Large Number of Failed Login Attempts

In case you have received an email notification like this from your cPanel server:

—- —- —- —-

Subject: Large Number of Failed Login Attempts from IP

—- —- —- —-

5 failed login attempts to account root (system) — Large number of attempts from this IP:

Reverse DNS: host.server.tld

Origin Country: <Country> (<2-letter country code>)

Please use the following links to add to the black list:

Single Ip: https://hostname.yourserver.tld:2087/cgi/bl.cgi?ip=
/24: https://hostname.yourserver.tld:2087/cgi/bl.cgi?ip=
/16: https://hostname.yourserver.tld:2087/cgi/bl.cgi?ip=

Please use the following links to add to the white list:

Single Ip: https://hostname.yourserver.tld:2087/cgi/wl.cgi?ip=
/24: https://hostname.yourserver.tld:2087/cgi/wl.cgi?ip=
/16: https://hostname.yourserver.tld:2087/cgi/wl.cgi?ip=

—- —- —- —-

Read on to understand the necessary further action(s).

What does this message mean

cPanel has a security service built in that protects against bruteforce login attacks. It’s called cPHulk Brute Force Protection.

Bruteforce means an attack method involving automated attempts to guess the password, so if someone has entered incorrect passwords several times – then cPHulk would blocks the IP address (for a certain period of time) and send a message to the root contact of the server.

What should be done

Consider the following steps.

Add your own IP to the White List

This will prevent cPHulk from blocking your IP in case you’ve entered wrong password a few times.

  • Log into WHM.
  • Go to Security Center -> cPHulk Brute Force Protection.
  • Click White/Black List Management.

cPHulk List Management

  •  Enter your IP in White List (Trusted IP List) field and click Quick Add.

Add offending IP(s) to the Black List

If someone else tried to log into your server via bruteforce attempts, you will see this in Login/Brute History Report tab.

In case you’re seeing the same IP with numerous failed logins you should consider blocking it via White/Black List Management:

  • Go to White/Black List Management tab
  • Paste the IP in Black List (Rejected IP List) field and click Quick Add.

[alert style=danger]Be careful not to add your own IP to the Black List. This will lock you out in cPanel/WHM.[/alert]

Purge Login/Brute History Report database

All records of failed login attempts are stored in a database. This database may need to be cleared from time to time to conserve system resources and/or to allow a user who has forgotten a password back into your server. You can clear the database by Flush DB – this will empty the report.

Was this article helpful?
Spread the word!