cpHulk alerts while running CSF

vlus

Member
Nov 6, 2003
16
0
151
Hello,

I understand (albeit vaguely :) that cpHulk and CSF do their jobs differently, however, I have CSF set up with CC_ALLOW_FILTER=US which my understanding is will essentially block or make my website, mail servers, etc invisible to virtually all other IP's.

I am still getting several Failed Login alerts each day from cpHulk from around the world, which I dont quite understand. If CSF is protecting me with CC_ALLOW how could I still get hit?

Thanks for any guidance. I've been trying to post to the CSF board, but havent had any replies yet, so I'm hoping you folks can help :)

Thanks!
Vlus
 

jakesully

Well-Known Member
Nov 9, 2011
50
0
56
cPanel Access Level
Root Administrator
i don't think CC_ALLOW_FILTER=US will be protecting the cpanel ports area since you gota enable SSH keys for alerts you get to stop if it's failed login attempt mails you get from cpanel/whm. Also disable password login on SSH and then you can also make so any other ips trying to login on WHM can't by using host control feature inside WHM area write 1 box with allow and what service then give your ip and then next form under you do deny and then all on that so it will deny every ip execpt for yours :) that way it can also stop these nasty brute force bots trying to gain root access :)
 

vlus

Member
Nov 6, 2003
16
0
151
Much appreciate your reply!

Also disable password login on SSH
already have done that

and then you can also make so any other ips trying to login on WHM can't by using host control feature inside WHM area write 1 box with allow and what service then give your ip and then next form under you do deny and then all on that so it will deny every ip execpt for yoursalready have done that

These measures stop the hackers from getting in but they dont stop the hack attempt, since they can still 'see' my server.

Just moments ago CSF/LFD blocked a Chinese hack attempt at my cPanel. So, this brings me full circle to my initial question. If CC_ALLOW_FILTER=US includes only those IP addresses which are allowed even "see" that my IP exists, how can someone on any other IP address attempt a hack at an IP that they aren't supposed to be able to "see" exist?

Not sure if I'm asking this question properly, or if I'm understand the correct function of CC_ALLOW_FILTER for that matter. From what I've read on this, it just seems this filter would stop everyone else at the door, and therefore there would not be any alerts at all?

Possible epiphany<sp>... or, does it stop everyone else at the door and send the alert that it blocked them? LOL, I don't know... is there anyone out there not in the US that wants to try to surf my site or send me an email? Theoretically you should not be able to accomplish either :)

Vlus
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,880
2,260
463
Hello :)

It's possible this is a bug with the CSF software that you will need to report to it's developers. Have you tried restarting CSF to see if that makes a difference?

Thank you.