brute forcing all accounts

D

daveyb17

Member
Apr 29, 2013
9
0
1
cPanel Access Level
Root Administrator
Hi all,

I am pretty new to this so i might be worrying about nothing.

I can see in my login_log file that certain IP's are trying to brute force in to accounts. While i am new to this i know this is very common and "part and parcel" of running a web server.

The issue i have is coming from several IP's that are systematically trying to brute force every username from cpanel.
they are attempting to brute force them 3 times each then move on to the next. So ok someones trying to find a weak password, nothing out of the ordinary, but my concern is they are going through each username on the server and i mean EACH and EVERY username, they are not missing a single one out.

most of the other brute force attacks are directed at either a single user account or the root account, Is this something to be concerned about?

any info would be of great help.

Thanks.

Dave
 
cPanelMichael

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,880
2,267
463
Hello :)

You should ensure a firewall such as CSF is installed to help prevent the brute force attempts. In addition, you can enable cPhulk brute force protection as an additional security measure. It's difficult to say how exactly the usernames on your system were discovered. The "Security Advisor" is a good place to start in order to determine methods to increase the overall security of the server:

"WHM Home » Security Center » Security Advisor"

However, you may also want to consult with a qualified security specialist to have you server's security audited.

Thank you.
 
D

daveyb17

Member
Apr 29, 2013
9
0
1
cPanel Access Level
Root Administrator
Hi Michael,

Cheers for the feed back it's very much appreciated.

I have CSF and cPHulk installed/enabled already i am having a bit of a problem with Jail Apache i have it enabled but the security adviser thinks it's disabled (i'll look further into this myself).

However, you may also want to consult with a qualified security specialist to have you server's security audited.
Click to expand...
by this i take it the usernames should not be being hit like they are and this is out of the ordinary.

cheers
Dave
 
Q

quietFinn

Well-Known Member
Feb 4, 2006
2,020
541
493
Finland
cPanel Access Level
Root Administrator
It sounds like (at least) one of the accounts in your server is already compromised, and the attacker was able to get list of all accounts in the server.
 
Q

quizknows

Well-Known Member
Oct 20, 2009
1,008
87
78
cPanel Access Level
DataCenter Provider
quietFinn said:
It sounds like (at least) one of the accounts in your server is already compromised, and the attacker was able to get list of all accounts in the server.
Click to expand...
I concur with this. Start with a clamAV and/or Maldet scan of all the public_html directories on your server and go from there.
 
You must log in or register to reply here.
Thread starter Similar threads Forum Replies Date
T Brute force detection Security 3
F High CPU from queueprocd - process - block_brute_force & /usr/sbin/nft --json list ruleset Security 3
Duplika In Progress CPANEL-40545 - No brute force protection detected while Imunify360 active Security 17
M Very high CPU loads from brute force attempts - CSF/LFD Security 14
E SOLVED Too many messages Brute Force - Excessive number of failed login attempts Security 11
Similar threads
Brute force detection
High CPU from queueprocd - process - block_brute_force & /usr/sbin/nft --json list ruleset
In Progress CPANEL-40545 - No brute force protection detected while Imunify360 active
Very high CPU loads from brute force attempts - CSF/LFD
SOLVED Too many messages Brute Force - Excessive number of failed login attempts
Top Bottom