Limit number of brute force emails?

ard.alberto

Hello

I am having problems with my server.

I activated the CSF/LFD firewall and have blocked more than 50 countries, but I'm still getting approximately 90 notifications per hour of IPs trying to gain access by brute force to emails and cPanel.
Code:
CC_DENY = RU,KR,VN,FR,TW,IN,SG,ID,PL,CN,BR,IE,PT,DE,IT,IR,TH,JP,UA,NL,CZ,AL,HR,HK,KZ,PK,RS,BD,BZ,TR,KE,ZW,MY,AW,RO,ZA,SC,PH,SD,HK,AU,SE,MU,LV,NA,AR,NZ,SV,BG,VE
These are some of the messages:
Code:
Time: Wed Apr 10 14:31:01 2019 -0500
IP: 38.140.192.165 (US/United States/-)
Failures: 5 (cpanel)
Interval: 3600 seconds
Blocked: Temporary Block for 900 seconds [LF_CPANEL]
Log entries:
Code:
[2019-04-10 13:37:14 -0500] info [cpaneld] 38.140.192.165 - - "HEAD / HTTP/1.1" FAILED LOGIN cpaneld: user name not provided or invalid user
[2019-04-10 13:51:01 -0500] info [cpaneld] 38.140.192.165 - - "HEAD / HTTP/1.1" FAILED LOGIN cpaneld: user name not provided or invalid user
[2019-04-10 14:20:17 -0500] info [cpaneld] 38.140.192.165 - - "HEAD / HTTP/1.1" FAILED LOGIN cpaneld: user name not provided or invalid user
[2019-04-10 14:29:03 -0500] info [cpaneld] 38.140.192.165 - - "HEAD / HTTP/1.1" FAILED LOGIN cpaneld: user name not provided or invalid user
[2019-04-10 14:30:56 -0500] info [cpaneld] 38.140.192.165 - - "HEAD / HTTP/1.1" FAILED LOGIN cpaneld: user name not provided or invalid user
I have the firewall properly configured, but I do not know how I can prevent so many connections from reaching my server.

Could you help me?
 


fuzzylogic

Have you tried...
Code:
LF_CPANEL = 5              Default: 5 [0-100]
LF_CPANEL_PERM = 1         Default: 1 [0-604800]
You are only blocking them for 15 minutes.
If you have these settings for a few days then most of the offending IPs will be in the csf.deny list.
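
An added example, not part of the original thread and not lfd's own code: a simplified model of how the failure count in the alerts above turns into a block. It parses cpaneld log lines in the format quoted in the first post and applies the threshold (LF_CPANEL), the counting window (the "Interval: 3600 seconds" in the alert) and LF_CPANEL_PERM, where 1 means a permanent block and a larger value is a temporary block in seconds. The function name, parameter names and sample addresses are assumptions made for the illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample in the cpaneld log format quoted in this thread.
# 192.0.2.10 and 198.51.100.7 are documentation addresses, not real hosts.
TAIL = '- - "HEAD / HTTP/1.1" FAILED LOGIN cpaneld: user name not provided or invalid user'
SAMPLE_LOG = "\n".join(
    f"[2019-04-10 {t} -0500] info [cpaneld] {ip} {TAIL}"
    for t, ip in [
        ("12:00:05", "198.51.100.7"), ("12:30:00", "198.51.100.7"),
        ("13:00:00", "198.51.100.7"), ("13:20:00", "198.51.100.7"),
        ("13:37:14", "192.0.2.10"), ("13:40:00", "198.51.100.7"),
        ("13:51:01", "192.0.2.10"), ("14:20:17", "192.0.2.10"),
        ("14:29:03", "192.0.2.10"), ("14:30:56", "192.0.2.10"),
    ]
)

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] info \[cpaneld\] (?P<ip>\S+) .*FAILED LOGIN")

def evaluate(log_text, lf_cpanel=5, lf_interval=3600, lf_cpanel_perm=1):
    """Return {ip: (trigger_time, action)} for every IP that reaches
    lf_cpanel failed logins inside a sliding window of lf_interval seconds."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still in the window
    blocked = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["ip"] in blocked:
            continue              # not a failed login, or this IP is already blocked
        when = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S %z")
        window = recent[m["ip"]]
        window.append(when)
        # Drop failures that have aged out of the counting interval.
        while (when - window[0]).total_seconds() > lf_interval:
            window.popleft()
        if len(window) >= lf_cpanel:
            # 1 = permanent (entry lands in csf.deny); >1 = temporary block, in seconds.
            action = "permanent" if lf_cpanel_perm == 1 else f"temporary {lf_cpanel_perm}s"
            blocked[m["ip"]] = (when, action)
    return blocked

if __name__ == "__main__":
    for ip, (when, action) in evaluate(SAMPLE_LOG).items():
        print(f"{ip}: {action} block triggered at {when:%H:%M:%S}")
```

In the sample, 198.51.100.7 also fails five times but spreads the attempts over more than an hour, so it never reaches the threshold inside the window; only the interval or the threshold changes that, not the block duration.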
 

fuzzylogic

I have only 30+ out of 1000 in my csf.deny that have the comment fragment....
# lfd: (PERMBLOCK)

This is probably due to my having cxs installed with all configserver blocklists active except CXS_LF_DIRECTADMIN and CXS_LF_WEBMIN.
In particular, CXS_LF_CPANEL has 700+ IPs listed while CXS_LF_POP3D has 500+
I assume the IPs being added to your csf.deny are already in these two blocklists.
 

wahuu

Hi fuzzylogic,

Can you resolve a similar case (lots of lfd notification emails) that I am facing as well:

Time: Thu Apr 11 12:38:19 2019 -0700
IP: 142.93.xxx.xxx (DE/Germany/-)
Failures: 5 (cpanel)
Interval: 3600 seconds
Blocked: Permanent Block [LF_CPANEL]

Log entries:

[2019-04-11 12:31:51 -0700] info [cpaneld] 149.129.xxx.xxx - - "HEAD / HTTP/1.1" FAILED LOGIN cpaneld: user name not provided or invalid user
[2019-04-11 12:50:07 -0700] info [cpaneld] 149.129.xxx.xxx - - "HEAD / HTTP/1.1" FAILED LOGIN cpaneld: user name not provided or invalid user
[2019-04-11 12:57:23 -0700] info [cpaneld] 149.129.xxx.xxx - - "HEAD / HTTP/1.1" FAILED LOGIN cpaneld: user name not provided or invalid user
[2019-04-11 13:16:43 -0700] info [cpaneld] 149.129.xxx.xxx - - "HEAD / HTTP/1.1" FAILED LOGIN cpaneld: user name not provided or invalid user
[2019-04-11 13:18:16 -0700] info [cpaneld] 149.129.xxx.xxx - - "HEAD / HTTP/1.1" FAILED LOGIN cpaneld: user name not provided or invalid user
 

fuzzylogic

> Hi fuzzylogic
> How can I activate the lists: CXS_LF_CPANEL and CXS_LF_POP3

I should have been more clear.
Configserver Exploit Scanner (CXS) is a paid plugin from Configserver.
It is not the same plugin as ConfigServer Security & Firewall (CSF).

If you have both CXS and CSF installed then you can enable CXS IP Reputation System and edit which blocklists to use from within the plugin.

I was not trying to advise you to get it, just trying to explain the differences in our csf.deny listings.
 

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,295
1,272
313
Houston