brute forcing all accounts

daveyb17

Member
cPanel Access Level
Root Administrator
Hi all,

I am pretty new to this so I might be worrying about nothing.

I can see in my login_log file that certain IPs are trying to brute force into accounts. While I am new to this, I know this is very common and "part and parcel" of running a web server.

The issue I have is coming from several IPs that are systematically trying to brute force every username from cPanel.
They are attempting to brute force them 3 times each, then move on to the next. So OK, someone's trying to find a weak password, nothing out of the ordinary, but my concern is they are going through each username on the server, and I mean EACH and EVERY username; they are not missing a single one out.

Most of the other brute force attacks are directed at either a single user account or the root account. Is this something to be concerned about?

Any info would be of great help.

Thanks.

Dave
 

cPanelMichael

Administrator
Staff member
Hello :)

You should ensure a firewall such as CSF is installed to help prevent the brute force attempts. In addition, you can enable cPHulk brute force protection as an additional security measure. It's difficult to say how exactly the usernames on your system were discovered. The "Security Advisor" is a good place to start in order to determine methods to increase the overall security of the server:

"WHM Home » Security Center » Security Advisor"

However, you may also want to consult with a qualified security specialist to have your server's security audited.

Thank you.
 

daveyb17

Member
cPanel Access Level
Root Administrator
Hi Michael,

Cheers for the feedback, it's very much appreciated.

I have CSF and cPHulk installed/enabled already. I am having a bit of a problem with Jail Apache: I have it enabled but the Security Advisor thinks it's disabled (I'll look further into this myself).

"However, you may also want to consult with a qualified security specialist to have your server's security audited."
By this I take it the usernames should not be being hit like they are and this is out of the ordinary.

Cheers
Dave
 

quietFinn

Well-Known Member
cPanel Access Level
Root Administrator
It sounds like (at least) one of the accounts on your server is already compromised, and the attacker was able to get a list of all accounts on the server.
 

quizknows

Well-Known Member
cPanel Access Level
DataCenter Provider
"It sounds like (at least) one of the accounts on your server is already compromised, and the attacker was able to get a list of all accounts on the server."
I concur with this. Start with a ClamAV and/or Maldet scan of all the public_html directories on your server and go from there.
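
The pattern described in the first post (a few failed attempts per username, covering every account) can be told apart from ordinary single-account brute forcing by grouping failed logins per source IP. The sketch below is an added example, not part of the original thread and not cPanel code; the log line layout, the account names and the thresholds are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict

KNOWN_USERS = ["alice", "bob", "carol", "dave"]  # hypothetical account list

# Assumed, simplified login_log layout; adjust to the lines on your server.
LINE_RE = re.compile(
    r'^\[[^\]]+\] \w+ \[\w+\] (?P<ip>\S+) - (?P<user>\S+) .*FAILED LOGIN')

def _line(ip, user):
    """Build one constructed failed-login line in the assumed layout."""
    return ('[2013-05-01 10:00:00 +0000] info [cpaneld] %s - %s '
            '"POST /login/ HTTP/1.1" FAILED LOGIN cpaneld: invalid password'
            % (ip, user))

# Constructed sample: a full-list sweep, a root-only attack, a dictionary guess.
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.10", u) for u in KNOWN_USERS for _ in range(3)]
    + [_line("198.51.100.7", "root")] * 8
    + [_line("192.0.2.44", u) for u in ("admin", "test", "alice")])

def classify_sources(log_text, known_users, min_users=3, max_per_user=3):
    """Label each source IP 'sweep', 'targeted' or 'noise' (heuristic)."""
    per_ip = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            per_ip[m.group("ip")][m.group("user")] += 1
    known = set(known_users)
    report = {}
    for ip, users in per_ip.items():
        worst = max(users.values())
        if len(users) >= min_users and worst <= max_per_user:
            kind = "sweep"      # many names, few tries each
        elif worst > max_per_user:
            kind = "targeted"   # hammering one or a few names
        else:
            kind = "noise"
        real = set(users) & known
        report[ip] = {
            "kind": kind,
            "users_tried": len(users),
            # Share of real accounts hit; 1.0 with no misses suggests the
            # source already holds the account list rather than guessing.
            "coverage": len(real) / len(known) if known else 0.0,
            "not_in_list": len(set(users) - known),
        }
    return report

if __name__ == "__main__":
    for ip, info in sorted(classify_sources(SAMPLE_LOG, KNOWN_USERS).items()):
        print(ip, info)
```

A sweep with coverage 1.0 and no names outside the list matches the "not missing a single one" observation; a sweep that mostly tries names that do not exist is more likely plain dictionary guessing.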