{"id":16202,"date":"2022-11-21T06:19:13","date_gmt":"2022-11-21T06:19:13","guid":{"rendered":"https:\/\/theemailshop.co.uk\/?p=16202"},"modified":"2022-11-17T06:20:45","modified_gmt":"2022-11-17T06:20:45","slug":"how-to-secure-vps-from-brute-force-attacks","status":"publish","type":"post","link":"https:\/\/theemailshop.co.uk\/how-to-secure-vps-from-brute-force-attacks\/","title":{"rendered":"How to Secure VPS From Brute Force Attacks"},"content":{"rendered":"<p><span style=\"font-weight: 400;\">A brute force attack is an automated effort to guess your passwords or passphrases, or to locate hidden pages or material. This kind of attack may occur on a dedicated or virtual private server. One reason why security experts always recommend long or complicated passwords is that they take a long time to guess.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Installing the cPanel add-on called cPHulk, which is meant to stop brute-force attacks, is the best way to keep malicious users from taking advantage of your <a href=\"https:\/\/theemailshop.co.uk\/best-linux-server\/\" target=\"_blank\" rel=\"noopener\"><strong>Linux server<\/strong><\/a>.<\/span><\/p>\n<h2><b>Overview<\/b><\/h2>\n<p><span style=\"font-weight: 400;\">cPHulk is a service that defends your server against brute force attacks. Its interface lets you configure it to meet your needs. 
In a brute force attack, an automated system is used to try to guess your web server&#8217;s or services&#8217; passwords.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">cPHulk is capable of monitoring all of the web servers and services listed below:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">cPanel services (Port 2083).\u00a0<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">WHM services (Port 2087).<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Mail services (Dovecot and Exim).<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Secure Shell (SSH) access and the Pure-FTPd service.<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">When cPHulk blocks an IP address or account, it does not identify itself as the source of the block. Instead, the login page displays the following warning message: The information that you entered for the login is incorrect.<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">cPHulk does not affect public key authentication to the server. If cPHulk locks one user or all users out, you can still log in to your server by using public keys and API tokens.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">cPHulk does not count repeated login attempts that occur within the same six-hour period and use the same IP address, username, and password as distinct failures. 
These attempts must take place within the same hour.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Read our guide on cPHulk Management on the Command Line if you want to learn how to manage cPHulk using the command line.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">The cPanel Support IP addresses are added to the whitelist of cPHulk whenever a new support ticket is created using the Create Support Ticket interface (located in WHM &gt;&gt; Home &gt;&gt; Support &gt;&gt; Create Support Ticket).<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Turn on cPHulk on the server<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">cPHulk may be turned on by setting the toggle to the On position.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">The UseDNS option conflicts with cPHulk&#8217;s whitelist if an attacker forges a DNS pointer record in order to impersonate a trustworthy hostname. This would allow the attacker to carry out a brute force attack against the server with an unlimited number of login attempts. For this reason, the system turns off the UseDNS option when you activate cPHulk.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Configure cPHulk<\/span><\/li>\n<\/ul>\n<h2><b>\u00a0<\/b><b>Configuration settings<\/b><span style=\"font-weight: 400;\">\u00a0<\/span><\/h2>\n<p><span style=\"font-weight: 400;\">You can set the following parameters for the Configuration Settings:\u00a0<\/span><\/p>\n<h3><b>Username-based Protection<\/b><span style=\"font-weight: 400;\">\u00a0<\/span><\/h3>\n<ol>\n<li><span style=\"font-weight: 400;\">Select the Username-based Protection Settings option. This option determines whether or not the username-based protection settings are enabled. 
