The Community Forums


cPHulk / csf /lfd sending multiple warnings

Discussion in 'Security' started by imacurious, Mar 27, 2012.

  1. imacurious

    imacurious Member

    Joined:
    Mar 9, 2005
    Messages:
    9
    Likes Received:
    0
    Trophy Points:
    1
    Using WHM 11.30.6 (build 6) on CENTOS 5.8 i686

    I am using cPHulk and csf to help secure this system.
    See image for my cPHulk settings.

    When I get attacked, the attacking IP address correctly gets added to the IP deny file after the 5th invalid login attempt, and I receive a warning e-mail notifying me of the attempted break-in.

    The body of the warning e-mail looks like this:

    Time: Mon Mar 26 21:42:29 2012 -0400
    IP: 119.161.162.185 (CN/China/-)
    Failures: 5 (sshd)
    Interval: 300 seconds
    Blocked: Permanent Block

    Log entries:
    Mar 26 21:42:12 vps sshd[30212]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=119.161.162.185 user=root
    Mar 26 21:42:13 vps sshd[30226]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=119.161.162.185 user=root
    Mar 26 21:42:14 vps sshd[30212]: Failed password for root from 119.161.162.185 port 38809 ssh2
    Mar 26 21:42:15 vps sshd[30226]: Failed password for root from 119.161.162.185 port 51947 ssh2
    Mar 26 21:42:17 vps sshd[30337]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=119.161.162.185 user=root


    But all too often I will continue to receive warning e-mails for the same IP address.
    Yesterday I got 189 warning e-mails in a row, over a 34-minute span, for the same IP address continuing to attack me. Each warning e-mail references 5 different attacks, so in aggregate I was warned about nearly 1000 separate attempts to log in as root. See the attached jpg as an example.

    Is there any way to ensure that, once the offending IP address is added to the IP deny file, I receive only one warning e-mail and not multiple warning messages?
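One way to make sense of the flood described in the post, as an added example that is not from the original thread or from csf/lfd itself: a small Python script that parses the header lines of the quoted alert format and collapses a batch of alerts to one record per IP, counting how many arrived after that IP had already been reported as blocked. The sample alert bodies (TEST-NET addresses, log-entry section omitted) are constructed for the example.

```python
import re
from datetime import datetime

# Constructed sample alert bodies in the layout quoted in the post; the
# addresses are TEST-NET documentation ranges, not real attackers.
SAMPLE_ALERTS = [
    "Time: Mon Mar 26 21:42:29 2012 -0400\nIP: 203.0.113.7 (XX/Example/-)\n"
    "Failures: 5 (sshd)\nInterval: 300 seconds\nBlocked: Permanent Block\n",
    "Time: Mon Mar 26 21:43:01 2012 -0400\nIP: 203.0.113.7 (XX/Example/-)\n"
    "Failures: 5 (sshd)\nInterval: 300 seconds\nBlocked: Permanent Block\n",
    "Time: Mon Mar 26 21:44:10 2012 -0400\nIP: 203.0.113.9 (XX/Example/-)\n"
    "Failures: 5 (sshd)\nInterval: 300 seconds\nBlocked: Temporary Block\n",
    "Time: Mon Mar 26 21:45:37 2012 -0400\nIP: 203.0.113.7 (XX/Example/-)\n"
    "Failures: 5 (sshd)\nInterval: 300 seconds\nBlocked: Permanent Block\n",
]

HEADER_RE = re.compile(r"^(Time|IP|Failures|Interval|Blocked):\s*(.+?)\s*$", re.M)

def parse_alert(body):
    """Return the header fields of one lfd-style alert body as a dict."""
    fields = dict(HEADER_RE.findall(body))
    when = datetime.strptime(fields["Time"], "%a %b %d %H:%M:%S %Y %z")
    ip = fields["IP"].split()[0]  # drop the "(CC/Country/-)" suffix
    count, service = re.match(r"(\d+)\s*\((\w+)\)", fields["Failures"]).groups()
    return {"time": when, "ip": ip, "failures": int(count),
            "service": service, "blocked": fields["Blocked"]}

def summarize(bodies):
    """Collapse a batch of alerts to one record per IP, in first-seen order.

    'after_block' counts alerts that arrived after an earlier alert had
    already reported a block for the same IP."""
    per_ip = {}
    for a in sorted((parse_alert(b) for b in bodies), key=lambda a: a["time"]):
        rec = per_ip.setdefault(a["ip"], {"first": a["time"], "last": a["time"],
                                          "alerts": 0, "failures": 0,
                                          "after_block": 0, "blocked": None})
        if rec["blocked"] is not None:   # this IP was already reported blocked
            rec["after_block"] += 1
        rec["alerts"] += 1
        rec["failures"] += a["failures"]
        rec["last"] = a["time"]
        if rec["blocked"] is None:
            rec["blocked"] = a["blocked"]
    return per_ip

if __name__ == "__main__":
    for ip, rec in summarize(SAMPLE_ALERTS).items():
        span = (rec["last"] - rec["first"]).total_seconds() / 60
        print(f"{ip}: {rec['alerts']} alerts, {rec['failures']} failures over "
              f"{span:.0f} min, {rec['after_block']} after '{rec['blocked']}'")
```

A non-zero after-block count is the thing to investigate: packets from an address the firewall drops never reach sshd, so fresh authentication failures from an IP already reported as blocked mean the deny rule is not actually in effect.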

  2. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Joined:
    Oct 2, 2010
    Messages:
    7,623
    Likes Received:
    21
    Trophy Points:
    38
    Location:
    somewhere over the rainbow
    cPanel Access Level:
    Root Administrator
    Are these emails from lfd? I ask as the image provided appears to be a list of lfd alert messages.