brute forcing all accounts
Hi all,
I am pretty new to this so I might be worrying about nothing.
I can see in my login_log file that certain IPs are trying to brute force into accounts. While I am new to this, I know this is very common and "part and parcel" of running a web server.
The issue I have is coming from several IPs that are systematically trying to brute force every username from cPanel.
They are attempting to brute force them 3 times each, then move on to the next. So OK, someone's trying to find a weak password, nothing out of the ordinary, but my concern is they are going through each username on the server, and I mean EACH and EVERY username; they are not missing a single one out.
Most of the other brute force attacks are directed at either a single user account or the root account. Is this something to be concerned about?
Any info would be of great help.
Thanks.
Dave
-
Hello :) You should ensure a firewall such as CSF is installed to help prevent the brute force attempts. In addition, you can enable cPHulk brute force protection as an additional security measure. It's difficult to say how exactly the usernames on your system were discovered. The "Security Advisor" is a good place to start in order to determine methods to increase the overall security of the server: "WHM Home » Security Center » Security Advisor". However, you may also want to consult with a qualified security specialist to have your server's security audited. Thank you.
Hi Michael, Cheers for the feedback, it's very much appreciated. I have CSF and cPHulk installed/enabled already. I am having a bit of a problem with Jail Apache: I have it enabled but the Security Advisor thinks it's disabled (I'll look further into this myself). [QUOTE]However, you may also want to consult with a qualified security specialist to have your server's security audited.[/QUOTE]
By this I take it the usernames should not be being hit like they are and this is out of the ordinary. Cheers, Dave
It sounds like (at least) one of the accounts in your server is already compromised, and the attacker was able to get a list of all accounts in the server.
[quote="quietFinn, post: 1541871"]It sounds like (at least) one of the accounts in your server is already compromised, and the attacker was able to get list of all accounts in the server.[/quote]
I concur with this. Start with a ClamAV and/or Maldet scan of all the public_html directories on your server and go from there.
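
An added example, not written by any poster in this thread: one way to separate the pattern described in the question (a few attempts against every account) from the usual single-account attacks is to measure how much of the server's real account list each source IP touches. The log layout, account names and IP addresses below are constructed for the example; a real login_log line is laid out differently and needs its own pattern.

```python
import re
from collections import Counter, defaultdict

# Assumed, simplified layout: [timestamp] service ip username FAILED
LINE_RE = re.compile(r"^\[[^\]]+\] \S+ (?P<ip>\S+) (?P<user>\S+) FAILED$")
ACCOUNTS = ["alice", "bob", "carol", "dave", "erin"]  # constructed account list

def sample_lines():
    """Constructed log lines, not taken from a real server."""
    lines = []
    for user in ACCOUNTS:  # sweep: 3 tries per account, every account
        lines += [f"[2014-01-10 03:00:00] cpaneld 203.0.113.7 {user} FAILED"] * 3
    lines += ["[2014-01-10 03:05:00] cpaneld 198.51.100.9 root FAILED"] * 40
    lines += ["[2014-01-10 09:12:00] cpaneld 192.0.2.5 bob FAILED"]
    return lines

def failed_by_ip(lines):
    """Map source IP -> Counter of usernames it failed to log in as."""
    per_ip = defaultdict(Counter)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            per_ip[m["ip"]][m["user"]] += 1
    return per_ip

def classify(per_ip, accounts, coverage_min=0.8, single_min=10):
    """Label each IP as 'sweep', 'single-target' or 'noise'.

    coverage = share of the server's real accounts the IP tried.
    Returns {ip: (label, coverage, max tries against one name)}.
    """
    accounts = set(accounts)
    report = {}
    for ip, users in per_ip.items():
        hit = set(users) & accounts
        coverage = len(hit) / len(accounts) if accounts else 0.0
        most = max(users.values())
        if coverage >= coverage_min and len(hit) > 1:
            label = "sweep"          # attacker appears to hold the account list
        elif most >= single_min:
            label = "single-target"  # hammering one name such as root
        else:
            label = "noise"          # e.g. a user mistyping a password
        report[ip] = (label, round(coverage, 2), most)
    return report

if __name__ == "__main__":
    for ip, row in sorted(classify(failed_by_ip(sample_lines()), ACCOUNTS).items()):
        print(ip, *row)
```

An IP whose coverage is close to 1.0 with a low per-name count is the case the replies treat as a sign that the account list has leaked.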