cPHulk blocks IPs after 5 attempts, no matter what the value is set at?

Discussion in 'Security' started by Benjamin D., Oct 12, 2017.

  1. Benjamin D.

    Benjamin D. Active Member

    Hi,

    cPHulk is (and always was) set to 50 maximum failures per IP address, but it seems like since I upgraded to WHM 66.0 a couple weeks ago, it's now always blocking the IP addresses after only 5 attempts, no matter what the "maximum failures per IP address" value is set at.

    I've always been using cPHulk paired with ConfigServer CSF, if it makes any difference. Nothing really changed except for the WHM 64.0 to 66.0 upgrade.
     
  2. kernow

    kernow Well-Known Member

    I'm guessing you have CSF set to block IPs after 5 attempts?
     
  3. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    To clarify, do you see corresponding entries in /usr/local/cpanel/logs/cphulkd.log that show logins from specific IP addresses are blocked by cPhulk, or are you just noticing that logins are failing?

    Thank you.
     
  4. Benjamin D.

    Benjamin D. Active Member

    @kernow It seems CSF v11.0 came with a default value of 5 for blocking SMTP login attempts. I'm taking a look at new settings that came with that version and I'll change the default values. I'll see in a day if it makes a difference. So basically, since those CSF settings override cPHulk's, then I guess I could turn cPHulk off completely, no?

    Thanks for your much appreciated time.
     
  5. Muhammed Fasal

    Hi,

    cPHulk is only Brute Force detection/failed login blocking, whereas a Firewall or a security solution (CSF) includes a lot more.

    If you need advanced features for your server security, such as avoiding Apache DDoS attacks, only then do you need to think about CSF; otherwise cPHulk will do almost all the other features provided by CSF, like auto-blocking of IP addresses on failed login attempts.

    Actually, CSF works on top of iptables. The rules you add in CSF will be added to iptables on the back end, while cPHulk uses a MySQL database rather than iptables.

    I have found another thread in which you can find a lot more info about these two:

    cPHulk vs. CSF
     
  6. kernow

    kernow Well-Known Member

    We don't use it ourselves, CSF does the job.
     
  7. Muhammed Fasal

    If so, you can safely disable the cpHulkd service on your server. They both do the same job, and CSF will do more than what cpHulkd can do.

    Actually, CSF works on top of iptables. The rules you add in CSF will be added to iptables on the back end, while cPHulk uses a MySQL database rather than iptables.

    As I have mentioned, cPHulk uses a database, so it may consume more resources during a brute-force attack.

    You can check the cPHulkd log entries at:

    tail -f /usr/local/cpanel/logs/cphulkd.log

    You can run this on the command line to disable the cPHulkd service:

    /usr/local/cpanel/bin/cphulk_pam_ctl --disable

    OR

    /usr/local/cpanel/etc/init/stopcphulkd
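
Added example, not written by any poster in this thread: a small parser for csf.conf-style text that lists the per-service login-failure triggers which are enabled and lower than the cPHulk "maximum failures per IP address" value, i.e. the services where CSF's lfd blocks an IP before cPHulk would. The LF_* setting names and the /etc/csf/csf.conf path are assumed from a stock CSF install and the sample input is constructed; check both against your own server.

```shell
#!/bin/sh
# Constructed excerpt in csf.conf syntax (KEY = "value"); not from a real server.
sample_csf_conf() {
cat <<'EOF'
# Login failure triggers (constructed sample)
LF_TRIGGER = "0"
LF_SSHD = "5"
LF_SSHD_PERM = "1"
LF_FTPD = "10"   # trailing comment, ignored by this parser
LF_SMTPAUTH = "5"
LF_POP3D = "0"
LF_IMAPD = "60"
LF_CPANEL = "5"
EOF
}

# csf_first_triggers CPHULK_MAX
# Reads csf.conf text on stdin and prints "KEY VALUE" for every per-service
# trigger that is enabled (non-zero) and lower than CPHULK_MAX.
csf_first_triggers() {
    awk -v max="$1" '
        BEGIN {
            FS = "="
            # Assumed per-service failure counters; *_PERM and LF_TRIGGER are
            # deliberately excluded because they are not attempt thresholds.
            n = split("LF_SSHD LF_FTPD LF_SMTPAUTH LF_POP3D LF_IMAPD LF_CPANEL", k, " ")
            for (i = 1; i <= n; i++) want[k[i]] = 1
        }
        /^[ \t]*#/ || NF < 2 { next }          # skip comments and non-assignments
        {
            key = $1; val = $2
            gsub(/[ \t]/, "", key)
            sub(/#.*/, "", val)                # drop any trailing comment
            gsub(/[ \t"]/, "", val)            # drop spaces and quotes
            if (!(key in want)) next
            if (val !~ /^[0-9]+$/) next        # ignore malformed values
            # 0 disables a trigger; anything below max fires before cPHulk
            if (val + 0 > 0 && val + 0 < max + 0) print key, val
        }'
}

# Example run with the cPHulk value of 50 from the first post. On a server,
# feed the real file instead (path assumed):
#   csf_first_triggers 50 < /etc/csf/csf.conf
sample_csf_conf | csf_first_triggers 50
```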
     