a firewall management application such as CSF to help block these types of brute force attacks?

Thank you.
 

jonh

Thank you for both solutions! Do you have any additional info on how to do this part: "disable FTP and require users to utilize SFTP"?
 

cPanelMichael


keat63

Well-Known Member
Nov 20, 2014
1,894
248
93
cPanel Access Level
Root Administrator
jonh.

First thing I would do would be to install CSF. It's a free firewall, and provided you choose the correct options it will work straight out of the box.

Additional things like utilising Host Access Control.
You add a list of IPs that you trust to use SSH, FTP and a few other services, and an entry right at the end that says deny all services to all users.
If you're allocated dynamic IPs then you might have to allow a few subnets, e.g. 123.456.0.0/16 and 123.678.0.0/16, but this would essentially kill any attempt to FTP in, unless you're in the whitelist.
You would need to ensure that you have a few ways to get in yourself though: work, home, parents etc., and also maybe your host provider.