Large Number of Failed Login Attempts

Ali Nishu
Member
Jan 19, 2016
Dhaka, Bangladesh
cPanel Access Level
Website Owner
Hello,

In the last 3 days, I've received more than 70 mails with contents like the following:

2 failed login attempts to account computer (system) -- Large number of attempts from this IP

Here the "computer (system)" portion varies, as do the IP and country. Since the IP and origin country vary, I assume the attacker is using some sort of IP spoofing method.

How can I determine where the attacker is trying to log in? Does the 'computer' bit refer to the username used to log in? What do system/smtp/pop3 mean? Do they identify where he tried to log in?

Also, how can I ensure security? The password in WHM is generated using the password generator, so I guess that portion is covered.

Thanks in advance.
 
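As an added example (not part of the original post, and not cPanel's own tooling), the script below parses a batch of notifications shaped like the one quoted above, totals the failures per cPHulk service label and per source address, and reports whether the failures come from one host or are spread across many. The reasoning behind the verdict: a client that completes the TCP handshake and then sends a password cannot forge its source address, so many distinct IPs means many distinct hosts, not one spoofed attacker. The sample alerts are constructed; the "ip=... country=..." tail after the "|" is an assumption about where the mail carries the source address, and the thresholds in classify_sources are arbitrary tuning knobs.

```python
import re
from collections import Counter

# Constructed sample notifications, not mail from the thread. The text before "|"
# mirrors the cPHulk subject quoted in the thread; the "ip=... country=..." tail is
# an assumption about where the source address appears in the mail.
SAMPLE_ALERTS = [
    "2 failed login attempts to account computer (system) -- Large number of attempts from this IP | ip=203.0.113.10 country=BR",
    "3 failed login attempts to account computer (system) -- Large number of attempts from this IP | ip=203.0.113.44 country=CN",
    "2 failed login attempts to account admin (system) -- Large number of attempts from this IP | ip=198.51.100.23 country=RU",
    "5 failed login attempts to account root (system) -- Large number of attempts from this IP | ip=192.0.2.77 country=US",
    "2 failed login attempts to account computer (system) -- Large number of attempts from this IP | ip=203.0.113.91 country=VN",
    "1 failed login attempt to account computer (system) -- Large number of attempts from this IP | ip=198.51.100.8 country=IN",
    "2 failed login attempts to account sales@example.com (pop3) -- Large number of attempts from this IP | ip=192.0.2.130 country=UA",
    "4 failed login attempts to account info@example.com (smtp) -- Large number of attempts from this IP | ip=203.0.113.10 country=BR",
]

# Same number of mails, all from one host: what a single brute-forcer looks like.
SINGLE_SOURCE_ALERTS = [SAMPLE_ALERTS[0]] * 6

ALERT_RE = re.compile(
    r"^(?P<attempts>\d+) failed login attempts? to account (?P<account>\S+) "
    r"\((?P<service>\w+)\).*\bip=(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\b"
)


def parse_alert(line):
    """Return {'attempts', 'account', 'service', 'ip'} for one alert line, or None."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["attempts"] = int(fields["attempts"])
    return fields


def summarize_by_service(lines):
    """Per cPHulk service label: total failures, distinct source IPs, targeted accounts."""
    summary = {}
    for alert in filter(None, map(parse_alert, lines)):
        s = summary.setdefault(alert["service"], {"attempts": 0, "ips": set(), "accounts": set()})
        s["attempts"] += alert["attempts"]
        s["ips"].add(alert["ip"])
        s["accounts"].add(alert["account"])
    return summary


def classify_sources(lines, min_unique_ips=5, max_single_share=0.5):
    """'distributed' when failures are spread over many IPs with no dominant one
    (botnet-like), 'single-source' otherwise. Thresholds are arbitrary knobs."""
    per_ip = Counter()
    for alert in filter(None, map(parse_alert, lines)):
        per_ip[alert["ip"]] += alert["attempts"]
    if not per_ip:
        return "no-data"
    total = sum(per_ip.values())
    _top_ip, top_count = per_ip.most_common(1)[0]
    if len(per_ip) >= min_unique_ips and top_count / total <= max_single_share:
        return "distributed"
    return "single-source"


if __name__ == "__main__":
    for service, s in sorted(summarize_by_service(SAMPLE_ALERTS).items()):
        print(f"{service:7s} failures={s['attempts']:3d} sources={len(s['ips'])} "
              f"accounts={sorted(s['accounts'])}")
    print("verdict:", classify_sources(SAMPLE_ALERTS))
```

A "distributed" verdict is the case where blocking each IP after a few retries buys little, because the next host in the pool simply takes over; that is when restricting the service to known addresses matters more than per-IP blocking.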

24x7server
Well-Known Member
Apr 17, 2013
India
cPanel Access Level
Root Administrator
Hello :),

If you have installed the CSF firewall on your server, then I suggest you enable login failure detection for your services, so that the CSF firewall will automatically block such IPs on your server.
 

Ali Nishu
Hello again,

Most of the login attempts are to the system; very few are pop3 and smtp. Is there any way to determine whether it is cPanel, SSH or WHM from the 'system' keyword?

Since the attempts are each coming from different IPs, I guess some sort of IP spoofing method is used. In that case, will blocking IPs be effective? The attacker just switches to a different one when it gets blocked by cPHulk after a couple of retries.

I just found that WHM's Host Access Control area can restrict login by IP. If I add the following lines there, will it help to prevent attacks?

Daemon | Access List | Action
------ | ----------- | ------
system | <my ip>     | allow
system | all         | deny

Is there any chance that I could accidentally lock myself out of the system by modifying WHM's Host Access Control like that?

Thanks in advance.
 

cPanelMichael
Administrator
Staff member
Apr 11, 2011

Ali Nishu
Hello again,

I don't have the "Username-based Protection" option on my cPHulk Brute Force Protection page (my WHM version is 11.44.3 (build 1)).

I added whostmgrd, cpaneld and sshd in separate fields (allow for my IP and deny for ALL), but I'm still getting failed login attempt mails from different IPs. Could 'system' mean any other services besides those 3?

Please help. Thanks in advance.
 

keat63
Well-Known Member
Nov 20, 2014
cPanel Access Level
Root Administrator
It may not be IP spoofing; if you're getting lots, then it's probably more likely bots or zombies (infected PCs).

If you don't have it already, then install CSF.
It's free, just about works out of the box, takes 10 minutes to install, and offers far more protection than cPHulk alone.

If you modify Host Access Control, make sure you have an emergency backdoor at least.
Add a number of trusted IPs or subnets.
Maybe contact your host/server provider and add their IP too.

My home ISP issues dynamic IPs, so I added a number of class C subnets.
My work is static.

Provided my work IP and home IPs don't change at the same time, I have a way in.
And if they fail, my data centre should still be able to gain access.
 
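An added example, not code from the thread or from cPanel, for the two posts above: the Host Access Control rule list Ali proposed and keat63's advice to keep an emergency way in. It models the rule semantics Host Access Control inherits from TCP wrappers (/etc/hosts.allow): rules are tried top to bottom, the first one whose daemon and address pattern match decides, and with no match the connection is allowed. Those semantics, and the restriction of address patterns to a single IP or a CIDR block, are assumptions of this model; the daemon names are the ones used later in the thread and all addresses are documentation ranges. lockout_check answers the question actually asked: given the rules, from which of your own addresses would you be refused?

```python
import ipaddress

# Rule list in the order WHM would apply it, modelled on the thread's later post
# (whostmgrd, cpaneld, sshd allowed from one IP, then deny ALL). The 192.0.2.0/24
# entry is the "home subnet" emergency backdoor keat63 describes; note it was only
# added for whostmgrd. Daemon names are from the thread; addresses are documentation
# ranges (constructed, not from any real server).
RULES = [
    ("whostmgrd", "198.51.100.7", "allow"),   # work (static) IP
    ("whostmgrd", "192.0.2.0/24", "allow"),   # home ISP range (dynamic)
    ("whostmgrd", "ALL",          "deny"),
    ("cpaneld",   "198.51.100.7", "allow"),
    ("cpaneld",   "ALL",          "deny"),
    ("sshd",      "198.51.100.7", "allow"),   # home range forgotten here
    ("sshd",      "ALL",          "deny"),
]


def _pattern_matches(pattern, ip):
    """Accept 'ALL', a single address, or a CIDR block. This is a simplification
    (assumption) of the full TCP-wrappers pattern syntax."""
    if pattern.upper() == "ALL":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)


def decide(rules, daemon, ip):
    """First matching rule wins, as in /etc/hosts.allow; no match means allow."""
    for rule_daemon, pattern, action in rules:
        if rule_daemon.upper() in ("ALL", daemon.upper()) and _pattern_matches(pattern, ip):
            return action
    return "allow"


def lockout_check(rules, daemons, trusted_ips):
    """Return the (daemon, ip) pairs from which *you* would be refused. An empty
    list means every trusted address still reaches every listed daemon."""
    return [(d, ip) for d in daemons for ip in trusted_ips
            if decide(rules, d, ip) != "allow"]


if __name__ == "__main__":
    trusted = ["198.51.100.7", "192.0.2.55"]      # work IP and today's home IP
    print("attacker via sshd:", decide(RULES, "sshd", "203.0.113.9"))
    print("locked out from:", lockout_check(RULES, ["whostmgrd", "cpaneld", "sshd"], trusted))
```

With the rules as written the attacker is denied, but so is the home address for cpaneld and sshd: the backdoor subnet only covers whostmgrd, which is exactly the kind of gap keat63 warns about. Order matters too; putting the "deny ALL" line above the allow lines denies everything, including the trusted IP. A model like this is a sanity check, not a substitute for the real test: keep one working session open and confirm a fresh login from each trusted address before relying on the new rules.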

cPanelMichael
> I don't have the "Username-based Protection" option on my cPHulk Brute Force Protection page (my WHM version is 11.44.3 (build 1)).
It's important to note that cPanel version 11.44 is end-of-life. I suggest updating to a supported version of cPanel as soon as possible.

Thank you.
 

Ali Nishu
Thanks for the replies. About updating cPanel: in Server Configuration » Update Preferences, I see the Release Tier is set to CURRENT 11.54.0.8, but Daily Updates is set to Manual Updates Only; the other two options (Operating System Package Updates and SpamAssassin® Rules Updates) are set to Automatic. Should I change Daily Updates to Automatic too? Is there any chance of data loss or any sort of issues while updating? Thanks in advance.
 

keat63
I prefer to perform manual updates.
At least this way, I can watch the forum to see if there are any issues and wait until they've been ironed out.
I perform updates every few months.
 

Ali Nishu
OK, understood, manual update is preferable.
Yesterday I contacted cPanel support; those good guys updated WHM, it's 54 (build 8) now. I don't know if it's related or not, but I'm not receiving mails regarding login attempts. I guess I'll wait a few days and see.
 

Infopro
Well-Known Member
May 20, 2003
Pennsylvania
cPanel Access Level
Root Administrator
> OK, understood, manual update is preferable.

Automatic updates are fine; staying on STABLE or RELEASE should be preferred if you're concerned about updates changing things you're not ready for.

> I'm not receiving mails regarding login attempts. I guess I'll wait a few days and see.

Changes have been made to these alerts. Assuming you have root access to WHM, you'll find the settings here; go through them again to suit your needs:
WHM » Server Contacts » Contact Manager

In your cPanel, you'll find settings for an account under Contact Information.
 

Ali Nishu
Thanks, I checked the cPHulk Brute Force page.

The Contact Manager's notification setting for cPHulkd Brute Force is Low, which seems to mean no email, but on the cPHulk Brute Force page's configuration settings, at the bottom of the page, the 'Send a notification when the system detects a brute force user' checkbox is selected. Aren't those conflicting, then?
 

cPanelMichael
It's normal to not receive the notification if you have configured cPHulk notifications to not send you an email in "WHM >> Contact Manager".

Thank you.