Large Number of Failed Login Attempts

Ali Nishu · Jan 20, 2016

Hello,

in the last 3 days, i've received more than 70 mails with contents like following:

2 failed login attempts to account computer (system) -- Large number of attempts from this IP

here "computer (system)" portion varies as well as IP and country. IP and Origin country varies, so i assume the attacker is using some sort of IP spoofing method.

How can i determine where the attacker is trying to login? Is the 'computer' bit refers to the username tried to login? what does system/smtp/pop3 means? does it identifies where he tried to log in?

Also how can i ensure security? The password in WHM is generated using the password generator, so i guess that portion is covered.

Thanks in advance.

24x7server · Jan 20, 2016

Hello

,

If you have installed CSF firewall on your server then I will suggest you please enable login failure detection for your services, so that CSF firewall will automatically block such IP on your server.

cPanelMichael · Jan 20, 2016

Hello

You can enable cPHulk to track failed login attempts and review which service the user attempted to authenticate with:

cPHulk Brute Force Protection - Documentation - cPanel Documentation

Thank you.

Ali Nishu · Jan 20, 2016

Hello All

,

Thanks for your kind reply

. I'm checking the cPHulk docs now.

Ali Nishu · Jan 20, 2016

Hello again,

Most of the login attempts are to the system, very few are pop3 and smtp, is there any way to determine it is to either cPanel, SSH or WHM from the 'system' keyword?

Since each attempts are coming from different IPs, i guess some sort of IP spoofing method is used, in that case, is blocking IP will be effective? as the attacker just switches to a different one when it gets blocked by cPHulk after a couple of retries.

I just found WHM's Host Access Control area can restrict login by IP, if i add following lines in there will it help to prevent attacks?

Daemon | Access List | Action
===================
system | <my ip> | allow
system | all | deny

Is there any chance that i could accidentally block myself out from the system by modifying WHM's Host Access Control to that?

Thanks in advance.

cPanelMichael · Jan 21, 2016

cPhulk offers username-based protection in addition to IP-based protection:

cPHulk Brute Force Protection - Documentation - cPanel Documentation

As far as the "Host Access Control" option, yes, you can restrict services to specific IP addresses:

Host Access Control - Documentation - cPanel Documentation

However, "system" is not a valid service. You must select individual services such as cPanel or WHM.

Thank you.

Ali Nishu · Jan 27, 2016

Hello again,

I don't have the "Username-based Protection" option in my cPHulk Brute Force Protection page (my WHM version is 11.44.3 (build 1)).

I added both whostmgrd, cpaneld and sshd in separate fields, (allow for my IP and deny for ALL), but i'm still getting failed login attempt mail from different IPs, does 'system' could mean any other services beside those 3?

Please help. Thanks in advance.

keat63 · Jan 27, 2016

It may not be IP spoofing, if your'e getting lots then it's probably more likely bots or zombies. (Infected PC's)

If you don't have it already, then install CSF.
It's free, just about works out of the box, takes 10 minutes to install, and offers far more protection than CPHulk alone.

If you modify HostAccess Control, make sure you have an emergency backdoor at least.
Add a number of trusted IP's or subnets.
Maybe contact your host/server provider and add thier IP too.

My home ISP issues dynamic IP, so I added a number of class c subnets.
My work is static.

Provided my work IP and home IP's don't change at the same time, i have a way in.
And if they fail, my data centre should still be able to gain access.

Ali Nishu · Jan 27, 2016

Thanks for your valuable input. I'll read more about CSF. I'm also worried about locking myself out in the process of modifying host access control.

cPanelMichael · Jan 27, 2016

Ali Nishu said:
I don't have the "Username-based Protection" option in my cPHulk Brute Force Protection page (my WHM version is 11.44.3 (build 1)).

It's important to note that cPanel version 11.44 is end-of-life. I suggest updating to a supported version of cPanel as soon as possible.

Thank you.

Ali Nishu · Jan 30, 2016

Thanks for the replies, about updating cPanel, from the Server Configuration »Update Preferences, i see the Release Tier is set to CURRENT 11.54.0.8, but Daily Updates is set as Manual Updates Only, other two options (Operating System Package Updates and SpamAssassin® Rules Updates) are set as Automatic. Should i change Daily Updates to Automatic too? is there any chance of data loss or any sort of issues while updating? Thanks in advance.

keat63 · Feb 1, 2016

I prefer to perform manual updates.
At least this way, I can watch the forum to see if there are any issues and wait until they've been ironed out.
I perform updates every few months.

Ali Nishu · Feb 1, 2016

ok, understood, manual update is preferable.
yesterday i contacted cpanel service, those good guys updated the whm, its 54(build 8) now. i don't know if it's related or not, but i'm not receiving mails regarding login attempt, i guess i'll wait a few days and see.

Infopro · Feb 1, 2016

Ali Nishu said:
New ok, understood, manual update is preferable.

Automatic updates are fine, staying on STABLE, or RELEASE should be preferred if you're concerned about updates changing things you're not ready for.

Ali Nishu said:
i'm not receiving mails regarding login attempt, i guess i'll wait a few days and see.

Changes have been made to these alerts. Assuming you have root access to WHM, you'll find the settings here that you should go thru again to suite your needs:
WHM »Server Contacts »Contact Manager

In your cPanel, you'll find settings for an account under Contact Information.

Ali Nishu · Feb 1, 2016

i see, cPHulkd settings are set as low, therefore i'm not getting any email's anymore, if that's no big issue, then i guess it can stay like that, thanks for the info.

Infopro · Feb 1, 2016

You might want to check your settings for cPHulk Notifications, here:
Home »Security Center »cPHulk Brute Force Protection, bottom of page.

Ali Nishu · Feb 3, 2016

Thanks, i checked the CPHulk Brute Force page,

Contact Manager's notification settings for cPHulkd Brute Force is low, which seems to mean no email, but from cPHulk brute force page's configuration settings, at the bottom of page, 'Send a notification when the system detects a brute force user' checkbox is selected, aren't those conflicting then?

cPanelMichael · Feb 4, 2016

It's normal to not receive the notification if you have configured cPHulk notifications to not send you an email in "WHM >> Contact Manager".

Thank you.

Ali Nishu · Feb 7, 2016

cPanelMichael said:
It's normal to not receive the notification if you have configured cPHulk notifications to not send you an email in "WHM >> Contact Manager".

Thank you.

Understood, as long as it isn't a threat, i guess it's ok if i don't receive emails.

Thanks everyone for your valuable inputs.

Thread starter	Similar threads	Forum	Replies	Date
K	Excessive Number of Failed Login/Large Number of Failed Login	Security	5	Jan 30, 2015
K	stop annoying emails sent " Large Number of Failed Login Attempts from IP"	Security	1	Jan 20, 2015
C	Large Number of Failed Logins	Security	5	Nov 25, 2014
S	Large number of failed login attempts - my own IP	Security	6	Apr 29, 2014
M	Large Number of Failed Login Attempts	Security	2	Apr 10, 2014

Large Number of Failed Login Attempts

Member

Well-Known Member

Administrator

Member

Member

Administrator

Member

Well-Known Member

Member

Administrator

Member

Well-Known Member

Member

Well-Known Member

Member

Well-Known Member

Member

Administrator

Member