Logwatch: cpanelhttps entries

modom

Well-Known Member
I see something in my logwatch and am not sure if someone called gip.com is trying to hack my server.
(1) LOG5[3720:140155972839168]: cpanelhttps accepted connection from 70.178.141.79:4428
(2) LOG5[3720:140155972839168]: connect_blocking: connected 127.0.0.1:2082
(1) LOG5[3720:140155972839168]: cpanelhttps connected remote server from 127.0.0.1:54363
(1) LOG5[3720:140155972839168]: Connection closed: 0 bytes sent to SSL, 2875 bytes sent to socket
(1) LOG5[3720:140155972839168]: cpanelhttps accepted connection from 70.178.141.79:4440
(1) LOG5[3720:140155972839168]: cpanelhttps connected remote server from 127.0.0.1:54385
(1) LOG3[3720:140155972839168]: readsocket: Connection reset by peer (104)
(1) LOG5[3720:140155972839168]: Connection reset: 0 bytes sent to SSL, 2875 bytes sent to socket
(1) LOG5[3720:140155972839168]: cpanelhttps accepted connection from 70.178.141.79:4448
(5) LOG3[3720:140155972839168]: connect_blocking: getsockopt 127.0.0.1:2082: Connection refused (111)
(5) LOG5[3720:140155972839168]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
(1) LOG5[3720:140155972839168]: cpanelhttps accepted connection from 70.178.141.79:4523
(1) LOG5[3720:140155972839168]: cpanelhttps accepted connection from 70.178.141.79:4524
(1) LOG5[3720:140155972839168]: cpanelhttps accepted connection from 70.178.141.79:4525
(1) LOG5[3720:140155972769536]: cpanelhttps accepted connection from 70.178.141.79:4526
(1) LOG5[3720:140155972699904]: cpanelhttps accepted connection from 70.178.141.79:4527
(1) LOG5[3720:140155972630272]: cpanelhttps accepted connection from 70.178.141.79:4528
(1) LOG5[3720:140155972839168]: cpanelhttps accepted connection from 70.178.141.79:4529
(1) LOG5[3720:140155972560640]: cpanelhttps accepted connection from 70.178.141.79:4530
(1) LOG3[3720:140155972769536]: connect_blocking: getsockopt 127.0.0.1:2082: Connection refused (111)
(1) LOG5[3720:140155972769536]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
(1) LOG3[3720:140155972699904]: connect_blocking: getsockopt 127.0.0.1:2082: Connection refused (111)
(1) LOG5[3720:140155972699904]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
(1) LOG3[3720:140155972630272]: connect_blocking: getsockopt 127.0.0.1:2082: Connection refused (111)
(1) LOG5[3720:140155972630272]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
(13) LOG3[3720:140155972560640]: connect_blocking: getsockopt 127.0.0.1:2082: Connection refused (111)
(16) LOG5[3720:140155972560640]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
(1) LOG5[3720:140155972560640]: cpanelhttps accepted connection from 70.178.141.79:4531
(1) LOG5[3720:140155972560640]: cpanelhttps accepted connection from 70.178.141.79:4532
(1) LOG5[3720:140155972560640]: cpanelhttps accepted connection from 70.178.141.79:4533
(1) LOG5[3720:140155972560640]: cpanelhttps accepted connection from 70.178.141.79:4535
(1) LOG5[3720:140155972560640]: cpanelhttps accepted connection from 70.178.141.79:4536
(1) LOG5[3720:140155972560640]: cpanelhttps accepted connection from 70.178.141.79:4539
(1) LOG5[3720:140155972560640]: cpanelhttps accepted connection from 70.178.141.79:4540
(1) LOG5[3720:140155972560640]: cpanelhttps accepted connection from 70.178.141.79:4546
(1) LOG5[3720:140155972560640]: cpanelhttps accepted connection from 70.178.141.79:4547
(1) LOG5[3720:140155972560640]: cpanelhttps accepted connection from 70.178.141.79:4548
(1) LOG5[3720:140155972560640]: cpanelhttps accepted connection from 70.178.141.79:4549
(1) LOG5[3720:140155972560640]: cpanelhttps accepted connection from 70.178.141.79:4550
(1) LOG5[3720:140155972560640]: webmailhttps accepted connection from 72.18.39.178:26097
Is there some way to permanently block this gip.com?
 

cPanelMichael

Administrator
Staff member
Hello :)

You will need to use a third-party firewall such as CSF or manual IPTables rules if you want to prevent an IP address from accessing your server. I don't see any references to the domain name mentioned in your post in the logs that you provided.

Thank you.
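Added example (not part of the original posts): a small Python script that tallies the accepted connections in logwatch output of this shape per service and source IP, and separately counts the "Connection refused" errors against the local backend. The sample lines and addresses are constructed, and the function names `summarize` and `busy_sources` are illustrative.

```python
import re
from collections import Counter

# Logwatch line shape seen in the post: "(count) LOGn[pid:thread]: message"
LINE = re.compile(r"^\((\d+)\)\s+LOG\d\[\d+:\d+\]:\s+(.*)$")
ACCEPT = re.compile(r"^(\S+) accepted connection from (\d+\.\d+\.\d+\.\d+):\d+$")
REFUSED = re.compile(r"^connect_blocking: getsockopt (\S+): Connection refused \(111\)$")

def summarize(lines):
    """Tally client connections per (service, source IP) and backend refusals."""
    accepts, refused = Counter(), Counter()
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a logwatch entry in this format
        count, message = int(m.group(1)), m.group(2)
        a = ACCEPT.match(message)
        if a:
            accepts[(a.group(1), a.group(2))] += count
            continue
        r = REFUSED.match(message)
        if r:
            # The proxy could not connect to its local backend (127.0.0.1:2082
            # in the post): nothing was listening there at that moment.
            refused[r.group(1)] += count
    return accepts, refused

def busy_sources(accepts, threshold):
    """Source IPs whose total accepted connections reach the threshold."""
    per_ip = Counter()
    for (_service, ip), n in accepts.items():
        per_ip[ip] += n
    return sorted(ip for ip, n in per_ip.items() if n >= threshold)

# Constructed sample in the same format (documentation-range addresses).
SAMPLE = """\
(1) LOG5[3720:1]: cpanelhttps accepted connection from 203.0.113.10:4428
(3) LOG5[3720:1]: cpanelhttps accepted connection from 203.0.113.10:4440
(5) LOG3[3720:1]: connect_blocking: getsockopt 127.0.0.1:2082: Connection refused (111)
(5) LOG5[3720:1]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
(1) LOG5[3720:2]: webmailhttps accepted connection from 198.51.100.7:26097
""".splitlines()

if __name__ == "__main__":
    accepts, refused = summarize(SAMPLE)
    for (service, ip), n in accepts.most_common():
        print(f"{n:4d}  {service:14s} {ip}")
    for backend, n in refused.items():
        print(f"{n:4d}  backend refused at {backend}")
    print("review:", busy_sources(accepts, threshold=3))
```

The log lines carry only IP addresses, so any hostname has to come from a separate reverse lookup of the addresses the script reports.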
 

cPanelMichael

Administrator
Staff member
There are no options in CSF that can be used to block a hostname instead of the individual IP addresses that I am aware of. There was a thread on their forums asking this question:

Block/Allow Hostnames

Thank you.