-
02-08-2014, 12:15 PM #1Newbie
- Join Date
- Aug 2010
- Posts
- 16
Block proxy connections to cpanel server?
We've had an interesting couple of days where someone is running some kind of script that is attempting to brute force login user accounts, FTP, and email. I have been blacklisting the attack IPs as fast as they come up but it's too time consuming. Does anyone know if there's a way to block all proxy connections from other countries or a better method of blacklisting? Also, does anyone know if the cPanel blacklisting affects FTP and email services or is it only used for website access? Any information would be much appreciated.
-
02-08-2014, 12:19 PM #2Geek Of All Trades
- Join Date
- Jul 2009
- Location
- NC
- Posts
- 938
Install and configure CSF to handle this.
This is not meant to specifically block proxy connections. It will automatically block IPs with too many failed login attempts to various services.
-
02-08-2014, 12:23 PM #3Newbie
- Join Date
- Aug 2010
- Posts
- 16
-
02-08-2014, 12:43 PM #4
> brute force login user accounts, FTP, and email.
Is the brute forcing causing you an issue? If not, I would just ignore it. Servers typically receive many brute force attempts every day; it's pretty normal. As long as you're using strong passwords you shouldn't have much to worry about. Also, do you have cphulk enabled in WHM? You may want to tweak the settings. http://docs.cpanel.net/twiki/bin/vie...WHMDocs/CPHulk
-
02-08-2014, 12:56 PM #5Newbie
- Join Date
- Aug 2010
- Posts
- 16
I haven't seen it cause an issue except for just being annoying. Most of the time the account name structure they're using isn't even correct so no password combination could possibly ever work. This leads me to believe it's just some script kiddie who found a brute force script (probably coded for multiple platforms and not just cPanel). I do indeed have cphulk enabled but I may need to tweak it a little. I know it's working because it dropped the hammer on me while connected to SSH and I had to whitelist my connection. So far the csf looks promising as well and if possible I'll get it and cphulk tweaked to resolve this. Thank you both for the assistance, it's much appreciated.
-
02-08-2014, 01:17 PM #6Web Hosting Master
- Join Date
- Sep 2010
- Location
- /usr/bin/fail
- Posts
- 859
Install CSF Firewall then go edit /etc/csf/csf.blocklists and remove the # before each list you would like to use.
Then restart csf and lfd and you're good to go.
MaxMind proxy list is the last one on the bottom, but I would probably use the TOR Exit node list also.
CSF also does bruteforce banning for different services and you can either temp ban or perm ban once the threshold has been met.
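Added example, not part of the original post and not code shipped with CSF: a small shell helper for the step described above, which uncomments one named entry in a file laid out like csf.blocklists (NAME|INTERVAL|MAX|URL) while leaving descriptive comment lines alone. The function names, the sample entry names and the example.invalid URLs are constructed stand-ins; use the entry names found in your own /etc/csf/csf.blocklists.

```shell
#!/bin/sh
# Write a constructed sample in the csf.blocklists layout to the path in $1.
write_sample() {
    cat > "$1" <<'EOF'
# Constructed sample; entry names and URLs are placeholders.
# TOR exit node list (description line, stays a comment)
#TOR|86400|0|https://lists.example.invalid/tor.txt
# Proxy list (description line, stays a comment)
#MAXMIND|86400|0|https://lists.example.invalid/proxies.txt
EOF
}

# Print the names of entries that are active (not commented out).
list_enabled() {
    awk -F'[|]' '/^[A-Z0-9_]+[|][0-9]+[|][0-9]+[|]/ { print $1 }' "$1"
}

# Uncomment exactly one entry by name.
# Returns 0 if enabled (or already enabled), 1 if not found, 2 on a bad name.
enable_blocklist() {
    file=$1 name=$2
    # Reject anything that is not a plain list name before it reaches a regex.
    case $name in ''|*[!A-Z0-9_]*) return 2 ;; esac
    if grep -Eq "^${name}[|][0-9]+[|][0-9]+[|]" "$file"; then
        return 0                    # already active, leave the file untouched
    fi
    # Match only real entries (name plus two numeric fields), not prose comments.
    grep -Eq "^#[[:space:]]*${name}[|][0-9]+[|][0-9]+[|]" "$file" || return 1
    cp -p "$file" "$file.bak"       # keep a copy of the previous state
    sed -E "s/^#[[:space:]]*(${name}[|][0-9]+[|][0-9]+[|])/\1/" \
        "$file.bak" > "$file"
}

# Demo on a temporary copy of the constructed sample.
demo() {
    f=$(mktemp) || return 1
    write_sample "$f"
    enable_blocklist "$f" TOR
    enable_blocklist "$f" MAXMIND
    list_enabled "$f"
    rm -f "$f" "$f.bak"
}
demo
```

On a real server, point `enable_blocklist` at /etc/csf/csf.blocklists, then restart csf and lfd as the post says so the change takes effect.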
-
02-08-2014, 01:24 PM #7Newbie
- Join Date
- Aug 2010
- Posts
- 16
-
02-10-2014, 11:03 AM #8Newbie
- Join Date
- Aug 2010
- Posts
- 16
I just wanted to post a follow-up in case anyone else stumbles across this. The included block lists in csf have made a big difference. We still get an attack every once in a while but it has been drastically reduced. I'd recommend this to everyone, even if you don't have the issue yet. It would have been a great preventative measure had I known about it before. Thanks to everyone who helped get this worked out.
-
02-10-2014, 11:35 AM #9Web Host Reviewer
- Join Date
- Feb 2006
- Location
- Kepler 62f
- Posts
- 16,703
I saw this on one of my servers last week. CSF blocked about 75 IPs within an hour or two. They were all cheap VPS plans from the likes of Psychz, OVH, Krypt, EGI, etc --- total crap hosts in my opinion, because a majority of their users are spammers and script kiddies. It's getting where I've started to firewall entire ASNs for dirty hosting ranges, in addition to certain country blocks (mostly China, Russia -- places where I have no legit traffic sources).
-
02-10-2014, 11:57 AM #10Newbie
- Join Date
- Aug 2010
- Posts
- 16
I completely agree. It didn't take me long to abandon the single IP bans. If it was outside the US I just started /16 banning them all. Most of our attacks seem to have originated from Vietnam, Philippines, and India. There were a lot of Middle Eastern countries as well. As fast as the attacks were coming in it was either a distributed attack (unlikely) or some script kiddie found a script that jumps proxies. Not really a major deal but the constant stream of notifications hitting my cell phone was extremely annoying.
-
02-10-2014, 11:59 AM #11Web Hosting Master
- Join Date
- Sep 2010
- Location
- /usr/bin/fail
- Posts
- 859
Good to hear that got you fixed up. Those block lists used to be in the config, but they moved them out to their own file to enable, so a lot of people that are new to CSF do not know about them since no one ever reads the manual.
-
02-10-2014, 12:04 PM #12Newbie
- Join Date
- Aug 2010
- Posts
- 16
-
02-10-2014, 12:21 PM #13Newbie
- Join Date
- Mar 2007
- Posts
- 12
Additionally, I would recommend enabling cPHulk protection.
cPHulk protects your vital services by disabling authentication to those services after a brute force attack is detected. It protects cPanel, WHM, SSH, FTP, IMAP, and POP3 from brute force authentication attacks. cPHulk will remain transparent to the attacker, whose authentication attempts will feel normal even while authentication is disabled. Thus, you can get substantial information about the attack. You can even customize authentication thresholds and lockout times! You can also set blacklists and whitelists for IP ranges. Refer to the cPanel documentation for more details.
-
02-10-2014, 03:26 PM #14Web Hosting Master
- Join Date
- Sep 2010
- Location
- /usr/bin/fail
- Posts
- 859
Actually CSF bruteforce protection replaces cpHulk. So you need to disable cpHulk if you have the bruteforce protection in CSF turned on.
-
02-10-2014, 03:29 PM #15Web Hosting Guru
- Join Date
- Sep 2008
- Location
- U.K
- Posts
- 278