Lockout from WHM and SSH due to bruteforce attacks

[lordadel]

Hello all,

I have a major problem. I have CPHulk enabled on my server and I am being locked out from both WHM and SSH logins.

Luckily, I have VNCServer installed so, i can login with VNC and disable CPHulk so I could login. However, I am going to remove VNCServer from my server and I don't want to get stuck everytime because someone is brute-forcing into the server. Also, I can not whitelist my machine's IP address because I have dynamic IP from my ISP which would change everytime I restart my router.

I thought that cphulk would only disable WHM login and I would still be able to login with SSH? or does cphulk also monitor SSH login failures?

What are the possible solutions to this problem? Any help would be greatly appreciated.

Thanks in advance,
Adel.

 

[cPanelMichael]

Hello

Is the IP address assigned to you by your ISP completely different each time, or would whitelisting an IP range be helpful? Note that this option is documented here:

cPHulk Brute Force Protection

Thank you.

 

[lordadel]

Hello Michael,

Well, I am not sure if I am assigned completely different IP address each time or not.. I will try to restart my router multiple times to check.

Will this whitelisting work also on SSH logins? or only on WHM logins?

Another question also, does cPhulk monitor SSH login attempts as well or only WHM login attempts?

Thanks again
Adel

 

[cPanelMichael]

Yes, whitelisting an IP range would whitelist the range for any service that cPHulk monitors. Also, yes, cPhulk monitors SSH login attempts.

Thank you.

 

[lordadel]

Thanks for your reply. I have restarted my router few times and found that the first octet of my IP address is not changing, so I whitelisted it and there are no problems so far.

Do you suggest any other actions I should take? should I change SSH and WHM port numbers? I am suspecting that this attack might be an automated attack which targets default ports.

Thanks again for your support

Best regards,
Adel

 

[cPanelMichael]

Do you suggest any other actions I should take? should I change SSH and WHM port numbers? I am suspecting that this attack might be an automated attack which targets default ports.

You can not change the WHM port number, but you can restrict access to your IP address via the "Host Access Control" option in Web Host Manager. Changing the default SSH port is recommended, yes. You may also want to install a firewall such as CSF to help prevent these types of attacks.

Thank you.