Knowledgebase: WHM
HOW TO: Recognize Brute-Force Attacks in Server Logs
Posted by on 02 November 2018 01:08 PM

Brute-Force Attacks occur when an attacker attempts to calculate every possible combination that could make up a password and test against your site to see if it is a correct password. This can be done either by using dictionary words or trying to guess the key created by key derivation functions to encrypt passwords into a secret value.

Attackers use a computer program or script, which automatically attempts all possible combinations to gain access. As computer hardware becomes faster and capable of doing more calculations per second, brute force attacks have become more popular as a means to obtain sensitive information stored in databases and other web applications.

Recognizing Brute-Force Attacks

Brute-force attacks are detectable by their volume, rather than the type. You'll notice a large amount of failed login attempts in your web logs. You may also see the same account logging in over and over with different passwords and from multiple IP addresses.

Here is a list of logs to check:

Service Logs:

  • /var/log/maillog or /var/log/mail.log - Email service logs
  • /var/log/exim_mainlog - Exim logs
  • /var/log/messages - FTP logs
  • /var/log/auth.log or /var/log/secure - Contains user authorization information

cPanel/WHM Logs:

  • /usr/local/cpanel/logs
  • /var/log/lfd.log

You can check these logs either by command line or within WHM under the ConfigServer Security & Firewall (CSF) home page. You can search (grep) system logs or watch (tail) system logs from there.

Defending Against Brute-Force Attacks

ConfigServer Security & Firewall with Login Failure Daemon

Most of our managed cPanel servers have ConfigServer Security & Firewall (CSF) enabled with iptables and Login Failure Daemon (LFD), a service built into CSF. LFD periodically checks for potential threats to a server. It looks for brute-force login attempts and if found, will block the IP address attempting to attack your server. 


You can also enable cPHulk as another method of Brute-Force Detection. cPHulk is a security feature on cPanel servers that locks down the cPanel and WHM logins, SSH logins, FTP logins and IMAP/POP3 logins. It will block IP's after too many failed logins from a single IP address. 

Security Best Practices

In addition to checking your logs and using LFD, there are additional security best practices you can implement to secure your server. Here is a list of these best practices which are linked to articles to help you secure your server:

  • Create a secure password.
  • Require strong passwords.
  • Set up alternate SSH users.
  • Use SSH keys.
  • Use reCaptcha for user registrations to help keep brute-force bots from being able to enter your site with fictional credentials.


If you face any difficulties on the setup, please feel free to contact our support team by submitting a ticket on or emailing out support team at

(2 vote(s))
Not helpful

Comments (0)
Copyright © 1998 - 2021 Shinjiru International Inc. All Rights Reserved.
ERROR: This domain name (, does not match the domain name in the license key file

For assistance with your license, please contact the Kayako support team: