cPHulk Not Always Blocking

[rezman]

I've been using Cpanel for a few years now and for the second time in the past month I had a brute force attack that cPHulk didn't seem to block.

The brute attack was on dovecot pop3-login both times. They slam every IP on the server. I have a /25 for SSL web sites. cPHulk sends out the email like normal but doesn't seem to block the IP. In return it keep sending out the warning email causing a flood. The only reason I found these was due to the mail queue on my other mail server receiving the emails jumping to little over over 5000 within a short time. Total emails send according to the mail send summery this morning is 4,995. The only way to stop it was to add it into the firewall.

Now the Cpanel server load wasn't very high so it was handling the failed login attempts with ease but shouldn't the Cpanel server stop sending the warning emails once cPHulk blocks the IP address?

I do still have the following in my Brutes (Excessive Login Failures):

Code:

IP: 190.213.105.62

Notes: 955 failed login attempts to account moon (system) -- Large number of attempts from this IP: 190.213.105.62

Begin:  2012-04-27 02:04:41
Expire: 2012-05-11 02:04:41

Even though it only says 955, I count 222,397 in /var/log/maillog

Code:

# grep "190.213.105.62" maillog | grep "auth failed" | wc -l
222397

[ruzbehraja]

You may want to open a ticket with cpanel.

In addition you may want to consider disabling CPHulk and using CSF, which uses iptables to filter out DoS type attacks.