I recently turned on cpHulk as per the Security Advisor. Its function makes sense, so I want to use it.
The first thing that happened is I started getting emails about "Root was logged into pam using following authentication service: system (sshd)"
It gives me an IP address. When I look up the IP, it's in the USA and is not in any blacklist, but I still don't recognize it, so my first question is, what sort of IPs should I expect to be causing these messages? Really only I log in as root from my office, maybe from home, and my webhost where our dedicated server lives probably does too. I don't know why any other IP would log in as root so it makes me wonder if I should blacklist all IPs and then whitelist the IPs I use, and those of my host??
In general though, what sort of protocol should I follow when I get these messages? Do you guys have a way to research IPs to see if they are legit or not? All I know about this IP is that it's in the USA, so I don't know if it's good or not!
My second question is this: when I log in to WHM and go to cpHulk section and look at excessive login failures, some of these IPs are easier to research, 30 failed attempts from an IP coming from China for example. Ya that's probably bad, so should I blacklist it? I've already got a dozen bad IPs by having Hulk on for a couple days. I'm wondering if it's overkill to ban IPs left and right, I imagine the blacklist will grow to enormous size over time and just doesn't seem efficient to do that. Should I try and ban entire countries? I really only expect users in the US. Or should I ignore them and let Hulk do its timeout thing on its own and leave it be?
So basically I'm asking, what are some good management protocols for cpHulk use? And how should I handle the email reports about successful logins as root? Should I just whitelist any IP I might use, and try to whitelist all IPs of my host? Not sure.
Thanks for any ideas!
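One way to act on those "root was logged into pam" reports, as an added example that is not part of the original post and not cPanel's own code: a short Python script that reads sshd log lines, checks the source of every accepted root login against an allowlist of networks the poster controls (office, home, hosting provider), and counts failed attempts per IP the way the cpHulk "excessive login failures" view does. The allowlist networks and the log lines are constructed placeholders from the RFC 5737 documentation ranges.

```python
import ipaddress
import re

# Constructed allowlist: the only networks from which root SSH logins are expected.
# Placeholder documentation ranges; replace with your office, home and host IPs.
EXPECTED_ROOT_SOURCES = [
    ipaddress.ip_network("203.0.113.0/24"),   # office (placeholder)
    ipaddress.ip_network("198.51.100.7/32"),  # home (placeholder)
    ipaddress.ip_network("192.0.2.0/24"),     # hosting provider (placeholder)
]

# Constructed sshd lines in the /var/log/secure (or auth.log) format.
ACCEPTED_LINES = [
    "Mar  3 08:12:01 host sshd[1201]: Accepted publickey for root from 203.0.113.5 port 50222 ssh2",
    "Mar  3 09:02:44 host sshd[1388]: Accepted password for root from 198.51.100.99 port 51010 ssh2",
    "Mar  3 09:30:00 host sshd[1402]: Accepted password for alice from 198.51.100.99 port 51300 ssh2",
    "Mar  3 09:45:12 host sshd[1410]: Failed password for invalid user admin from 198.51.100.60 port 41100 ssh2",
]
# Six failures from one address, the kind of burst cpHulk lists as excessive.
FAILED_LINES = [
    f"Mar  3 08:40:{10 + i:02d} host sshd[{1300 + i}]: Failed password for root "
    f"from 198.51.100.50 port {41000 + i} ssh2"
    for i in range(6)
]
SAMPLE_LOG = "\n".join(ACCEPTED_LINES + FAILED_LINES)

ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port")
FAILED = re.compile(r"sshd\[\d+\]: Failed \S+ for (?:invalid user )?(\S+) from (\S+) port")


def is_expected(ip):
    """True if the address falls inside one of the allowlisted networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in EXPECTED_ROOT_SOURCES)


def triage(log_text, fail_threshold=5):
    """Return (root logins from unexpected sources, IPs at or above the failure threshold)."""
    unexpected = []   # (source ip, auth method) for root logins outside the allowlist
    failures = {}     # source ip -> number of failed attempts, any user
    for line in log_text.splitlines():
        m = ACCEPTED.search(line)
        if m:
            if m.group(2) == "root" and not is_expected(m.group(3)):
                unexpected.append((m.group(3), m.group(1)))
            continue
        m = FAILED.search(line)
        if m:
            failures[m.group(2)] = failures.get(m.group(2), 0) + 1
    noisy = sorted(ip for ip, n in failures.items() if n >= fail_threshold)
    return unexpected, noisy
```

A root login from an address outside the allowlist is the one worth investigating immediately; the noisy IPs are the ones cpHulk already rate-limits, and a threshold rather than a per-IP blacklist keeps that list from growing without bound.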