Blocked IP Address Continues making connections

Operating System & Version
CentOS v7.9.2009
cPanel & WHM Version
v100.0.5

dagwood777

Registered
Dec 24, 2021
3
1
3
Reno
cPanel Access Level
Root Administrator
I wanted to check on IP addresses that were connecting with my exim mailserver an inordinately large number of times, see who they were, and decide whether to block them or not. I ran the following command: "cat /var/log/exim_mainlog | grabips | egrep -v "no host name" | sort | uniq -c | sort -rn > /tmp/eximips", which yielded the following counts and IPs (just the top of the list):
134876 210.16.100.79
81096 193.56.29.28
25386 38.70.203.82
21563 212.192.219.135
15217 185.239.242.52
12297 2.56.56.191
9698 185.147.34.118
9105 23.97.12.108
8605 182.106.186.189
8448 2.58.149.77
7264 103.153.77.86
6775 212.192.219.148

I then ran: "while read COUNT IP ; do echo "*** $IP ***"; nslookup -timeout=2 $IP | grep "name ="; done < /tmp/eximips"
*** 210.16.100.79 ***
79.100.16.210.in-addr.arpa name = tecmar.biz.100.16.210.in-addr.arpa.
*** 193.56.29.28 ***
*** 38.70.203.82 ***
*** 212.192.219.135 ***
*** 185.239.242.52 ***
52.242.239.185.in-addr.arpa name = scl-0053.mails--servers.org.
*** 2.56.56.191 ***
*** 185.147.34.118 ***
*** 23.97.12.108 ***
*** 182.106.186.189 ***
*** 2.58.149.77 ***
*** 103.153.77.86 ***
*** 212.192.219.148 ***

I checked these in the barracuda RBL lookup and several (in bold) have poor reputations, and with that information, I added them (one at a time) to the blacklist in cpHulkd, expecting connections from those IPs to stop immediately. They didn't. For one ip address, I had to stop/restart cpHulkd AND restart exim and then connections stopped. For another, I restarted both services but the connections continue. I'm not sure what's going on and what I should expect. Shouldn't these changes take place immediately? Do I need to restart a different service? Or restart them in a particular order?
 

cPanelAnthony

Administrator
Staff member
Oct 18, 2021
1,046
111
118
Houston, TX
cPanel Access Level
Root Administrator
Hello! cPHulk doesn't prevent these connections from reaching the server; it prevents brute force attacks against login pages. If an IP blocked in cPHulk attempts to log in to cPanel, FTP, etc... It will be stopped, however, it can still reach the actual login pages and websites on the server.

If you want these IP addresses blocked from accessing anything relating to your server at all, you will need to block them within your server's actual firewall, which would likely be iptables or nftables.

What is cPHulk?
 
  • Like
Reactions: dagwood777