cpHulkD Not Showing Intruder's IP

cPanel 11.24.4-R32603 WHM 11.24.2 - X 3.9, running on CentOS v5.2

Howdy, All,

Curious about some log entries in /var/messages, excerpted as:

Connection service=system ip= port= user=xxx blocked by cphulkd (Too many failures for this username)

The 'xxx' in user=xxx looks to be a dictionary list of common people names.

There were about 600 attempts over a five hour span this last time around, just cycling alphabetically through different user names.

Trying to figure out where the attack may be coming from, as there's no IP or port shown.

Never got an email from cphulkd either. even though the 'send notification' box is checked.

I have password login disabled for SSH, and am also using non-standard ports for both SSH & FTP. Alas, as WHM & cPanel web access is still hard-coded, those ports can't be changed.

Any idea how to determine where the intruder(s) are trying to get in?

Thanks!
--
Carl

 

Coming up on a couple of years for this thread, anyone from cPanel have an idea why the IP would not be recorded?

Current version:
cPanel 11.25.0-R46156 - WHM 11.25.0 - X 3.9
CENTOS 5.5 i686 xen pv on vps

Had alas not been logging ssh connections; set loglevel to INFO but will have to wait for another intrusion.

/usr/local/cpanel/logs/cphulkd.log does not show the IP either, but that makes sense; if the brute force detection daemon saw the IP it would certainly report it.

Yes, one can shell in, crank up MySQL, use cphulkd & delete from logins where user='root' (or even script that action if it happened to you a lot) but that just lets you back into the WHM gui, it still doesn't explain why the IP isn't being recorded in the first place.

Oh, it also appears to be ignoring whitelist. I have an entry for my IP, but will still get kicked out of WHM if someone tries to log in too many times - however they're doing it - as root.

Looking at /var/log/secure, it does appear sshd is logging timestamps based on the server's timezone, but openssl is logging based on GMT. Not sure if that's relevant.

Any ideas?