Failed Login Attempts & Banning IP Addresses

[jerdoggmckoy]

Hello, when I get one of these messages:

Subject: "Large Number of Failed Login Attempts from IP xxx.xxx.xxx.xxx"

And then it shows the following:

Origin Country: Canada (CA)

Please use the following links to add to the black list:

Single IP: https://server:2087/cgi/bl.cgi?ip=174.142.220.111
/24: https://server:2087/cgi/bl.cgi?ip=174.142.220.0/24
/16: https://server:2087/cgi/bl.cgi?ip=174.142.0.0/16

Should I add these IP addresses to the blacklists? If so, which option should I use? The single IP, 24 or 16? Though I don't know what any of those mean. And if I should add them, then won't my blacklist file get extremely large?

 

[jerdoggmckoy]

Hey All, my email shows someone replied to this post, but the reply is not here. The recommendation I read was to just go ahead and block each of the single IP's that register the hack attempts. But I'm curious if that is honestly effective or are these hackers just using proxies anyway or some sort of IP rotation system anyway?

Any help or guidance is GREATLY APPRECIATED!!!

 

[quizknows]

Are these notices coming from cphulk?

I recommend you install configserver firewall (CSF) as it has LFD (login failure daemon) which will automatically block the IP's for you.

 

[cPanelMichael]

Hello

cPHulk is useful for preventing successful authentication, however you will need to utilize a third-party firewall such as CSF if you want to block the actual connection to the server. The drawback to blocking an entire range is that you could block legitimate users.

Thank you.

 

[jerdoggmckoy]

Michael, are you saying that I should take the IP's that are being blocked by cPHulk and also block them from within CSF?

My goodness, I get such a large amount of these "Large Number of Failed Login Attempts from IP . . . ." - Anyone have any idea why I get so many of them? Or is that just normal these day? it seems like I get 1-2 every couple days.

 

[cPanelMichael]

cPHulk will not actually prevent those IP addresses from connecting to your server. It prevents successful authentication, but the connections still occur. Thus, it's a good idea to block those IP addresses with CSF because it can help stop the authentication attempt itself.

Thank you.

 

[jerdoggmckoy]

cPHulk will not actually prevent those IP addresses from connecting to your server. It prevents successful authentication, but the connections still occur. Thus, it's a good idea to block those IP addresses with CSF because it can help stop the authentication attempt itself.

Thank you.

Awesome, thanks for the help!