DNS Only and Brute force lockout

Jmz

• December 16, 2013 11:48

I have 2 DNS Only servers setup in a cluster with all my cPanel VPSs. If either one gets brute forced (obviously failed) it will lock root account. Which is normal behavior and acceptable. The problem is that when root account is locked, the servers can no longer access whichever NS was brute forced. So, I get emails alerting me to DNS Cluster errors all day. Which in reality, they don't exist and its difficult to determine whether its a real failure of DNS or just a brute force lockout. Is there a way to prevent blocking access to accounts using the remote access key? Or maybe another workaround where cPanel servers can still query NS servers while brute force lockout is in effect on root account?

• 

  simonas

  • December 16, 2013 17:16

  Hi, Did you saw that CpHulk brute force protection has whitelist capability? Go to cPHulk Brute Force Protection Select White/Black List Management And add your servers ips in White list. They will be allowed to connect.

  0
• 

  Jmz

  • December 16, 2013 17:38

  Thanks. Yeah I saw that but I guess I misinterpreted what it was for. But I added my IPs so we will see.

  0
• 

  cPanelMichael

  • December 16, 2013 17:48

  Hello :) You may want to consider implementing a third-party firewall such as CSF/LFD and then disabling cPhulkd if your servers are under a consistent brute force attack. While cPhulkd is helpful, it will not block the offending IP addresses, which is something a firewall can do. This will help prevent cases when the "root" user is locked out, resulting in failed authentication attempts from the hosting server. Thank you.

  0
• 

  Jmz

  • December 16, 2013 18:15

  [quote="cPanelMichael, post: 1530692">Hello :) You may want to consider implementing a third-party firewall such as CSF/LFD and then disabling cPhulkd if your servers are under a consistent brute force attack. While cPhulkd is helpful, it will not block the offending IP addresses, which is something a firewall can do. This will help prevent cases when the "root" user is locked out, resulting in failed authentication attempts from the hosting server. Thank you.
  Well it isn't quite all day events. Its just 6 WHM servers trying to update DNS and I get cluster errors from those in a 10 min lockout window. I would maybe say it happens twice a day. But I usually blacklist IPs that are trying to brute force root especially on the NS.

  0

Please sign in to leave a comment.