How do I best handle cphulk reports and emails and IPs?

zackw

Active Member
Sep 30, 2010
I recently turned on cpHulk as per the security adviser. Its function makes sense, so I want to use it.
The first thing that happened is I started getting emails about "Root was logged into pam using following authentication service: system (sshd)"

It gives me an IP address. When I look up the IP, it's in the USA and is not in any blacklist, but I still don't recognize it, so my first question is, what sort of IPs should I expect to be causing these messages? Really, only I log in as root from my office, maybe from home, and my webhost where our dedicated server lives probably does too. I don't know why any other IP would log in as root, so it makes me wonder if I should blacklist all IPs and then whitelist the IPs I use, and those of my host?

In general though, what sort of protocol should I follow when I get these messages? Do you guys have a way to research IPs to see if they are legit or not? All I know about this IP is that it's in the USA, so I don't know if it's good or not!


My second question is this: when I log in to WHM and go to the cPHulk section and look at excessive login failures, some of these IPs are easier to research, 30 failed attempts from an IP coming from China for example. Ya, that's probably bad, so should I blacklist it? I've already got a dozen bad IPs by having Hulk on for a couple of days. I'm wondering if it's overkill to ban IPs left and right. I imagine the blacklist will grow to an enormous size over time, and it just doesn't seem efficient to do that. Should I try and ban entire countries? I really only expect users in the US. Or should I ignore them and let Hulk do its timeout thing on its own and leave it be?


So basically I'm asking, what are some good management protocols for cpHulk use? And how should I handle the email reports about successful logins as root? Should I just whitelist any IP I might use, and try to whitelist all IPs of my host? Not sure.


Thanks for any ideas!

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Hello :)

The notification you received indicates someone logged in as "root" under that IP address. Since it was through SSH, you can browse /var/log/secure to see if the log indicates any information about the login from that IP. Blacklisting IP addresses in cPHulk is fine, but generally if you know the IP addresses that should have access you could use "Host Access Control" in WHM to only allow access to those services from specified IP addresses. Also, administrators will typically block IP addresses with excessive failed login attempts in their firewall (CSF is often used).

Thank you.
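As an added illustration of the /var/log/secure check suggested above (example script, not from the thread and not part of cPanel or cPHulk): it pulls the "Accepted ... for root from <IP>" lines that sshd writes, counts logins per source IP, and reports any IP that is not on an allowlist of the addresses you expect (office, home, hosting provider). The log lines, allowlist IPs and file paths are constructed for the demo.

```shell
#!/bin/sh
# Added example: flag successful root SSH logins from IPs not on an allowlist.
# Everything below uses constructed data (RFC 5737 documentation addresses).

# Constructed sample of /var/log/secure
SAMPLE_LOG="${TMPDIR:-/tmp}/secure.sample.$$"
cat >"$SAMPLE_LOG" <<'EOF'
Oct  3 10:12:01 srv sshd[12345]: Accepted publickey for root from 203.0.113.5 port 51234 ssh2
Oct  3 10:15:44 srv sshd[12350]: Accepted password for root from 198.51.100.7 port 40022 ssh2
Oct  3 10:16:02 srv sshd[12352]: Failed password for root from 192.0.2.99 port 33001 ssh2
Oct  3 10:20:10 srv sshd[12360]: Accepted publickey for deploy from 192.0.2.10 port 51000 ssh2
Oct  3 10:25:30 srv sshd[12361]: Accepted publickey for root from 203.0.113.5 port 51240 ssh2
EOF

# Assumed allowlist (one IP per line): office, home, hosting provider
ALLOWLIST="${TMPDIR:-/tmp}/root-allowlist.sample.$$"
printf '%s\n' 203.0.113.5 203.0.113.6 192.0.2.200 >"$ALLOWLIST"
trap 'rm -f "$SAMPLE_LOG" "$ALLOWLIST"' EXIT

# root_login_ips LOG: prints "<ip> <count>" for each IP with a successful
# root login. Only "Accepted" lines count; failed attempts are cPHulk's job.
root_login_ips() {
    grep -E 'sshd\[[0-9]+\]: Accepted [a-z/-]+ for root from ' "$1" |
        sed -E 's/.* for root from ([0-9.]+) port .*/\1/' |
        sort | uniq -c | awk '{print $2, $1}'
}

# unexpected_root_logins LOG ALLOWLIST: root-login IPs absent from ALLOWLIST
unexpected_root_logins() {
    root_login_ips "$1" | awk -v list="$2" '
        BEGIN { while ((getline ip < list) > 0) allowed[ip] = 1 }
        !($1 in allowed) { print $1, "logins=" $2 }'
}

unexpected_root_logins "$SAMPLE_LOG" "$ALLOWLIST"
```

On a real server, point the two functions at /var/log/secure and your own allowlist file; any IP it prints is one you should be able to explain or treat as a candidate for Host Access Control or a firewall block.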