
cpHulk alerts while running CSF

Discussion in 'Security' started by vlus, Jan 3, 2014.

  1. vlus

    vlus Member

    Hello,

    I understand (albeit vaguely :) that cpHulk and CSF do their jobs differently. However, I have CSF set up with CC_ALLOW_FILTER=US, which my understanding is will essentially block, or make my website, mail servers, etc. invisible to, virtually all other IPs.

    I am still getting several Failed Login alerts each day from cpHulk from around the world, which I don't quite understand. If CSF is protecting me with CC_ALLOW, how could I still get hit?

    Thanks for any guidance. I've been trying to post to the CSF board, but haven't had any replies yet, so I'm hoping you folks can help :)

    Thanks!
    Vlus
     
  2. jakesully

    jakesully Well-Known Member

    I don't think CC_ALLOW_FILTER=US will be protecting the cPanel ports area, since you gotta enable SSH keys for the alerts you get to stop, if it's failed login attempt mails you get from cPanel/WHM. Also disable password login on SSH, and then you can also make it so any other IPs trying to log in on WHM can't, by using the host control feature inside the WHM area: write 1 box with allow and what service, then give your IP, and then in the next form under it you do deny and then all on that, so it will deny every IP except for yours :) That way it can also stop these nasty brute force bots trying to gain root access :)
     
  3. vlus

    vlus Member

    Much appreciate your reply!

    "Also disable password login on SSH"
    already have done that

    "and then you can also make so any other IPs trying to login on WHM can't by using host control feature inside WHM area write 1 box with allow and what service then give your ip and then next form under you do deny and then all on that so it will deny every ip except for yours"
    already have done that

    These measures stop the hackers from getting in, but they don't stop the hack attempt, since they can still 'see' my server.

    Just moments ago CSF/LFD blocked a Chinese hack attempt at my cPanel. So, this brings me full circle to my initial question. If CC_ALLOW_FILTER=US includes only those IP addresses which are allowed to even "see" that my IP exists, how can someone on any other IP address attempt a hack at an IP that they aren't supposed to be able to "see" exist?

    Not sure if I'm asking this question properly, or if I'm understanding the correct function of CC_ALLOW_FILTER for that matter. From what I've read on this, it just seems this filter would stop everyone else at the door, and therefore there would not be any alerts at all?

    Possible epiphany... or, does it stop everyone else at the door and send the alert that it blocked them? LOL, I don't know... is there anyone out there not in the US that wants to try to surf my site or send me an email? Theoretically you should not be able to accomplish either :)

    Vlus
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello :)

    It's possible this is a bug with the CSF software that you will need to report to its developers. Have you tried restarting CSF to see if that makes a difference?

    Thank you.
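
One way to test the question raised in this thread is to compare the source IPs in the failed-login alerts against the CIDR list the allow filter is supposed to enforce. The following is an added example, not code from any poster, cPanel or CSF; the log line format, the service names and the CIDR blocks (documentation ranges) are constructed assumptions.

```python
import ipaddress
import re

# Constructed stand-in for the country CIDR list behind an allow filter
# (documentation ranges, not real US allocations).
ALLOWED_CIDRS = ["192.0.2.0/24", "198.51.100.0/25"]

# Constructed failed-login lines; the format is hypothetical, not cpHulk's own.
SAMPLE_LOG = """\
2014-01-03 10:01:12 failed login service=whm user=root ip=192.0.2.45
2014-01-03 10:04:40 failed login service=cpanel user=alice ip=203.0.113.9
2014-01-03 10:04:41 failed login service=cpanel user=alice ip=203.0.113.9
2014-01-03 10:09:03 failed login service=mail user=info ip=198.51.100.200
2014-01-03 10:11:57 failed login service=cpanel user=admin ip=not-an-ip
"""

LINE_RE = re.compile(r"service=(?P<service>\S+) .*\bip=(?P<ip>\S+)")


def classify_failed_logins(log_text, allowed_cidrs):
    """Split failed-login sources into inside/outside the allow list.

    Returns (inside, outside, unparsed). inside and outside map
    ip -> {service: count}; unparsed holds lines that could not be read.
    """
    networks = [ipaddress.ip_network(cidr) for cidr in allowed_cidrs]
    inside, outside, unparsed = {}, {}, []
    for line in log_text.splitlines():
        match = LINE_RE.search(line)
        if not match:
            unparsed.append(line)
            continue
        try:
            addr = ipaddress.ip_address(match.group("ip"))
        except ValueError:
            unparsed.append(line)  # malformed address: keep it for manual review
            continue
        bucket = inside if any(addr in net for net in networks) else outside
        per_service = bucket.setdefault(str(addr), {})
        service = match.group("service")
        per_service[service] = per_service.get(service, 0) + 1
    return inside, outside, unparsed


if __name__ == "__main__":
    inside, outside, unparsed = classify_failed_logins(SAMPLE_LOG, ALLOWED_CIDRS)
    for ip, services in sorted(outside.items()):
        print(f"outside allow list: {ip} -> {services}")
    print(f"{len(inside)} source(s) inside the list, {len(unparsed)} unparsed line(s)")
```

Sources reported as outside the list reached a login service even though they are not in the allowed ranges, so those services and ports are the ones to compare against the rules the firewall actually has loaded.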
     