  1. #1

    Block proxy connections to cpanel server?

    We've had an interesting couple of days where someone is running some kind of script that is attempting to brute force login user accounts, FTP, and email. I have been blacklisting the attack IPs as fast as they come up, but it's too time-consuming. Does anyone know if there's a way to block all proxy connections from other countries, or a better method of blacklisting? Also, does anyone know if the cPanel blacklisting affects FTP and email services, or is it only used for website access? Any information would be much appreciated.

  2. #2
    Install and configure CSF to handle this.

    This is not meant to specifically block proxy connections. It will automatically block IPs with too many failed login attempts to various services.

  3. #3
    Quote Originally Posted by GORF View Post
    Install and configure CSF to handle this.

    This is not meant to specifically block proxy connections. It will automatically block IPs with too many failed login attempts to various services.
    Thank you for the link and quick response. I'll take a look at it and hope it takes care of the problem.

  4. #4
    > brute force login user accounts, FTP, and email.

    Is the brute forcing causing you an issue? If not, I would just ignore it. Servers typically receive many brute force attempts every day; it's pretty normal. As long as you're using strong passwords you shouldn't have much to worry about. Also, do you have cPHulk enabled in WHM? You may want to tweak the settings. http://docs.cpanel.net/twiki/bin/vie...WHMDocs/CPHulk

  5. #5
    Quote Originally Posted by Ethernet Servers View Post
    > brute force login user accounts, FTP, and email.

    Is the brute forcing causing you an issue? If not, I would just ignore it. Servers typically receive many brute force attempts every day; it's pretty normal. As long as you're using strong passwords you shouldn't have much to worry about. Also, do you have cPHulk enabled in WHM? You may want to tweak the settings. http://docs.cpanel.net/twiki/bin/vie...WHMDocs/CPHulk
    I haven't seen it cause an issue except for just being annoying. Most of the time the account name structure they're using isn't even correct, so no password combination could possibly ever work. This leads me to believe it's just some script kiddie who found a brute force script (probably coded for multiple platforms and not just cPanel). I do indeed have cPHulk enabled, but I may need to tweak it a little. I know it's working because it dropped the hammer on me while I was connected to SSH and I had to whitelist my connection. So far CSF looks promising as well, and if possible I'll get it and cPHulk tweaked to resolve this. Thank you both for the assistance; it's much appreciated.

  6. #6
    Install CSF Firewall then go edit /etc/csf/csf.blocklists and remove the # before each list you would like to use.

    Then restart csf and lfd and you're good to go.

    The MaxMind proxy list is the last one at the bottom, but I would probably use the Tor exit node list also.

    CSF also does brute force banning for different services, and you can either temp ban or perm ban once the threshold has been met.
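
    The steps above (uncomment the wanted entries in /etc/csf/csf.blocklists, then restart csf and lfd) as an added, runnable example; this is not code from the thread or from CSF itself. It assumes the file's line layout is `NAME|INTERVAL|MAX|URL` with a leading `#` marking a disabled list, that list names are plain alphanumeric/underscore tokens, and it works on a constructed sample file with placeholder URLs rather than the real shipped file. The restart command at the end of the usage note is assumed to be `csf -ra`.

    ```shell
    #!/bin/sh
    # Added example (not CSF's own code): enable named entries in a file that uses
    # the csf.blocklists layout, NAME|INTERVAL|MAX|URL, where a leading '#' means
    # the list is disabled. Assumes list names are alphanumeric/underscore tokens.

    # Print the names of the enabled (uncommented) entries, one per line, in file order.
    list_enabled_blocklists() {
        grep -v '^[[:space:]]*#' "$1" | grep '|' | cut -d'|' -f1 | sed 's/[[:space:]]//g'
    }

    # Uncomment the entries named in $2.. in file $1; every other line is left as-is.
    # Written through a temp file rather than `sed -i` so it works with any POSIX sed.
    enable_csf_blocklists() {
        file=$1; shift
        tmp=$(mktemp) || return 1
        for name in "$@"; do
            # Strip only a leading '#' (plus any spaces) from a line that starts with NAME|
            sed "s/^[[:space:]]*#[[:space:]]*\(${name}|\)/\1/" "$file" > "$tmp" \
                && cat "$tmp" > "$file" || { rm -f "$tmp"; return 1; }
        done
        rm -f "$tmp"
    }

    # Exit 0 if list $2 is enabled in file $1, 1 otherwise (handy as a post-edit check).
    blocklist_enabled() {
        list_enabled_blocklists "$1" | grep -qx "$2"
    }

    # Constructed sample in the csf.blocklists layout (placeholder URLs; this is
    # not the real shipped file). Written to the path given in $1.
    write_sample_blocklists() {
        cat > "$1" <<'EOF'
# Constructed sample of /etc/csf/csf.blocklists (not the real file)
#SPAMDROP|86400|0|https://example.invalid/drop.txt
#TOR|86400|0|https://example.invalid/tor-exit-nodes.txt
#MAXMIND|86400|0|https://example.invalid/maxmind-anonymous-proxies.txt
EOF
    }

    # Demo against a temporary copy. On a real server the file is
    # /etc/csf/csf.blocklists and you would restart csf and lfd afterwards.
    demo_dir=$(mktemp -d)
    write_sample_blocklists "$demo_dir/csf.blocklists"
    enable_csf_blocklists "$demo_dir/csf.blocklists" TOR MAXMIND
    echo "Enabled lists:"
    list_enabled_blocklists "$demo_dir/csf.blocklists"
    rm -rf "$demo_dir"
    ```

    On a live server the call would be `enable_csf_blocklists /etc/csf/csf.blocklists TOR MAXMIND`, followed by a check with `blocklist_enabled /etc/csf/csf.blocklists TOR` and then a restart of csf and lfd (assumed here to be `csf -ra`). Back up the file first; the function rewrites it in place, and lfd will not fetch a list until it has been restarted.
    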

  7. #7
    Quote Originally Posted by FLDataTeK View Post
    Install CSF Firewall then go edit /etc/csf/csf.blocklists and remove the # before each list you would like to use.

    Then restart csf and lfd and you're good to go.

    The MaxMind proxy list is the last one at the bottom, but I would probably use the Tor exit node list also.

    CSF also does brute force banning for different services, and you can either temp ban or perm ban once the threshold has been met.
    Thanks for the tip. I don't know why it didn't occur to me but I completely forgot about Tor traffic.

  8. #8
    I just wanted to post a follow-up in case anyone else stumbles across this. The included block lists in csf have made a big difference. We still get an attack every once in a while but it has been drastically reduced. I'd recommend this to everyone, even if you don't have the issue yet. It would have been a great preventative measure had I known about it before. Thanks to everyone who helped get this worked out.

  9. #9
    Quote Originally Posted by Bestrafung View Post
    We've had an interesting couple of days where someone is running some kind of script that is attempting to brute force login user accounts, FTP, and email.
    I saw this on one of my servers last week. CSF blocked about 75 IPs within an hour or two. They were all cheap VPS plans from the likes of Psychz, OVH, Krypt, EGI, etc --- total crap hosts in my opinion, because a majority of their users are spammers and script kiddies. It's getting where I've started to firewall entire ASNs for dirty hosting ranges, in addition to certain country blocks (mostly China, Russia -- places where I have no legit traffic sources).

  10. #10
    Quote Originally Posted by kpmedia View Post
    I saw this on one of my servers last week. CSF blocked about 75 IPs within an hour or two. They were all cheap VPS plans from the likes of Psychz, OVH, Krypt, EGI, etc --- total crap hosts in my opinion, because a majority of their users are spammers and script kiddies. It's getting where I've started to firewall entire ASNs for dirty hosting ranges, in addition to certain country blocks (mostly China, Russia -- places where I have no legit traffic sources).
    I completely agree. It didn't take me long to abandon the single IP bans. If it was outside the US, I just started /16 banning them all. Most of our attacks seem to have originated from Vietnam, the Philippines, and India. There were a lot of Middle Eastern countries as well. As fast as the attacks were coming in, it was either a distributed attack (unlikely) or some script kiddie found a script that jumps proxies. Not really a major deal, but the constant stream of notifications hitting my cell phone was extremely annoying.
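
    The range-level banning described in the two posts above, as an added example that is not from the thread or from CSF: it takes a list of attacking IPv4 addresses, counts distinct addresses per /16, and prints csf.deny-style lines (`CIDR # comment`) only for ranges that pass a threshold, so the collateral cost of a /16 (up to 65,536 addresses, legitimate users included) is at least weighed against how much of the range is actually hostile. The addresses are a constructed sample from the RFC 5737 documentation ranges; on a real box they would come from lfd's log or csf.deny. The output is meant for review, not for piping straight into `csf -d`.

    ```shell
    #!/bin/sh
    # Added example (not from the thread or CSF): summarise attacking IPv4
    # addresses by /16 and emit csf.deny-style lines for ranges over a threshold.
    # Input: one IPv4 address per line on stdin; duplicates are counted once and
    # anything that is not a dotted quad is ignored.

    aggregate_to_slash16() {
        # $1 = minimum number of distinct attacking IPs before a /16 is listed
        awk -F. -v min="$1" '
            $0 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
                if ($0 in seen) next        # count each address once
                seen[$0] = 1
                n[$1 "." $2]++              # key = first two octets of the /16
            }
            END {
                for (k in n)
                    if (n[k] >= min)
                        printf "%s.0.0/16 # %d attacking IP(s)\n", k, n[k]
            }' | sort
    }

    # Constructed sample (RFC 5737 documentation ranges), standing in for the
    # addresses you would extract from lfd's log or csf.deny on a real server.
    # It includes a duplicate and a non-IP line to show both are handled.
    sample_attackers() {
        printf '%s\n' 198.51.100.5 198.51.100.7 198.51.101.9 198.51.100.5 \
                      203.0.113.4 192.0.2.1 not-an-ip
    }

    # Demo: with a threshold of 2, only the /16 holding three distinct attackers
    # is listed; the single-address ranges are left alone.
    sample_attackers | aggregate_to_slash16 2
    ```

    A threshold of 1 reproduces the blanket "/16 everything" approach from the post and is there mainly to show how much wider it is; in practice a range-level deny is better expressed through CSF's own CC_DENY country setting or the blocklists than by hand-collected /16s, and any /16 you do add to csf.deny should carry the comment so the reason survives a later review.
    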

  11. #11
    Good to hear that got you fixed up. Those block lists used to be in the config, but they moved them out to their own file to enable, so a lot of people who are new to CSF don't know about it, since no one ever reads the manual.

  12. #12
    Quote Originally Posted by FLDataTeK View Post
    Good to hear that got you fixed up. Those block lists used to be in the config, but they moved them out to their own file to enable, so a lot of people who are new to CSF don't know about it, since no one ever reads the manual.
    Haha, I try to read the manuals, but anymore, manuals and man pages should just have a TL;DR section for those of us too busy to read a novel.

  13. #13
    Additionally, I would recommend enabling cPHulk protection.

    cPHulk protects your vital services by disabling authentication to those services after a brute force attack is detected. It protects cPanel, WHM, SSH, FTP, IMAP, and POP3 from brute force authentication attacks. cPHulk remains transparent to the attacker, whose authentication attempts will feel normal even while authentication is disabled. Thus, you can get substantial information about the attack. You can even customize authentication thresholds and lock-out times. You can also set blacklists and whitelists for IP ranges. Refer to the cPanel documentation for more details.

  14. #14
    Actually, CSF brute force protection replaces cPHulk. So you need to disable cPHulk if you have the brute force protection in CSF turned on.

  15. #15
    Quote Originally Posted by FLDataTeK View Post
    Actually, CSF brute force protection replaces cPHulk. So you need to disable cPHulk if you have the brute force protection in CSF turned on.
    I have seen both work in tandem together. Not best advised, but it does work without too many conflicts (CSF seems to take priority).
