If you have received the following message from your server:
————————————————————
Subject: Large Number of Failed Login Attempts from IP 12.34.56.78
————————————————————
5 failed login attempts to account root (system) — Large number of attempts from this IP: 12.34.56.78
Origin Country: <Country Name>
Please use the following links to add to the black list..————————————————————–
What does that mean:
WHM/cPanel has a service, protected from Brute Force attack, which is called “cPHulk Brute Force Protection”.
If someone several times enters an incorrect password then cPHulk blocks its IP and sends message to the root contact on the server.
If cPHulk blocks your IP you can add it to white list:
via WHM:
♦ Go to WHM Main, then to Security Center, and select cPHulk Brute Force Protection.
♦ Go to “White/Black List Management” Tab.
♦ Enter the IP in “White List (Trusted IP List)” and press “Quick Add”.
Image may be NSFW.
Clik here to view.
If someone else tried to log into your WHM you should log in to WHM and check the IP:
- Go to WHM Main, then to Security Center, and choose cPHulk Brute Force Protection.
- Go to “Login/Brute History Report” Tab.
Image may be NSFW.
Clik here to view.
Here you can see “User” and “IP” where someone tried to connect. You should block this IP if you don’t know it via “White/Black List Management” Tab then go to “Black List (Rejected IP List)”.
We recommend to set up firewall (ex: csf installation instructions here) and add this IP to “deny list”.
Information on how to set up cPHulk Brute Force Protection (original document) can be found here.
