
all-in-one IP protection

Discussion in 'Security' started by sehh, Mar 25, 2014.

  1. sehh

    sehh Well-Known Member

    Joined:
    Feb 11, 2006
    Messages:
    579
    Likes Received:
    5
    Trophy Points:
    18
    Location:
    Europe
    As far as I know, once a system has been compromised (virus, rootkit, etc), it acts as a zombie host for a number of things. Thus, the same compromised system may act as a proxy to send spam, participate in a DDoS attack, perform Brute Force attacks, and all sorts of other "kool" things.

    What I believe would be ideal is a complete all-in-one system that protects all services from blacklisted/banned IP addresses.

    For example, by extending cPHulk to cover:

    - exim from spam (instead of exim using /etc/spammeripaddresses).
    - apache from remote exploits and other attacks (blocking IP addresses is faster than sending the requests to be processed via modsec).
    - dovecot from overzealous brute force attempts that flood the authentication processes and don't let normal users get in.

    By extension, it would be ideal if cPHulk would block whole countries per domain/account. Some clients are so locally based that they have no communication outside their own country or even organization. It would be ideal for them to block continents/countries. It is something we already do, but with 3rd party tools.

    The result would be to block an IP address because it tried to perform a Brute Force attack one day, and the next day when it tries to send spam, it will be already blacklisted!!! Next day it may try a remote exploit on apache/php, or whatever, it will still fail to have any effect because it has already been blacklisted the very first day it tried something.

    What do you guys think?


    PS:
    I came to this conclusion because I compared cPHulk IP addresses to my exim/dovecot/apache logs and I found the same addresses being repeated over and over again.
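The comparison described in the post above (the same source addresses recurring across cPHulk, exim, dovecot and apache logs) can be automated. The script below is an added example and is not cPanel, cPHulk or CSF code: it parses a few constructed, simplified log lines for each service, counts hostile-looking events per address and per service, and emits a single deny list for addresses that were seen in two or more services (or crossed an event threshold in one). The log formats, thresholds and the `address # comment` output shape are assumptions for illustration; real log formats differ between versions.

```python
"""Cross-service IP correlation (added example, not cPanel/CSF code).

Find source addresses that show up as hostile in more than one service
log so a single firewall-level deny list can replace per-service
blacklists.  Log lines are constructed samples in simplified formats.
"""
import re
from collections import defaultdict

# Constructed sample log excerpts (not real traffic), keyed by service.
SAMPLE_LOGS = {
    "cphulk": """\
[2014-03-25 01:02:03 +0000] info [cphulkd] 203.0.113.7 cpanel brute force attempt
[2014-03-25 01:02:09 +0000] info [cphulkd] 198.51.100.4 cpanel brute force attempt
""",
    "exim": """\
2014-03-25 02:10:11 H=(mail.example) [203.0.113.7] rejected RCPT <x@example.com>: relay not permitted
2014-03-25 02:11:45 H=(mail.example) [192.0.2.99] rejected RCPT <y@example.com>: relay not permitted
""",
    "dovecot": """\
Mar 25 03:00:01 host dovecot: imap-login: Disconnected (auth failed, 3 attempts): user=<bob>, rip=203.0.113.7, lip=192.0.2.1
Mar 25 03:00:05 host dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<amy>, rip=198.51.100.4, lip=192.0.2.1
Mar 25 03:00:09 host dovecot: imap-login: Disconnected (auth failed, 5 attempts): user=<eve>, rip=198.51.100.4, lip=192.0.2.1
""",
    "apache": """\
203.0.113.7 - - [25/Mar/2014:04:20:00 +0000] "GET /wp-login.php HTTP/1.1" 403 199
192.0.2.10 - - [25/Mar/2014:04:21:00 +0000] "GET /index.html HTTP/1.1" 200 512
""",
}

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"

# One "hostile line" pattern per service (assumed formats).  Benign
# lines, e.g. an apache 200 response, deliberately do not match.
PATTERNS = {
    "cphulk": re.compile(r"\[cphulkd\] " + IP + r" .*brute force"),
    "exim": re.compile(r"\[" + IP + r"\] rejected "),
    "dovecot": re.compile(r"auth failed.*?rip=" + IP),
    "apache": re.compile(r"^" + IP + r" .*\" (?:401|403|404) \d+"),
}


def extract_events(service, text):
    """Return the source IP of every hostile-looking line for one service."""
    pattern = PATTERNS[service]  # KeyError for a service with no pattern
    return [m.group(1) for m in map(pattern.search, text.splitlines()) if m]


def correlate(logs):
    """Map ip -> {service: event count} across all service logs."""
    hits = defaultdict(lambda: defaultdict(int))
    for service, text in logs.items():
        for ip in extract_events(service, text):
            hits[ip][service] += 1
    return {ip: dict(services) for ip, services in hits.items()}


def block_candidates(hits, min_services=2, min_events=5):
    """Addresses seen in >= min_services services, or with >= min_events
    total events in any combination of services; sorted for stable output."""
    return sorted(
        ip for ip, services in hits.items()
        if len(services) >= min_services or sum(services.values()) >= min_events
    )


def render_deny_list(hits, candidates):
    """One 'address # comment' line per IP, the shape most deny files accept."""
    lines = []
    for ip in candidates:
        services = hits[ip]
        reason = ", ".join(f"{s}={n}" for s, n in sorted(services.items()))
        lines.append(f"{ip} # seen in {len(services)} services: {reason}")
    return lines


if __name__ == "__main__":
    all_hits = correlate(SAMPLE_LOGS)
    for line in render_deny_list(all_hits, block_candidates(all_hits)):
        print(line)
```

With the sample data, 203.0.113.7 is flagged after appearing in all four services and 198.51.100.4 after cPHulk plus two dovecot failures, while 192.0.2.99 (a single exim rejection) and 192.0.2.10 (a normal apache request) are left alone. Feeding the rendered lines to a firewall-level deny mechanism is what gives the "blocked everywhere after the first offence" effect the post asks for; the thresholds should be tuned against the false-positive rate observed on the server.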
     
  2. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    940
    Likes Received:
    55
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    Just use CSF.

    If someone gets blocked for e-mail brute forcing, for example, they're blocked in iptables, which ceases all communication to/from your server and that IP address.

    I wouldn't hold your breath waiting for cPHulk to do all this when CSF basically already does it and is free. Also, LF_MODSEC will block IP addresses entirely after they trigger more than X number of modsec rules (usually 5).
     
  3. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    648
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    I recommend using a firewall management tool such as CSF to handle those types of tasks. However, you are welcome to submit feature requests via:

    Submit A Feature Request

    Thank you.
     