DNS Only and Brute force lockout

Jmz | Registered | Aug 13, 2013 | cPanel Access Level: Reseller Owner
I have 2 DNS Only servers set up in a cluster with all my cPanel VPSs. If either one gets brute forced (obviously failed), it will lock the root account, which is normal behavior and acceptable. The problem is that when the root account is locked, the servers can no longer access whichever NS was brute forced. So, I get emails alerting me to DNS cluster errors all day, which in reality don't exist, and it's difficult to determine whether it's a real failure of DNS or just a brute force lockout.

Is there a way to prevent blocking access to accounts using the remote access key? Or maybe another workaround where cPanel servers can still query NS servers while the brute force lockout is in effect on the root account?

simonas | Well-Known Member | Apr 21, 2013 | Lithuania | cPanel Access Level: Root Administrator
Hi,

Did you see that cPHulk brute force protection has a whitelist capability?

Go to cPHulk Brute Force Protection,
select White/Black List Management,
and add your servers' IPs to the whitelist. They will be allowed to connect.

Jmz | Registered | Aug 13, 2013 | cPanel Access Level: Reseller Owner
Thanks. Yeah, I saw that, but I guess I misinterpreted what it was for. But I added my IPs, so we will see.

cPanelMichael | Administrator | Staff member | Apr 11, 2011
Hello :)

You may want to consider implementing a third-party firewall such as CSF/LFD and then disabling cPhulkd if your servers are under a consistent brute force attack. While cPhulkd is helpful, it will not block the offending IP addresses, which is something a firewall can do. This will help prevent cases when the "root" user is locked out, resulting in failed authentication attempts from the hosting server.

Thank you.

Jmz | Registered | Aug 13, 2013 | cPanel Access Level: Reseller Owner
> Hello :)
>
> You may want to consider implementing a third-party firewall such as CSF/LFD and then disabling cPhulkd if your servers are under a consistent brute force attack. While cPhulkd is helpful, it will not block the offending IP addresses, which is something a firewall can do. This will help prevent cases when the "root" user is locked out, resulting in failed authentication attempts from the hosting server.
>
> Thank you.

Well, it isn't quite all-day events. It's just 6 WHM servers trying to update DNS, and I get cluster errors from those in a 10 min lockout window. I would maybe say it happens twice a day. But I usually blacklist IPs that are trying to brute force root, especially on the NS.
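The thread's underlying triage problem is telling a genuine DNS cluster failure apart from a cluster error that only exists because the nameserver's root account is inside a cPHulk lockout window. The following Python script is an added example, not code from the thread or from cPanel: it takes the 10-minute lockout duration mentioned above and correlates each cluster error alert (timestamp, source WHM server, nameserver) with the lockout events recorded for that nameserver, labelling alerts that fall inside an active window as lockout noise and everything else as a real failure worth investigating. All timestamps, IPs and hostnames are constructed sample data; the input shapes and function names are assumptions for illustration, not a cPanel API.

```python
"""Classify DNS cluster error alerts as cPHulk-lockout noise or real failures.

Added example (not from the forum thread or cPanel). Inputs are constructed:
a list of root lockout events per nameserver and a list of cluster error
alerts raised by WHM servers. The lockout duration (10 minutes) is the value
stated in the thread.
"""
from datetime import datetime, timedelta

# cPHulk lockout length quoted in the thread.
LOCKOUT_WINDOW = timedelta(minutes=10)

# Constructed sample lockout events: (ISO 8601 timestamp, nameserver IP).
LOCKOUTS = [
    ("2013-08-13T09:02:10", "198.51.100.10"),  # root locked on ns1
    ("2013-08-13T21:40:00", "198.51.100.20"),  # root locked on ns2
]

# Constructed sample cluster error alerts:
# (ISO 8601 timestamp, WHM server that raised it, nameserver it failed to reach).
CLUSTER_ERRORS = [
    ("2013-08-13T09:04:31", "whm1", "198.51.100.10"),  # inside ns1 lockout
    ("2013-08-13T09:11:05", "whm3", "198.51.100.10"),  # still inside ns1 lockout
    ("2013-08-13T13:15:00", "whm2", "198.51.100.20"),  # no lockout active: real
    ("2013-08-13T21:49:59", "whm5", "198.51.100.20"),  # last second of ns2 window
    ("2013-08-13T21:50:01", "whm6", "198.51.100.20"),  # window already expired: real
]


def parse_ts(value):
    """Parse an ISO 8601 timestamp string into a naive datetime."""
    return datetime.fromisoformat(value)


def build_windows(lockouts, window=LOCKOUT_WINDOW):
    """Turn lockout events into half-open [start, end) windows per nameserver."""
    return [(parse_ts(ts), parse_ts(ts) + window, ns) for ts, ns in lockouts]


def classify(error, windows):
    """Return 'lockout' if the alert falls inside an active lockout window
    for the same nameserver, otherwise 'real'."""
    ts, _source, ns = error
    when = parse_ts(ts)
    for start, end, locked_ns in windows:
        if locked_ns == ns and start <= when < end:
            return "lockout"
    return "real"


def triage(errors, lockouts):
    """Label every alert; returns a list of (alert, label) pairs in input order."""
    windows = build_windows(lockouts)
    return [(err, classify(err, windows)) for err in errors]


def real_failures(errors, lockouts):
    """Only the alerts that are not explained by a lockout window."""
    return [err for err, label in triage(errors, lockouts) if label == "real"]


def summary(errors, lockouts):
    """Counts per label, handy for a daily digest instead of per-alert emails."""
    counts = {"lockout": 0, "real": 0}
    for _err, label in triage(errors, lockouts):
        counts[label] += 1
    return counts


if __name__ == "__main__":
    for err, label in triage(CLUSTER_ERRORS, LOCKOUTS):
        print(f"{err[0]} {err[1]:>5} -> {err[2]:<15} {label}")
    print("summary:", summary(CLUSTER_ERRORS, LOCKOUTS))
```

The window is half-open so an alert raised exactly when the lockout expires is treated as real, matching the moment the nameserver starts accepting the cluster's authentication again. Feeding this the real alert feed would let the cluster error notifications for the six WHM servers be collapsed into one digest, with only the unexplained failures paged out immediately.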