CPHulk - Appears not to work!

**santrix** · 02-22-2009 03:04 AM

OK, I have CPHulk enabled, with only myself in the trusted hosts list (already managed to lock myself out once, so I know it's working)...

Now, I wake up this morning to find a pile of this in my /var/log/messages

Feb 22 08:46:44 vps pure-ftpd: (?@58.246.161.120) [ERROR] Too many authentication failures
Feb 22 08:46:44 vps pure-ftpd: (?@58.246.161.120) [INFO] New connection from 58.246.161.120
Feb 22 08:46:45 vps pure-ftpd: (?@58.246.161.120) [WARNING] Authentication failed for user [tsinternetuser]
Feb 22 08:47:24 vps last message repeated 4 times
[repeat above about a thousand times at least]

Now, why isn't CPHulk locking this dude out? the CPHulk screen in WHM shows no lockouts, no errors, nada... zip... nothing - it all looks fine and dandy. What gives?

I'm running the latest release R33609

Steve

**JPC-Shaun** · 02-22-2009 05:59 AM

Hi;

Make sure that the CpHulk is enabled and properly configured.

Enabling cPHulk is pretty easy. Simply log into your WHM control panel as root. From the main menu on the left, click on Security Center from the Security section.

Click on the cPHulk Brute Force Detection link at the top of the page. Now you may want to configure cPHulk before you enable it. The configuration parameters are pretty much self-explanatory so I won’t go into details about this. Basically you set the number of failed attempts before an IP or an account is blocked and you set how long you want it to be blocked. Make sure you have configured the options properly here.

When you’re done, simply click on the Enable button at the top.

**santrix** · 02-22-2009 08:50 AM

Thanks Shaun, but CPHulk is definitely enabled (as far as the WHM control panel pages are concerned)... It's also managed to lock me out in the past, so I am confident the service is running.

IP Based Brute Force Protection Period in minutes:15
Brute Force Protection Period in minutes:10
Maximum Failures By Account:15
Maximum Failures Per IP:5
Maximum Failures Per IP:30
Extend account lockout time upon additional authentication failures:no
Send notification when brute force user is detected:yes

I'm concerned that the log was so full of these messages, despite CPHulk was running, and that CPHulk has not recorded any failed login attempts.

Has CPHulk ignores the logins because they were aimed at user "tsinternetuser", which obviously doesn't exist on a linux box?

**cpanelnick** · 02-22-2009 11:35 AM

Please open a ticket @ https://tickets.cpanel.net/submit/

LinkBack

Thread Tools

CPHulk - Appears not to work!

DNS Zones does not appears in all clusters

cPHulk Doesn't work?

Â icon appears in Cpanel

cppop appears slow

Connecting via FTP appears slow