cPHulk failed mail login

jnicol

Member
Nov 7, 2013
7
0
1
cPanel Access Level
Root Administrator
I've recently set up my first VPS, which is running cPHulk, and cPHulk has reported several failed login attempts:

Code:
5 failed login attempts to account [email protected] (mail) -- Large number of attempts from this IP: xxx.xxx.xxx.xxx
I imagine this is just a run of the mill thing, but as I'm new to server administration I don't want to ignore any potential security holes!

Based on cPHulk's report, does this sound like a benign or a malicious intrusion? Is it anything I need to be concerned about?

Do I need to take any further action, other than blacklisting the intruder's IP in cPHulk?

Lastly, is there any significance to the username [email protected]?

Thanks for any advice.
 

ravi9

Well-Known Member
Oct 31, 2013
65
1
6
India
cPanel Access Level
Website Owner
Its common when you have many websites or few famous websites on your server.
Install CSF firewall (if you don't have on your server).

Using CSF firewall, you can block IP range.
Like to block, 111.111.xxx.xxx you can block IP 111.111.0.0/16
 

jnicol

Member
Nov 7, 2013
7
0
1
cPanel Access Level
Root Administrator
Install CSF firewall (if you don't have on your server).

Using CSF firewall, you can block IP range.
Like to block, 111.111.xxx.xxx you can block IP 111.111.0.0/16
It's reassuring to hear that these sort of attempts are normal and not something to be concerned about.

Thanks for the CSF suggestion. I do have CSF installed and I checked - it blacklisted the IP already :)
 

ravi9

Well-Known Member
Oct 31, 2013
65
1
6
India
cPanel Access Level
Website Owner
Thanks for the CSF suggestion. I do have CSF installed and I checked - it blacklisted the IP already :)
CSF by default will not block IP range. It will only block one IP at one time.

If you are getting repeated alert mails from particular IP range, better block complete IP range manually in CSF firewall.
Like to block, 111.111.xxx.xxx you can block IP 111.111.0.0/16

I also follow this rule on my server :)
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,913
2,201
363
Hello :)

I would be cautious of blocking an entire range based on a single cPhulkd notification. It's possible that it could be a legitimate user that forgot their password, and blocking an entire range could lead to them being blocked from the entire server.

Thank you.
 

jnicol

Member
Nov 7, 2013
7
0
1
cPanel Access Level
Root Administrator
Well in this case I'm the only user, so it's definitely not legitimate! But I hear what you're saying, and perhaps a good policy would be to block the single IP, and only block the range if there is another attempt from the same range.