Hidden IPs trying to connect to my server?

ziadmm0

Active Member
Aug 11, 2019
26
3
3
usa
cPanel Access Level
Root Administrator
Hello

In Home » Security Center » cPHulk Brute Force Protection » History Reports

There are many reports for IPs trying to brute force my server; most of these reports are from one IP, which is:
0000:0000:0000:0000:0000:0000:0000:0000

What is this IP and how do I block it? Because the system doesn't block it, and every 30 seconds it tries to connect to my server.

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,296
1,271
313
Houston
Hello,

Do you have username blocking enabled? You can see this when you go to WHM >> Security Center >> Brute Force Protection - Configuration Settings. You can usually correlate this to a username block in /usr/local/cpanel/logs/cphulkd.log

cPanelLauren
Hello @ziadmm0

I didn't think you specifically blocked a username, but that cphulkd had username blocking enabled. Can you please check the items I noted in my previous response and provide the output from the logs as well as a screenshot of the cphulkd configuration?

ziadmm0
In the file there are many entries like this:
Code:
$hd] [Remote IP Address]=[68.183.xx.xxx] [Authentication Database]=[system] [Username]=[admin] (5/5 failures) $
And every line has a different IP and username; it is 100% a brute-force attack.

[two screenshots attached]

Why are some IPs 0000:0000:0000:...:0000?

cPanelLauren
You can see in the first screenshot you provided that username-based protection is enabled. Though you did not provide the log entry as requested (the logs indicate what was blocked, IP or username), seeing that username protection is in fact enabled, the blocks with the 0's for IP addresses are blocks based on the username, not the IP address.

You'd be able to correlate this in the logs I requested you provide excerpts from initially, with something like the following:

Code:
[2019-08-26 15:20:22 +0300] info [cPhulkd] Login Blocked: Too many failures for this username for this authentication database. [Service]=[dovecot] [Local IP Address]=[0000:0000:0000:0000:0000:0000:0000:0001] [Local Port]=[143] [Local User triggering request]=[$user] [Remote IP Address]=[0000:0000:0000:0000:0000:0000:0000:0001] [Remote Port]=[33736] [Authentication Database]=[mail] [Username]=[[email protected]] (6/5 failures) (blocked until [Mon Aug 26 17:20:22 2019 UTC/Mon Aug 26 20:20:22 2019 LOCAL])
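As an added example (not cPanel's code or anything from this thread's authors), here is a small Python parser for cphulkd.log "Login Blocked" lines that separates username-based blocks from entries that carry a real remote address, so the History Report's all-zero IPs can be tied back to the log. It assumes the `::`/`::1` Remote IP on such entries is the placeholder described above; the sample log is adapted from the lines quoted here plus one constructed line.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Sample cphulkd.log content: the first two lines are adapted from this thread (the redacted
# mailbox replaced with a constructed one); the third is constructed, using the 203.0.113.0/24 range.
SAMPLE_LOG = """\
[2019-08-26 15:20:22 +0300] info [cPhulkd] Login Blocked: Too many failures for this username for this authentication database. [Service]=[dovecot] [Local IP Address]=[0000:0000:0000:0000:0000:0000:0000:0001] [Local Port]=[143] [Local User triggering request]=[$user] [Remote IP Address]=[0000:0000:0000:0000:0000:0000:0000:0001] [Remote Port]=[33736] [Authentication Database]=[mail] [Username]=[user@example.com] (6/5 failures) (blocked until [Mon Aug 26 17:20:22 2019 UTC/Mon Aug 26 20:20:22 2019 LOCAL])
[2019-08-16 11:37:29 +0300] info [cPhulkd] Login Blocked: Too many failures for this username for this authentication database. [Service]=[sshd] [Authentication Database]=[system] [Username]=[admin] (16/15 failure)
[2019-08-27 09:01:10 +0300] info [cPhulkd] Login Blocked: Too many failures for this username for this authentication database. [Service]=[sshd] [Remote IP Address]=[203.0.113.7] [Authentication Database]=[system] [Username]=[root] (5/5 failures)
"""

HEADER_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \w+ \[cPhulkd\] (?P<msg>[^\[]+)")
FIELD_RE = re.compile(r"\[([^\]=]+)\]=\[([^\]]*)\]")  # [Key]=[value] pairs
COUNT_RE = re.compile(r"\((\d+)/(\d+) failures?\)")    # "(6/5 failures)" or "(16/15 failure)"

def real_remote_ip(value):
    """True only for a routable client address; a missing field or the :: / ::1 placeholder does not count."""
    if not value:
        return False
    try:
        ip = ip_address(value)
    except ValueError:
        return False
    return not (ip.is_unspecified or ip.is_loopback)

def parse_entry(line):
    """Parse one 'Login Blocked' line into a dict; returns None for any other line."""
    m = HEADER_RE.match(line)
    if not m or "Login Blocked" not in m.group("msg"):
        return None
    fields = dict(FIELD_RE.findall(line))
    count = COUNT_RE.search(line)
    remote = fields.get("Remote IP Address")
    return {
        "auth_db": fields.get("Authentication Database"),
        "username": fields.get("Username"),
        "remote_ip": remote,
        "real_remote_ip": real_remote_ip(remote),
        "failures": int(count.group(1)) if count else None,
        # The message wording names the block basis; "for this username" is the case
        # that shows in the History Report with an all-zero IP.
        "block_type": "username" if "for this username" in m.group("msg") else "other",
    }

def summarize(log_text):
    """Count username-based blocks per account so the targeted logins stand out."""
    entries = [e for e in map(parse_entry, log_text.splitlines()) if e]
    by_user = Counter(e["username"] for e in entries if e["block_type"] == "username")
    return {"entries": entries, "username_blocks_by_account": dict(by_user)}
```

Run it against a copy of /usr/local/cpanel/logs/cphulkd.log to see which accounts are drawing the username blocks, independent of how many source IPs are involved.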

ziadmm0
Thank you for your help

In the same file there are:
Code:
[2019-08-16 11:37:29 +0300] info [cPhulkd] Login Blocked: Too many failures for this username for this authentication database. [Service]=[sshd] [Authentication Database]=[system] [Username]=[admin] (16/15 failure) ...
Is this what you mean?

Actually there are thousands of IPs trying to connect to my server. Is cPhulk protection enough for this brute-force attack?

cPanelLauren
Code:
Too many failures for this username for this authentication database.
This is the error I'm referencing. When there's a block on the IP, the wording of this error indicates as much.

If there are thousands of IPs at once trying to connect, it can be overwhelming for any software. If you mean that over time thousands of IPs are attempting to connect, cPhulkd should not have a problem managing brute force attempts, but you might also want to check out the advice here: