The Community Forums


Login fail, login fail, login fail - login succeeds! Is it CPHulk?

Discussion in 'Security' started by cycas, Jun 30, 2015.

  1. cycas

    cycas Member

    Joined:
    May 9, 2014
    Messages:
    12
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    I often cannot log in to my server on the first attempt, either with SSH or SFTP. Often, my FTP program will have to retry 5-6 times before I get in (with a saved password, so it's not my typing!). This is on a number of different accounts.

    Or, Putty will chuck me out with a 'server unexpectedly closed connection' error several times before it allows me to log in. I don't even get to the 'login as' prompt.

    Once I get in, the connection is rock solid and I have no further problems.

    The server load average is low, the websites hosted on it are responding quickly, my monitoring tools report no problems.

    I noticed that the CPHulk History report shows repeated attempts at smtp authentication from many different IP addresses (using a non-existent username). Sometimes there are as many as 20 in a minute. Because they are all from different IPs, (but clearly controlled from a single source as they are all using the same non-existent username!) I can't see how to block them.

    Could this be the cause of the login problem? If CPHulk is getting battered by dodgy logins, is it rate limiting in some way? Or is there something else I can check? Is there a fix?
     
  2. keat63

    keat63 Well-Known Member

    Joined:
    Nov 20, 2014
    Messages:
    765
    Likes Received:
    20
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    In my experience, it's CPhulk.
    Do you have CSF installed at all?
     
  3. cycas

    cycas Member

    Joined:
    May 9, 2014
    Messages:
    12
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Oh good, at least it's a known thing.

    Yes, I do have CSF installed, does that help?
     
  4. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    942
    Likes Received:
    57
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    If you have CSF installed it's often best to just disable cphulk entirely. CSF will monitor the same logs that cphulk does.

    Sometimes SSH can get tied up if it's being brute forced; it only allows so many unauthenticated sessions at a time. This can cause the 'server unexpectedly closed connection' error that you received. There are several options to fix this such as adjusting the maxstartups in the sshd config, but generally it's best to just open a new alternate port in CSF and set the ssh server to run on that alternate port. This usually gets you past enough of the generic bot scans so they don't tie up all the startups (unauthed ssh sessions, i.e. active PW prompts).
     
    cycas likes this.
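
The `maxstartups` limit mentioned in the post above, worked through as an added example (not code from the thread or from cPanel). It follows the `start:rate:full` random-early-drop rule described in sshd_config(5); the function names, the assumed default `10:30:100` and the sample config are illustrative assumptions.

```python
# Added illustration of sshd's MaxStartups random early drop; not code from the thread.

def find_maxstartups(config_text, default="10:30:100"):
    """Return the first MaxStartups value in sshd_config text (first value wins).
    Simplified: Match blocks and Include files are ignored; the default is assumed."""
    for raw in config_text.splitlines():
        fields = raw.split("#", 1)[0].split(None, 1)  # drop comments, split keyword/value
        if len(fields) == 2 and fields[0].lower() == "maxstartups":
            return fields[1].strip()
    return default

def parse_maxstartups(value):
    """'start:rate:full' -> (start, rate, full); a single integer is a hard cap."""
    parts = [int(p) for p in value.split(":")]
    if len(parts) == 1:
        parts = [parts[0], 100, parts[0]]
    if len(parts) != 3:
        raise ValueError("expected N or start:rate:full, got %r" % value)
    start, rate, full = parts
    if not (1 <= start <= full and 1 <= rate <= 100):
        raise ValueError("out-of-range MaxStartups: %r" % value)
    return start, rate, full

def drop_percent(unauth, start, rate, full):
    """Chance (in %) that a NEW connection is refused while `unauth`
    sessions are still sitting unauthenticated (e.g. at a password prompt)."""
    if unauth < start:
        return 0
    if unauth >= full or rate == 100:
        return 100
    # Linear ramp from `rate` at `start` up to 100 at `full` (integer maths).
    return rate + (100 - rate) * (unauth - start) // (full - start)

def expected_attempts(percent):
    """Average number of connection attempts before one is accepted."""
    return float("inf") if percent >= 100 else 100.0 / (100 - percent)

# Constructed sample config, not taken from the poster's server.
SAMPLE_CONFIG = """\
#MaxStartups 10:30:100
Port 22
MaxStartups 10:30:60   # constructed value
"""

if __name__ == "__main__":
    start, rate, full = parse_maxstartups(find_maxstartups(SAMPLE_CONFIG))
    for unauth in (5, 10, 35, 50, 60):
        pct = drop_percent(unauth, start, rate, full)
        print("%3d unauthenticated -> %3d%% refused, ~%.1f attempts"
              % (unauth, pct, expected_attempts(pct)))
```

A refused connection is closed before any prompt appears, which matches a client reporting that the server closed the connection and then succeeding on a later retry.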
  5. keat63

    keat63 Well-Known Member

    Joined:
    Nov 20, 2014
    Messages:
    765
    Likes Received:
    20
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    I have CPHulk still applied as well as CSF, but then I'm no expert.
    I would also suggest moving SSH to a different port, somewhere below 1000.
    Before you do though, ensure that your IP is whitelisted in CSF, Host Access Control and CPHULK.
    When you've done all this, close port 22 in CSF.
     
    cycas likes this.
  6. cycas

    cycas Member

    Joined:
    May 9, 2014
    Messages:
    12
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Many thanks for the help, I will close port 22 and put SSH on another port.
     
  7. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,854
    Likes Received:
    676
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    You may also find this guide helpful:

    SSH Hardening Guide

    Thank you.
     