Using WHM 11.30.6 (build 6) on CENTOS 5.8 i686
Am using cPHulk and csf to help secure this system.
See image for my cPHulk settings.
When I get attacked, the attacking IP address correctly gets added to the IP deny file after the 5th invalid login attempt, and I receive a warning e-mail notifying me of the attempted break-in.
The body of the warning e-mail looks like this:
Time: Mon Mar 26 21:42:29 2012 -0400
IP: 119.161.162.185 (CN/China/-)
Failures: 5 (sshd)
Interval: 300 seconds
Blocked: Permanent Block
Log entries:
Mar 26 21:42:12 vps sshd[30212]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=119.161.162.185 user=root
Mar 26 21:42:13 vps sshd[30226]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=119.161.162.185 user=root
Mar 26 21:42:14 vps sshd[30212]: Failed password for root from 119.161.162.185 port 38809 ssh2
Mar 26 21:42:15 vps sshd[30226]: Failed password for root from 119.161.162.185 port 51947 ssh2
Mar 26 21:42:17 vps sshd[30337]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=119.161.162.185 user=root
But all too often I will continue to receive warning e-mails for the same IP address.
Yesterday I got 189 warning e-mails in a row - over a 34 minute span - for the same IP address continuing to attack me. Each warning e-mail references 5 different attacks, so in aggregate I was warned about nearly 1000 separate attempts to log in as root. See the attached jpg as an example.
Is there any way to ensure that once the offending IP address is added to the IP deny file, I receive only one warning e-mail, and not multiple warning messages?
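One way to spot the situation described in the post, as an added example rather than anything from the forum or from csf itself: parse a batch of lfd alert bodies in the layout quoted above, collapse them per IP, and flag any IP that is already listed in csf.deny yet keeps generating alerts. Repeated alerts for a denied IP mean the block is not being enforced at the firewall, which is the thing to investigate; the alert bodies and the csf.deny line below are constructed samples, and the "IP # comment" deny-file layout is an assumption about csf's format.

```python
import re
from collections import defaultdict

# Constructed sample alert bodies in the layout quoted in the post (not real mail).
ALERTS = [
    "Time: Mon Mar 26 21:42:29 2012 -0400\nIP: 119.161.162.185 (CN/China/-)\n"
    "Failures: 5 (sshd)\nInterval: 300 seconds\nBlocked: Permanent Block\n"
    "Log entries:\nMar 26 21:42:14 vps sshd[30212]: Failed password for root "
    "from 119.161.162.185 port 38809 ssh2\n",
    "Time: Mon Mar 26 21:43:31 2012 -0400\nIP: 119.161.162.185 (CN/China/-)\n"
    "Failures: 5 (sshd)\nInterval: 300 seconds\nBlocked: Permanent Block\n",
    "Time: Mon Mar 26 21:50:02 2012 -0400\nIP: 198.51.100.7 (-/-/-)\n"
    "Failures: 5 (sshd)\nInterval: 300 seconds\nBlocked: Permanent Block\n",
]
# Constructed csf.deny content; "IP # comment" per line is assumed to be csf's layout.
CSF_DENY = "119.161.162.185 # lfd: (sshd) Failed SSH login from 119.161.162.185\n"

HEADER = re.compile(r"^(Time|IP|Failures|Interval|Blocked): (.*)$", re.M)

def parse_alert(body):
    """Pull the header fields out of one alert body; log entries are ignored."""
    fields = dict(HEADER.findall(body))
    return {
        "time": fields["Time"],
        "ip": fields["IP"].split()[0],            # drop the "(CC/Country/-)" suffix
        "failures": int(fields["Failures"].split()[0]),
        "blocked": fields["Blocked"],
    }

def load_deny(deny_text):
    """Set of IPs listed in csf.deny, skipping blank and comment-only lines."""
    return {line.split()[0] for line in deny_text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")}

def summarise(alerts, deny_text):
    """Collapse many alerts into one record per IP: alert count, total failures,
    time of the first alert, and whether the IP is already in csf.deny."""
    denied = load_deny(deny_text)
    per_ip = defaultdict(lambda: {"alerts": 0, "failures": 0, "first": None})
    for a in map(parse_alert, alerts):
        s = per_ip[a["ip"]]
        s["alerts"] += 1
        s["failures"] += a["failures"]
        s["first"] = s["first"] or a["time"]
        s["in_deny"] = a["ip"] in denied
    return dict(per_ip)

def repeat_offenders(summary):
    """IPs already in csf.deny that still produced more than one alert: the deny
    entry is not stopping the traffic, so check the firewall rules, not the mail."""
    return sorted(ip for ip, s in summary.items() if s["in_deny"] and s["alerts"] > 1)
```

Running `repeat_offenders(summarise(ALERTS, CSF_DENY))` on the samples returns the one IP that is denied yet still alerting, which is exactly the pattern the 189 e-mails in the post represent.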