
cPHulk failed mail login

Discussion in 'Security' started by jnicol, Nov 8, 2013.

  1. jnicol

    jnicol Member

    Joined:
    Nov 7, 2013
    Messages:
    7
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    I've recently set up my first VPS, which is running cPHulk, and cPHulk has reported several failed login attempts:

    Code:
    5 failed login attempts to account users@192 (mail) -- Large number of attempts from this IP: xxx.xxx.xxx.xxx
    
    I imagine this is just a run of the mill thing, but as I'm new to server administration I don't want to ignore any potential security holes!

    Based on cPHulk's report, does this sound like a benign or a malicious intrusion? Is it anything I need to be concerned about?

    Do I need to take any further action, other than blacklisting the intruder's IP in cPHulk?

    Lastly, is there any significance to the username users@192?

    Thanks for any advice.
     
  2. ravi9

    ravi9 Well-Known Member

    Joined:
    Oct 31, 2013
    Messages:
    65
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    India
    cPanel Access Level:
    Website Owner
    It's common when you have many websites or a few famous websites on your server.
    Install CSF firewall (if you don't have it on your server).

    Using CSF firewall, you can block an IP range.
    For example, to block 111.111.xxx.xxx you can block IP 111.111.0.0/16
     
  3. jnicol

    It's reassuring to hear that these sorts of attempts are normal and not something to be concerned about.

    Thanks for the CSF suggestion. I do have CSF installed and I checked - it blacklisted the IP already :)
     
  4. ravi9

    CSF by default will not block an IP range. It will only block one IP at a time.

    If you are getting repeated alert mails from a particular IP range, it is better to block the complete IP range manually in CSF firewall.
    For example, to block 111.111.xxx.xxx you can block IP 111.111.0.0/16

    I also follow this rule on my server :)
     
  5. jnicol

    I'll make sure to block the range manually in CSF. Thanks for the tip!
     
  6. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,811
    Likes Received:
    671
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    I would be cautious of blocking an entire range based on a single cPhulkd notification. It's possible that it could be a legitimate user that forgot their password, and blocking an entire range could lead to them being blocked from the entire server.

    Thank you.
     
  7. jnicol

    Well, in this case I'm the only user, so it's definitely not legitimate! But I hear what you're saying, and perhaps a good policy would be to block the single IP, and only block the range if there is another attempt from the same range.
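
The policy from the last post (block the single IP, and widen to the range only after another attempt from the same range), combined with the staff caution about legitimate users, as an added example that is not part of the thread and not cPanel or CSF code. The sample notification lines and addresses are constructed; the `block_plan` name, the /16 grouping, the "two distinct addresses" threshold and the allowlist parameter are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Notification format as quoted in the first post; the addresses are constructed
# (documentation ranges), not taken from the thread.
LINE_RE = re.compile(r"failed login attempts to account \S+ \(\w+\) -- "
                     r"Large number of attempts from this IP: (\S+)")
SAMPLE = """\
5 failed login attempts to account users@192 (mail) -- Large number of attempts from this IP: 203.0.113.7
5 failed login attempts to account admin@192 (mail) -- Large number of attempts from this IP: 203.0.200.41
5 failed login attempts to account users@192 (mail) -- Large number of attempts from this IP: 198.51.100.23
5 failed login attempts to account users@192 (mail) -- Large number of attempts from this IP: 203.0.113.7
"""

def block_plan(text, prefix=16, min_distinct_ips=2, allowlist=()):
    """Return block targets: a single IP by default, the whole range only when
    min_distinct_ips different addresses in the same /prefix were reported."""
    trusted = [ipaddress.ip_network(n) for n in allowlist]
    by_range = defaultdict(set)
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.IPv4Address(m.group(1))
        except ValueError:
            continue  # masked (xxx.xxx.xxx.xxx) or malformed address
        if any(ip in net for net in trusted):
            continue  # never plan a block for known-good users
        by_range[ipaddress.ip_network(f"{ip}/{prefix}", strict=False)].add(ip)
    plan = []
    for net in sorted(by_range):
        ips = by_range[net]
        if len(ips) >= min_distinct_ips:
            plan.append(str(net))   # several sources in one range: block the range
        else:
            plan.extend(str(ip) for ip in sorted(ips))  # lone source: block only it
    return plan

if __name__ == "__main__":
    for target in block_plan(SAMPLE):
        # Printed for review, not executed; csf -d adds a deny entry.
        print(f"csf -d {target} repeated cPHulk mail login failures")
```

Repeated notifications for one address count once, so a single persistent source never escalates to a range block on its own.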
     