cPHulk reports many failed login attempts

cowboymike

Member
Oct 27, 2012
6
0
1
cPanel Access Level
Website Owner
Hi,
I am not a system admin. I have a managed VPS.

I have 2 personal websites on the vps. I do not resell so its just me and the tmzvps who need access.

I have cPHulk set up. I have no idea as to what the best practices settings are for this.

I have csf firewall csf v6.37 enabled and running. I do not know what the settings should be.

I am getting a large amount of emails from cPHulk w/ regard to failed login attempts.

Can some one help a novice out and suggest some settings or things I might do to reduce the number of failed login attempts. I had considered just disabling cPHulk from sending me the emails but that seemed like I might be just sticking my head in the sand.

Thank you for your time.
Mike
 

cowboymike

Member
Oct 27, 2012
6
0
1
cPanel Access Level
Website Owner
I should have noted in the post above that I do have ssh disabled and still get a ton of the failed login attempts notices.
Thanks, Mike
 

ravi9

Well-Known Member
Oct 31, 2013
65
1
6
India
cPanel Access Level
Website Owner
You can block those IP range in CSF firewall or in cPHulk.

Like to block 111.111.xxx.xxx add following:
Code:
111.111.0.0/16
Blocking in CSF firewall will completely block access from those IPs. Blocking in cPULK will only deny login in cPanel / Webmail
 

cowboymike

Member
Oct 27, 2012
6
0
1
cPanel Access Level
Website Owner
Thank you ravi9. But for as many failed login attempts I am getting it seems like it could be a full time job blocking IPs. The number of attempts is coming from a wide range of IPs with most from China, but I do get a lot from other countries and the US is probably next after china in terms of volume.

I was blocking individual IPs in cPHulk but then someone wrote that that was an effort in futility because I could be blocking good IPs due something like IP spoofing or dynamic Ips or something. I dont recall exactly.

I am not knowledgeable at this and I just want my couple of websites to be ok.

So do you still think I am just going to have to put in the time and block IP ranges?

Thank you.
Mike
 

cPanelMichael

Technical Support Community Manager
Staff member
Apr 11, 2011
47,911
2,233
363
cPanel Access Level
DataCenter Provider
Twitter
Hello :)

cPhulk will not block IP addresses from making authentication "attempts". Instead, it prevents successful authentication. A firewall such as CSF is required to block IP addresses and prevent these types of attacks. You may want to post on the CSF forums if you would like advice on specific configuration values to enable/change in the CSF software:

ConfigServer - Forums

Thank you.
 

ravi9

Well-Known Member
Oct 31, 2013
65
1
6
India
cPanel Access Level
Website Owner
Thank you ravi9. But for as many failed login attempts I am getting it seems like it could be a full time job blocking IPs. The number of attempts is coming from a wide range of IPs with most from China, but I do get a lot from other countries and the US is probably next after china in terms of volume.
Mike
This is a common problem when you have few good traffic website on your server.
Do not block many IPs, instead block few IP range.

Install CSF firewall (if you do't have)
Start bloking IP range.

Like if you receive mail saying
Large Number of Failed Login Attempts from IP 61.147.70.​209
Block 61.147.0.0/16 in CSF firewall.
You will soon get 60-70% less failed login attempts mails.