Limit number of brute force emails?
Hello
I am having problems with my server.
I activated the CSF/LFD firewall and have blocked more than 50 countries, but I'm still getting approximately 90 notifications per hour of IPs trying to gain access by brute force to emails and cPanel.
CC_DENY = RU,KR,VN,FR,TW,IN,SG,ID,PL,CN,BR,IE,PT,DE,IT,IR,TH,JP,UA,NL,CZ,AL,HR,HK,KZ,PK,RS,BD,BZ,TR,KE,ZW,MY,AW,RO,ZA,SC,PH,SD,HK,AU,SE,MU,LV,NA,AR,NZ,SV,BG,VE
These are some of the messages:
Time: Wed Apr 10 14:31:01 2019 -0500
IP: 38.140.192.165 (US/United States/-)
Failures: 5 (cpanel)
Interval: 3600 seconds
Blocked: Temporary Block for 900 seconds [LF_CPANEL]
Log entries:
[2019-04-10 13:37:14 -0500] info [cpaneld] 38.140.192.165 - - "HEAD / HTTP/1.1" FAILED LOGIN cpaneld: user name not provided or invalid user
[2019-04-10 13:51:01 -0500] info [cpaneld] 38.140.192.165 - - "HEAD / HTTP/1.1" FAILED LOGIN cpaneld: user name not provided or invalid user
[2019-04-10 14:20:17 -0500] info [cpaneld] 38.140.192.165 - - "HEAD / HTTP/1.1" FAILED LOGIN cpaneld: user name not provided or invalid user
[2019-04-10 14:29:03 -0500] info [cpaneld] 38.140.192.165 - - "HEAD / HTTP/1.1" FAILED LOGIN cpaneld: user name not provided or invalid user
[2019-04-10 14:30:56 -0500] info [cpaneld] 38.140.192.165 - - "HEAD / HTTP/1.1" FAILED LOGIN cpaneld: user name not provided or invalid user
I have the firewall properly configured, but I do not know how I can prevent so many connections from reaching my server. Could you help me?
Have you tried...
LF_CPANEL = 5 Default: 5 [0-100]
LF_CPANEL_PERM = 1 Default: 1 [0-604800]
You are only blocking them for 15 minutes. If you have these settings for a few days then most of the offending IPs will be in the csf.deny list.
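As an added illustration (not lfd's own code and not written by any poster in this thread), the Python below applies the rule the alert reports, 5 failures within 3600 seconds, to cpaneld log lines, assuming a simple per-IP sliding window. The function names and the five 198.51.100.9 lines are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# The first five lines are the cpaneld entries quoted in the alert above.
# The five 198.51.100.9 lines are constructed: same volume, spaced 25 minutes apart.
SAMPLE_LOG = """\
[2019-04-10 13:37:14 -0500] info [cpaneld] 38.140.192.165 - - "HEAD / HTTP/1.1" FAILED LOGIN cpaneld: user name not provided or invalid user
[2019-04-10 13:51:01 -0500] info [cpaneld] 38.140.192.165 - - "HEAD / HTTP/1.1" FAILED LOGIN cpaneld: user name not provided or invalid user
[2019-04-10 14:20:17 -0500] info [cpaneld] 38.140.192.165 - - "HEAD / HTTP/1.1" FAILED LOGIN cpaneld: user name not provided or invalid user
[2019-04-10 14:29:03 -0500] info [cpaneld] 38.140.192.165 - - "HEAD / HTTP/1.1" FAILED LOGIN cpaneld: user name not provided or invalid user
[2019-04-10 14:30:56 -0500] info [cpaneld] 38.140.192.165 - - "HEAD / HTTP/1.1" FAILED LOGIN cpaneld: user name not provided or invalid user
[2019-04-10 12:00:00 -0500] info [cpaneld] 198.51.100.9 - - "HEAD / HTTP/1.1" FAILED LOGIN cpaneld: user name not provided or invalid user
[2019-04-10 12:25:00 -0500] info [cpaneld] 198.51.100.9 - - "HEAD / HTTP/1.1" FAILED LOGIN cpaneld: user name not provided or invalid user
[2019-04-10 12:50:00 -0500] info [cpaneld] 198.51.100.9 - - "HEAD / HTTP/1.1" FAILED LOGIN cpaneld: user name not provided or invalid user
[2019-04-10 13:15:00 -0500] info [cpaneld] 198.51.100.9 - - "HEAD / HTTP/1.1" FAILED LOGIN cpaneld: user name not provided or invalid user
[2019-04-10 13:40:00 -0500] info [cpaneld] 198.51.100.9 - - "HEAD / HTTP/1.1" FAILED LOGIN cpaneld: user name not provided or invalid user
"""

LINE_RE = re.compile(
    r'^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} [+-]\d{4})\] info \[cpaneld\] '
    r'(?P<ip>\S+) .*FAILED LOGIN cpaneld'
)

def parse_failures(text):
    """Yield (timestamp, ip) for every cpaneld FAILED LOGIN line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S %z"), m["ip"]

def find_triggers(text, threshold=5, interval=3600):
    """Return {ip: time of the failure that reached `threshold` within `interval` seconds}."""
    window = defaultdict(deque)   # per-IP timestamps still inside the interval
    triggers = {}
    for ts, ip in sorted(parse_failures(text)):
        q = window[ip]
        q.append(ts)
        while ts - q[0] > timedelta(seconds=interval):
            q.popleft()           # drop failures older than the interval
        if len(q) >= threshold and ip not in triggers:
            triggers[ip] = ts
    return triggers

if __name__ == "__main__":
    for ip, ts in find_triggers(SAMPLE_LOG).items():
        print(f"{ip} reached the threshold at {ts.isoformat()}")
```

Only 38.140.192.165 reaches the threshold, on the 14:30:56 failure; the constructed source spaces its five failures so that no 3600-second window ever holds more than three, so it is counted only if the interval is widened.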
Hi fuzzylogic
LF_CPANEL = 5
LF_CPANEL_PERM = 1
I have it configured this way. It has been active on the firewall for 24 hours, and there are still many new IPs that continue to be blocked. There are more than 200 IPs blocked.
I have only 30+ out of 1000 in my csf.deny that have the comment fragment....
# lfd: (PERMBLOCK)
This is probably due to my having cxs installed with all configserver blocklists active except CXS_LF_DIRECTADMIN and CXS_LF_WEBMIN. In particular, CXS_LF_CPANEL has 700+ IPs listed while CXS_LF_POP3D has 500+.
I assume the IPs being added to your csf.deny are already in these two blocklists.
Hi fuzzylogic
How can I activate the lists: CXS_LF_CPANEL and CXS_LF_POP3D?
Thanks.
Hi fuzzylogic,
Can you resolve a similar case (lots of lfd notification emails) that I am facing as well:
Time: Thu Apr 11 12:38:19 2019 -0700
IP: 142.93.xxx.xxx (DE/Germany/-)
Failures: 5 (cpanel)
Interval: 3600 seconds
Blocked: Permanent Block [LF_CPANEL]
Log entries:
[2019-04-11 12:31:51 -0700] info [cpaneld] 149.129.xxx.xxx - - "HEAD / HTTP/1.1" FAILED LOGIN cpaneld: user name not provided or invalid user
[2019-04-11 12:50:07 -0700] info [cpaneld] 149.129.xxx.xxx - - "HEAD / HTTP/1.1" FAILED LOGIN cpaneld: user name not provided or invalid user
[2019-04-11 12:57:23 -0700] info [cpaneld] 149.129.xxx.xxx - - "HEAD / HTTP/1.1" FAILED LOGIN cpaneld: user name not provided or invalid user
[2019-04-11 13:16:43 -0700] info [cpaneld] 149.129.xxx.xxx - - "HEAD / HTTP/1.1" FAILED LOGIN cpaneld: user name not provided or invalid user
[2019-04-11 13:18:16 -0700] info [cpaneld] 149.129.xxx.xxx - - "HEAD / HTTP/1.1" FAILED LOGIN cpaneld: user name not provided or invalid user
Hi fuzzylogic How can I activate the lists: CXS_LF_CPANEL and CXS_LF_POP3
I should have been more clear. Configserver Exploit Scanner (CXS) is a paid plugin from Configserver. It is not the same plugin as ConfigServer Security & Firewall (CSF). If you have both CXS and CSF installed then you can enable CXS IP Reputation System and edit which blocklists to use from within the plugin. I was not trying to advise you to get it, just trying to explain the differences in our csf.deny listings.
Thanks @fuzzylogic for the great advice in this thread. @wahuu and @ard.alberto in addition to what was suggested previously you might also want to check the documentation here: Tips to Make Your Server More Secure - cPanel Knowledge Base - cPanel Documentation