Stop brute force email logins?

aeroweb

Well-Known Member
Jun 4, 2004
cPHulk is showing many failed email login attempts from localhost 127.0.0.1 and country ZZ (see attached screenshot). I am assuming these are webmail login attempts? Is there a way to stop these, or at the very minimum change the configuration somehow so that it displays the IP address of the offending user?
 

Attachments

ES - George

Well-Known Member
PartnerNOC
Jun 12, 2011
UK
cPanel Access Level
DataCenter Provider
The only way to make it impossible to brute-force would be to limit the service to only trusted IPs. Brute-forcing is unfortunately "normal", and something that will always happen. You can't stop it, but you can stop the effects of it (i.e. a successful intrusion) by maintaining good password policies, and whilst blocking an offending IP address is helpful, a good, strong password will keep you safe.

I'd recommend reading over the cPHulk documentation if you haven't done so already: cPHulk Brute Force Protection - Version 78 Documentation - cPanel Documentation
 

aeroweb

Well-Known Member
Jun 4, 2004
We are very familiar with brute force attacks and various distributed attacks; that was not my question. We have been using a combination of CSF and other features for years, which has helped mitigate most attacks against IMAP, SMTP, SSH etc.

What I am concerned about is that all the attacks showed the local IP address 127.0.0.1 rather than the offender's IP address (see previous attachment). Is there any way to get cPHulk to show the attacker's IP instead of 127.0.0.1? Or is there a log file I can view that shows who is accessing the webmail login page?

Thanks
 

cPanelLauren

Forums Analyst II
Staff member
Nov 14, 2017
Houston
cPanel Access Level
DataCenter Provider
Hi @aeroweb

Unfortunately, when the IP address is obfuscated like this (which is done on purpose), it's beyond cPHulk's capability to identify. cPHulk is registering the IP address that the system sees the attack from. You can see the IP being used in /var/log/maillog in most cases, as a webmail login attempt would be noted there.
 
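The reply above points at /var/log/maillog as the place to recover the client address. The following is an added example for this thread, not code from the original posts or from cPanel: it parses Dovecot-style auth-failure lines (cPanel's IMAP/POP3 daemon is Dovecot), tallies failures per remote address from the `rip=` field, and separates out entries whose `rip=` is loopback, since those arrived through a local proxy such as webmail and the originating client has to be looked up in that proxy's own log instead. The log lines, hostnames, users and addresses in `SAMPLE` are constructed for the demo, and the exact message wording is assumed to follow Dovecot's usual "auth failed, N attempts in M secs" format.

```python
"""Recover the real client IP behind mail login failures in /var/log/maillog.

Added example for the cPanel thread above; not cPanel's code and not from the
original posts. Assumes Dovecot's auth-failure log format with rip= (remote IP)
and lip= (local IP) fields. SAMPLE is constructed, not captured from a server.
"""
import re
from collections import Counter, defaultdict
from ipaddress import ip_address

# Dovecot reports the client address as rip= and the server-side address as lip=.
# Not anchored at end of line so trailing fields (TLS, session=<...>) don't matter.
AUTH_FAIL = re.compile(
    r"dovecot: (?P<svc>imap|pop3)-login: "
    r"(?:Disconnected|Aborted login) \(auth failed, (?P<tries>\d+) attempts in \d+ secs\): "
    r"user=<(?P<user>[^>]*)>, method=(?P<method>[^,\s]+), "
    r"rip=(?P<rip>[0-9A-Fa-f.:]+), lip=(?P<lip>[0-9A-Fa-f.:]+)"
)


def parse_failures(lines):
    """Yield one dict per auth-failure line; successful logins and noise are skipped."""
    for line in lines:
        m = AUTH_FAIL.search(line)
        if m:
            ev = m.groupdict()
            ev["tries"] = int(ev["tries"])
            yield ev


def is_loopback(addr):
    """True for 127.0.0.0/8 and ::1, i.e. a connection relayed by a local proxy."""
    try:
        return ip_address(addr).is_loopback
    except ValueError:
        return False


def summarize(lines):
    """Return (failed attempts per remote IP, users targeted per IP, proxied attempts).

    Failures whose rip= is loopback are counted separately: the address cPHulk
    and Dovecot see is the proxy (e.g. webmail), not the attacker, so the real
    client must be taken from the proxy's own access log.
    """
    per_ip = Counter()
    users = defaultdict(set)
    proxied = 0
    for ev in parse_failures(lines):
        if is_loopback(ev["rip"]):
            proxied += ev["tries"]
            continue
        per_ip[ev["rip"]] += ev["tries"]
        users[ev["rip"]].add(ev["user"])
    return per_ip, users, proxied


# Constructed sample lines mirroring Dovecot's auth-failure message (assumed format).
SAMPLE = """\
Jun  4 10:15:01 host dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob@example.com>, method=PLAIN, rip=203.0.113.45, lip=198.51.100.10, TLS, session=<abc>
Jun  4 10:15:09 host dovecot: imap-login: Disconnected (auth failed, 3 attempts in 6 secs): user=<alice@example.com>, method=PLAIN, rip=203.0.113.45, lip=198.51.100.10, TLS, session=<def>
Jun  4 10:16:20 host dovecot: pop3-login: Aborted login (auth failed, 2 attempts in 4 secs): user=<carol@example.com>, method=PLAIN, rip=198.51.100.77, lip=198.51.100.10, session=<ghi>
Jun  4 10:17:02 host dovecot: imap-login: Disconnected (auth failed, 5 attempts in 9 secs): user=<alice@example.com>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured, session=<jkl>
Jun  4 10:17:30 host dovecot: imap-login: Login: user=<bob@example.com>, method=PLAIN, rip=203.0.113.45, lip=198.51.100.10, TLS, session=<mno>
""".splitlines()


def report(lines=SAMPLE, threshold=3):
    """Return ([(ip, failures, sorted users)] at or above threshold, proxied count)."""
    per_ip, users, proxied = summarize(lines)
    flagged = [(ip, n, sorted(users[ip]))
               for ip, n in per_ip.most_common() if n >= threshold]
    return flagged, proxied


if __name__ == "__main__":
    # To run against a real server: report(open("/var/log/maillog"))
    flagged, proxied = report()
    for ip, n, who in flagged:
        print(f"{ip}: {n} failed logins against {', '.join(who)}")
    print(f"{proxied} failures arrived over loopback (webmail or another local proxy)")
```

Feeding `open("/var/log/maillog")` to `report()` gives the per-address counts that a CSF or Host Access Control rule could act on; the loopback bucket is the part cPHulk shows as 127.0.0.1, and that count alone tells you how much of the noise is proxied rather than direct.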

keat63

Well-Known Member
Nov 20, 2014
cPanel Access Level
Root Administrator
Would adding a rule in Host Access Control work?

Although I'm not sure of the implications of blocking 127.0.0.1