The Community Forums


cPHulk reports many failed login attempts

Discussion in 'Security' started by cowboymike, Nov 6, 2013.

  1. cowboymike

    cowboymike Member

    Joined:
    Oct 27, 2012
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Website Owner
    Hi,
    I am not a system admin. I have a managed VPS.

    I have 2 personal websites on the VPS. I do not resell, so it's just me and the tmzvps who need access.

    I have cPHulk set up. I have no idea as to what the best practices settings are for this.

    I have csf firewall csf v6.37 enabled and running. I do not know what the settings should be.

    I am getting a large amount of emails from cPHulk w/ regard to failed login attempts.

    Can someone help a novice out and suggest some settings or things I might do to reduce the number of failed login attempts? I had considered just disabling cPHulk from sending me the emails, but that seemed like I might be just sticking my head in the sand.

    Thank you for your time.
    Mike
     
  2. cowboymike

    cowboymike Member

    I should have noted in the post above that I do have ssh disabled and still get a ton of the failed login attempts notices.
    Thanks, Mike
     
  3. ravi9

    ravi9 Well-Known Member

    Joined:
    Oct 31, 2013
    Messages:
    65
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    India
    cPanel Access Level:
    Website Owner
    You can block those IP ranges in CSF firewall or in cPHulk.

    For example, to block 111.111.xxx.xxx, add the following:
    Code:
    111.111.0.0/16
    
    Blocking in CSF firewall will completely block access from those IPs. Blocking in cPHulk will only deny login in cPanel / Webmail.
     
  4. cowboymike

    cowboymike Member

    Thank you ravi9. But for as many failed login attempts as I am getting, it seems like it could be a full-time job blocking IPs. The number of attempts is coming from a wide range of IPs with most from China, but I do get a lot from other countries and the US is probably next after China in terms of volume.

    I was blocking individual IPs in cPHulk but then someone wrote that that was an effort in futility because I could be blocking good IPs due to something like IP spoofing or dynamic IPs or something. I don't recall exactly.

    I am not knowledgeable at this and I just want my couple of websites to be ok.

    So do you still think I am just going to have to put in the time and block IP ranges?

    Thank you.
    Mike
     
  5. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    649
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    cPHulk will not block IP addresses from making authentication "attempts". Instead, it prevents successful authentication. A firewall such as CSF is required to block IP addresses and prevent these types of attacks. You may want to post on the CSF forums if you would like advice on specific configuration values to enable/change in the CSF software:

    ConfigServer - Forums

    Thank you.
     
  6. ravi9

    ravi9 Well-Known Member

    This is a common problem when you have a few good-traffic websites on your server.
    Do not block many IPs; instead, block a few IP ranges.

    Install CSF firewall (if you don't have it).
    Start blocking IP ranges.

    Like if you receive mail saying
    Block 61.147.0.0/16 in CSF firewall.
    You will soon get 60-70% fewer failed login attempt mails.
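
An added example, not posted by anyone in this thread: one way to decide which /16 ranges are worth denying in CSF without catching addresses you rely on, the concern raised earlier about blocking good IPs. The sample IPs, the allowlisted address, the thresholds and the "address # comment" output layout are all assumptions made for illustration; the input is simply the source IP from each failed-login notice.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed sample: source IP of each failed-login notice (reserved test ranges).
FAILED_LOGINS = (
    ["198.18.4.7"] * 5 + ["198.18.9.21"] * 3 + ["198.18.200.3"] * 4  # one /16, 3 hosts
    + ["203.0.113.50"] * 6                                          # lone repeat offender
    + ["198.51.100.8"]                                              # single stray attempt
    + ["192.0.2.77"] * 4 + ["192.0.2.80"] * 4 + ["192.0.2.91"] * 2  # same /16 as our own IP
)
# Hypothetical allowlist: addresses that must never be caught by a range block.
ALLOW = [ipaddress.ip_network("192.0.2.10/32")]


def propose_denies(ips, prefix=16, min_hosts=3, min_hits=4, allow=ALLOW):
    """Return (entry, distinct_hosts, attempts) tuples, busiest first (IPv4 only)."""
    per_ip = Counter(ipaddress.ip_address(i) for i in ips)
    by_net = defaultdict(dict)
    for ip, n in per_ip.items():
        if any(ip in a for a in allow):
            continue  # never list an allowlisted address
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        by_net[net][ip] = n
    out = []
    for net, hosts in by_net.items():
        # A range is only proposed if it cannot swallow an allowlisted address.
        safe = not any(net.overlaps(a) for a in allow)
        if safe and len(hosts) >= min_hosts:
            out.append((str(net), len(hosts), sum(hosts.values())))
        else:
            # Fall back to single addresses that failed often enough.
            out += [(str(ip), 1, n) for ip, n in hosts.items() if n >= min_hits]
    return sorted(out, key=lambda e: (-e[2], e[0]))


def as_csf_deny(entries):
    """Format entries as 'address # comment' lines for review before denying."""
    return [f"{e} # {h} host(s), {n} failed logins" for e, h, n in entries]


if __name__ == "__main__":
    print("\n".join(as_csf_deny(propose_denies(FAILED_LOGINS))))
```

Only the range with several distinct offending hosts is proposed as a /16; the range that contains the allowlisted address is reduced to its individual repeat offenders.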
     