cPHulk failed mail login

jnicol

Member
Nov 7, 2013
cPanel Access Level
Root Administrator
I've recently set up my first VPS, which is running cPHulk, and cPHulk has reported several failed login attempts:

Code:
5 failed login attempts to account [email protected] (mail) -- Large number of attempts from this IP: xxx.xxx.xxx.xxx
I imagine this is just a run of the mill thing, but as I'm new to server administration I don't want to ignore any potential security holes!

Based on cPHulk's report, does this sound like a benign or a malicious intrusion? Is it anything I need to be concerned about?

Do I need to take any further action, other than blacklisting the intruder's IP in cPHulk?

Lastly, is there any significance to the username [email protected]?

Thanks for any advice.
 

ravi9

Well-Known Member
Oct 31, 2013
India
cPanel Access Level
Website Owner
It's common when you have many websites or a few famous websites on your server.
Install the CSF firewall (if you don't have it on your server).

Using the CSF firewall, you can block an IP range.
For example, to block 111.111.xxx.xxx you can block the range 111.111.0.0/16.
 

jnicol

Member
Nov 7, 2013
cPanel Access Level
Root Administrator
ravi9 said:
Install the CSF firewall (if you don't have it on your server).

Using the CSF firewall, you can block an IP range.
For example, to block 111.111.xxx.xxx you can block the range 111.111.0.0/16.

It's reassuring to hear that these sorts of attempts are normal and not something to be concerned about.

Thanks for the CSF suggestion. I do have CSF installed and I checked - it blacklisted the IP already :)
 

ravi9

Well-Known Member
Oct 31, 2013
India
cPanel Access Level
Website Owner
jnicol said:
Thanks for the CSF suggestion. I do have CSF installed and I checked - it blacklisted the IP already :)

CSF by default will not block an IP range; it only blocks one IP at a time.

If you are getting repeated alert mails from a particular IP range, it is better to block the complete IP range manually in the CSF firewall.
For example, to block 111.111.xxx.xxx you can block the range 111.111.0.0/16.

I also follow this rule on my server :)
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Hello :)

I would be cautious of blocking an entire range based on a single cPhulkd notification. It's possible that it could be a legitimate user that forgot their password, and blocking an entire range could lead to them being blocked from the entire server.

Thank you.
 

jnicol

Member
Nov 7, 2013
7
0
1
cPanel Access Level
Root Administrator
Well in this case I'm the only user, so it's definitely not legitimate! But I hear what you're saying, and perhaps a good policy would be to block the single IP, and only block the range if there is another attempt from the same range.
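The policy the thread settles on (deny the single offending IP first, and consider a wider range only when more than one address in that range shows up in cPHulk alerts) can be turned into a small review script. The following is an added example written for this thread, not code from cPanel, CSF or any poster: it parses constructed cPHulk notification lines (the IPs are documentation addresses, not real attackers), groups the distinct source IPs by /16, reports ranges that cross a threshold, and prints the matching `csf -d` commands for the administrator to review rather than running them. The `/16` grouping and the threshold of two distinct IPs are assumptions mirroring ravi9's example, and `csf.deny` does accept CIDR entries like `111.111.0.0/16` once you decide a range block is warranted.

```shell
#!/bin/sh
# Constructed sample of cPHulk notification subject lines (not real alert data).
SAMPLE_ALERTS='5 failed login attempts to account user@example.com (mail) -- Large number of attempts from this IP: 203.0.113.45
5 failed login attempts to account user@example.com (mail) -- Large number of attempts from this IP: 203.0.113.77
5 failed login attempts to account admin@example.com (mail) -- Large number of attempts from this IP: 203.0.113.45
5 failed login attempts to account user@example.com (mail) -- Large number of attempts from this IP: 198.51.100.9'

# to16: map a dotted-quad address to its /16 network (assumed grouping width).
to16() {
  printf '%s\n' "$1" | awk -F. '{ printf "%s.%s.0.0/16\n", $1, $2 }'
}

# alert_ips: read alert lines on stdin, print the source IP of each.
alert_ips() {
  sed -n 's/.*from this IP: \([0-9.]*\).*/\1/p'
}

# distinct_ips: the set of offending IPs, one per line.
distinct_ips() {
  alert_ips | sort -u
}

# range_report: read alert lines on stdin, print "<distinct IP count> <range>" per /16.
# Counting distinct IPs (not alert mails) keeps one noisy host from looking like a range.
range_report() {
  distinct_ips | while read -r ip; do to16 "$ip"; done | sort | uniq -c | awk '{ print $1, $2 }'
}

# ranges_over THRESHOLD: ranges with at least THRESHOLD distinct offending IPs.
ranges_over() {
  range_report | awk -v t="$1" '$1 >= t { print $2 }'
}

# deny_commands: print (do not run) the per-IP CSF deny commands for review.
# "csf -d <ip> <comment>" is CSF's real syntax for a permanent deny.
deny_commands() {
  distinct_ips | while read -r ip; do
    printf 'csf -d %s "cPHulk: repeated failed mail logins"\n' "$ip"
  done
}

# Demo run over the constructed sample.
echo "Distinct offending IPs per /16:"
printf '%s\n' "$SAMPLE_ALERTS" | range_report
echo "Ranges with 2+ distinct IPs (candidates for a manual CIDR entry in csf.deny):"
printf '%s\n' "$SAMPLE_ALERTS" | ranges_over 2
echo "Suggested single-IP denies (review before running):"
printf '%s\n' "$SAMPLE_ALERTS" | deny_commands
```

Because only 203.0.0.0/16 contributes two different addresses in the sample, it is the only range reported as a candidate; 198.51.0.0/16 stays at the single-IP deny, which is the cautious default cPanelMichael recommends.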