Solved

cPanel / WHM "Massive Amount of Failures from IP" notices. What should I do?

Posted on 2008-10-01
4
518 Views
Last Modified: 2012-05-05
I have a dedicated server. I use cPanel / Web Host Manager to administer it. cPanel is sending me scores of notices headed "Massive Amount of Failures from IP". The body of the message states "5 login failures attempts to account XXXXX (system) -- too many attempts from this ip" where XXXXX is, I assume, a potential user name such as  rhett.

I assume they haven't broken in yet, or else the messages would stop. I changed my server password about a week ago, and since then these attacks have dramatacally increased. Someone may have had access previously and is upset that they lost it. (or am I just being paranoid?)

How do I harden my system to make sure they don't break in? Since I have been targeted, is there any way to avoid the attack?

I am running REDHAT Enterprise 3 and using WHM 11.23.2 cPanel 11.23.6-R27698

I am a newbie at server administration, so I would appreciate the help of an experienced expert.

Thank you

Brian
0
Comment
Question by:birwin
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
4 Comments
 
LVL 13

Expert Comment

by:Rowley
ID: 22622146
Are the attempts coming from an internal, or external address?
Is the address the same or is it from multiple sources?
Can you block the IP address completely at the firewall?
0
 
LVL 9

Expert Comment

by:khaledf
ID: 22639130
this could be the case, someone is trying a brute force attack to find the password.
you don't have to worry if your password is very stong. it will take them ages to break it.

the draw back is that these requests will slow your server.
0
 
LVL 9

Accepted Solution

by:
khaledf earned 500 total points
ID: 22639235
also see if you have this log file here
/usr/local/cpanel/logs/cphulkd_errors.log

or somewhere else.

this means you are protected against brute force attacks
0
 
LVL 6

Author Closing Comment

by:birwin
ID: 31502262
Thank you. I did have that file. My password uses both letters and numbers, so I think its solid.
0

Featured Post

On Demand Webinar - Networking for the Cloud Era

This webinar discusses:
-Common barriers companies experience when moving to the cloud
-How SD-WAN changes the way we look at networks
-Best practices customers should employ moving forward with cloud migration
-What happens behind the scenes of SteelConnect’s one-click button

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Article by: kevp75
Hey folks, 'bout time for me to come around with a little tip. Thanks to IIS 7.5 Extensions and Microsoft (well... really Windows 8, and IIS 8 I guess...), we can now prime our Application Pools, when IIS starts. Now, though it would be nice t…
If you are a web developer, you would be aware of the <iframe> tag in HTML. The <iframe> stands for inline frame and is used to embed another document within the current HTML document. The embedded document could be even another website.
Suggested Courses

739 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question