  1. #1
    Member
    Join Date
    Mar 2010
    Posts
    20

    cPHulk whitelist syntax, list of services affected, clearing

    What is the syntax for whitelisting? Can it be a network address as in 1.2.3.0/24? Or is it only singular IP addresses? Apparently, I can also enter a hostname. If a hostname has multiple IP addresses, how does that work? I'm guessing cPHulk either does a forward lookup on the hostname and then sees if the IP address of the source of the incoming connection matches, and/or does a reverse lookup on the IP address to see if it matches a name in the whitelist?

    Separately, what login methods are blocked by cPHulk? Is it just the web login via ports 2087 and 2083? Does it affect FTP, SSH, telnet, etc. methods of logging in to the box?

    Finally, the docs clearly show a URL I can call to clear out (presumably all) the blocked IPs (.../scripts2/doautofixer?autofix=disable_cphulkd). Does this imply that anyone who actually knows to use this URL, could clear the blocked IP list w/out authenticating anyway?

    Thank you,
    PH

  2. #2
    cPanel Quality Assurance Analyst cPanelDon
    Join Date
    Nov 2008
    Location
    Houston, Texas, U.S.A.
    Posts
    2,555
    cPanel/Enkompass Access Level

    DataCenter Provider


    Quote Originally Posted by pthirose View Post
    What is the syntax for whitelisting? Can it be a network address as in 1.2.3.0/24? Or is it only singular IP addresses? Apparently, I can also enter a hostname. If a hostname has multiple IP addresses, how does that work? I'm guessing cPHulk either does a forward lookup on the hostname and then sees if the IP address of the source of the incoming connection matches, and/or does a reverse lookup on the IP address to see if it matches a name in the whitelist?
    Are you referring to the cPHulk whitelist "Trusted IPs"? Given the information provided by the documentation versus the newer wording used in WHM I have submitted an internal inquiry to obtain further clarification on your behalf. I will update this thread with any new information received. For reference, the tracking number assigned to this inquiry is case 39598.

    Quote Originally Posted by pthirose View Post
    Separately, what login methods are blocked by cPHulk? Is it just the web login via port 2087 and 2083? Does it affect FTP, SSH, telnet, etc methods of logging in to the box?
    To the best of my knowledge cPHulk will apply to system users, virtual FTP user accounts, and e-mail accounts, including login attempts via cPanel, WHM, Webmail, Web Disk, IMAP and POP (via Dovecot or Courier), SMTP (via Exim), FTP (via Pure-FTPd or ProFTPd), and SSH/SFTP (via sshd).

    Quote Originally Posted by pthirose View Post
    Finally, the docs clearly show a URL I can call to clear out (presumably all) the blocked IPs (.../scripts2/doautofixer?autofix=disable_cphulkd). Does this imply that anyone who actually knows to use this URL, could clear the blocked IP list w/out authenticating anyway?

    Thank you,
    PH
    Authentication is required before using WHM; this also includes API requests as well as direct requests to specific auto-fixer or auto-repair scripts.
    Last edited by cPanelDon; 08-24-2010 at 04:54 PM. Reason: Added reference case number for internal inquiry

  3. #3
    Member
    Join Date
    Mar 2010
    Posts
    20


    Quote Originally Posted by cPanelDon View Post
    Are you referring to the cPHulk whitelist "Trusted IPs"? Given the information provided by the documentation versus the newer wording used in WHM I have submitted an internal inquiry to obtain further clarification on your behalf. I will update this thread with any new information received.

    I'm sorry, yes. The Trusted IP list.


    Quote Originally Posted by cPanelDon View Post
    Authentication is required before using WHM; this also includes API requests as well as direct requests to specific auto-fixer or auto-repair scripts.
    Ah. But if the root user (or whatever user(s) are allowed to run the script) is blocked from logging in because of cPHulk, then this script still can't be run. And if I could log in, then I don't specifically need that particular auto-fixer script, since wouldn't Main >> Security Center >> cPHulk Brute Force Protection >> Flush DB essentially do the same thing? Or does the auto-fixer script do something different?

    The auto-fixer script was given as a URL, and I haven't found its equivalent for the command line, if the user were able to login via ssh. But since cPHulk also blocks ssh logins, I'm not sure. I suppose any user still ssh-able would be able to directly tap into the MySQL database for cPHulk and/or run the script from the shell. Although I'm guessing one must be root to run the script from the shell.


    Thank you,
    PH

  4. #4
    Member
    Join Date
    Aug 2010
    Posts
    8


    Quote Originally Posted by pthirose View Post
    What is the syntax for whitelisting? Can it be a network address as in 1.2.3.0/24? Or is it only singular IP addresses? Apparently, I can also enter a hostname. If a hostname has multiple IP addresses, how does that work? I'm guessing cPHulk either does a forward lookup on the hostname and then sees if the IP address of the source of the incoming connection matches, and/or does a reverse lookup on the IP address to see if it matches a name in the whitelist?
    Is there an update on this? I really need to know as we connect to our dedicated server from a dynamic IP.

  5. #5
    cPanel Quality Assurance Analyst cPanelDon
    Join Date
    Nov 2008
    Location
    Houston, Texas, U.S.A.
    Posts
    2,555
    cPanel/Enkompass Access Level

    DataCenter Provider


    Quote Originally Posted by pthirose View Post
    Ah. But if the root user (or whatever user(s) are allowed to run the script) is blocked from logging in because of cPHulk, then this script still can't be run. And if I could log in, then I don't specifically need that particular auto-fixer script, since wouldn't Main >> Security Center >> cPHulk Brute Force Protection >> Flush DB essentially do the same thing? Or does the auto-fixer script do something different?

    The auto-fixer script was given as a URL, and I haven't found its equivalent for the command line, if the user were able to login via ssh. But since cPHulk also blocks ssh logins, I'm not sure. I suppose any user still ssh-able would be able to directly tap into the MySQL database for cPHulk and/or run the script from the shell. Although I'm guessing one must be root to run the script from the shell.

    Thank you,
    PH
    In its current form, the auto-fixer, disable_cphulkd, will attempt to remove an entry containing "pam_hulk.so" from the system-auth PAM configuration (at "/etc/pam.d/system-auth").

    Here is the command-line (CLI) equivalent to running the auto-fixer in WHM that may be used via root SSH or console access:
    Code:
    # /scripts/autorepair disable_cphulkd
    For clarification, the name of an auto-repair AKA auto-fixer script, such as disable_cphulkd, can be entered via the following URI in WebHost Manager:
    Code:
    /scripts2/autofixer
    If security (session) tokens are enabled, the aforementioned WHM URI must be placed after the session token in the URL, like in the following example:
    Code:
    https://$host:2087/cpsess0123456789/scripts2/autofixer
    If the specific IP address you're accessing from is blocked, you may need to either contact your upstream data center to assist via direct console access, use remote KVM or KVM over IP access, or connect from a different originating IP address that is not blocked.
    Last edited by cPanelDon; 08-24-2010 at 04:55 PM. Reason: Clarification
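    As an added example, not cPanel's autorepair code, the following Python shows the one fact the post above gives about disable_cphulkd: it removes the entry containing pam_hulk.so from /etc/pam.d/system-auth. The path and module name come from the post; the sample PAM stack is constructed, and the PAM line parsing (type, control, module, with a bracketed control field such as [success=1 default=ignore] re-joined) is my own. Reading the real file with open(PAM_FILE).read() instead of the sample, as root from console access if your address is blocked, tells you whether the hook is still active and what the file would look like with the rule taken out.

```python
"""Check a PAM stack for cPHulk's module and show what the disable_cphulkd
auto-fixer is described to do: drop the entry containing "pam_hulk.so"
from /etc/pam.d/system-auth.

Added example, not cPanel's autorepair code. The path and the module name
come from the thread; the sample stack below is constructed.
"""
from typing import List, Tuple

PAM_FILE = "/etc/pam.d/system-auth"  # path named in the thread

# Constructed example of a system-auth stack with the cPHulk hook present.
SAMPLE_SYSTEM_AUTH = """\
#%PAM-1.0
# auth required pam_hulk.so   <- commented out, must not count as active
auth        required      pam_env.so
auth        required      pam_hulk.so
auth        [success=1 default=ignore] pam_unix.so nullok try_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass
session     required      pam_limits.so
"""


def active_rules(config: str) -> List[Tuple[int, str, str, str]]:
    """Return (line number, type, control, module) for every active PAM rule.

    Comments and blank lines are skipped. A bracketed control field such as
    "[success=1 default=ignore]" contains spaces, so its tokens are re-joined
    before the module path is read.
    """
    rules = []
    for n, raw in enumerate(config.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop whole-line and trailing comments
        if not line:
            continue
        tokens = line.split()
        if len(tokens) < 3:
            continue  # malformed rule; PAM would reject it, we just skip it
        pam_type = tokens[0]
        if tokens[1].startswith("["):
            i = 1
            while i < len(tokens) and not tokens[i].endswith("]"):
                i += 1
            control = " ".join(tokens[1:i + 1])
            module_idx = i + 1
        else:
            control = tokens[1]
            module_idx = 2
        if module_idx >= len(tokens):
            continue
        rules.append((n, pam_type, control, tokens[module_idx]))
    return rules


def pam_hulk_rules(config: str) -> List[int]:
    """Line numbers of active rules whose module is pam_hulk.so (any path)."""
    return [n for n, _type, _control, mod in active_rules(config)
            if mod.rsplit("/", 1)[-1] == "pam_hulk.so"]


def pam_hulk_enabled(config: str) -> bool:
    return bool(pam_hulk_rules(config))


def remove_pam_hulk(config: str) -> str:
    """Return the stack with every active pam_hulk.so rule removed.

    Every other line, including a commented-out copy, is kept byte for byte,
    so a diff against the original shows only the removed rule(s).
    """
    drop = set(pam_hulk_rules(config))
    kept = [line for n, line in enumerate(config.splitlines(True), start=1)
            if n not in drop]
    return "".join(kept)


if __name__ == "__main__":
    print("pam_hulk.so active:", pam_hulk_enabled(SAMPLE_SYSTEM_AUTH))
    fixed = remove_pam_hulk(SAMPLE_SYSTEM_AUTH)
    print("active after removal:", pam_hulk_enabled(fixed))
    print(fixed)
```

    The example only returns the edited text; it does not write to /etc/pam.d. On a live server the supported route is the /scripts/autorepair disable_cphulkd command given above, with this check used before and after to confirm what changed.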

  6. #6
    cPanel Quality Assurance Analyst cPanelDon
    Join Date
    Nov 2008
    Location
    Houston, Texas, U.S.A.
    Posts
    2,555
    cPanel/Enkompass Access Level

    DataCenter Provider


    Quote Originally Posted by pthirose View Post
    I'm sorry, yes. The Trusted IP list.
    Quote Originally Posted by density5 View Post
    Is there an update on this? I really need to know as we connect to our dedicated server from a dynamic IP.
    To explicitly clarify, you may input entries that conform to the following syntax, as exhibited by each example:
    • An IP address range in CIDR notation
      Example:
      Code:
      10.0.0.0/8
    • An IP address
      Example:
      Code:
      192.168.1.1
    • An IPv6 address
      Example:
      Code:
      3ffe:1900:4545:3:200:f8ff:fe21:67cf

    The configuration area in WHM for cPHulk Brute Force Protection has been overhauled and now includes example entries, as seen above, showing proper syntax. These enhancements are in an upcoming release, that of cPanel 11.25.1, AKA cPanel 11.28, and are currently available using the cPanel EDGE release tier; in due course the new version will make its way to other release tiers including CURRENT, RELEASE, and then STABLE.

  7. #7
    Registered User
    Join Date
    Jan 2011
    Posts
    2

    Re: cPHulk whitelist syntax, list of services affected, clearing

    Quote Originally Posted by cPanelDon View Post
    To the best of my knowledge cPHulk will apply to system users, virtual FTP user accounts, and e-mail accounts, including login attempts via cPanel, WHM, Webmail, Web Disk, IMAP and POP (via Dovecot or Courier), SMTP (via Exim), FTP (via Pure-FTPd or ProFTPd), and SSH/SFTP (via sshd).
    So that I am clear: If I blacklist IP addresses or CIDRs under cPHulk Brute Force Protection > Whitelist/Blacklist, will web visitors still be able to access all the public websites on port 80?

    If my understanding is correct, the IPs blacklisted under cPHulk will not be able to log in anywhere to any services such as cPanel, WHM, mail, FTP, and the like, but they can still visit the websites on the server.

    Thanks very much.

  8. #8
    cPanel Quality Assurance Analyst cPanelDon
    Join Date
    Nov 2008
    Location
    Houston, Texas, U.S.A.
    Posts
    2,555
    cPanel/Enkompass Access Level

    DataCenter Provider

    Re: cPHulk whitelist syntax, list of services affected, clearing

    Quote Originally Posted by DeepCover View Post
    So that I am clear: If I blacklist IP addresses or CIDRs under cPHulk Brute Force Protection > Whitelist/Blacklist, will web visitors still be able to access all the public websites on port 80?

    If my understanding is correct, the IPs blacklisted under cPHulk will not be able to log in anywhere to any services such as cPanel, WHM, mail, FTP, and the like, but they can still visit the websites on the server.

    Thanks very much.
    Yes; I believe that your understanding is correct. cPHulk Brute Force Protection affects whether or not login attempts result in success or failure. With cPHulk enabled, if a login attempt is from an IP address that is blacklisted in cPHulk then the attempted login will not result in successful authentication.

  9. #9
    Registered User
    Join Date
    Jan 2011
    Posts
    2

    Re: cPHulk whitelist syntax, list of services affected, clearing

    Quote Originally Posted by cPanelDon View Post
    Yes; I believe that your understanding is correct. cPHulk Brute Force Protection affects whether or not login attempts result in success or failure. With cPHulk enabled, if a login attempt is from an IP address that is blacklisted in cPHulk then the attempted login will not result in successful authentication.
    Don, I very much appreciate your response. I am far from an expert on Linux or WHM.

    We are running cPanel/WHM on a company server, and only a few of our employees need log-in privileges. It is a private company server, and we do not sell cPanel accounts to the public.

    Our server gets quite a bit of Brute Force hack attempts from China and other countries, but I do not want to block traffic to websites while making the server more secure.

    Ideally, I would like to whitelist the few IP addresses that need log-in access, and then blacklist the rest of the planet, all while not blocking any normal website traffic.

    Is there a single IP range, perhaps using wildcards (*), or some other single line of code, that I can place in the cPHulk Blacklist and that would block all other IPs on the planet? (Or, would I need to enter every IP range such as 117.0.0.0/8?)

    Again, thanks, Don.

  10. #10
    Member
    Join Date
    Aug 2010
    Posts
    8

    Re: cPHulk whitelist syntax, list of services affected, clearing

    Quote Originally Posted by DeepCover View Post
    Don, I very much appreciate your response. I am far from an expert on Linux or WHM.

    We are running cPanel/WHM on a company server, and only a few of our employees need log-in privileges. It is a private company server, and we do not sell cPanel accounts to the public.

    Our server gets quite a bit of Brute Force hack attempts from China and other countries, but I do not want to block traffic to websites while making the server more secure.

    Ideally, I would like to whitelist the few IP addresses that need log-in access, and then blacklist the rest of the planet, all while not blocking any normal website traffic.

    Is there a single IP range, perhaps using wildcards (*), or some other single line of code, that I can place in the cPHulk Blacklist and that would block all other IPs on the planet? (Or, would I need to enter every IP range such as 117.0.0.0/8?)

    Again, thanks, Don.
    If it turns out that's what you need to do, the site Country IP Blocks is very helpful for generating tailored ranges in various formats.
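    The three entry forms cPanelDon lists in post #6 (a CIDR range, a single IPv4 address, a single IPv6 address) and the question in post #9 about blocking whole ranges such as 117.0.0.0/8 both come down to one operation: deciding whether a connecting address falls inside any listed network. The following Python is an added example written for this page, not cPanel's code, showing that check with the standard library's ipaddress module. The trusted-first precedence, the sample lists and the "unlisted" outcome are assumptions of the example; the thread does not say how cPHulk orders its two lists when an address appears in both, nor whether or how it resolves hostnames (which the original poster mentions), so hostnames and wildcards are rejected here as entries outside the documented syntax.

```python
"""Evaluate a source address against cPHulk-style trusted and blocked lists.

Added example, not cPanel code. The three entry forms are the ones given
in the thread for the Trusted IP list: a CIDR range, a single IPv4
address, a single IPv6 address. Hostnames are not handled, since the
thread never confirms whether or how cPHulk resolves them.
"""
import ipaddress
from typing import Iterable, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_entry(entry: str) -> Network:
    """Parse one list entry into a network object.

    A single address becomes a /32 (IPv4) or /128 (IPv6) network so every
    entry type is checked with the same membership test. Anything outside
    the three documented forms (a wildcard like 117.*.*.*, a hostname)
    raises ValueError. strict=False normalises a range written with host
    bits set (10.1.2.3/8 -> 10.0.0.0/8); pass strict=True instead if you
    would rather reject such entries as likely typos.
    """
    return ipaddress.ip_network(entry.strip(), strict=False)


def is_valid_entry(entry: str) -> bool:
    try:
        parse_entry(entry)
    except ValueError:
        return False
    return True


def parse_list(entries: Iterable[str]) -> List[Network]:
    """Parse a list of entries, skipping blank lines and '#' comments."""
    nets: List[Network] = []
    for line in entries:
        line = line.strip()
        if line and not line.startswith("#"):
            nets.append(parse_entry(line))
    return nets


def matches(addr: str, nets: Iterable[Network]) -> bool:
    """True if addr lies inside any listed network.

    ipaddress never matches an IPv4 address against an IPv6 network (or
    vice versa), so mixed lists are safe to check in one pass.
    """
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def decide(addr: str, trusted: Iterable[Network], blocked: Iterable[Network]) -> str:
    """Classify addr as 'trusted', 'blocked' or 'unlisted'.

    The trusted list is consulted first. That precedence is an assumption
    of this example; the thread does not say how cPHulk orders the two
    lists when an address appears in both.
    """
    if matches(addr, trusted):
        return "trusted"
    if matches(addr, blocked):
        return "blocked"
    return "unlisted"


# Constructed sample lists; the entries echo the thread's own examples.
TRUSTED = parse_list([
    "# operators' fixed addresses",
    "10.0.0.0/8",
    "192.168.1.1",
    "3ffe:1900:4545:3:200:f8ff:fe21:67cf",
])
BLOCKED = parse_list([
    "117.0.0.0/8",
    "203.0.113.0/24",
])

if __name__ == "__main__":
    for addr in ("10.45.6.7", "192.168.1.1", "192.168.1.2", "117.20.3.4",
                 "3ffe:1900:4545:3:200:f8ff:fe21:67cf", "2001:db8::1"):
        print(f"{addr:>40}  {decide(addr, TRUSTED, BLOCKED)}")
```

    Run against a list exported from WHM, is_valid_entry flags lines that do not fit the three documented forms before they are saved, and decide shows which outcome a given source address would get. Note that a dynamic address (post #4's situation) only stays trusted while it remains inside a listed range, which is why a fixed /8 or /24 from the provider is easier to maintain than a single address.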
