cPanel were working on a ticket and they (and me) were supprised one of the servers was brute forcing the DNS Only server (and locking itself out).
This was back in October/November!!
Seems it has been rolling around for a very long time.
In addition to not giving root passwords to vendors over the internet *doh*, and aside from SSH keys, different SSH ports, CSF+LFD, is there anything else that can reduce attack surface and reduce chances of being rooted again?
...and pray if you provide your ssh credentials to a third party
I heard the Grsecurity Kernel is not vulnerable to this.
1h.com products are vulnerables, since they protect against barely nothing and only provide very old binaries. We got infected while using them. You need to protect the kernel first.
Best option to go is CloudLinux on cPanel IMHO. I did not tried BetterLinux, but i'm not sure it would be benefical for this kind of thing. Seems like it's working pretty much like 1h products.