brute forcing all accounts

Discussion in 'Security' started by daveyb17, Jan 2, 2014.

  1. daveyb17

    daveyb17 Member

    Hi all,

    I am pretty new to this so I might be worrying about nothing.

    I can see in my login_log file that certain IPs are trying to brute force into accounts. While I am new to this, I know this is very common and "part and parcel" of running a web server.

    The issue I have is coming from several IPs that are systematically trying to brute force every username from cPanel.
    They are attempting to brute force them 3 times each, then move on to the next. So OK, someone's trying to find a weak password, nothing out of the ordinary, but my concern is they are going through each username on the server, and I mean EACH and EVERY username; they are not missing a single one out.

    Most of the other brute force attacks are directed at either a single user account or the root account. Is this something to be concerned about?

    Any info would be of great help.

    Thanks.

    Dave
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello :)

    You should ensure a firewall such as CSF is installed to help prevent the brute force attempts. In addition, you can enable cPhulk brute force protection as an additional security measure. It's difficult to say how exactly the usernames on your system were discovered. The "Security Advisor" is a good place to start in order to determine methods to increase the overall security of the server:

    "WHM Home » Security Center » Security Advisor"

    However, you may also want to consult with a qualified security specialist to have your server's security audited.

    Thank you.
     
  3. daveyb17

    daveyb17 Member

    Hi Michael,

    Cheers for the feedback, it's very much appreciated.

    I have CSF and cPHulk installed/enabled already. I am having a bit of a problem with Jail Apache: I have it enabled but the Security Advisor thinks it's disabled (I'll look further into this myself).

    By this I take it the usernames should not be being hit like they are and this is out of the ordinary.

    Cheers
    Dave
     
  4. quietFinn

    quietFinn Well-Known Member

    It sounds like (at least) one of the accounts in your server is already compromised, and the attacker was able to get a list of all accounts in the server.
     
  5. quizknows

    quizknows Well-Known Member

    I concur with this. Start with a ClamAV and/or Maldet scan of all the public_html directories on your server and go from there.
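
The pattern described in the first post (a few attempts against every account, then on to the next) can be separated from ordinary guessing by measuring how much of the real account list each source IP covers. This is an added example, not part of the thread and not cPanel tooling; the log line layout, the sample lines, the account names and the function names `sweep_report` and `sample_log` are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed, simplified layout of a failed-login line (not taken from the thread):
#   [timestamp] info [service] IP - username "request" FAILED LOGIN service: reason
FAILED = re.compile(r"\[\w+\] (?P<ip>[\d.]+) - (?P<user>\S+) .*FAILED LOGIN")

def sweep_report(lines, accounts, min_coverage=0.9):
    """Flag source IPs whose failed logins cover nearly every real account."""
    accounts = set(accounts)
    tried = defaultdict(lambda: defaultdict(int))  # ip -> username -> failures
    for line in lines:
        m = FAILED.search(line)
        if m:
            tried[m["ip"]][m["user"]] += 1
    report = {}
    for ip, users in tried.items():
        coverage = len(accounts & set(users)) / len(accounts) if accounts else 0.0
        if coverage >= min_coverage:
            report[ip] = {
                "coverage": coverage,
                "max_tries_per_user": max(users.values()),
                # No misses means the source never guessed a name that does not
                # exist, which points to a leaked account list, not a wordlist.
                "unknown_names": sorted(set(users) - accounts),
            }
    return report

def sample_log(accounts):
    """Constructed sample lines: one full sweep, one root-only attack, one guesser."""
    def line(svc, ip, user):
        return (f'[2014-01-02 10:00:00 +0000] info [{svc}] {ip} - {user} '
                f'"POST /login/" FAILED LOGIN {svc}: login failed')
    lines = [line("cpaneld", "198.51.100.7", u) for u in accounts for _ in range(3)]
    lines += [line("whostmgrd", "203.0.113.9", "root")] * 20
    lines += [line("cpaneld", "192.0.2.44", u) for u in ("admin", "test", accounts[0])]
    return lines

if __name__ == "__main__":
    accounts = ["alice", "bob", "carol"]  # constructed account names
    for ip, stats in sweep_report(sample_log(accounts), accounts).items():
        print(ip, stats)
```

A source with full coverage and an empty `unknown_names` list matches the concern raised in the replies: the names were read from somewhere rather than guessed.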
     