Brute Force

Discussion in 'Security' started by jeck, Nov 11, 2009.

  1. jeck

    jeck Member

    One particular email account on my server has been brute force attacked for several days now ... It just doesn't stop ...

    cPHulk is showing all the failed logins, some IPs are being blocked;
    Have manually blocked some IPs via iptables;
    Have installed csf and lfd that is also blocking some IPs.

    The problem is that in a period of 5 minutes there are hundreds of different IPs trying to log in to this mail account, the majority aren't even blocked because they only make 1 or 2 attempts and then change ...

    Any suggestions? How can I stop it?
    Thank you!
     
  2. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    I know this is not what you want to hear, but killing the account might be one way to go.
     
  3. jeck

    jeck Member

    Definitely not what I wanted to hear :)

    Do you think it's possible to block all IPs trying to log in to this mail account and only allow the user's IP (without affecting other users and accounts)?

    I'll try to temporarily kill the account during the night, to see if they change their mind and stop.

    Thank you Infopro!
     
  4. ramprage

    ramprage Well-Known Member

  5. cPanelDon

    cPanelDon cPanel Quality Assurance Analyst
    Staff Member

    Use of a firewall, such as what ramprage suggested, may help to further protect the server by blocking access attempts at an earlier stage before they can reach the daemons involved. If the IP changes frequently or is not in a blacklist (such as what some iptables wrapper scripts like CSF and APF offer), then other measures would need to be taken as described below.

    Making good use of available security features is an excellent way to reduce the likelihood of issues occurring. In addition to using cPHulk, I recommend ensuring that all users are able to set only complex passwords, such as an alphanumeric password, with special characters, and varying the use of uppercase and lowercase letters; an easy way to ensure users must set more complex passwords is to set a default minimum password strength via the Security Center in WHM, as seen below:
    WHM: Main >> Security >> Security Center >> Password Strength Configuration
    Documentation: Define a Minimum Password Strength < AllDocumentation/WHMDocs < TWiki

    I would also consider using SSH keys for authentication when accessing SSH and disabling password authentication; this may be set up via WHM at the following menu path:
    WHM: Main >> Security >> Security Center >> SSH Password Auth Tweak
    Documentation: Tweak SSH Authentication < AllDocumentation/WHMDocs < TWiki

    If disabling password authentication, please be sure to have an SSH key created so that SSH access can still be used:

    For root:
    WHM: Main >> Security >> Manage SSH Keys
    Documentation: Manage SSH Keys < AllDocumentation/WHMDocs < TWiki

    For resellers and end-users:
    cPanel: Security >> SSH/Shell Access >> Manage SSH Keys
    Documentation: SSH/Shell Access < AllDocumentation/CpanelDocs < TWiki
     
    Infopro likes this.
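
An added example, not code from any poster in this thread or from cPanel: the attack described in the first post (many source IPs, one or two attempts each, all against one mailbox) stays under a per-IP failure threshold, but it shows up when failures are counted per target account across distinct IPs in a time window. The Dovecot-style log layout, the sample lines, the thresholds and all function names are assumptions made for this sketch.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: six source IPs, one failure each, against one mailbox in
# under a minute, plus two failures from one IP against another mailbox.
# The Dovecot-style line layout is an assumption; adjust FAIL_RE to your log.
_LINE = ("Nov 11 10:00:{s:02d} host dovecot: pop3-login: Aborted login "
         "(auth failed, 1 attempts): user=<{u}>, method=PLAIN, rip={ip}")
SAMPLE_LOG = [_LINE.format(s=i * 10, u="victim@example.com", ip=f"198.51.100.{i + 1}")
              for i in range(6)]
SAMPLE_LOG += [_LINE.format(s=s, u="other@example.com", ip="203.0.113.9") for s in (5, 15)]

FAIL_RE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) .*auth failed.*user=<([^>]*)>.*rip=([\d.]+)")

def parse_failures(lines, year=2009):
    """Return time-sorted (timestamp, account, source_ip) for failed logins."""
    events = []
    for line in lines:
        m = FAIL_RE.search(line)
        if m:  # syslog timestamps carry no year, so one is supplied
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events.append((ts, m.group(2), m.group(3)))
    return sorted(events)

def per_ip_offenders(events, threshold=5):
    """Classic per-IP rule: source IPs with at least `threshold` failures."""
    counts = defaultdict(int)
    for _, _, ip in events:
        counts[ip] += 1
    return {ip for ip, n in counts.items() if n >= threshold}

def distributed_targets(events, min_ips=5, window=timedelta(minutes=5)):
    """Accounts failed against by >= min_ips distinct IPs inside one window."""
    by_user = defaultdict(list)
    for ts, user, ip in events:  # events must be time-sorted
        by_user[user].append((ts, ip))
    flagged = {}
    for user, hits in by_user.items():
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1  # slide the window's left edge forward
            ips = {ip for _, ip in hits[start:end + 1]}
            if len(ips) >= min_ips:
                flagged[user] = max(flagged.get(user, 0), len(ips))
    return flagged

if __name__ == "__main__":
    ev = parse_failures(SAMPLE_LOG)
    print("per-IP rule:", per_ip_offenders(ev))
    print("per-account rule:", distributed_targets(ev))
```

On the constructed sample the per-IP rule flags nothing, while the per-account rule reports the targeted mailbox together with the number of distinct source IPs seen against it.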