
DNS Only and Brute force lockout

Discussion in 'Security' started by Jmz, Dec 16, 2013.

  1. Jmz

    Jmz Registered

    I have 2 DNS Only servers set up in a cluster with all my cPanel VPSs. If either one gets brute forced (obviously failed) it will lock the root account. Which is normal behavior and acceptable. The problem is that when the root account is locked, the servers can no longer access whichever NS was brute forced. So, I get emails alerting me to DNS Cluster errors all day. Which in reality, they don't exist and it's difficult to determine whether it's a real failure of DNS or just a brute force lockout.

    Is there a way to prevent blocking access to accounts using the remote access key? Or maybe another workaround where cPanel servers can still query NS servers while brute force lockout is in effect on root account?
     
  2. simonas

    simonas Well-Known Member

    Hi,

    Did you see that cPHulk brute force protection has whitelist capability?

    Go to cPHulk Brute Force Protection
    Select White/Black List Management
    And add your servers' IPs to the White list. They will be allowed to connect.
     
  3. Jmz

    Jmz Registered

    Thanks. Yeah I saw that but I guess I misinterpreted what it was for. But I added my IPs so we will see.
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello :)

    You may want to consider implementing a third-party firewall such as CSF/LFD and then disabling cPhulkd if your servers are under a consistent brute force attack. While cPhulkd is helpful, it will not block the offending IP addresses, which is something a firewall can do. This will help prevent cases when the "root" user is locked out, resulting in failed authentication attempts from the hosting server.

    Thank you.
     
  5. Jmz

    Jmz Registered

    Well, it isn't quite all day events. It's just 6 WHM servers trying to update DNS and I get cluster errors from those in a 10 min lockout window. I would maybe say it happens twice a day. But I usually blacklist IPs that are trying to brute force root, especially on the NS.
     