Failed Login Attempts & Banning IP Addresses

jerdoggmckoy

Active Member
Jun 3, 2013
36
0
6
St Paul, MN
cPanel Access Level
Root Administrator
Hello, when I get one of these messages:

Subject: "Large Number of Failed Login Attempts from IP xxx.xxx.xxx.xxx"

And then it shows the following:

Origin Country: Canada (CA)

Please use the following links to add to the black list:

Single IP: https://server:2087/cgi/bl.cgi?ip=174.142.220.111
/24: https://server:2087/cgi/bl.cgi?ip=174.142.220.0/24
/16: https://server:2087/cgi/bl.cgi?ip=174.142.0.0/16

Should I add these IP addresses to the blacklists? If so, which option should I use? The single IP, 24 or 16? Though I don't know what any of those mean. And if I should add them, then won't my blacklist file get extremely large?
 

jerdoggmckoy

Active Member
Jun 3, 2013
36
0
6
St Paul, MN
cPanel Access Level
Root Administrator
Hey All, my email shows someone replied to this post, but the reply is not here. The recommendation I read was to just go ahead and block each of the single IP's that register the hack attempts. But I'm curious if that is honestly effective or are these hackers just using proxies anyway or some sort of IP rotation system anyway?

Any help or guidance is GREATLY APPRECIATED!!!
 

quizknows

Well-Known Member
Oct 20, 2009
1,008
87
78
cPanel Access Level
DataCenter Provider
Are these notices coming from cphulk?

I recommend you install configserver firewall (CSF) as it has LFD (login failure daemon) which will automatically block the IP's for you.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,913
2,201
363
Hello :)

cPHulk is useful for preventing successful authentication, however you will need to utilize a third-party firewall such as CSF if you want to block the actual connection to the server. The drawback to blocking an entire range is that you could block legitimate users.

Thank you.
 

jerdoggmckoy

Active Member
Jun 3, 2013
36
0
6
St Paul, MN
cPanel Access Level
Root Administrator
Michael, are you saying that I should take the IP's that are being blocked by cPHulk and also block them from within CSF?

My goodness, I get such a large amount of these "Large Number of Failed Login Attempts from IP . . . ." - Anyone have any idea why I get so many of them? Or is that just normal these day? it seems like I get 1-2 every couple days.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,913
2,201
363
cPHulk will not actually prevent those IP addresses from connecting to your server. It prevents successful authentication, but the connections still occur. Thus, it's a good idea to block those IP addresses with CSF because it can help stop the authentication attempt itself.

Thank you.