To activate Username-based Protection, set the toggle to the On position. Username-based protection logs each login attempt to user accounts. If you deactivate cPHulk, any account locks that were previously set will not be removed. By default, this setting is turned on.\u00a0<\/span><\/li>\n<\/ol>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\">\n<h3><span style=\"font-weight: 400;\">\u00a0<\/span><b>Note:<\/b><\/h3>\n<\/li>\n<\/ul>\n<ul>\n<li style=\"font-weight: 400;\" aria-checked=\"false\" aria-level=\"1\"><span style=\"font-weight: 400;\">In order for this setting to take effect, you must first click the Save button.\u00a0<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-checked=\"false\" aria-level=\"1\"><span style=\"font-weight: 400;\">When a username-based brute force attack is detected, the server will not send out any messages.\u00a0<\/span><\/li>\n<\/ul>\n<ol start=\"2\">\n<li><span style=\"font-weight: 400;\">Brute Force Protection Period (in minutes) is the amount of time cPHulk uses to track each login attempt to a specific user&#8217;s account. 
This value is set to 5 by default.<\/span><\/li>\n<\/ol>\n<ul>\n<li style=\"font-weight: 400;\" aria-checked=\"false\" aria-level=\"1\"><span style=\"font-weight: 400;\">cPHulk considers it a brute force attack if more than one attacker attempts to log in at the same time and they reach the account&#8217;s Maximum Failures by Account value within this time period.\u00a0<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-checked=\"false\" aria-level=\"1\"><span style=\"font-weight: 400;\">cPHulk prevents logins to that account from any IP address, whether the attackers use a single or multiple IP addresses.\u00a0<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-checked=\"false\" aria-level=\"1\"><span style=\"font-weight: 400;\">For this setting, provide a number that falls between 1 and 1,440.\u00a0<\/span><\/li>\n<\/ul>\n<ol start=\"3\">\n<li>\n<h3><span style=\"font-weight: 400;\"> \u00a0 \u00a0 <\/span><b>Maximum Failures per Account<\/b><\/h3>\n<\/li>\n<\/ol>\n<p><span style=\"font-weight: 400;\">The maximum number of failures that cPHulk permits per account during the Brute Force Protection Period (in minutes). This number is set to 15 by default.<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-checked=\"false\" aria-level=\"1\"><span style=\"font-weight: 400;\">If a brute force attack against a user account reaches this number of attempts, the system will lock the account. This will occur regardless of the IP addresses of the individuals who attempted to access the account.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-checked=\"false\" aria-level=\"1\"><span style=\"font-weight: 400;\">cPHulk will lock the account for one minute for each unsuccessful login attempt that this setting allows. 
For instance, if you set the Maximum Failures per Account option to 15, cPHulk will lock the account for 15 minutes after the user makes 15 unsuccessful attempts to log in.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-checked=\"false\" aria-level=\"1\"><span style=\"font-weight: 400;\">If you change this value to 0, cPHulk will block all login attempts (this includes the root account). You will need to whitelist your IP address in order to avoid this lockout.\u00a0<\/span><\/li>\n<\/ul>\n<h3><b>4. Take the necessary precautions<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">Choose one of the following options from the drop-down menu to change how cPHulk protects your files:\u00a0<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-checked=\"false\" aria-level=\"1\"><span style=\"font-weight: 400;\">Apply protection to local addresses only: username-based protection is triggered only by requests that originate from the local system. This prevents a user from attempting to brute-force the passwords of other users on the same server. This is the default option.\u00a0<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-checked=\"false\" aria-level=\"1\"><span style=\"font-weight: 400;\">Apply protection to both local and remote addresses: username-based protection is applied to all requests, regardless of their origin.<\/span><\/li>\n<\/ul>\n<h3><b>5. Allow username protection to lock the &#8220;root&#8221; user<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">Determines whether username-based protection rules apply to the root user. By default, this checkbox is deselected.<\/span><\/p>\n<h3><b>6. 
