
Cpanel login attack - login_only=1

Discussion in 'Security' started by theallan, Dec 3, 2015.

  1. theallan

    theallan Active Member

    Joined:
    Nov 17, 2005
    Messages:
    32
    Likes Received:
    1
    Trophy Points:
    8
    I have a domain on my CPanel server which is fronted by CloudFlare and I recently noticed that sometimes the page cannot be loaded as CloudFlare cannot contact the host server. The CloudFlare IPs are whitelisted in the firewall, but it turns out that there were a large number of login attempts coming through CloudFlare, which were failing, then cphulk would eventually block the IP, resulting in the issue I was seeing.

    This is a line from /usr/local/cpanel/logs/login_log:

    [2015-11-13 17:07:14 +0000] info [cpsrvd] 162.158.153.107 - username "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN cpaneld: invalid cpanel user username (loadcpdata failed)

    I don't know what domain that login attempt is hitting - only the "GET" part of the URL (URI?). It must be a domain name rather than direct IP access since it is coming from CloudFlare (presumably being routed through it).

    Is there anything I can do to stop this?

    Thanks,
    Allan
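
An added example, not part of the original thread and not cPanel's own tooling: a parser for the login_log layout quoted in the post above that counts failed logins per source address and marks the ones arriving through a proxy range, where blocking the address would also cut off legitimate visitors. The function names, the proxy range list and every sample line after the first are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Assumption: one sample proxy range; load the provider's current published list in practice.
PROXY_NETS = [ipaddress.ip_network("162.158.0.0/15")]

# Field layout inferred from the single login_log line quoted in the post.
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] info \[(?P<daemon>\w+)\] (?P<ip>\S+) - (?P<user>\S+) '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" FAILED LOGIN (?P<service>\w+): (?P<reason>.*)$'
)

def parse_failed_login(line):
    """Return the fields of one FAILED LOGIN line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    try:
        addr = ipaddress.ip_address(rec["ip"])
    except ValueError:
        return None  # source field is not an IP address; skip the line
    rec["via_proxy"] = any(addr in net for net in PROXY_NETS)
    return rec

def summarize(lines, threshold=3):
    """List sources with at least `threshold` failures, busiest first."""
    failures, users, proxied = Counter(), {}, set()
    for rec in filter(None, map(parse_failed_login, lines)):
        failures[rec["ip"]] += 1
        users.setdefault(rec["ip"], set()).add(rec["user"])
        if rec["via_proxy"]:
            proxied.add(rec["ip"])
    return [{"ip": ip, "failures": n, "users": sorted(users[ip]),
             "via_proxy": ip in proxied}
            for ip, n in failures.most_common() if n >= threshold]

TAIL = '"POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN cpaneld: invalid cpanel user'
SAMPLE = [  # first line is the one from the post; the rest are constructed
    f'[2015-11-13 17:07:14 +0000] info [cpsrvd] 162.158.153.107 - username {TAIL} username (loadcpdata failed)',
    f'[2015-11-13 17:07:15 +0000] info [cpsrvd] 162.158.153.107 - admin {TAIL} admin (loadcpdata failed)',
    f'[2015-11-13 17:07:16 +0000] info [cpsrvd] 162.158.153.107 - test {TAIL} test (loadcpdata failed)',
    f'[2015-11-13 17:08:01 +0000] info [cpsrvd] 203.0.113.5 - username {TAIL} username (loadcpdata failed)',
    'not a login_log line',
]

if __name__ == "__main__":
    for row in summarize(SAMPLE, threshold=1):
        print(row)
```

Rows with `via_proxy` set are the ones where the address in the log is the proxy's rather than the client's, so they need handling at the proxy or by restricting access to the login ports instead of an address block on the server.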
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,854
    Likes Received:
    676
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
  3. theallan

    theallan Active Member

    Yes, sorry I wasn't clear. I know I can whitelist the IPs and have done so, so that the domain isn't blocked. However, my question is more about the fact that the site is obviously under some kind of probing attack. Whitelisting IPs from where an attack is coming doesn't seem like a particularly good idea - is there something I can do that offers a bit more refinement?
     
  4. theallan

    theallan Active Member

    Sorry to bump this - but does anyone have any ideas? I just don't like the idea of whitelisting something that is known to send an attack, but there don't appear to be many options.
     
  5. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,482
    Likes Received:
    203
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Twitter:
    Unclear on the issue here.
    The login failed according to that.
     
  6. theallan

    theallan Active Member

    The issue is that someone is attempting a brute force attack. cphulk is blocking that, but I can't allow it to block the attack since it would block all CloudFlare users coming from that CloudFlare IP.

    So in effect there is no brute force protection in this setup. The login did fail (and will continue to fail if they use the user name they are currently attempting it with), but at some point they might get lucky...

    If there is no option here, then so be it, but if there is something that can be done, I'd like to do so.
     
  7. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

  8. theallan

    theallan Active Member

    :) They said it was one for cPanel.

    Can I simply block the URL that they are attempting to log into? I don't think that is a service I use myself... (might be wrong!) As I say, I don't even know what domain or port it is being accessed on - the log doesn't give that information.
     
  9. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    The system is already blocking these requests to login. The domain doesn't matter here so much, the cPanel account is not the domain of the account, it's the server itself. Domain.com/cpanel is your.server.com. The port being used is the same on every cPanel login: 2083 for secure, 2082 for non-secure login.

    Why is CloudFlare attacking me?
     
  10. theallan

    theallan Active Member

    Super - thank you for the information :)
     