Root login from dnsonly
-
Hey there! Can you provide a bit more information? What specific login data are you seeing on your side? Is this in /var/log/secure or somewhere else on the machine?
-
Yes, we get root login alerts from the DNS only server to whostmgrd (WHM).
I remember them from a while back, but it’s now almost every day; however, the timings seem very consistent.
We restrict by IP address. This is a login from the DNS server IP, so it seems to be an automated login. Just wondered what it’s actually logging in for.
-
PS: the DNS only server has a reverse trust connection, as the servers are in the DNS cluster.
-
Hi,
I suspect the login to WHM is a result of the DNS Cluster performing tasks such as synchronizing the DNS zones or performing a status check. Can you see similar entries that happened around the same time as the root login alert in the following log?
/usr/local/cpanel/logs/api_tokens_log
If the above log confirms that the login is from DNS Cluster tasks, then you can whitelist the IP of the cPanel server in WHM > cPHulk Brute Force Protection on the DNSOnly server to stop receiving these login alerts.