cPHulk blocks IPs after 5 attempts, no matter what the value is set at?

Benjamin D.

Well-Known Member
Jan 28, 2016
133
19
68
Canada
cPanel Access Level
Root Administrator
Hi,

cPHulk is (and always was) set to 50 maximum failures per IP address, but it seems like since I upgraded to WHM 66.0 a couple weeks ago, it's now always blocking the IP addresses after only 5 attempts, no matter what the "maximum failures per IP address" value is set at.

I've always been using cPHulk paired with ConfigServer CSF, if it makes any difference. Nothing really changed except for the WHM 64.0 to 66.0 upgrade.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,909
2,228
463
Hello,

To clarify, do you see corresponding entries in /usr/local/cpanel/logs/cphulkd.log that show logins from specific IP addresses are blocked by cPHulk, or are you just noticing that logins are failing?

Thank you.
 

Benjamin D.

@kernow It seems CSF v11.0 came with a default value of 5 for blocking SMTP login attempts. I'm taking a look at new settings that came with that version and I'll change the default values. I'll see in a day if it makes a difference. So basically, since those CSF settings override cPHulk's, then I guess I could turn cPHulk off completely, no?

Thanks for your much appreciated time.
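
The situation described in the post above, as an added example (not code from this thread, cPanel or ConfigServer): a shell function that lists the CSF/LFD login-failure triggers whose threshold is lower than cPHulk's "maximum failures per IP address", so LFD would trigger at a lower failure count. The `LF_*` names are csf.conf login-failure settings, the sample file contents are constructed, 50 is the cPHulk value from the first post, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: which CSF/LFD login-failure triggers fire before cPHulk does?
# Usage: lfd_lower_than_cphulk <path to csf.conf> <cPHulk max failures per IP>
# Assumption: LF_TRIGGER is 0, so the per-service thresholds below apply.
lfd_lower_than_cphulk() {
    awk -v max="$2" '
        # csf.conf settings look like: LF_SMTPAUTH = "5"
        /^[ \t]*LF_(SSHD|FTPD|SMTPAUTH|POP3D|IMAPD|CPANEL)[ \t]*=/ {
            key = $0
            sub(/^[ \t]+/, "", key)          # strip leading whitespace
            sub(/[ \t]*=.*$/, "", key)       # keep only the setting name
            val = $0
            sub(/^[^=]*=[ \t]*"?/, "", val)  # drop name, "=" and opening quote
            sub(/".*$/, "", val)             # drop closing quote and the rest
            sub(/[ \t]+$/, "", val)          # drop trailing whitespace
            # 0 disables a trigger, so it cannot pre-empt cPHulk
            if (val ~ /^[0-9]+$/ && val + 0 > 0 && val + 0 < max + 0)
                printf "%s=%s\n", key, val
        }
    ' "$1"
}

# Constructed sample settings (not taken from a real server).
write_sample_csf_conf() {
    cat > "$1" <<'EOF'
LF_TRIGGER = "0"
LF_SSHD = "5"
LF_FTPD = "0"
LF_SMTPAUTH = "5"
LF_POP3D = "60"
LF_IMAPD = "10"
# LF_CPANEL = "3"
LF_CPANEL = "0"
EOF
}

# Demo on the constructed sample, with cPHulk set to 50 as in the first post.
sample=$(mktemp)
write_sample_csf_conf "$sample"
lfd_lower_than_cphulk "$sample" 50
rm -f "$sample"
```

On a server, pass /etc/csf/csf.conf as the first argument and the cPHulk value configured in WHM as the second.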
 

Muhammed Fasal

Well-Known Member
Aug 9, 2017
54
10
8
India
cPanel Access Level
Root Administrator
Hi,

cPHulk is only brute-force detection/failed login blocking, whereas a firewall or a security solution (CSF) includes a lot more.

You only need to think about CSF if you need advanced features for your server security, such as avoiding Apache DDoS attacks; otherwise, cPHulk will do almost all the other features provided by CSF, like auto-blocking of IP addresses on failed login attempts.

Actually, CSF works on top of iptables. The rules you add in CSF will be added to iptables on the back end, while cPHulk uses a MySQL database rather than iptables.

I have found another thread in which you can find a lot more info about these two:

cPHulk vs. CSF
 

Muhammed Fasal

If so, you can safely disable the cPHulkd service on your server, because they both do the same job, and CSF will do more than what cPHulkd can do.

Actually, CSF works on top of iptables. The rules you add in CSF will be added to iptables on the back end, while cPHulk uses a MySQL database rather than iptables.

As I have mentioned, cPHulk uses a database, so it may consume more resources during a brute-force attack.

You can check the cPHulkd log entries at:

tail -f /usr/local/cpanel/logs/cphulkd.log

You can follow this step on the command line to disable the cPHulkd service:

/usr/local/cpanel/bin/cphulk_pam_ctl --disable

OR

/usr/local/cpanel/etc/init/stopcphulkd