POST /login/?login_only=1 HTTP/1.1 entries in access log

Amgeek · Sep 6, 2016

After being warned of "Failed attempts" of loggin by the firewall I figure out how to see what attempts were successful in access.log. I see a several entries that I am not sure about. They are similar to the following:

ip address "get /http/1.1"
ip address "Post/login/?login_only=1 HTTP/1.1"

Are these usual entries?
What do they mean?

Thanks
Ed

Infopro · Sep 6, 2016

More of the message should say:
FAILED LOGIN cpaneld: invalid cpanel user

Amgeek · Sep 6, 2016

Infopro said: ↑

More of the message should say:
FAILED LOGIN cpaneld: invalid cpanel user
Click to expand...

Thanks.

Don't see that in the access.log. I looked there because I saw that
The file "login_log" does not include successful authentications. So, since it is in the access.log file I assumed it had been successfull and so was wondering what the codes meant.

Infopro · Sep 6, 2016

Do you have CSF installed? I get emails about these failed logins all the time.

Amgeek · Sep 7, 2016

Infopro said: ↑

Do you have CSF installed? I get emails about these failed logins all the time.
Click to expand...

Yes I do. That is what peaked my interest. Have gotten emails saying so and so failed attempt to log into one account or another (usually not a real account name but close enough to make you think they knew something). I understand failed attempts are to be expected and it is good news - the firewall is really working. My concern was what if they succeed, how would I know, that led me to the access.log which, as I understand it, logs successful attempts. I find several entries in the access.log from suspicious IPs with the codes in my first post. I don't know what those codes mean they succeeded in doing.

Infopro · Sep 7, 2016

Amgeek said: ↑

usually not a real account name but close enough to make you think they knew something
Click to expand...

When you create an account, if you don't specify a unique username the system defaults to using some part of the domain name itself. I suppose that's one reason why the attempted login might be close at times.

Enabling cPanel login alerts in the users cPanel in Contact Preferences, configuring cPHulk and CSF for logins, can all be useful. Enabling two-Factor Authentication is a really good way to lock user accounts down as well. Using Two-Factor for all logins you possibly can, including on these very forums, is suggested.

Forums

The Community Forums

Interact with an entire community of cPanel & WHM users!

POST /login/?login_only=1 HTTP/1.1 entries in access log

Amgeek Member

Infopro cPanel Sr. Product Evangelist
Staff Member

Amgeek Member

Infopro cPanel Sr. Product Evangelist
Staff Member

Amgeek Member

Infopro cPanel Sr. Product Evangelist
Staff Member

New Thread Upgrade PostgreSQL Version?

POST requests for script are taking 3 minutes

Server down after reboot command (post 76 upgrade)

Multidomain SSL & post_virtualhost_2.conf

Which Script Installs PostgreSQL on a cPanel & WHM server?

Share This Page

Useful Searches

The Community Forums

Interact with an entire community of cPanel & WHM users!

POST /login/?login_only=1 HTTP/1.1 entries in access log

Amgeek Member

Infopro cPanel Sr. Product Evangelist Staff Member

Amgeek Member

Infopro cPanel Sr. Product Evangelist Staff Member

Amgeek Member

Infopro cPanel Sr. Product Evangelist Staff Member

New Thread Upgrade PostgreSQL Version?

POST requests for script are taking 3 minutes

Server down after reboot command (post 76 upgrade)

Multidomain SSL & post_virtualhost_2.conf

Which Script Installs PostgreSQL on a cPanel & WHM server?

Share This Page

Infopro cPanel Sr. Product Evangelist
Staff Member

Infopro cPanel Sr. Product Evangelist
Staff Member

Infopro cPanel Sr. Product Evangelist
Staff Member