Block IP addresses at the firewall level - Safe to uncheck?

glauco

Member
Aug 26, 2011
16
1
53
Ok, I know you should never do anything to compromise security. My problem is, the more clients I sign up to my VPs, the more time I seem to waste unblocking morons who can't follow the simple instructions I send them for setting up email accounts, or decide to use their phone's auto-setup (which never works) and get themselves locked out.
Whitelisting IPs isn't a viable option, all my clients are UK based and most (if not all) internet providers here assign dynamic IPs that get refreshed on a daily basis.
I am really, really tempted to uncheck "Block IP addresses at the firewall level if they trigger brute force protection" in the cPHulk configuration, so at least when I send clients their email settings I can say "if you mess it up, you'll get locked out for a few minutes, check your settings and try again later, until you get it right" instead of having to manually unblock them every time.
My question is: how risky is this policy? Realistically, is my server still safe if genuinely malicious IPs only get locked for a limited time rather than permanently, or is this setting really necessary for complete safety? Obviously I don't want any disasters, but I would love to spend less time dealing with stupid enquiries.
Thanks!
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,909
2,228
463
My question is: how risky is this policy? Realistically, is my server still safe if genuinely malicious IPs only get locked for a limited time rather than permanently, or is this setting really necessary for complete safety? Obviously I don't want any disasters, but I would love to spend less time dealing with stupid enquiries.
Hello :)

Are you utilizing CSF to help block brute force attacks? If so, it's unlikely you are sacrificing very much security when disabling this option in cPhulkd, as CSF should pick up the attacks.

Thank you.
 

glauco

Member
Aug 26, 2011
16
1
53
Yes CSF is installed though I've not done any configuration on it. The "check server security" button highlights a lot of options I need to check. As long as I configure CSF properly, I can go ahead and disable that option?
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,909
2,228
463
Yes, the option to block IP addresses in cPHulk is not required, so you can disable it if you prefer to use CSF to prevent these types of attacks.

Thank you.