Hi all,

Was looking at my LogWatch today and noticed I had a lot of action with someone trying to gain access to my cpanel server. I was wondering if there was a way I could block some ip's on the server. Any info would be great. List was really long so cut it off as not to fill up the page here

Thanks
James


sshd:
Invalid Users:
Unknown Account: 962 Time(s)
Authentication Failures:
root (159.226.49.130 ): 143 Time(s)
nobody (159.226.49.130 ): 13 Time(s)
unknown (159.226.49.130 ): 962 Time(s)
...

Failed logins from these:
Academics/password from 159.226.49.130: 1 Time(s)
DRD/password from 159.226.49.130: 1 Time(s)
JWW/password from 159.226.49.130: 1 Time(s)
KPM2003/password from 159.226.49.130: 1 Time(s)
Linux/password from 159.226.49.130: 1 Time(s)
RFTEST/password from 159.226.49.130: 1 Time(s)
RMG/password from 159.226.49.130: 1 Time(s)
...

Install APF and BFD from rfxnetworks

Great I will go look there for the information rfxnetworks.com

Thanks for the help

James

Look also at eth0.us. There are some very good tutorials there.

I had the same problem last month, 50,000 attempts in two days! APF/BFD took care of the problem. Highly recommended!

Hack Report Script: I just posted the script I use to monitor my log files here...
http://forum.ev1servers.net/showpost.php?p=344647

It's designed for EV1's cPanel/Exim/RHe3 combo, but should be easy to mod for other Linux versions. It includes a look at the BFD log as well.

A sample report is posted here:
http://forum.ev1servers.net/showpost.php?p=344673

Very handy way to see what's going on anytime!

Have fun,

Paul