Limit number of brute force emails?

Discussion in 'Security' started by ard.alberto, Apr 10, 2019.

  1. ard.alberto

    Hello

    I am having problems with my server.

    I activated the CSF / LFD firewall and have blocked more than 50 countries, but I'm still getting approximately 90 notifications per hour of IPs trying to gain access by brute force to emails and cPanel.
    Code:
    CC_DENY = RU,KR,VN,FR,TW,IN,SG,ID,PL,CN,BR,IE,PT,DE,IT,IR,TH,JP,UA,NL,CZ,AL,HR,HK,KZ,PK,RS,BD,BZ,TR,KE,ZW,MY,AW,RO,ZA,SC,PH,SD,HK,AU,SE,MU,LV,NA,AR,NZ,SV,BG,VE
    
    These are some of the messages:
    Code:
    Time: Wed Apr 10 14:31:01 2019 -0500
    IP: 38.140.192.165 (US/United States/-)
    Failures: 5 (cpanel)
    Interval: 3600 seconds
    Blocked: Temporary Block for 900 seconds [LF_CPANEL]
    
    Log entries:
    Code:
    [2019-04-10 13:37:14 -0500] info [cpaneld] 38.140.192.165 - - "HEAD / HTTP/1.1" FAILED LOGIN cpaneld: user name not provided or invalid user
    [2019-04-10 13:51:01 -0500] info [cpaneld] 38.140.192.165 - - "HEAD / HTTP/1.1" FAILED LOGIN cpaneld: user name not provided or invalid user
    [2019-04-10 14:20:17 -0500] info [cpaneld] 38.140.192.165 - - "HEAD / HTTP/1.1" FAILED LOGIN cpaneld: user name not provided or invalid user
    [2019-04-10 14:29:03 -0500] info [cpaneld] 38.140.192.165 - - "HEAD / HTTP/1.1" FAILED LOGIN cpaneld: user name not provided or invalid user
    [2019-04-10 14:30:56 -0500] info [cpaneld] 38.140.192.165 - - "HEAD / HTTP/1.1" FAILED LOGIN cpaneld: user name not provided or invalid user
    
    I have the firewall properly configured, but I do not know how I can prevent so many connections from reaching my server.

    Could you help me?
     

    #1 ard.alberto, Apr 10, 2019
    Last edited by a moderator: Apr 11, 2019
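The alert quoted in the post above reports 5 failures inside a 3600-second interval, even though the attempts are spaced many minutes apart. As an added example (not part of the original post and not lfd's own code), this simplified sliding-window model replays the five quoted log lines plus constructed lines for the documentation address 203.0.113.9; the function name `find_triggers` and its parameters are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Log line template in the cpaneld format quoted in the post.
FMT = ('[2019-04-10 {} -0500] info [cpaneld] {} - - "HEAD / HTTP/1.1" '
       'FAILED LOGIN cpaneld: user name not provided or invalid user')

SAMPLE_LOG = "\n".join(
    # Constructed: five failures spread over more than one hour.
    [FMT.format(t, "203.0.113.9")
     for t in ("11:00:00", "11:30:00", "12:00:00", "12:20:00", "12:40:00")]
    # Timestamps and IP of the five lines quoted in the post.
    + [FMT.format(t, "38.140.192.165")
       for t in ("13:37:14", "13:51:01", "14:20:17", "14:29:03", "14:30:56")]
)

LINE_RE = re.compile(
    r'^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} [+-]\d{4})\] info '
    r'\[cpaneld\] (?P<ip>\S+) .* FAILED LOGIN cpaneld:'
)

def find_triggers(log_text, threshold=5, interval=3600):
    """Return [(ip, time)] each time an IP reaches `threshold` failures
    within a sliding window of `interval` seconds (simplified model)."""
    window = defaultdict(deque)
    triggers = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a failed cpaneld login line
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S %z")
        q = window[m["ip"]]
        q.append(ts)
        # Forget failures that fell out of the counting interval.
        while (ts - q[0]).total_seconds() > interval:
            q.popleft()
        if len(q) >= threshold:
            triggers.append((m["ip"], ts))
            q.clear()  # start counting again after a trigger
    return triggers

if __name__ == "__main__":
    for ip, when in find_triggers(SAMPLE_LOG):
        print(f"{ip} reached the threshold at {when}")
```

In this model each distinct source address that reaches the threshold produces its own trigger, so alert volume follows the number of distinct IPs rather than the number of requests.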
  2. fuzzylogic

    Have you tried...
    Code:
    LF_CPANEL = 5              Default: 5 [0-100]
    LF_CPANEL_PERM = 1         Default: 1 [0-604800]

    You are only blocking them for 15 minutes.
    If you have these settings for a few days then most of the offending IPs will be in the csf.deny list.
     
  3. ard.alberto

    Hi fuzzylogic

    LF_CPANEL = 5
    LF_CPANEL_PERM = 1

    I have it configured this way. It has been active on the firewall for 24 hours, and there are still many new IPs that continue to be blocked.

    There are more than 200 IPs blocked.
     
  4. fuzzylogic

    I have only 30+ out of 1000 in my csf.deny that have the comment fragment....
    # lfd: (PERMBLOCK)

    This is probably due to my having cxs installed with all configserver blocklists active except CXS_LF_DIRECTADMIN and CXS_LF_WEBMIN.
    In particular, CXS_LF_CPANEL has 700+ IPs listed while CXS_LF_POP3D has 500+
    I assume the IPs being added to your csf.deny are already in these two blocklists.
     
  5. ard.alberto

    Hi fuzzylogic

    How can I activate the lists CXS_LF_CPANEL and CXS_LF_POP3D?

    Thanks.
     
  6. wahuu

    Hi fuzzylogic,

    Can you resolve a similar case (lots of lfd notification emails) that I am facing as well:

    Time: Thu Apr 11 12:38:19 2019 -0700
    IP: 142.93.xxx.xxx (DE/Germany/-)
    Failures: 5 (cpanel)
    Interval: 3600 seconds
    Blocked: Permanent Block [LF_CPANEL]

    Log entries:

    [2019-04-11 12:31:51 -0700] info [cpaneld] 149.129.xxx.xxx - - "HEAD / HTTP/1.1" FAILED LOGIN cpaneld: user name not provided or invalid user
    [2019-04-11 12:50:07 -0700] info [cpaneld] 149.129.xxx.xxx - - "HEAD / HTTP/1.1" FAILED LOGIN cpaneld: user name not provided or invalid user
    [2019-04-11 12:57:23 -0700] info [cpaneld] 149.129.xxx.xxx - - "HEAD / HTTP/1.1" FAILED LOGIN cpaneld: user name not provided or invalid user
    [2019-04-11 13:16:43 -0700] info [cpaneld] 149.129.xxx.xxx - - "HEAD / HTTP/1.1" FAILED LOGIN cpaneld: user name not provided or invalid user
    [2019-04-11 13:18:16 -0700] info [cpaneld] 149.129.xxx.xxx - - "HEAD / HTTP/1.1" FAILED LOGIN cpaneld: user name not provided or invalid user
     
    #6 wahuu, Apr 11, 2019
    Last edited by a moderator: Apr 11, 2019
  7. fuzzylogic

    I should have been clearer.
    ConfigServer Exploit Scanner (CXS) is a paid plugin from ConfigServer.
    It is not the same plugin as ConfigServer Security & Firewall (CSF).

    If you have both CXS and CSF installed then you can enable CXS IP Reputation System and edit which blocklists to use from within the plugin.

    I was not trying to advise you to get it, just trying to explain the differences in our csf.deny listings.
     
  8. fuzzylogic

    #8 fuzzylogic, Apr 12, 2019
    Last edited: Apr 12, 2019
  9. cPanelLauren
