cPHulk failed mail login
I've recently set up my first VPS, which is running cPHulk, and cPHulk has reported several failed login attempts:
5 failed login attempts to account users@192 (mail) -- Large number of attempts from this IP: xxx.xxx.xxx.xxx
I imagine this is just a run of the mill thing, but as I'm new to server administration I don't want to ignore any potential security holes! Based on cPHulk's report, does this sound like a benign or a malicious intrusion? Is it anything I need to be concerned about? Do I need to take any further action, other than blacklisting the intruder's IP in cPHulk? Lastly, is there any significance to the username users@192? Thanks for any advice.
It's common when you have many websites or a few famous websites on your server. Install CSF firewall (if you don't have it on your server). Using CSF firewall, you can block an IP range. For example, to block 111.111.xxx.xxx you can block the range 111.111.0.0/16.
[quote="ravi9, post: 1502372"]Install CSF firewall (if you don't have it on your server). Using CSF firewall, you can block an IP range. For example, to block 111.111.xxx.xxx you can block the range 111.111.0.0/16.[/quote]
It's reassuring to hear that these sorts of attempts are normal and not something to be concerned about. Thanks for the CSF suggestion. I do have CSF installed and I checked - it blacklisted the IP already :)
[quote="jnicol, post: 1502801"]Thanks for the CSF suggestion. I do have CSF installed and I checked - it blacklisted the IP already :)[/quote]
CSF by default will not block an IP range. It will only block one IP at a time. If you are getting repeated alert mails from a particular IP range, it is better to block the complete IP range manually in CSF firewall. For example, to block 111.111.xxx.xxx you can block the range 111.111.0.0/16. I also follow this rule on my server :)
[quote="ravi9, post: 1503022"]CSF by default will not block an IP range. It will only block one IP at a time.[/quote]
I'll make sure to block the range manually in CSF. Thanks for the tip!
Hello :) I would be cautious of blocking an entire range based on a single cPhulkd notification. It's possible that it could be a legitimate user that forgot their password, and blocking an entire range could lead to them being blocked from the entire server. Thank you.
Well in this case I'm the only user, so it's definitely not legitimate! But I hear what you're saying, and perhaps a good policy would be to block the single IP, and only block the range if there is another attempt from the same range.
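The escalation policy the last two replies arrive at (block the single IP first, widen to the range only after a second address from the same range shows up, and never widen over a range a legitimate user connects from), as an added example that is not part of the original thread. The function name, the `allowlist` parameter and the private-range sample addresses are constructed for illustration; the output is a list of CIDR entries to review before adding them to a deny list.

```python
import ipaddress
from collections import defaultdict


def plan_blocks(offenders, allowlist=(), prefix=16):
    """Return sorted CIDR strings to deny for a list of offending IPv4 addresses.

    A whole /prefix range is proposed only when two or more distinct
    offending addresses fall inside it and no allowlisted address does.
    Otherwise each offender is proposed as a single /32.
    """
    allowed = [ipaddress.IPv4Address(a) for a in allowlist]
    by_net = defaultdict(set)
    for raw in offenders:
        ip = ipaddress.IPv4Address(raw)
        if ip in allowed:
            continue  # a known-good address is never blocked
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        by_net[net].add(ip)  # a set, so repeats from one IP count once

    plan = []
    for net, ips in by_net.items():
        has_known_good = any(a in net for a in allowed)
        if len(ips) >= 2 and not has_known_good:
            plan.append(net)  # repeated hits from the range: block it
        else:
            plan.extend(ipaddress.ip_network(f"{ip}/32") for ip in ips)
    return [str(n) for n in sorted(plan)]


# Constructed sample: source addresses taken from failed-login notifications.
SAMPLE_OFFENDERS = [
    "10.1.2.3", "10.1.77.8", "10.1.2.3",  # two distinct IPs in 10.1.0.0/16
    "10.9.0.4",                           # a single IP in its range
    "10.20.5.5", "10.20.6.6",             # range shared with a real user
]
SAMPLE_ALLOWLIST = ["10.20.0.10"]         # constructed: the admin's own address

if __name__ == "__main__":
    for entry in plan_blocks(SAMPLE_OFFENDERS, SAMPLE_ALLOWLIST):
        print(entry)
```

A /16 covers 65,536 addresses, so passing a narrower `prefix` such as 24 keeps the collateral of a range block smaller.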