#1 (permalink)  
Old 01-08-2008, 01:50 PM
Registered User
 
Join Date: Oct 2007
Posts: 19
douglatz is on a distinguished road
Question CPHulk - what am I missing

Hmmm ... I'm not understanding something. If I have my cPHulk settings set thus:

IP Based Brute Force Protection Period in minutes: 90
Brute Force Protection Period in minutes: 90
Maximum Failures By Account: 3
Maximum Failures Per IP: 3
Maximum Failures Per IP before IP is blocked for two week period: 9
Extend account lockout time upon additional authentication failures: checked
Send notification when brute force user is detected: checked

Why am I seeing entries in my logins like:

root h-66-166-56-233. system 0 2008-01-08 04:43:14
root h-66-166-56-233. system 0 2008-01-08 04:43:40
root h-66-166-56-233. system 0 2008-01-08 04:45:10
root h-66-166-56-233. system 0 2008-01-08 04:44:04
root h-66-166-56-233. system 0 2008-01-08 04:44:45
admin h-66-166-56-233. system 0 2008-01-08 04:45:27
admin h-66-166-56-233. system 0 2008-01-08 04:45:35
root h-66-166-56-233. system 0 2008-01-08 04:43:31
admin h-66-166-56-233. system 0 2008-01-08 04:45:52
root h-66-166-56-233. system 0 2008-01-08 04:44:29
root h-66-166-56-233. system 0 2008-01-08 04:44:12
root h-66-166-56-233. system 0 2008-01-08 04:45:02
root h-66-166-56-233. system 0 2008-01-08 04:43:48
root h-66-166-56-233. system 0 2008-01-08 04:44:54
admin h-66-166-56-233. system 0 2008-01-08 04:45:44
root h-66-166-56-233. system 0 2008-01-08 04:43:56
admin h-66-166-56-233. system 0 2008-01-08 04:45:19
root h-66-166-56-233. system 0 2008-01-08 04:43:23
admin h-66-166-56-233. system 0 2008-01-08 04:46:00
root h-66-166-56-233. system 0 2008-01-08 04:44:21
root h-66-166-56-233. system 0 2008-01-08 04:44:37
admin h-66-166-56-233. system 0 2008-01-08 04:46:11

22 attempts in 3 minutes, all from the same IP address. This IP should now be on a two-week lockdown, right?
  #2 (permalink)  
Old 01-12-2008, 02:37 PM
Registered User
 
Join Date: Oct 2007
Posts: 19
douglatz is on a distinguished road
Anyone have any ideas?
  #3 (permalink)  
Old 01-12-2008, 03:16 PM
Registered User
 
Join Date: Jan 2003
Location: New York
Posts: 1,021
nyjimbo is on a distinguished road
We have a similar problem on our FreeBSD boxes (not sure if it's OS-related). We often see a lot of bot-related FTP attacks: dictionary attacks against all our IP ranges every few days. It's not overwhelming to the machines or network, but they come up on the console from Pure-FTPd, and I get the same emails from cPHulk about a massive amount of failures from an IP. The email will show the login names they used, but nothing gets done about it; we can see it go on for hours sometimes, and dozens or more of these emails get sent to me from cPanel/cPHulk.

My feeling is something is broken in cPHulk and it might think it's doing the blocking, but it's not. I have to manually go to the machines and block them with ipfw, or kill and restart Pure-FTPd, as the bots will give up if it's down for a few seconds.
__________________
"A dog has raised its hind leg on the age of nevermore!"
-- Rolf
  #4 (permalink)  
Old 11-30-2008, 10:33 PM
Registered User
 
Join Date: Feb 2006
Posts: 20
louish is on a distinguished road
I have this same problem on 6 servers, all running WHM and cPanel. Even when I add the IP address to hosts.deny and then also deny them in hosts.allow, I still get repeated login attempts every 5 minutes.
  #5 (permalink)  
Old 12-10-2008, 07:54 PM
Registered User
 
Join Date: Mar 2008
Location: Indiana
Posts: 30
pbhosting is on a distinguished road
Quote:
Originally Posted by louish
I have this same problem on 6 servers, all running WHM and cPanel. Even when I add the IP address to hosts.deny and then also deny them in hosts.allow, I still get repeated login attempts every 5 minutes.
I have this same problem; however, it's LOCKING OUT the root account to where I can't get in. Because of the amount of attacks I have been getting, I have found that it's easiest to block any IP range that is not USA-based.

I have had several attacks the past few days from China and Latin America. I blocked the entire IP address range, and the attacks have slowed; however, now I'm getting them from elsewhere.

Any idea how to configure cPanel to block the IP and not lock the root account?
  #6 (permalink)  
Old 12-16-2008, 07:20 PM
Registered User
 
Join Date: May 2003
Posts: 4
the Eych
Here is what you are missing

I actually had to dig deep in cPHulk's Perl code to understand this myself. You are missing what these two settings actually mean:

Quote:
IP Based Brute Force Protection Period in minutes: 90
Brute Force Protection Period in minutes: 90
The first setting is used to find previous attempts: in your case it will look back 90 minutes in the attempts table and calculate how many failed attempts the same IP had in this 90-minute period.

If that's a new IP that was not already blocked, it will get a maximum of "Maximum Failures Per IP" attempts and will then be blocked for "Brute Force Protection Period in minutes" minutes; in your case, for 90 minutes.

After 90 minutes have passed and the same IP tries again, the logic will again look back 90 minutes, and since the IP was blocked during this period it won't find any attempts and will effectively start counting the new attempts from scratch.

It's weird logic in cPHulk itself, but you can easily fix this if you set "IP Based Brute Force Protection Period in minutes" (how many minutes to look back in the attempts table for failed attempts from the same IP) several times higher than "Brute Force Protection Period in minutes". The period in the first setting should cover the period in the second setting (the time when the IP had no attempts logged because it was blocked) and then some more, to actually find attempts before that.

In your case I'd suggest something like:

IP Based Brute Force Protection Period in minutes: 90
Brute Force Protection Period in minutes: 30

If this doesn't work as expected, just try to make the difference between the two settings even bigger.
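The following is an added model of the lookback/block interaction the Eych describes in post #6. It is illustrative code written for this thread, not cPanel's own cPHulk code, and it takes its rules from that post: unrefused failures are written to an attempts table, an attempt that arrives while the IP is blocked is refused and not recorded, each recorded failure is compared against the IP's recorded failures inside the "IP Based Brute Force Protection Period" window, hitting "Maximum Failures Per IP" blocks for "Brute Force Protection Period", and hitting the two-week threshold blocks for two weeks. The class and function names, the documentation IP address and the attacker timeline (one failure every 5 minutes, the retry interval louish reports in post #4) are all invented for the example. Replaying that bot against 90/90, 90/30 and 720/30 shows why a lookback equal to the block period never accumulates nine failures, and that 90/30 alone is still not enough against a 5-minute retry, which is the case where the post says to widen the gap further.

```python
"""Model of the cPHulk lookback/block interaction described in post #6.

Illustrative code, not cPanel's. Assumptions taken from that post:
  - a failed login that is not refused is recorded in an attempts table;
  - an attempt arriving while the IP is blocked is refused and NOT recorded;
  - on each recorded failure the IP's recorded failures within the last
    `ip_lookback_min` minutes are counted ("IP Based Brute Force Protection
    Period in minutes");
  - reaching `max_per_ip` blocks the IP for `block_min` minutes ("Brute Force
    Protection Period in minutes"); reaching `long_block_at` blocks it for
    two weeks.
Times are minutes since the first attempt. All names are invented here.
"""
from dataclasses import dataclass

TWO_WEEKS_MIN = 14 * 24 * 60


@dataclass
class HulkConfig:
    ip_lookback_min: int      # how far back the attempts table is searched
    block_min: int            # length of the short block
    max_per_ip: int = 3       # "Maximum Failures Per IP"
    long_block_at: int = 9    # "... before IP is blocked for two week period"


class HulkModel:
    def __init__(self, cfg: HulkConfig):
        self.cfg = cfg
        self.attempts = {}       # ip -> recorded failure times (minutes)
        self.blocked_until = {}  # ip -> minute at which the current block ends

    def fail(self, ip: str, t: int) -> str:
        """Process one failed login from `ip` at minute `t`.

        Returns "refused" (blocked, nothing recorded), "logged" (recorded, no
        block), "short_block" or "long_block" (recorded, block started now).
        """
        if self.blocked_until.get(ip, -1) > t:
            return "refused"     # blocked: nothing written to the attempts table
        log = self.attempts.setdefault(ip, [])
        log.append(t)
        recent = [x for x in log if x > t - self.cfg.ip_lookback_min]
        if len(recent) >= self.cfg.long_block_at:
            self.blocked_until[ip] = t + TWO_WEEKS_MIN
            return "long_block"
        if len(recent) >= self.cfg.max_per_ip:
            self.blocked_until[ip] = t + self.cfg.block_min
            return "short_block"
        return "logged"


def summarize(cfg: HulkConfig, ip: str, times) -> dict:
    """Replay a sequence of failure times and report how the config responded."""
    model = HulkModel(cfg)
    outcomes = [(t, model.fail(ip, t)) for t in times]
    long_at = next((t for t, o in outcomes if o == "long_block"), None)
    return {
        "recorded": sum(o != "refused" for _, o in outcomes),
        "short_blocks": sum(o == "short_block" for _, o in outcomes),
        "long_block_at": long_at,
    }


# Constructed attacker: one failed login every 5 minutes for 12 hours.
BOT_TIMES = list(range(0, 12 * 60, 5))
BOT_IP = "198.51.100.23"   # documentation address, not one from the thread

if __name__ == "__main__":
    for lookback, block in [(90, 90), (90, 30), (720, 30)]:
        cfg = HulkConfig(ip_lookback_min=lookback, block_min=block)
        print(f"lookback={lookback:4d} block={block:3d}",
              summarize(cfg, BOT_IP, BOT_TIMES))
```

With 90/90 the bot is blocked for 90 minutes every three failures, but each time the block expires the 90-minute window contains only the silent block period, so the count restarts and the two-week block is never reached. With 90/30 the window still only ever holds the three failures that got through, because the short block lets one attempt through per 30 minutes. Only when the lookback covers enough block periods (720/30 here) do nine failures accumulate and the long block fire, which is what the post means by making the difference bigger.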
  #7 (permalink)  
Old 12-17-2008, 04:03 AM
Registered User
 
Join Date: Nov 2007
Posts: 26
keddie is on a distinguished road
Try LFD instead

I experimented with cPHulk about a year ago and didn't have a great experience. I now use the ConfigServer Login Failure Daemon (LFD) in conjunction with the CSF firewall. It's a free script and it's superb!

http://www.configserver.com/cp/csf.html
All times are GMT -5.


Powered by vBulletin® Version 3.8.2
Copyright ©2000 - 2009, Jelsoft Enterprises Ltd.
© cPanel Inc