
Lockout from WHM and SSH due to bruteforce attacks

Discussion in 'Security' started by lordadel, Jul 2, 2014.

  1. lordadel

    lordadel Member

    Joined:
    Jul 2, 2014
    Messages:
    7
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Hello all,

    I have a major problem. I have CPHulk enabled on my server and I am being locked out from both WHM and SSH logins.

    Luckily, I have VNCServer installed, so I can log in with VNC and disable CPHulk so I can log in. However, I am going to remove VNCServer from my server and I don't want to get stuck every time someone is brute-forcing into the server. Also, I cannot whitelist my machine's IP address because I have a dynamic IP from my ISP, which changes every time I restart my router.

    I thought that cphulk would only disable WHM login and I would still be able to log in with SSH? Or does cphulk also monitor SSH login failures?

    What are the possible solutions to this problem? Any help would be greatly appreciated.

    Thanks in advance,
    Adel.
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,811
    Likes Received:
    669
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    Is the IP address assigned to you by your ISP completely different each time, or would whitelisting an IP range be helpful? Note that this option is documented here:

    cPHulk Brute Force Protection

    Thank you.
     
  3. lordadel

    lordadel Member

    Hello Michael,

    Well, I am not sure if I am assigned a completely different IP address each time or not. I will try to restart my router multiple times to check.

    Will this whitelisting also work on SSH logins? Or only on WHM logins?

    Another question: does cPhulk monitor SSH login attempts as well, or only WHM login attempts?

    Thanks again :)
    Adel
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Yes, whitelisting an IP range would whitelist the range for any service that cPHulk monitors. Also, yes, cPhulk monitors SSH login attempts.

    Thank you.
     
  5. lordadel

    lordadel Member

    Thanks for your reply. I have restarted my router a few times and found that the first octet of my IP address is not changing, so I whitelisted it and there are no problems so far.

    Do you suggest any other actions I should take? Should I change the SSH and WHM port numbers? I suspect that this attack might be an automated attack which targets default ports.

    Thanks again for your support

    Best regards,
    Adel
     
  6. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    You cannot change the WHM port number, but you can restrict access to your IP address via the "Host Access Control" option in Web Host Manager. Changing the default SSH port is recommended, yes. You may also want to install a firewall such as CSF to help prevent these types of attacks.

    Thank you.
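An added example, not part of the original thread and not cPanel code: a first-octet whitelist is a /8, so this Python sketch compares it with the smallest CIDR block that still covers the addresses actually seen after router restarts, and lists which failed-login sources each range would exempt from brute-force lockout. All addresses, names and the sample data are constructed for illustration; IPv4 only.

```python
import ipaddress

# Constructed sample data (not from the thread): addresses the ISP handed out
# across several router restarts, and source IPs seen in failed logins.
OBSERVED = ["10.20.31.7", "10.20.44.190", "10.21.3.12"]
FAILED = ["10.200.1.5", "10.20.99.3", "192.0.2.44"]

# Whitelisting "the first octet" is equivalent to this /8 network.
FIRST_OCTET = ipaddress.ip_network("10.0.0.0/8")


def covering_network(addrs):
    """Return the smallest single CIDR block containing every address."""
    ips = [ipaddress.ip_address(a) for a in addrs]
    net = ipaddress.ip_network(f"{min(ips)}/32")  # start at the lowest host
    while not all(ip in net for ip in ips):
        net = net.supernet()  # widen by one prefix bit at a time
    return net


def exempt_sources(whitelist, sources):
    """Sources inside the whitelist, i.e. never locked out by rate limiting."""
    return [s for s in sources if ipaddress.ip_address(s) in whitelist]


if __name__ == "__main__":
    tight = covering_network(OBSERVED)
    for label, net in (("first octet", FIRST_OCTET), ("observed range", tight)):
        print(f"{label:15} {str(net):15} {net.num_addresses:>10} addresses, "
              f"exempt failed-login sources: {exempt_sources(net, FAILED)}")
    # Assumption: a handful of restarts may not reveal the ISP's whole pool,
    # so the tight range can need widening if a new address falls outside it.
```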
     