IP Address-based Protection<\/b><\/h3>\n<ul>\n<li style=\"font-weight: 400;\" aria-checked=\"false\" aria-level=\"1\"><span style=\"font-weight: 400;\">Select whether or not to enable the IP-based protection settings. To activate IP Address-based Protection, set the toggle to the On position. IP address-based protection monitors login attempts from specific IP addresses. Any account locks that were previously in place will not be removed when you deactivate cPHulk. By default, this setting is turned on.<\/span><span style=\"font-weight: 400;\">\u00a0<\/span><\/li>\n<\/ul>\n<p><b>Note:<\/b><\/p>\n<p><span style=\"font-weight: 400;\">You must click Save for your changes to take effect.<\/span><\/p>\n<h3><b>7. Relying on IP Addresses<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">The amount of time, in minutes, that cPHulk spends monitoring all login attempts made from an attacker&#8217;s IP address during the Brute Force Protection Period. 
The following are examples of what cPHulk considers to be brute force attacks:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-checked=\"false\" aria-level=\"1\"><span style=\"font-weight: 400;\">Attackers at a specific IP address make many failed attempts to log in using a variety of usernames and passwords.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-checked=\"false\" aria-level=\"1\"><span style=\"font-weight: 400;\">They have reached the maximum number of failures allowed per IP address.<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">\u00a0<\/span><b>Note:<\/b><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-checked=\"false\" aria-level=\"1\"><span style=\"font-weight: 400;\">cPHulk tracks the attacker&#8217;s IP address for the amount of time that you specify, in minutes.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-checked=\"false\" aria-level=\"1\"><span style=\"font-weight: 400;\">It is not possible to measure all IP addresses using cPHulk.<\/span><\/li>\n<\/ul>\n<h3><span style=\"font-weight: 400;\">\u00a0<\/span><b>8. Maximum Failures per IP Address<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">The maximum number of failed login attempts that a potential attacker at a specific IP address may make before cPHulk blocks that IP address. If you set this value to 0, cPHulk will block all login attempts (this includes the root account). To avoid being locked out, you will need to add your IP address to the whitelist. This value defaults to 5.<\/span><\/p>\n<h3><span style=\"font-weight: 400;\">\u00a0<\/span><b>9. 
Command to Run When an IP Address Triggers Brute Force Protection<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">The full path to a command that you want the system to run whenever an IP address reaches the brute force protection threshold. The &#8220;Command variables&#8221; section below lists the variables that you may use in this command.<\/span><\/p>\n<h3><b>10. Whether or not you want the firewall to automatically add IP addresses that trigger brute force protection<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">You have the option to specify whether or not IP addresses should be blocked at the firewall level if they activate brute force protection.<\/span><\/p>\n<p><b>Note:<\/b><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-checked=\"false\" aria-level=\"1\"><span style=\"font-weight: 400;\">Selecting this option creates a new iptables rule. You must be using iptables version 1.4 or above in order to block IP addresses at the firewall level.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-checked=\"false\" aria-level=\"1\"><span style=\"font-weight: 400;\">Virtuozzo does not provide this particular configuration option.<\/span><\/li>\n<\/ul>\n<h3><span style=\"font-weight: 400;\">\u00a0<\/span><b>One-day blocks<\/b><\/h3>\n<ul>\n<li><span style=\"font-weight: 400;\">\u00a0<\/span><span style=\"font-weight: 400;\">The maximum number of failed attempts from a single IP address before that address is blocked for one day: this parameter defines the maximum number of times a login attempt from a specific IP address may fail before cPHulk blocks that IP address for a period of one day. 
This option defaults to 30.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Command to Run When an IP Address Triggers a Block for 24 Hours: the full path to the command that you want the system to run whenever it blocks an IP address for a period of twenty-four hours or more. The &#8220;Command variables&#8221; section below lists the variables that you may use in this command.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Add IP addresses that trigger a one-day block to the firewall block list: this option lets you choose whether or not IP addresses that result in a one-day block are added to the block list maintained by the firewall. This option creates a new iptables rule, so it requires iptables version 1.4 or later. This checkbox is selected by default.<\/span><\/li>\n<\/ul>\n<p><b>Note:<\/b><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Selecting this option creates a new iptables rule. You must be using iptables version 1.4 or above in order to block IP addresses at the firewall level.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Virtuozzo does not provide this particular configuration option.<\/span><\/li>\n<\/ul>\n<h3><span style=\"font-weight: 400;\">\u00a0<\/span><b>Login History<\/b><\/h3>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">This parameter defines how long the system shows unsuccessful login records on the History Reports page. The unit of measure is minutes. 
