Dropping connection from xx.xx.xx.xx because of tcp_wrappers at cpsrvd.pl line 3564

keat63

Well-Known Member
Nov 20, 2014
1,961
267
113
cPanel Access Level
Root Administrator
Although I've never had a definitive answer to the above message, it does appear that this is someone trying to log in to either cPanel or WHM.
Either way, I see this quite frequently.

If I see only one or two entries, then I tend not to worry, this could indeed be genuine.
However, occasionally, I see 30 or more entries from an IP, and often the same IP coming back for another go.

On these occasions, I will manually add the IP to the CSF blocklist.

It would be good if these were added automatically. I've posted a number of requests on the CSF forum, but don't seem to be obtaining any answers.

Could anyone on here suggest anything?
 

keat63

I am aware, and I'm still looking for an answer, just hoping that eventually someone will have one. ;)

I know that my Host Access file is refusing them entry, but the person or bot this morning made around 100 attempts before giving in and then coming back again an hour later for another go.

I would really like to come up with a method of blocking their IP after 5 failed attempts, rather than having to do this manually.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,880
2,258
463

> If it is, then it doesn't work for this instance.
> I do have CPHulk configured.

How have you configured cPHulk exactly, and is there any output to /usr/local/cpanel/logs/cphulkd.log when this happens?

Thank you.
 

keat63

From what I can see in CPHULK, there doesn't appear to be much to configure.
Basically, 3 x On buttons.

I don't see any entry in CPHULK log, however, I suspect that they may not be getting this far, as HostAccessControl is blocking them beforehand?
 

cPanelMichael

> I don't see any entry in CPHULK log, however, I suspect that they may not be getting this far, as HostAccessControl is blocking them beforehand?

Yes, the access attempts are dropped if you are using "Host Access Control" to block the requests. cPHulk can automatically block an IP address at the firewall level after a set number of attempts:

cPHulk Brute Force Protection - Documentation - cPanel Documentation

The option I am referring to is:

Block IP addresses at the firewall level if they trigger brute force protection

However, note the following:

  • This option writes a new iptables rule and requires iptables version 1.4 or higher to block IP addresses at the IP address-based level.
  • This option is not available on Virtuozzo.
  • iptables version 1.4 is not available on CentOS 5.

The alternative is to use "Command to Run When an IP Address Triggers Brute Force Protection" and configure a command that blocks the IP address using CSF.

Thank you.
 

keat63

'Block IP addresses at the firewall level if they trigger brute force protection' is checked, and also configured for 5 attempts.
But if HostAccessControl is dropping them before they get this far then it's something that I have to put up with.
I'd rather not dilute HostAccessControl in favour of CPHULK.
I suppose a positive thing about HAC, is that unless your IP is in the small list, you're not getting in. (end of)
Just a little annoying when I see a few hundred attempts from the same IP though.
 

cPanelMichael

It's difficult to stop the actual access attempts, as most IP ranges are scanned by bots. Thus, using features such as "Host Access Control" is the best approach to block the offending IP addresses.

Thank you.
 

cPanelMichael

A Mod_Security rule wouldn't restrict access to the ports the cpsrvd service listens on (e.g. 2082,2087). You may want to consult with your data center or a qualified system administrator if you need assistance with blocking the attack from the network level or through custom firewall rules.

Thank you.
 

keat63

I was thinking more along the lines of a modsec or CSF rule that would look at the string
'because of tcp_wrappers at cpsrvd.pl line 3564', and then block the offending IP address accordingly.
I did look at regex rules for CSF, but this just baffled me.
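
Added example, not part of the thread and not cPanel or CSF code: one way to do what the post above asks, counting the quoted log message per source IP and building `csf -d` deny commands for any address with 5 or more drops. The log file is passed as an argument (its location is not given in the thread); the allowlist range, the sample lines and the function names are assumptions made for this illustration.

```python
#!/usr/bin/env python3
"""Count tcp_wrappers drops per source IP and list the ones worth blocking."""
import ipaddress
import re
import sys
from collections import Counter

# Matches the message quoted in this thread. The Perl line number at the end
# is deliberately not matched, since it is not part of what identifies a drop.
DROP_RE = re.compile(r"Dropping connection from (\S+) because of tcp_wrappers")
THRESHOLD = 5  # the "5 failed attempts" asked for in the thread

def offenders(lines, threshold=THRESHOLD, allow=()):
    """Return {ip: count} for sources with at least `threshold` drops."""
    allowed = [ipaddress.ip_network(n) for n in allow]
    counts = Counter()
    for line in lines:
        m = DROP_RE.search(line)
        if not m:
            continue
        try:
            # Parse instead of trusting log text, so only a real address
            # can ever end up in a firewall command.
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue
        if any(ip in net for net in allowed):
            continue  # never block our own admin ranges
        counts[str(ip)] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}

def csf_commands(hits):
    """Build `csf -d` deny commands (printed for review, not executed)."""
    return [f'csf -d {ip} "{n} tcp_wrappers drops on cpsrvd"'
            for ip, n in sorted(hits.items())]

# Constructed sample lines in the format quoted above (documentation IPs).
TAIL = " because of tcp_wrappers at cpsrvd.pl line 3564"
SAMPLE = (["Dropping connection from 203.0.113.7" + TAIL] * 6
          + ["Dropping connection from 198.51.100.20" + TAIL] * 2
          + ["Dropping connection from 192.0.2.10" + TAIL] * 9
          + ["Dropping connection from not-an-ip" + TAIL] * 7)

if __name__ == "__main__":
    # Usage: script.py LOGFILE  (with no argument, the sample above is used)
    src = open(sys.argv[1], errors="replace") if len(sys.argv) > 1 else SAMPLE
    for cmd in csf_commands(offenders(src, allow=["192.0.2.0/24"])):
        print(cmd)
```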
 

cPanelMichael

You may want to consult with a qualified system administrator if you do not receive additional user-feedback on a custom rule. You can find a list of system administration services at:

System Administration Services

Thank you.