cPanel login attack - login_only=1
I have a domain on my cPanel server which is fronted by CloudFlare and I recently noticed that sometimes the page cannot be loaded as CloudFlare cannot contact the host server. The CloudFlare IPs are whitelisted in the firewall, but it turns out that there were a large number of login attempts coming through CloudFlare, which were failing, then cphulk would eventually block the IP, resulting in the issue I was seeing.
This is a line from /usr/local/cpanel/logs/login_log:
[2015-11-13 17:07:14 +0000] info [cpsrvd] 162.158.153.107 - username "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN cpaneld: invalid cpanel user username (loadcpdata failed)
I don't know what domain that login attempt is hitting - only the "GET" part of the URL (URI?). It must be a domain name rather than direct IP access since it is coming from CloudFlare (presumably being routed through it).
Is there anything I can do to stop this?
Thanks,
Allan
You can add the CloudFlare IP address to your cPHulk white list. Documentation on this option is found at: cPHulk Brute Force Protection - Documentation - cPanel Documentation Thank you.
Yes, sorry I wasn't clear. I know I can white list the IPs and have done so that the domain isn't blocked. However, my question is more about the fact that the site is obviously under some kind of probing attack. Whitelisting IPs that an attack comes from doesn't seem like a particularly good idea - is there something I can do that offers a bit more refinement?
Sorry to bump this - but does anyone have any ideas? I just don't like the idea of whitelisting something that is known to send an attack, but there don't appear to be many options.
Unclear on the issue here. FAILED LOGIN cpaneld: invalid cpanel user username (loadcpdata failed)
The login failed according to that.
The issue is that someone is attempting a brute force attack. cphulk is blocking that, but I can't allow it to block the attack since it would block all CloudFlare users coming from that CloudFlare IP. So in effect there is no brute force protection in this setup. The login did fail (and will continue to fail if they use the user name they are currently attempting it with), but at some point they might get lucky... If there is no option here, then so be it, but if there is something that can be done, I'd like to do so.
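As an added example (not code from the thread or from cPanel), a small Python script that parses lines in the login_log format quoted above, counts FAILED LOGIN events per source IP, and flags the IPs that exceed a threshold but sit in the cPHulk whitelist, i.e. the brute-force traffic that whitelisting the proxy hides from cPHulk. The whitelist contents and the sample log lines are constructed; the regex is derived from the single line quoted in the thread.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Pattern derived from the /usr/local/cpanel/logs/login_log line quoted in the thread;
# everything after the quoted request is kept as free text and checked for "FAILED LOGIN".
LOG_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \w+ \[cpsrvd\] (?P<ip>\S+) - (?P<user>\S+) '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<rest>.*)$'
)

# Stand-in for the cPHulk whitelist (constructed); 162.158.0.0/15 is one of
# Cloudflare's published IPv4 ranges and covers the IP seen in the thread.
CLOUDFLARE_WHITELIST = [ip_network("162.158.0.0/15")]

# Constructed sample lines in the same format as the one quoted in the thread.
SAMPLE_LOG = """\
[2015-11-13 17:07:14 +0000] info [cpsrvd] 162.158.153.107 - username "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN cpaneld: invalid cpanel user username (loadcpdata failed)
[2015-11-13 17:07:16 +0000] info [cpsrvd] 162.158.153.107 - admin "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN cpaneld: invalid cpanel user admin (loadcpdata failed)
[2015-11-13 17:07:19 +0000] info [cpsrvd] 162.158.153.107 - test "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN cpaneld: invalid cpanel user test (loadcpdata failed)
[2015-11-13 17:09:02 +0000] info [cpsrvd] 203.0.113.9 - allan "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN cpaneld: invalid cpanel user allan (loadcpdata failed)
"""

def parse_line(line):
    """Return the fields of one login_log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["failed"] = rec["rest"].startswith("FAILED LOGIN")
    return rec

def is_whitelisted(ip, whitelist=CLOUDFLARE_WHITELIST):
    addr = ip_address(ip)
    return any(addr in net for net in whitelist)

def failed_logins_by_ip(log_text):
    """Count FAILED LOGIN events and the distinct usernames tried, per source IP."""
    stats = defaultdict(lambda: {"failures": 0, "users": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["failed"]:
            stats[rec["ip"]]["failures"] += 1
            stats[rec["ip"]]["users"].add(rec["user"])
    return dict(stats)

def masked_attackers(log_text, threshold=3, whitelist=CLOUDFLARE_WHITELIST):
    """IPs at or over the failure threshold that cPHulk will never block because they are
    whitelisted: the cases the whitelist hides, which need handling upstream at the proxy."""
    return sorted(ip for ip, s in failed_logins_by_ip(log_text).items()
                  if s["failures"] >= threshold and is_whitelisted(ip, whitelist))
```

Run against the real log with `masked_attackers(open("/usr/local/cpanel/logs/login_log").read())`; a non-empty result means the whitelist is masking a brute-force source that cPHulk cannot act on.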
Sounds like a question for the folks at CloudFlare: General Troubleshooting » CloudFlare Support
:-) They said it was one for cPanel. Can I simply block the URL that they are attempting to log into? I don't think that is a service I use myself... (might be wrong!) As I say, I don't even know what domain or port it is being accessed on - the log doesn't give that information.
The system is already blocking these requests to login. The domain doesn't matter here so much, the cPanel account is not the domain of the account, it's the server itself. Domain.com/cpanel is your.server.com The port being used is the same on every cPanel login. 2083 for secure, 2082 for non-secure login.
They said it was one for cPanel.
Why is CloudFlare attacking me?
Super - thank you for the information :-)