The Community Forums


Large Number of Failed Login Attempts

Discussion in 'Security' started by Ali Nishu, Jan 20, 2016.

  1. Ali Nishu

    Ali Nishu Member

    Joined:
    Jan 19, 2016
    Messages:
    10
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Dhaka, Bangladesh
    cPanel Access Level:
    Website Owner
    Hello,

    In the last 3 days, I've received more than 70 mails with contents like the following:

    2 failed login attempts to account computer (system) -- Large number of attempts from this IP

    Here the "computer (system)" portion varies, as well as the IP and country. The IP and origin country vary, so I assume the attacker is using some sort of IP spoofing method.

    How can I determine where the attacker is trying to log in? Does the 'computer' bit refer to the username used to log in? What does system/smtp/pop3 mean? Does it identify where he tried to log in?

    Also, how can I ensure security? The password in WHM is generated using the password generator, so I guess that portion is covered.

    Thanks in advance.
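One way to answer "where are the attempts going" from a pile of these mails is to parse the notification line and aggregate by service, account and source IP. This is an added example, not code from the thread or from cPanel; the records below are constructed (the IP and country columns stand in for the values the post says vary from mail to mail), and the regex assumes the exact wording quoted above.

```python
import re
from collections import Counter, defaultdict

# Constructed sample records (source IP, country, notification line).
# The notification wording is the one quoted in the post; the IPs are documentation ranges.
SAMPLE_RECORDS = [
    ("203.0.113.10", "CN", "2 failed login attempts to account computer (system) -- Large number of attempts from this IP"),
    ("198.51.100.7", "BR", "3 failed login attempts to account admin (system) -- Large number of attempts from this IP"),
    ("203.0.113.10", "CN", "5 failed login attempts to account computer (system) -- Large number of attempts from this IP"),
    ("192.0.2.44", "US", "2 failed login attempts to account info (pop3) -- Large number of attempts from this IP"),
    ("198.51.100.9", "RU", "4 failed login attempts to account computer (smtp) -- Large number of attempts from this IP"),
]

# "<n> failed login attempts to account <account> (<service>) -- ..."
NOTICE_RE = re.compile(
    r"^(?P<count>\d+) failed login attempts? to account (?P<account>\S+) \((?P<service>[a-z0-9]+)\)"
)


def parse_notice(message):
    """Return (count, account, service) for one notification line, or None if it does not match."""
    m = NOTICE_RE.match(message)
    if not m:
        return None
    return int(m.group("count")), m.group("account"), m.group("service")


def summarize(records):
    """Aggregate attempts per service and per account, and count distinct source IPs per service.

    Many distinct IPs with a handful of attempts each points to a distributed source,
    which is the case where blocking single IPs one at a time buys little.
    """
    attempts_by_service = Counter()
    attempts_by_account = Counter()
    ips_by_service = defaultdict(set)
    for ip, _country, message in records:
        parsed = parse_notice(message)
        if parsed is None:
            continue  # skip mails that are not login-failure notices
        count, account, service = parsed
        attempts_by_service[service] += count
        attempts_by_account[account] += count
        ips_by_service[service].add(ip)
    return {
        "attempts_by_service": dict(attempts_by_service),
        "attempts_by_account": dict(attempts_by_account),
        "distinct_ips_by_service": {s: len(ips) for s, ips in ips_by_service.items()},
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_RECORDS).items():
        print(key, value)
```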
     
  2. 24x7server

    24x7server Well-Known Member

    Joined:
    Apr 17, 2013
    Messages:
    1,146
    Likes Received:
    34
    Trophy Points:
    48
    Location:
    India
    cPanel Access Level:
    Root Administrator
    Hello :),

    If you have the CSF firewall installed on your server, then I suggest you enable login failure detection for your services, so that the CSF firewall will automatically block such IPs on your server.
     
  3. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,854
    Likes Received:
    675
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
  4. Ali Nishu

    Hello All :),

    Thanks for your kind reply :). I'm checking the cPHulk docs now.
     
  5. Ali Nishu

    Hello again,

    Most of the login attempts are to the system; very few are pop3 and smtp. Is there any way to determine whether it is cPanel, SSH or WHM from the 'system' keyword?

    Since each attempt is coming from a different IP, I guess some sort of IP spoofing method is used. In that case, will blocking IPs be effective, as the attacker just switches to a different one when it gets blocked by cPHulk after a couple of retries?

    I just found that WHM's Host Access Control area can restrict login by IP. If I add the following lines in there, will it help to prevent attacks?

    Daemon | Access List | Action
    ------ | ----------- | ------
    system | <my ip>     | allow
    system | all         | deny

    Is there any chance that I could accidentally lock myself out of the system by modifying WHM's Host Access Control like that?

    Thanks in advance.
     
  6. cPanelMichael

  7. Ali Nishu

    Hello again,

    I don't have the "Username-based Protection" option in my cPHulk Brute Force Protection page (my WHM version is 11.44.3 (build 1)).

    I added whostmgrd, cpaneld and sshd in separate fields (allow for my IP and deny for ALL), but I'm still getting failed login attempt mails from different IPs. Could 'system' mean any other services besides those 3?

    Please help. Thanks in advance.
     
  8. keat63

    keat63 Well-Known Member

    Joined:
    Nov 20, 2014
    Messages:
    765
    Likes Received:
    20
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    It may not be IP spoofing; if you're getting lots, then it's probably more likely bots or zombies (infected PCs).

    If you don't have it already, then install CSF.
    It's free, just about works out of the box, takes 10 minutes to install, and offers far more protection than cPHulk alone.

    If you modify Host Access Control, make sure you have an emergency backdoor at least.
    Add a number of trusted IPs or subnets.
    Maybe contact your host/server provider and add their IP too.

    My home ISP issues dynamic IPs, so I added a number of class C subnets.
    My work is static.

    Provided my work IP and home IPs don't change at the same time, I have a way in.
    And if they fail, my data centre should still be able to gain access.
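The lockout question raised earlier (the allow-one-IP, deny-ALL ruleset) and the advice just above (several trusted IPs or subnets plus the provider's range) can be checked before anything is saved in WHM by simulating the rule evaluation. This is an added example, not code from the thread or from cPanel; it assumes the first-match, top-to-bottom semantics of TCP wrappers (/etc/hosts.allow), which Host Access Control writes out, uses the whostmgrd daemon name mentioned later in the thread, and the IPs and rules are constructed.

```python
import ipaddress

# Constructed rule sets in the Daemon / Access List / Action form of the WHM page.
# Rules are evaluated top to bottom; the first line matching both daemon and client decides.
PROPOSED_RULES = [  # the ruleset asked about in the thread: one admin IP, then deny everyone
    ("whostmgrd", "203.0.113.5", "allow"),
    ("whostmgrd", "ALL", "deny"),
]
SAFER_RULES = [  # the same intent with a static work IP, a home ISP range and the provider's block
    ("whostmgrd", "203.0.113.5", "allow"),    # work (static)
    ("whostmgrd", "198.51.100.", "allow"),    # home ISP range, trailing-dot prefix form
    ("whostmgrd", "192.0.2.0/24", "allow"),   # data centre / provider range, CIDR form
    ("whostmgrd", "ALL", "deny"),
]


def entry_matches(entry, ip):
    """Match one access-list entry: ALL, a trailing-dot prefix, a CIDR block, or an exact IP."""
    if entry.upper() == "ALL":
        return True
    if entry.endswith("."):
        return ip.startswith(entry)
    if "/" in entry:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(entry, strict=False)
    return ip == entry


def decide(rules, daemon, ip):
    """First-match evaluation; with no matching rule TCP wrappers lets the connection through."""
    for rule_daemon, access_list, action in rules:
        if rule_daemon != daemon and rule_daemon.upper() != "ALL":
            continue
        if any(entry_matches(e.strip(), ip) for e in access_list.split(",")):
            return action
    return "allow"


def lockout_risks(rules, daemon, trusted_ips):
    """Return the trusted IPs the rules would deny; a non-empty list means the admin can be locked out."""
    return [ip for ip in trusted_ips if decide(rules, daemon, ip) == "deny"]


if __name__ == "__main__":
    admins = ["203.0.113.5", "198.51.100.77", "192.0.2.9"]  # work, home (dynamic), provider
    print("proposed ruleset locks out:", lockout_risks(PROPOSED_RULES, "whostmgrd", admins))
    print("safer ruleset locks out:   ", lockout_risks(SAFER_RULES, "whostmgrd", admins))
```

Run the check with every address you might need to come back from; an empty list for the safer ruleset is the point, and the proposed one shows exactly which of your own addresses it would turn away.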
     
  9. Ali Nishu

    Thanks for your valuable input. I'll read more about CSF. I'm also worried about locking myself out in the process of modifying host access control.
     
  10. cPanelMichael

    It's important to note that cPanel version 11.44 is end-of-life. I suggest updating to a supported version of cPanel as soon as possible.

    Thank you.
     
  11. Ali Nishu

    Thanks for the replies. About updating cPanel: from Server Configuration » Update Preferences, I see the Release Tier is set to CURRENT 11.54.0.8, but Daily Updates is set as Manual Updates Only; the other two options (Operating System Package Updates and SpamAssassin® Rules Updates) are set as Automatic. Should I change Daily Updates to Automatic too? Is there any chance of data loss or any sort of issues while updating? Thanks in advance.
     
  12. keat63

    I prefer to perform manual updates.
    At least this way, I can watch the forum to see if there are any issues and wait until they've been ironed out.
    I perform updates every few months.
     
  13. Ali Nishu

    OK, understood, manual update is preferable.
    Yesterday I contacted cPanel support; those good guys updated WHM, it's 54 (build 8) now. I don't know if it's related or not, but I'm not receiving mails regarding login attempts; I guess I'll wait a few days and see.
     
  14. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,474
    Likes Received:
    202
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Automatic updates are fine; staying on STABLE or RELEASE should be preferred if you're concerned about updates changing things you're not ready for.

    Changes have been made to these alerts. Assuming you have root access to WHM, you'll find the settings here that you should go through again to suit your needs:
    WHM » Server Contacts » Contact Manager

    In your cPanel, you'll find settings for an account under Contact Information.
     
  15. Ali Nishu

    I see, the cPHulkd settings are set as low, therefore I'm not getting any emails anymore. If that's no big issue, then I guess it can stay like that. Thanks for the info.
     
  16. Infopro

    You might want to check your settings for cPHulk Notifications, here:
    Home » Security Center » cPHulk Brute Force Protection, bottom of page.
     
  17. Ali Nishu

    Thanks, I checked the cPHulk Brute Force page.

    Contact Manager's notification setting for cPHulkd Brute Force is low, which seems to mean no email, but on the cPHulk Brute Force page's configuration settings, at the bottom of the page, the 'Send a notification when the system detects a brute force user' checkbox is selected. Aren't those conflicting then?
     
  18. cPanelMichael

    It's normal to not receive the notification if you have configured cPHulk notifications to not send you an email in "WHM >> Contact Manager".

    Thank you.
     
  19. Ali Nishu

    Understood; as long as it isn't a threat, I guess it's OK if I don't receive emails.

    Thanks everyone for your valuable inputs.
     