
"WHM/cPanel root access alert" from DNS cluster servers

Discussion in 'Security' started by Bdzzld, Oct 31, 2011.

  1. Bdzzld

    Hi,

    I've recently set up a new cPanel server and have added the server to four other servers in an already present DNS cluster. After doing this I always receive a "WHM/cPanel root access alert" e-mail from every server in this DNS cluster as soon as I log onto WHM. Is this normal behaviour?

    I've set up CSF/LFD on all servers, but only receive these alerts from this new server.

    Now I know I can add the IP-addresses of these servers to the csf.allow file, but I just wanted to know if this new server is set up correctly as I've never seen this kind of behaviour before.

    Thanks.
     
  2. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Is cPHulk Brute Force Protection enabled? This will also send out an email when: "Send a notification upon successful root login when the IP is not whitelisted:"
     
  3. Bdzzld

    Hi InfoPro,

    Thanks for your suggestion. cPHulk was indeed enabled. I've just disabled it as CSF/LFD will do a far better job i.m.o.

    The alerts are actually sent out by LFD:

    Code:
    lfd on server.domainname.xxx: WHM/cPanel root access alert from xxx.xx.xxx.xxx
    
     
  4. k-planethost

    That's normal since they sync the changes.
    Did you press sync changes or standalone server?
     
  5. Bdzzld

    Three of the four servers are used as DNS server (sync) and the other one is only using it (standalone).
    The funny thing is all servers create the alert; also the standalone one. Besides that, only this new server generates these alerts and not also the other servers in the DNS cluster...
     
  6. garrettp

    garrettp Well-Known Member
    PartnerNOC

    Are all of the servers running 11.30? If not, this may explain the differences as 11.28 -> 11.30 was a major update.

    My suggestion would be to add each of the clustered servers to the csf.ignore file since they are each a trusted source.
     
  7. Bdzzld

    All servers are running the latest release version of cPanel. So, that's not it.
    The only thing I can think of is the difference in the version of BIND.
    This new server is running CentOS 6 with its newest version of BIND and the other servers are much older running CentOS 4.x and 5.x.
     