Is there any way to automatically ban an IP address after they've made some number of bad password attempts, similar to the banning after N invalid commands? I am running WHM/cPanel and there are daily about 1k+ invalid login attempts from a specific IP address. I've now had two cases in the last 3 weeks where some script kiddie is trying to get onto my server by testing several thousand password variations for various accounts by trying various passes and usernames. The ability to ban an IP address on invalid passwords would have prevented this after the first few bad attempts. Is this possible to configure by WHM or by any method possible? Please help. These attempts slow down my server's cPanel/WHM...
Don't think it is possible to auto-ban.. you can contact your host with the IP and ask them to ban it. If it is from a similar IP range, ban the whole subnet.
Of course it is possible to autoban! Use this Firewall: [sorry, the forum rules do not permit me to tell you] and this for the brute force attacks: [sorry, the forum rules do not permit me to tell you] Google apf bfd. Works like a charm.
There is also a Python script called "DenyHosts" that will check SSH logs, and deny hosts who fail so many times. It's completely configurable, it adds the IPs to hosts.deny. It's pretty cool really, easier than setting up a firewall, probably.
Yes...auto-banning is a great solution. You could use a PHP script or any of the options listed above. Also, if it is just 1 IP, you can manually ban it for now through cPanel's IP Deny Manager. I'd ban them right away and work on your auto-banning solution. My sites auto-ban potential hackers all the time. I agree with clixxer...install APF ASAP.
ConfigServer Security & Firewall (csf) with Login Failure Daemon (lfd) will allow you to block users after X amount of failed login attempts as well. http://www.configserver.com/cp/csf.html
My site has a function that analyses which IP address should be blocked. When someone tries to log in to my site by using a wrong account for some time, it records their IP address in a special table of a database. There is a special program to add new firewall rules. It is launched hourly and reads the table that is created by the above function. The program walks through all entries from this table and inserts iptables rules for each IP address.
    iptables -A INPUT -p tcp --syn -s xx.xx.xx.xx --dport 80 -j REJECT --reject-with icmp-host-unreachable
Actually this solution is pretty easy but it works fine for me.
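The hourly job described in the post above, sketched as an added example (not the poster's code and not part of any tool named in this thread): it reads a table of failed logins, keeps only valid IPv4 addresses over a threshold, skips an allowlist, and builds the same iptables rule. The table name `failed_logins`, the threshold, the window and every address are constructed assumptions.

```python
import ipaddress
import sqlite3

THRESHOLD = 5          # failures tolerated inside the window (assumed value)
WINDOW_SECONDS = 3600  # matches the hourly run described in the post
ALLOWLIST = [ipaddress.ip_network("192.0.2.0/28")]  # constructed admin range


def offenders(db, now):
    """Return validated IPv4 addresses with >= THRESHOLD recent failures."""
    rows = db.execute(
        "SELECT ip, COUNT(*) FROM failed_logins WHERE ts > ? "
        "GROUP BY ip HAVING COUNT(*) >= ? ORDER BY ip",
        (now - WINDOW_SECONDS, THRESHOLD))
    result = []
    for raw, _count in rows:
        try:
            addr = ipaddress.ip_address(raw)  # accepts only a bare IP literal
        except ValueError:
            continue  # column is filled from request data, so never trust it
        if addr.version != 4 or any(addr in net for net in ALLOWLIST):
            continue  # iptables is IPv4-only; allowlisted hosts stay reachable
        result.append(str(addr))
    return result


def build_rules(ips, already_banned):
    """Build one argv list per new offender, using the rule from the post."""
    return [
        ["iptables", "-A", "INPUT", "-p", "tcp", "--syn", "-s", ip, "--dport",
         "80", "-j", "REJECT", "--reject-with", "icmp-host-unreachable"]
        for ip in ips if ip not in already_banned
    ]


def demo():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE failed_logins (ip TEXT, ts INTEGER)")
    now = 1_000_000  # constructed clock value
    rows = [("203.0.113.7", now - 60 * i) for i in range(8)]      # over threshold
    rows += [("198.51.100.9", now - i) for i in range(2)]         # two typos only
    rows += [("192.0.2.5", now - i) for i in range(9)]            # allowlisted admin
    rows += [("not-an-ip", now - i) for i in range(6)]            # malformed entry
    rows += [("203.0.113.50", now - 7200 - i) for i in range(9)]  # outside window
    db.executemany("INSERT INTO failed_logins VALUES (?, ?)", rows)
    return build_rules(offenders(db, now), already_banned={"203.0.113.99"})


if __name__ == "__main__":
    print("\n".join(" ".join(rule) for rule in demo()))
```

The script only prints the rules; applying them means passing each argv list to `subprocess.run` as root, which keeps the address out of any shell string.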
Install APF and BFD. No additional configuration needed, BFD integrates with APF and will ban every IP after 3 failed login attempts.
csf with lsf is _THE_ solution for cPanel.. especially with their web based interface.. it's basically everything APF and BFD did but better..