In addition, it sets the maximum amount of time, in minutes, that an attacker has to reach each of the following thresholds:<\/span><\/li>\n<\/ul>\n<ul>\n<li style=\"font-weight: 400;\" aria-checked=\"false\" aria-level=\"1\"><span style=\"font-weight: 400;\">Maximum Failures per Account<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-checked=\"false\" aria-level=\"1\"><span style=\"font-weight: 400;\">Maximum Failures per IP Address<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-checked=\"false\" aria-level=\"1\"><span style=\"font-weight: 400;\">The maximum number of unsuccessful login attempts allowed per IP address before that address is blocked for one day<\/span><\/li>\n<\/ul>\n<h3><span style=\"font-weight: 400;\">\u00a0<\/span><b>Notifications<\/b><\/h3>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Send a notification upon successful root login when the IP address is not on the whitelist: whether or not you want to be notified when the root user successfully logs in from an IP address that is not on the whitelist.<\/span><b>\u00a0<\/b><\/li>\n<\/ul>\n<p><b>Note:<\/b><\/p>\n<p><span style=\"font-weight: 400;\">The system sends only one notification for a particular combination of login, service, and IP address in any twenty-four-hour period.<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">\u00a0Send a notification upon successful root login when the IP address is not on the whitelist but from a known netblock: whether or not you want to receive an alert when the root user successfully logs in from an IP address that is not on the whitelist but is in a known netblock.\u00a0<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">\u00a0Upon a successful root login, if the IP address is not on the whitelist but 
originates from a recognised netblock, send a message to the system administrator. This checkbox is deselected by default.<\/span><\/li>\n<\/ul>\n<h2><b>Notify me when the system detects a brute force user<\/b><\/h2>\n<p><span style=\"font-weight: 400;\">This option allows you to choose whether or not you want to be notified whenever cPHulk identifies an attempted brute force attack. This checkbox is deselected by default.<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>An automated effort to guess your passwords or passphrases, or to locate hidden pages or material. This kind of assault may occur on a dedicated or virtual private server. The fact that it takes a long time to steal long or complicated passwords is one reason why security experts always recommend using them. 
Installing the [&hellip;]<\/p>\n","protected":false},"author":14,"featured_media":16243,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1280,659],"tags":[],"class_list":["post-16202","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog","category-vps-hosting"],"_links":{"self":[{"href":"https:\/\/theemailshop.co.uk\/wp-json\/wp\/v2\/posts\/16202","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/theemailshop.co.uk\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/theemailshop.co.uk\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/theemailshop.co.uk\/wp-json\/wp\/v2\/users\/14"}],"replies":[{"embeddable":true,"href":"https:\/\/theemailshop.co.uk\/wp-json\/wp\/v2\/comments?post=16202"}],"version-history":[{"count":6,"href":"https:\/\/theemailshop.co.uk\/wp-json\/wp\/v2\/posts\/16202\/revisions"}],"predecessor-version":[{"id":16348,"href":"https:\/\/theemailshop.co.uk\/wp-json\/wp\/v2\/posts\/16202\/revisions\/16348"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/theemailshop.co.uk\/wp-json\/wp\/v2\/media\/16243"}],"wp:attachment":[{"href":"https:\/\/theemailshop.co.uk\/wp-json\/wp\/v2\/media?parent=16202"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/theemailshop.co.uk\/wp-json\/wp\/v2\/categories?post=16202"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/theemailshop.co.uk\/wp-json\/wp\/v2\/tags?post=16202"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}