The Community Forums


cpHulk auto-block non-existent accounts

Discussion in 'Security' started by Carl Garner, Dec 22, 2016.

  1. Carl Garner

    Carl Garner Registered

    Joined:
    Dec 22, 2016
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    United Kingdom
    cPanel Access Level:
    Root Administrator
    Hi All,

    I've had cpHulk running for a while now and also added some further protection using the script "update-ipsets" from FireHOL (I don't use the FireHOL product on this server, but the script works without issue). This combination has stopped a large number of attacks on my system, but they still occur.

    I was wondering, is there a way to configure cpHulk to auto-block an access attempt to an account that doesn't exist on the system? I'm not bothered if it temporarily blacklists or blocks it at the firewall level either temporarily or permanently.

    Any thoughts or comments greatly appreciated.
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    37,171
    Likes Received:
    1,295
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    cPHulk is designed to prevent successful authentication into accounts when brute force attempts are detected. If the account username doesn't exist, then authentication isn't possible. Could you elaborate more on the specific scenario you are attempting to account for, or provide an example where additional functionality would be useful?

    Thanks!
     
  3. Carl Garner

    Carl Garner Registered

    Hi Michael,

    Sure. I receive emails each time cpHulk blocks an attack, but most of the time, these are for accounts (typically email) which don't exist on the system.

    cpHulk.jpg

    Above is a screenshot of one such email. The account address clearly isn't one that would be on my system. Is there any way to block these attacks, as I said, if the account being "tested" isn't a valid account on the system?
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    You can enable "Block IP addresses at the firewall level if they trigger brute force protection" as part of the "IP Address-based Protection" setting and that will block the IP address at the firewall level.

    cPHulk itself will only prevent successful authentication, and never stops the authentication attempts, except for individual IP addresses that are blocked at the firewall level. This is true regardless of whether the username exists on the system. For instance, if "user123" exists on the system, and "Username-Based Protection" is triggered, additional authentication attempts will still come through. It's just that authentication will always fail when the account is in the brute force protection period, even if the attacker uses a correct password.

    If you want to stop the attack itself, you'd need to use firewall rules or a firewall management utility with rules to detect and block the IP addresses (e.g. CSF).

    Thank you.
     
  5. Gauravk

    Gauravk Well-Known Member

    Joined:
    Jan 23, 2012
    Messages:
    64
    Likes Received:
    0
    Trophy Points:
    56
    cPanel Access Level:
    Root Administrator
    I'm experiencing a similar phenomenon and wondering if we can add certain non-existing usernames to a block list or blacklist? I am getting a few hundred failed attempts daily from 4-5 usernames whose domain is not with me. Blocking the IP is meaningless in this scenario, as the spammer must be switching IPs every time they attempt this.
     

  6. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    Could you elaborate on the specific benefit you'd see from such a feature? cPHulk doesn't block the authentication attempt itself unless the IP address is blocked at the firewall level after the configured number of failed attempts is met. A better approach would be to use a custom firewall rule to detect and block brute force attempts.

    Thank you.
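
Added example, not part of the original thread and not cPanel's or cPHulk's code: one way to do the detection side of the custom firewall rule discussed above, separating failed logins for mailboxes at domains not hosted on the server (block candidates on first sight) from failures against hosted domains (counted against a threshold, so a customer's typo is not blocked instantly). The log line format is a constructed, Dovecot-style assumption, and `triage`, `hosted_domains` and the sample domains and addresses are hypothetical.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log; the line format is an assumption (Dovecot-style).
_FAIL = ("Dec 22 10:0{n}:00 host dovecot: imap-login: Disconnected "
         "(auth failed, 1 attempts in 2 secs): user=<{u}>, method=PLAIN, "
         "rip={ip}, lip=192.0.2.1")
_ATTEMPTS = [
    ("info@notmine.example", "203.0.113.5"),
    ("info@notmine.example", "203.0.113.77"),   # same name, different source
    ("sales@notmine.example", "203.0.113.5"),
    ("carl@hosted.example", "198.51.100.9"),
    ("carl@hosted.example", "198.51.100.9"),
    ("carl@hosted.example", "198.51.100.9"),
    ("typo@hosted.example", "198.51.100.20"),   # single mistake, hosted domain
]
SAMPLE_LOG = "\n".join(
    [_FAIL.format(n=i, u=u, ip=ip) for i, (u, ip) in enumerate(_ATTEMPTS)]
    + ["Dec 22 10:09:00 host dovecot: imap-login: Login: "
       "user=<carl@hosted.example>, method=PLAIN, rip=198.51.100.20, lip=192.0.2.1"]
)

FAILED = re.compile(
    r"auth failed.*?user=<(?P<user>[^>]*)>.*?rip=(?P<ip>[0-9A-Fa-f:.]+)")

def triage(log_text, hosted_domains, threshold=3):
    """Return (block_now, block_threshold, spread) for failed logins."""
    foreign_ips = defaultdict(set)  # foreign-domain username -> source IPs
    local_fails = Counter()         # IP -> failures against hosted/local names
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if not m:
            continue                # successful logins and unrelated lines
        user, ip = m["user"].lower(), m["ip"]
        _, at, domain = user.rpartition("@")
        if at and domain not in hosted_domains:
            foreign_ips[user].add(ip)   # this domain is not served here
        else:
            local_fails[ip] += 1        # could be a real user's mistake
    block_now = sorted({ip for ips in foreign_ips.values() for ip in ips})
    block_threshold = sorted(ip for ip, n in local_fails.items() if n >= threshold)
    # Distinct source IPs per foreign username: shows how much the sources rotate.
    spread = {user: len(ips) for user, ips in foreign_ips.items()}
    return block_now, block_threshold, spread

if __name__ == "__main__":
    print(triage(SAMPLE_LOG, {"hosted.example"}))
```

The two IP lists are what would be handed to the firewall tool; `spread` shows how many distinct sources tried each foreign username, which indicates how much coverage per-IP blocking gives when the sources rotate.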
     