Dropping connection from xx.xx.xx.xx because of tcp_wrappers at cpsrvd.pl line 3564

Discussion in 'Security' started by keat63, May 18, 2016.

  1. keat63

    keat63 Well-Known Member

    Joined:
    Nov 20, 2014
    Messages:
    765
    Likes Received:
    20
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    Although I've never had a definitive answer to the above message, it does appear that this is someone trying to log in to either cPanel or WHM.
    Either way, I see this quite frequently.

    If I see only one or two entries, then I tend not to worry, this could indeed be genuine.
    However, occasionally, I see 30 or more entries from an IP, and often the same IP coming back for another go.

    On these occasions, I will manually add the IP to the CSF blocklist.

    It would be good, if these were added automatically. I've posted a number of requests on the CSF forum, but don't seem to be obtaining any answers.

    Could anyone on here suggest anything?
     
  2. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,466
    Likes Received:
    196
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
  3. keat63

    keat63 Well-Known Member

    Joined:
    Nov 20, 2014
    Messages:
    765
    Likes Received:
    20
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    I am aware, and I'm still looking for an answer, just hoping that eventually someone will have one. ;)

    I know that my Host Access file is refusing them entry, but the person or bot this morning made around 100 attempts before giving in and then coming back again an hour later for another go.

    I would really like to come up with a method of blocking their IP after 5 failed attempts, rather than having to do this manually.
     
    #3 keat63, May 18, 2016
    Last edited: May 18, 2016
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,766
    Likes Received:
    662
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello,

    Is cPHulk sufficient to block the IP addresses? It's documented, including information on how it can block IP addresses at the firewall level, at:

    cPHulk Brute Force Protection - Documentation - cPanel Documentation

    Thank you.
     
  5. keat63

    keat63 Well-Known Member

    Joined:
    Nov 20, 2014
    Messages:
    765
    Likes Received:
    20
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    If it is, then it doesn't work for this instance.
    I do have CPHulk configured.
     
  6. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,766
    Likes Received:
    662
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    How have you configured cPHulk exactly, and is there any output to /usr/local/cpanel/logs/cphulkd.log when this happens?

    Thank you.
     
  7. keat63

    keat63 Well-Known Member

    Joined:
    Nov 20, 2014
    Messages:
    765
    Likes Received:
    20
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    From what I can see in CPHULK, there doesn't appear to be much to configure.
    Basically, 3 x On buttons.

    I don't see any entry in the CPHULK log; however, I suspect that they may not be getting this far, as HostAccessControl is blocking them beforehand?
     
  8. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,766
    Likes Received:
    662
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Yes, the access attempts are dropped if you are using "Host Access Control" to block the requests. cPHulk can automatically block an IP address at the firewall level after a set number of attempts:

    cPHulk Brute Force Protection - Documentation - cPanel Documentation

    The option I am referring to is:

    Block IP addresses at the firewall level if they trigger brute force protection

    However, note the following:

    The alternative is to use "Command to Run When an IP Address Triggers Brute Force Protection" and configure a command that blocks the IP address using CSF.

    Thank you.
     
  9. keat63

    keat63 Well-Known Member

    Joined:
    Nov 20, 2014
    Messages:
    765
    Likes Received:
    20
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    'Block IP addresses at the firewall level if they trigger brute force protection' is checked, and also configured for 5 attempts.
    But if HostAccessControl is dropping them before they get this far then it's something that I have to put up with.
    I'd rather not dilute HostAccessControl in favour of CPHULK.
    I suppose a positive thing about HAC is that unless your IP is in the small list, you're not getting in. (end of)
    Just a little annoying when I see a few hundred attempts from the same IP though.
     
  10. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,766
    Likes Received:
    662
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    It's difficult to stop the actual access attempts, as most IP ranges are scanned by bots. Thus, using features such as "Host Access Control" is the best approach to block the offending IP addresses.

    Thank you.
     
  11. keat63

    keat63 Well-Known Member

    Joined:
    Nov 20, 2014
    Messages:
    765
    Likes Received:
    20
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    It's started again.
    Could anyone create a modsec rule for this at all, as this is way beyond my capabilities.
     
  12. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,766
    Likes Received:
    662
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    A Mod_Security rule wouldn't restrict access to the ports the cpsrvd service listens on (e.g. 2082,2087). You may want to consult with your data center or a qualified system administrator if you need assistance with blocking the attack from the network level or through custom firewall rules.

    Thank you.
     
  13. keat63

    keat63 Well-Known Member

    Joined:
    Nov 20, 2014
    Messages:
    765
    Likes Received:
    20
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    I was thinking more along the lines of a modsec or CSF rule that would look at the string
    'because of tcp_wrappers at cpsrvd.pl line 3564', and then block the offending IP address accordingly.
    I did look at regex rules for CSF, but this just baffled me.
     
  14. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,766
    Likes Received:
    662
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    You may want to consult with a qualified system administrator if you do not receive additional user-feedback on a custom rule. You can find a list of system administration services at:

    System Administration Services

    Thank you.
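
The check requested in post #13 (match the tcp_wrappers drop message, count it per source IP, act at the 5-attempt threshold from post #3), as an added example that is not part of the thread and is not cPanel or CSF code. The function names, the allowlist parameter and the timestamp prefix on the sample lines are assumptions; the sample log lines are constructed, and the `csf -d` commands are only rendered as text for review.

```python
import ipaddress
import re
from collections import Counter

# Message text as given in the thread title. The line number is matched loosely
# on the assumption that it can differ between cpsrvd builds.
DROP_RE = re.compile(
    r"Dropping connection from (\S+) because of tcp_wrappers at cpsrvd\.pl line \d+"
)

def offenders(lines, threshold=5, allowlist=()):
    """Return {ip: count} for sources dropped at least `threshold` times."""
    allowed = [ipaddress.ip_network(net) for net in allowlist]
    counts = Counter()
    for line in lines:
        m = DROP_RE.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # masked or malformed address: never hand it to a firewall command
        if any(ip in net for net in allowed):
            continue  # never propose blocking an administrator's own range
        counts[str(ip)] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}

def deny_commands(hits):
    """Render one `csf -d <ip> <comment>` line per offender; nothing is executed."""
    return [f'csf -d {ip} "tcp_wrappers drops on cpsrvd: {n}"'
            for ip, n in sorted(hits.items())]

def _sample(ip, n):
    # Constructed log lines; the prefix is a placeholder, not a real cPanel format.
    msg = "Dropping connection from {} because of tcp_wrappers at cpsrvd.pl line 3564"
    return ["[constructed timestamp] " + msg.format(ip)] * n

SAMPLE = (_sample("203.0.113.7", 6) + _sample("198.51.100.20", 2)
          + _sample("192.0.2.10", 5) + _sample("xx.xx.xx.xx", 1)
          + ["[constructed timestamp] unrelated log line"])

if __name__ == "__main__":
    for cmd in deny_commands(offenders(SAMPLE, allowlist=["192.0.2.0/24"])):
        print(cmd)
```

Counting over a fixed batch of lines has no time window, so a periodic run would need to pass in only the lines written since the previous run.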
     