cPHulk reports many failed login attempts

cowboymike

Member
Oct 27, 2012
6
0
1
cPanel Access Level
Website Owner
Hi,
I am not a system admin. I have a managed VPS.

I have 2 personal websites on the VPS. I do not resell, so it's just me and the tmzvps who need access.

I have cPHulk set up. I have no idea as to what the best practices settings are for this.

I have csf firewall csf v6.37 enabled and running. I do not know what the settings should be.

I am getting a large amount of emails from cPHulk w/ regard to failed login attempts.

Can someone help a novice out and suggest some settings or things I might do to reduce the number of failed login attempts? I had considered just disabling cPHulk from sending me the emails, but that seemed like I might be just sticking my head in the sand.

Thank you for your time.
Mike
 

cowboymike

I should have noted in the post above that I do have ssh disabled and still get a ton of the failed login attempts notices.
Thanks, Mike
 

ravi9

Well-Known Member
Oct 31, 2013
65
1
6
India
cPanel Access Level
Website Owner
You can block those IP ranges in CSF firewall or in cPHulk.

For example, to block 111.111.xxx.xxx, add the following:
Code:
111.111.0.0/16
Blocking in CSF firewall will completely block access from those IPs. Blocking in cPHulk will only deny login in cPanel / Webmail.
 

cowboymike

Thank you ravi9. But for as many failed login attempts as I am getting, it seems like it could be a full-time job blocking IPs. The attempts are coming from a wide range of IPs, with most from China, but I do get a lot from other countries, and the US is probably next after China in terms of volume.

I was blocking individual IPs in cPHulk, but then someone wrote that that was an effort in futility because I could be blocking good IPs due to something like IP spoofing or dynamic IPs or something. I don't recall exactly.

I am not knowledgeable at this and I just want my couple of websites to be ok.

So do you still think I am just going to have to put in the time and block IP ranges?

Thank you.
Mike
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,880
2,261
463
Hello :)

cPHulk will not block IP addresses from making authentication "attempts". Instead, it prevents successful authentication. A firewall such as CSF is required to block IP addresses and prevent these types of attacks. You may want to post on the CSF forums if you would like advice on specific configuration values to enable/change in the CSF software:

ConfigServer - Forums

Thank you.
 

ravi9

cowboymike wrote:
> Thank you ravi9. But for as many failed login attempts as I am getting, it seems like it could be a full-time job blocking IPs. The attempts are coming from a wide range of IPs, with most from China, but I do get a lot from other countries, and the US is probably next after China in terms of volume.
> Mike

This is a common problem when you have a few good-traffic websites on your server.
Do not block many IPs; instead, block a few IP ranges.

Install CSF firewall (if you don't have it).
Start blocking IP ranges.

For example, if you receive a mail saying
Large Number of Failed Login Attempts from IP 61.147.70.209
Block 61.147.0.0/16 in CSF firewall.
You will soon get 60-70% fewer failed login attempt mails.
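
The range-blocking approach suggested in this thread, as an added example that is not part of any post above: a Python script that reads cPHulk notification subjects, groups the reported addresses by /16, and emits a range only when several distinct addresses fall in it and it does not cover an address you must keep reachable. The function name, the threshold of 3, the `# comment` suffix on each entry and all sample addresses (documentation ranges) are assumptions made for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Subject wording taken from the notification quoted in the thread.
SUBJECT_RE = re.compile(r"Failed Login Attempts from IP\s+(\d{1,3}(?:\.\d{1,3}){3})")

def deny_entries(lines, min_distinct=3, prefix=16, never_block=()):
    """Return deny-list entries: a /prefix range when at least min_distinct
    different addresses in it were reported, otherwise the single addresses."""
    protected = [ipaddress.ip_address(a) for a in never_block]
    seen = defaultdict(set)
    for line in lines:
        m = SUBJECT_RE.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:  # e.g. an octet above 255
            continue
        seen[ipaddress.ip_network(f"{ip}/{prefix}", strict=False)].add(ip)
    entries = []
    for net in sorted(seen):
        ips = seen[net]
        # A /16 covers 65,536 addresses: never emit one that contains your own.
        covers_protected = any(p in net for p in protected)
        if len(ips) >= min_distinct and not covers_protected:
            entries.append(f"{net} # {len(ips)} distinct IPs reported by cPHulk")
        else:
            entries.extend(f"{ip} # cPHulk failed logins"
                           for ip in sorted(ips) if ip not in protected)
    return entries

# Constructed sample subjects (documentation address ranges, not real attackers).
SAMPLE = [
    "Large Number of Failed Login Attempts from IP 198.51.100.7",
    "Large Number of Failed Login Attempts from IP 198.51.100.23",
    "Large Number of Failed Login Attempts from IP 198.51.7.200",
    "Large Number of Failed Login Attempts from IP 198.51.100.7",
    "Large Number of Failed Login Attempts from IP 203.0.113.5",
    "Large Number of Failed Login Attempts from IP 192.0.2.77",
    "Large Number of Failed Login Attempts from IP 192.0.9.1",
    "Large Number of Failed Login Attempts from IP 192.0.44.3",
    "Unrelated mail subject",
]

if __name__ == "__main__":
    # 192.0.2.10 stands in for the administrator's own address.
    for entry in deny_entries(SAMPLE, never_block=("192.0.2.10",)):
        print(entry)
```

Review the output before adding it to the firewall; the 192.0.x.x addresses stay as single entries because the /16 would also cover the protected address.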