What To Do When You Receive “Large Number of Failed Login Attempts” Message
If you received an email notification from your cPanel server:
---- ---- ---- ----
Subject: Large Number of Failed Login Attempts from IP 123.123.123.123
---- ---- ---- ----
5 failed login attempts to account root (system) — Large number of attempts from this IP: 123.123.123.123
Reverse DNS: host.server.tld
Origin Country: <Country> (<2-letter country code>)
Please use the following links to add to the black list:
Single Ip: https://hostname.yourserver.tld:2087/cgi/bl.cgi?ip=123.123.123.123
/24: https://hostname.yourserver.tld:2087/cgi/bl.cgi?ip=123.123.123.123/24
/16: https://hostname.yourserver.tld:2087/cgi/bl.cgi?ip=123.123.123.123/16
Please use the following links to add to the white list:
Single Ip: https://hostname.yourserver.tld:2087/cgi/wl.cgi?ip=123.123.123.123
/24: https://hostname.yourserver.tld:2087/cgi/wl.cgi?ip=123.123.123.123/24
/16: https://hostname.yourserver.tld:2087/cgi/wl.cgi?ip=123.123.123.123/16
---- ---- ---- ----
Read on to understand what action to take.
What This Message Means
cPanel includes a built-in security service, cPHulk Brute Force Protection, designed to safeguard against brute force login attacks.
Brute force refers to an attack method that involves automated attempts to guess a password. If someone enters incorrect passwords several times, cPHulk blocks the IP address (for some time) and sends a message to the server’s root contact.
What Should Be Done
Add your own IP to the White List
Doing this prevents cPHulk from blocking your IP if you enter the wrong password several times.
- Log into WHM.
- Proceed to Security Center > cPHulk Brute Force Protection.
- Click White/Black List Management.
- Enter your IP in the White List (Trusted IP List).
- Click Quick Add.
Add offending IP(s) to the Black List
In case of unauthorized entry on your server via brute force, you will see it in the Login/Brute History Report tab.
If you see the same IP with numerous failed logins, consider blocking it through White/Black List Management.
- Go to White/Black List Management.
- Paste the IP in the Black List (Rejected IP List).
- Click Quick Add.
Note: Do not add your own IP to the Black List or you will be locked out of cPanel/WHM.
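The notification's /24 and /16 blacklist links cover whole address ranges, which can include an address you log in from. The Python sketch below is an added example, not cPanel code: it parses a constructed notice shaped like the one above and reports which of the three offered scopes would leave your trusted IPs unblocked. The function names and the trusted address are assumptions, and it handles IPv4 only.

```python
import ipaddress
import re

# Constructed sample, modelled on the notification text shown on this page.
SAMPLE = (
    "Subject: Large Number of Failed Login Attempts from IP 123.123.123.123\n"
    "5 failed login attempts to account root (system) -- "
    "Large number of attempts from this IP: 123.123.123.123\n"
)

NOTICE_RE = re.compile(
    r"(?P<count>\d+) failed login attempts to account (?P<account>\S+) "
    r"\((?P<service>[^)]*)\).*?from this IP: (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

def parse_notification(text):
    """Extract attempt count, account, service and source IP from a notice body."""
    m = NOTICE_RE.search(text)
    if not m:
        return None
    return {
        "count": int(m["count"]),
        "account": m["account"],
        "service": m["service"],
        "ip": ipaddress.ip_address(m["ip"]),  # raises ValueError on a malformed IP
    }

def safe_block_scopes(offender, trusted):
    """For each scope the email offers, report whether it avoids every trusted IP."""
    offender = ipaddress.ip_address(str(offender))
    trusted = [ipaddress.ip_address(str(t)) for t in trusted]
    result = {}
    for label, prefix in (("single", 32), ("/24", 24), ("/16", 16)):
        # strict=False masks host bits: 123.123.123.123/24 -> 123.123.123.0/24
        net = ipaddress.ip_network(f"{offender}/{prefix}", strict=False)
        result[label] = not any(t in net for t in trusted)
    return result

if __name__ == "__main__":
    info = parse_notification(SAMPLE)
    # "123.123.77.10" is a hypothetical admin address in the same /16.
    print(info, safe_block_scopes(info["ip"], ["123.123.77.10"]))
```

A scope marked `False` would reject one of your own addresses, so use a narrower link or the White/Black List Management page instead.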
Purge Login/Brute History Report database
Records of failed login attempts are stored in a database, which should be cleared once in a while to conserve system resources and to allow a user who forgot a password back into your server. To empty the report, clear the database with Flush DB.