Massive amount of failures from IP (what IP?)

try CSF, it includes the IP in alerts.

 

I agree, this info is available if you go into the cphulk stuff in "security center" in WHM but why not send it out in the email as well ?. It cant be that hard to carry the ip to a variable if they can tell the username and what they were trying to get in as. I mean in the cphulk interface we see something like :

userxxx 123.123.111.222 system 0 2008-06-07 11:09:10

Can't we get that in the email ??? Unless there is a bug and its just not carrying over as it should ?

 

Nice findings, lets wait for a official answer with a bug or a enhancement request later.

 

I am also having this same issue. At least the messages could say they are being logged in cpanel or something..This message is rather elusive. It would be nice to figure out how to add the ip.


Xavier

 

What I dont understand is how come I have my settings set to block them for 60 minutes after 3 failed login attempts, yet i get these emails every 5 mintues.

Also, I included the persons IP address in my hosts.deny file, yet I still get these emails every 5 minutes.

 

APF + BFD (rfxnetworks.com) are alot more friendlier IMO.
Regardless, with the IP blocked it doesn't explain why you're still receiving those alerts.

Is the IP listed as blocked in a "iptables -L | grep 123.123.111.222"?

How did you block that IP in /etc/hosts.deny? Did you block all?
ie. "ALL: 123.123.111.222" (ofcourse replacing 123.123.111.222 with the actual IP).