Login fail, login fail, login fail - login succeeds! Is it CPHulk?
I often cannot log in to my server on the first attempt, either with SSH or SFTP. Often, my FTP program will have to retry 5-6 times before I get in (with a saved password, so it's not my typing!). This is on a number of different accounts.
Or, Putty will chuck me out with a 'server unexpectedly closed connection' error several times before it allows me to log in. I don't even get to the 'login as' prompt.
Once I get in, the connection is rock solid and I have no further problems.
The server load average is low, the websites hosted on it are responding quickly, my monitoring tools report no problems.
I noticed that the CPHulk History report shows repeated attempts at SMTP authentication from many different IP addresses (using a non-existent username). Sometimes there are as many as 20 in a minute. Because they are all from different IPs (but clearly controlled from a single source, as they are all using the same non-existent username!), I can't see how to block them.
Could this be the cause of the login problem? If CPHulk is getting battered by dodgy logins, is it rate limiting in some way? Or is there something else I can check? Is there a fix?
In my experience, it's CPHulk. Do you have CSF installed at all?
Oh good, at least it's a known thing. Yes, I do have CSF installed, does that help?
If you have CSF installed it's often best to just disable CPHulk entirely. CSF will monitor the same logs that CPHulk does. Sometimes SSH can get tied up if it's being brute forced; it only allows so many unauthenticated sessions at a time. This can cause the 'server unexpectedly closed connection' error that you received. There are several options to fix this, such as adjusting MaxStartups in the sshd config, but generally it's best to just open a new alternate port in CSF and set the SSH server to run on that alternate port. This usually gets you past enough of the generic bot scans so they don't tie up all the startups (unauthed SSH sessions, i.e. active PW prompts).
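Why a brute-force flood turns into intermittent "server unexpectedly closed connection" errors follows from how sshd's MaxStartups random early drop works. The Python model below is an added example, not code from this thread or from OpenSSH: it reimplements the documented start:rate:full semantics (default 10:30:100), and the function names and the sample session counts are my own.

```python
def parse_max_startups(value: str) -> tuple[int, int, int]:
    """Parse an sshd_config MaxStartups value: '10' or 'start:rate:full'.

    A plain number is a hard cap with no early drop, so it is modelled
    as start == full with rate 100.
    """
    parts = value.split(":")
    if len(parts) == 1:
        cap = int(parts[0])
        return cap, 100, cap
    if len(parts) != 3:
        raise ValueError(f"bad MaxStartups value: {value!r}")
    start, rate, full = (int(p) for p in parts)
    if not (0 < start <= full and 0 <= rate <= 100):
        raise ValueError(f"bad MaxStartups value: {value!r}")
    return start, rate, full


def drop_probability(unauth: int, start: int, rate: int, full: int) -> int:
    """Percent chance sshd refuses a new connection when `unauth`
    unauthenticated sessions (bots sitting at password prompts) are
    already open: 0 below `start`, `rate` at `start`, ramping linearly
    to 100 at `full`.  Truncating integer arithmetic, as sshd computes it.
    """
    if unauth < start:
        return 0
    if unauth >= full:
        return 100
    p = (100 - rate) * (unauth - start) // (full - start)
    return p + rate


def expected_attempts(unauth: int, value: str = "10:30:100") -> float:
    """Mean number of connection attempts a legitimate user needs before
    one survives the early drop (geometric distribution on the survival
    probability).  inf means every attempt is refused.
    """
    start, rate, full = parse_max_startups(value)
    p = drop_probability(unauth, start, rate, full)
    if p >= 100:
        return float("inf")
    return 100 / (100 - p)


if __name__ == "__main__":
    # Constructed scenario: a bot swarm holding 80 unauthenticated sessions
    # open against the default MaxStartups 10:30:100.
    for unauth in (5, 40, 80, 100):
        print(unauth, "open ->", f"{expected_attempts(unauth):.2f} attempts on average")
```

With 80 unauthenticated sessions held open, a legitimate user needs about six attempts on average, which matches the retry behaviour described in the question; dropping the unauthenticated count (alternate port, CSF blocking) is what brings it back to one.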
I have CPHulk still applied as well as CSF, but then I'm no expert. I would also suggest moving SSH to a different port, somewhere below 1000. Before you do though, ensure that your IP is whitelisted in CSF, Host Access Control and CPHulk. When you've done all this, close port 22 in CSF.
Many thanks for the help, I will close port 22 and put SSH on another port.
Hello :) You may also find this guide helpful: SSH Hardening Guide. Thank you.