One of the benefits of using cPanel/WHM as your control panel is the cPHulk brute force protection, which disables access to PAM services (PAM = Pluggable Authentication Modules). cPHulk protects cPanel, WHM, SSH, FTP, IMAP, and POP3 from brute force authentication attacks.
A longer explanation can be found here:
What does cPHulk do? cPanel's anti-hacking, brute force protection (cPHulk vs CSF)
Install and Setup cPHulk
To install and set up cPHulk, you'll need to:
Step 1: Log in to WHM.
Step 2: Go to the Security Center menu on the left side of the WHM screen, and select cPHulk Brute Force Protection.
Step 3: Then enable cPHulk in cPanel. Doing so will also disable UseDNS (and requires a restart of the SSH service -- you'll be prompted on-screen with instructions), which is probably unnecessary anyway for most users.
Configure cPHulk
Step 2: Configure the number of failed logins it takes to lock out the IP address, including length of the lockout. By default, cPHulk is set to allow 15 fails (too high!), 15-minute "fail windows" (too low!), and 20 fails before being locked out for two weeks (too low!). It's also not set to send you email warnings of brute force attempts, which is not really good for watchful security-minded admins. Unless you're a complete airhead, 5 login attempts should be plenty; 10 if you're worried.
(Optional) Populate the Whitelist / Blacklist
Populate the whitelist and blacklist with known-good and known-undesired IP addresses:
Step 1: Go to the cPHulk Brute Force Protection page in WHM, and click on White/Black List Management.
Step 2: Add your current IP address or IP range to the Whitelist. Do this for any place from which you're likely to access the server regularly, including your home, office, and secondary locations (favorite online cafe, home/office of a friend or family member, your school/college, etc.).
Step 3: Consider blocking places that you know you'll never try to log in from. For example, if you're not planning to visit Estonia, Iran, China or Russia anytime soon, it's probably safe to block those IP ranges.
Remember that this will lock out any login access to cPanel, WHM, SSH, FTP, IMAP, and POP3. So this is best used on a personal/company non-public (i.e., not a hosting company) type of server. This particular server is a dev server used only by myself.
The alternative to a large blacklist is to simply let cPHulk block problem IPs one at a time, as each reaches the predefined number of failed logins. But again, if you're not planning to live in China anytime soon, there's no reason to allow a 123.0.0.0/8 range address to fail over and over again. Just blacklist the entire IP block and get it over with.
This is a starter list from one of my cPanel servers -- a server used for development, meaning I'm the sole user. It's moderately aggressive, completely based on past failed attacks. Be sure your IP block is not there, should you decide to use this one. (If you lock yourself out, you'll have to ask for assistance from your host, or access the server/VPS from a non-banned IP range.)
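One way to run the "be sure your IP block is not there" check before pasting a blacklist into cPHulk, as an added example that is not part of the original post. The function names, the sample blacklist and the admin addresses (RFC 5737 documentation addresses) are constructed for illustration; substitute your own list and locations.

```python
import ipaddress

def parse_ranges(text):
    """One IP or CIDR range per line; blank lines and # comments are skipped."""
    nets = []
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if entry:
            # strict=False normalises entries with host bits set (123.4.5.6/8).
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets

def lockout_risks(blacklist, admin_addrs, whitelist=()):
    """(admin_ip, blacklisted_range, also_whitelisted) for each admin address
    that falls inside a blacklisted range."""
    risks = []
    for addr in map(ipaddress.ip_address, admin_addrs):
        also_whitelisted = any(addr in w for w in whitelist)
        risks += [(str(addr), str(net), also_whitelisted)
                  for net in blacklist if addr in net]
    return risks

def list_conflicts(blacklist, whitelist):
    """Pairs (blacklisted_range, whitelisted_range) that overlap each other."""
    return [(str(b), str(w)) for b in blacklist for w in whitelist
            if b.overlaps(w)]

# Constructed sample data, in the CIDR notation the post uses.
SAMPLE_BLACKLIST = """
123.0.0.0/8
203.0.0.0/8
198.51.100.0/24   # constructed entry
"""
SAMPLE_WHITELIST = "192.0.2.0/24"
ADMIN_ADDRS = ["203.0.113.10", "192.0.2.44"]  # home, office (constructed)

if __name__ == "__main__":
    bl = parse_ranges(SAMPLE_BLACKLIST)
    wl = parse_ranges(SAMPLE_WHITELIST)
    for addr, net, wl_hit in lockout_risks(bl, ADMIN_ADDRS, wl):
        print(f"{addr} is inside blacklisted {net} (also whitelisted: {wl_hit})")
    for b, w in list_conflicts(bl, wl):
        print(f"blacklist {b} overlaps whitelist {w}")
```

Any line of output means an address you log in from sits inside a blacklisted range, or the two lists contradict each other; resolve it before saving the blacklist.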
__________________
Also remember this: Following guides online DOES NOT replace having a skilled server administrator. The Digital FAQ offers server administration services, starting from $25 per month (bargain priced). If you use your VPS or dedicated server for serious endeavors, consider outsourcing your security to competent and experienced admins. Then you'll be able to focus on running the sites (creating content, etc.), not running the server. And while your host may have management services, most are reactive and not proactive -- meaning you'll have to request that tasks be done, which is a hard task for a non-admin who doesn't know what to ask for.
... just a word of warning for the DIY hosting customers out there.