Hidden IPs trying to connect to my server?

[ziadmm0]

Hello

In Home »Security Center » cPHulk Brute Force Protection »» History Reports

There are many reports for IPs trying to brute force my server, most of these IPs are 1 IP which is :

0000:0000:0000:0000:0000:0000:0000:0000

What is this IP and how to block it ? becuase the system doesn't block it and every 30 seconds he try to connect to my server

 

[cPanelLauren]

Hello,

Do you have username blocking enabled? You can see this when you got to WHM>>Security Center>>Brute Force Protection - Configuration Settings. You can usually correlate this to a username block in /usr/local/cpanel/logs/cphulkd.log

 

[ziadmm0]

Hello cPanelLauren
I didn't block any username, actually there are only one username which is mine.

 

[cPanelLauren]

Hello @ziadmm0


I didn't think you specifically blocked a username but that cphulkd had username blocking enabled. Can you please check the items I noted in my previous response and provide the output from the logs as well as a screenshot of the cphulkd configuration.

 

[ziadmm0]

In the file there are many codes like this

$hd] [Remote IP Address]=[68.183.xx.xxx] [Authentication Database]=[system] [Username]=[admin] (5/5 failures) $

And every line have different IP and username, it is 100% brute-force attack.




Why some IPs are 0000:0000:0000:...:0000 ?

 

[cPanelLauren]

You can see in the first screenshot you provided username based protection is enabled. Though you did not provide the log entry as requested (the logs indicate what was blocked, IP or username) seeing that username protection is in fact enabled - the blocks with the 0's for IP addresses are blocks based on the username not the IP address.

You'd be able to correlate this in the logs I requested you provide excerpts from initially, with something like the following:

[2019-08-26 15:20:22 +0300] info [cPhulkd] Login Blocked: Too many failures for this username for this authentication database. [Service]=[dovecot] [Local IP Address]=[0000:0000:0000:0000:0000:0000:0000:0001] [Local Port]=[143] [Local User triggering request]=[$user] [Remote IP Address]=[0000:0000:0000:0000:0000:0000:0000:0001] [Remote Port]=[33736] [Authentication Database]=[mail] [Username]=[[email protected]] (6/5 failures) (blocked until [Mon Aug 26 17:20:22 2019 UTC/Mon Aug 26 20:20:22 2019 LOCAL])

 

[ziadmm0]

Thank you for your help

In same file there are:

[2019-08-16 11:37:29 +0300] info [cPhulkd] Login Blocked: Too many failures for this username for this authentication database. [Service]=[sshd] [Authentication Database]=[system] [Username]=[admin] (16/15 failure) ...

Is this what you mean?

Actually there are a thousands of IPs trying to connect to my server.. Is cPhulk protection enough for this brute-force attack?

 

[cPanelLauren]

Too many failures for this username for this authentication database.

This is the error I'm referencing. When there's a block on the IP the wording of this error indicates as such.

If there are thousands of IP's at once trying to connect, it can be overwhelming for any software. If you mean that over time thousands of IP's are attempting to connect cPhulkd should not have a problem managing brute force attempts but you might also want to check out the advice here:

Tips to Make Your Server More Secure - cPanel Knowledge Base - cPanel Documentation

documentation.cpanel.net

 

[ziadmm0]

Thank you