Stopping a DDOS or Brute Force Attack

1. Log into the server using Putty.
2. Type   cd  /user/local/cpanel/logs
   1. if that doesn’t get results type  home/<username>/access_logs
3. Type   tail  access_log
   1. This will get you the last 10 IP addresses and what they did.
   2. If you want 20, for example, type tail  -20  access_log
4. Look for multiple access entries from the same IP address, – specifically look for IP addresses trying to get to wp-admin, wp-login.php files or email/SMTP logins.
5. Go to Network Tools.
6. Choose Network Lookup, enter the IP address, and click Go.
7. Verify it is not an IP address that should be trying to access our system (i.e.) Spectrum, PrimeLink, or other local provider).
8. Go to WHM (see alternate directions if you cannot get there).
   1. Go to cPHulk Brute Force Proctection.
   2. Click on Blacklist Management.
   3. Enter the IP address.
   4. Enter a comment, if desired – such as a date or why it was blacklisted.
   5. Click Add.
9. Repeat for other IP addresses.
10. Continue to monitor the access log.

If you cannot get to WHM

1. Replace step 8 above with:
   1. Type  /scripts/cphulkdblacklist  000.000.000.000, where the 000.000.000.000 represents the IP address you want to block.