Allow only certain countries' IPs to access root
Hi,
Recently I've been blocked by cPHulk Brute Force Protection due to massive login failures caused by hackers. Below are the logs.
116.10.191.172 30 failed login attempts to account root (system) -- Large number of attempts from this IP: 116.10.191.172 2014-07-10 02:58:09 2014-07-24 02:58:09
61.174.51.221 30 failed login attempts to account root (system) -- Large number of attempts from this IP: 61.174.51.221 2014-07-08 16:29:48 2014-07-22 16:29:48
116.10.191.226 30 failed login attempts to account root (system) -- Large number of attempts from this IP: 116.10.191.226 2014-07-08 12:25:40 2014-07-22 12:25:40
116.10.191.213 30 failed login attempts to account root (system) -- Large number of attempts from this IP: 116.10.191.213 2014-07-08 14:34:32 2014-07-22 14:34:32
116.10.191.209 30 failed login attempts to account root (system) -- Large number of attempts from this IP: 116.10.191.209 2014-07-08 15:18:08 2014-07-22 15:18:08
1.93.26.149 30 failed login attempts to account root (system) -- Large number of attempts from this IP: 1.93.26.149 2014-07-08 20:23:12 2014-07-22 20:23:12
61.174.51.203 30 failed login attempts to account admin (system) -- Large number of attempts from this IP: 61.174.51.203 2014-07-08 20:42:57 2014-07-22 20:42:57
116.10.191.195 30 failed login attempts to account admin (system) -- Large number of attempts from this IP: 116.10.191.195 2014-07-08 22:46:22 2014-07-22 22:46:22
60.173.9.26 30 failed login attempts to account root (system) -- Large number of attempts from this IP: 60.173.9.26 2014-07-09 01:28:05 2014-07-23 01:28:05
61.174.50.213 30 failed login attempts to account root (system) -- Large number of attempts from this IP: 61.174.50.213 2014-07-09 12:41:26 2014-07-23 12:41:26
116.10.191.204 30 failed login attempts to account root (system) -- Large number of attempts from this IP: 116.10.191.204 2014-07-09 07:26:09 2014-07-23 07:26:09
218.16.129.142 30 failed login attempts to account calm (system) -- Large number of attempts from this IP: 218.16.129.142 2014-07-09 12:41:30 2014-07-23 12:41:30
116.10.191.210 30 failed login attempts to account root (system) -- Large number of attempts from this IP: 116.10.191.210 2014-07-09 22:04:09 2014-07-23 22:04:09
116.10.191.236 30 failed login attempts to account root (system) -- Large number of attempts from this IP: 116.10.191.236 2014-07-09 20:52:25 2014-07-23 20:52:25
61.147.103.185 30 failed login attempts to account root (system) -- Large number of attempts from this IP: 61.147.103.185 2014-07-10 00:08:37 2014-07-24 00:08:37
61.147.103.71 30 failed login attempts to account root (system) -- Large number of attempts from this IP: 61.147.103.71 2014-07-10 00:23:50 2014-07-24 00:23:50
193.107.17.72 30 failed login attempts to account root (system) -- Large number of attempts from this IP: 193.107.17.72 2014-07-09 23:44:35 2014-07-23 23:44:35
60.173.9.19 30 failed login attempts to account root (system) -- Large number of attempts from this IP: 60.173.9.19 2014-07-10 01:57:40 2014-07-24 01:57:40
116.10.191.163 30 failed login attempts to account root (system) -- Large number of attempts from this IP: 116.10.191.163 2014-07-10 01:44:13 2014-07-24 01:44:13
61.147.103.169 30 failed login attempts to account root (system) -- Large number of attempts from this IP: 61.147.103.169 2014-07-10 03:26:02 2014-07-24 03:26:02
61.174.51.194 30 failed login attempts to account root (system) -- Large number of attempts from this IP: 61.174.51.194
The question is, how can I allow only my country or my computer to access SSH root? This Brute Force Protection makes me unable to log in to my own WHM and SSH. Please advise. Thanks.
You can do that in WHM using Security Center >> Host Access Control. There you can deny SSH for all IPs except one.
[quote="iserversupport, post: 1683102"]You can do that in WHM using Security Center >> Host Access Control. There you can deny SSH for all IPs except one.[/quote]
Thanks iserversupport. By any chance, can it unblock just from the specified country's IPs?
[quote="crliuh, post: 1683221"]By any chance, can it unblock just from the specified country's IPs?[/quote]
crliuh, you can use CSF (default firewall) to block the IPs from specified countries. In the CSF configuration file "/etc/csf/csf.conf" there is an option to block access from an IP range by using a country code.
CC_DENY = ""
Specify the country codes over there ^
Use this link to find the allocations of IPs to countries and their codes.
[quote="crliuh, post: 1683221"]By any chance, can it unblock just from the specified country's IPs?[/quote]
crliuh, you can use CSF (default firewall) to block the IPs from specified countries. In the CSF configuration file "/etc/csf/csf.conf" there is an option to block access from an IP range by using a country code.
CC_DENY = ""
Specify the country codes over there ^
You can find the respective country codes and IPs using a quick Google search. Thanks
Keep in mind blocking or allowing entire countries with CSF creates a very large amount of iptables rules and may affect performance. I simply recommend changing your SSH port to a non-default port number. This stops the majority of random brute-force scans on SSH. Alternately, you could close the SSH port in the firewall config and only whitelist the IP that you are working from. If you did this with CSF, you could always log in to WHM to whitelist a new IP through the ConfigServer panel. Also, disable cPHulk; it's not good for much other than locking you out of your own server.
[quote="triantech, post: 1683242"]crliuh, you can use CSF (default firewall) to block the IPs from specified countries. In the CSF configuration file "/etc/csf/csf.conf" there is an option to block access from an IP range by using a country code. CC_DENY = "" Specify the country codes over there ^ You can find the respective country codes and IPs using a quick Google search. Thanks[/quote]
Thanks triantech. Another concern, raised by quizknows: a large number of iptables rules may affect performance. :confused:
[quote="quizknows, post: 1683352"]Keep in mind blocking or allowing entire countries with CSF creates a very large amount of iptables rules and may affect performance. I simply recommend changing your SSH port to a non-default port number. This stops the majority of random brute-force scans on SSH. Alternately, you could close the SSH port in the firewall config and only whitelist the IP that you are working from. If you did this with CSF, you could always log in to WHM to whitelist a new IP through the ConfigServer panel. Also, disable cPHulk; it's not good for much other than locking you out of your own server.[/quote]
Because my IPs are dynamic, that's why I need to fix the IP within the country range. The best option would be authentication based only on computers. If cPHulk is disabled there will be more failed login attempts. I don't think that's good for my server, right?
crliuh, a quick whois on the IPs which are attacking shows that they are from China. So I think instead of allowing country lists, try to block the IPs from China (if you do not have any valid requests coming from there). And yes, if the CC allow and CC deny lists are filled with a lot of countries, performance might get affected. Also, as quizknows suggested, why not change the default SSH port and, in addition, disable direct root login and create a su user?
[quote="crliuh, post: 1683462"]If cPHulk is disabled there will be more failed login attempts. I don't think that's good for my server, right?[/quote]
cPHulk doesn't block IPs, it only blocks targeted accounts, which is why it's basically worthless. Use CSF/LFD; it will block the attacking IP addresses without locking you out. If you have CSF, then cPHulk is unnecessary; the most it's going to do is stop you from logging in during an attack. Changing your SSH port, and as triantech suggested, a su user with direct root login disabled, is a more reasonable and efficient solution than blocking or allowing entire countries' worth of IP addresses.
[quote="crliuh, post: 1682972"]The question is, how can I allow only my computer to access SSH root? Please advise. Thanks.[/quote]
Just add this line in your file /etc/ssh/sshd_config:
AllowUsers root@your_ip_address_here
After this, only your IP address can access the server via SSH (with the root user). Regards
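An added example, not part of any post in this thread: a shell audit that reads an sshd_config and reports whether the suggestions made in the replies (a non-default port, direct root login disabled, or root pinned to a source address with AllowUsers) are in effect. The finding names, the sample configs and the address 203.0.113.10 are constructed for illustration; it assumes whitespace-separated `Keyword value` lines and reads only the global section before any Match block.

```shell
#!/usr/bin/env bash
# Added example: audit an sshd_config for the hardening suggested in this thread.

# Print the first global value of keyword $1 in file $2. sshd keeps the first
# value it reads for a keyword; keywords are case-insensitive. Assumes
# whitespace-separated "Keyword value" lines; stops at the first Match block.
sshd_value() {
    awk -v key="$1" '
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { $1 = ""; sub(/^ +/, ""); print; exit }
    ' "$2"
}

# Print space-separated findings for config file $1 (empty output = none).
audit_sshd() {
    findings=""
    port=$(sshd_value Port "$1")
    root=$(sshd_value PermitRootLogin "$1" | tr 'A-Z' 'a-z')
    allow=$(sshd_value AllowUsers "$1")

    # Port 22 (or no Port line) is what mass scanners try first.
    if [ "${port:-22}" = 22 ]; then findings="$findings default-port"; fi

    # Direct root login is reachable from anywhere unless it is disabled or
    # every AllowUsers entry matching root is pinned to a host (user@host).
    if [ "$root" != no ]; then
        open=0
        if [ -z "$allow" ]; then open=1; fi
        set -f                                   # keep * in patterns literal
        for entry in $allow; do
            case $entry in
                *@*) ;;                          # source-restricted entry
                *) case root in $entry) open=1 ;; esac ;;
            esac
        done
        set +f
        if [ "$open" = 1 ]; then findings="$findings root-from-any-host"; fi
    fi
    echo "${findings# }"
}

# Constructed sample configs (203.0.113.10 is a documentation address).
tmp=$(mktemp -d)
printf 'Port 22\nPermitRootLogin yes\n' > "$tmp/default"
printf 'Port 22\nPermitRootLogin yes\nAllowUsers root@203.0.113.10\n' > "$tmp/pinned"
printf '# su user\nPort 2222\npermitrootlogin no\nAllowUsers admin\n' > "$tmp/su_user"
for f in default pinned su_user; do
    echo "$f: $(audit_sshd "$tmp/$f")"
done
```

Once AllowUsers is set, sshd refuses every account that matches none of its patterns, so a lone root@address entry also shuts out all other SSH users.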