Aceaid

Member
Jan 13, 2015
Horsham, United Kingdom
cPanel Access Level
Website Owner
Hi All,

I had an error many have had, being locked out of root before you can whitelist IP.

As my Server is new I rebuilt and this time enabled emails of attacks in CPHulk as lots of people on here felt that this was the issue.

I have now got constant attempted access from Japan and China IPs. This is locking my root access so I cannot block them and/or whitelist me. Example cut of email below.

5 failed login attempts to account root (system) -- Large number of attempts from this IP: 61.174.50.178

Any ideas? I have currently disabled the server in case they do get in.

Many thanks

Adrian
 

triantech

Well-Known Member
Jul 1, 2014
Kochi, India, India
cPanel Access Level
Root Administrator
@Aceaid,

I would recommend that you install a firewall like CSF/LFD; it is capable of blocking the IPs which conduct a brute-force attack against your services, instead of blocking the actual account as is done by cphulkd.

You can configure CSF in such a way as to block any IPs which make 5 login attempts that all fail within a time gap of, say, 300s. I have found this to be more effective than cphulkd.

- - - Updated - - -

@Aceaid,

To add to this, you can change the port on which SSH is listening; most of the attacks from China are directed at the SSH service running on the custom port.
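The per-IP rule described above (5 failed logins inside a 300-second window, counted per source address rather than per account) can be sketched as follows. This is an added example, not part of the thread and not CSF/LFD's own code; the function name, the log year, and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in OpenSSH syslog style (documentation IP ranges).
SAMPLE_LOG = """\
Jan 13 10:00:01 host sshd[2101]: Failed password for root from 203.0.113.7 port 4001 ssh2
Jan 13 10:00:05 host sshd[2102]: Failed password for root from 198.51.100.20 port 4100 ssh2
Jan 13 10:00:30 host sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 4002 ssh2
Jan 13 10:01:10 host sshd[2104]: Failed password for root from 203.0.113.7 port 4003 ssh2
Jan 13 10:02:00 host sshd[2105]: Failed password for root from 198.51.100.20 port 4101 ssh2
Jan 13 10:02:00 host sshd[2106]: Failed password for root from 203.0.113.7 port 4004 ssh2
Jan 13 10:03:15 host sshd[2107]: Failed password for invalid user test from 203.0.113.7 port 4005 ssh2
Jan 13 10:04:00 host sshd[2108]: Failed password for root from 198.51.100.20 port 4102 ssh2
Jan 13 10:05:00 host sshd[2109]: Accepted password for root from 192.0.2.10 port 5000 ssh2
Jan 13 10:06:00 host sshd[2110]: Failed password for root from 198.51.100.20 port 4103 ssh2
Jan 13 10:08:00 host sshd[2111]: Failed password for root from 198.51.100.20 port 4104 ssh2
"""

FAILED = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                    r"Failed password for (?:invalid user )?\S+ from (\S+) port")

def offending_ips(log_text, max_failures=5, window_s=300, year=2015):
    """Return {ip: time of the failure that reached the threshold}.

    Failures are counted per source IP across all accounts, so the
    targeted account (e.g. root) is never the thing that gets locked.
    Syslog timestamps carry no year, so one is assumed via `year`.
    """
    recent = defaultdict(deque)  # ip -> failure times still inside the window
    blocked = {}
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ip = m.group(2)
        if ip in blocked:
            continue
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()  # drop failures older than the window
        if len(q) >= max_failures:
            blocked[ip] = ts
    return blocked
```

In the sample, 203.0.113.7 reaches five failures within 194 seconds and is flagged, while 198.51.100.20 also fails five times but spread over nearly eight minutes, so it never has five failures inside one window.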
 

keat63

Well-Known Member
Nov 20, 2014
cPanel Access Level
Root Administrator
Adrian.

Sounds like you're new to this?
I'm only about 6 weeks old myself, so not an expert, but have learnt a lot in 6 weeks.

You can install csf from ssh access or KVM if you have this.
When you've installed CSF and finally manage to get in, choose one of the default profiles.
I chose high, then fine tune it even more when you learn your way around.
CSF will be in test mode, so don't forget to enable it.
It's really pretty straightforward.

In WHM, find Host Access Control.
Add your IP (or range of IPs if you're dynamic), and allow yourself access to WHM, FTP and SSHD.
Deny "ALL" for the same.
This will give your ip, and only your ip access to WHM, FTP and SSHD.
If you know the IP of your server provider, add them to the allow list too.
Also consider adding your home IP address/range as a fail-safe.
Let's assume you're using dynamic IPs at home, in the range 123.99.x.x, then add 123.99.0.0/255.255.0.0
Each host entry will have a line each.

Make sure the denies are at the bottom of the list.

Consider closing port 22 in CSF and moving SSHD to a different port number, somewhere below port 1000.
Again, a very easy, simple edit.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011