Adding a custom service to cPhulkd

locador

Member
Nov 8, 2018
5
0
1
São Paulo, Brazil
cPanel Access Level
Root Administrator
Hello,

I've been facing a huge wave of brute force attempts on WordPress logins lately and have been poking at a more robust solution for blocking them.

I have a custom rule in Apache that's able to 401 an IP that has 'x' failed login attempts. But lately, that's not been enough. I believe that, with the help of infected machines, I'm getting wave after wave of thousands of different IPs, and just having Apache process the rules is costing loads of CPU. So, firewalling them out is obviously necessary.

I know that there are tools like fail2ban that can scan Apache log files and automatically block IPs, or I could use my own script that I've written for that. However, cPhulkd has a wonderful way of managing its own iptables rules, white/black lists, expiring blocks, etc.

So, here's my question: Is it possible to add custom services, or rules, etc, to cPhulkd to monitor? If it's not, then here's a new feature request ;)

Thanks,
Antonio.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,904
2,218
463
Hi Antonio,

It's not supported at this time, but you can open a feature request for the ability to monitor custom services with cPHulk at:

Submit A Feature Request

Thank you.
 

locador

"It's not supported at this time"

OK, thanks a bunch. But just out of curiosity, isn't there a workaround with cphulk? Like inserting a log line in systemd that it would recognize, or inserting rows in that cphulk MySQL database, etc.? How does cphulk actually work? Does it monitor log files, etc.? The idea of using a third-party tool doesn't sound very attractive.
 

cPanelMichael

Hello @locador,

cPHulk isn't designed to support the monitoring of custom services, so there are no feasible workarounds to implement that functionality. It's not checking for log file entries, but rather monitoring login attempts at the PAM level to determine whether a login attempt is a brute force attack.

Generally, the issue you described is better addressed through Mod_Security. Since you mentioned WordPress, here are a couple of threads with discussion you may find helpful:

Use modsecurity / CSF to block all common cms logins?
wp-login.php and mod security

Thank you.