The Community Forums

cPHulk Brute Force Protection causing valid logins to fail

Discussion in 'Security' started by Mugoma, Aug 1, 2016.

  1. Mugoma

    Mugoma Member

    Joined:
    Aug 1, 2016
    Messages:
    19
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Nairobi
    cPanel Access Level:
    Root Administrator
    We enabled cPHulk Brute Force Protection on one of our servers about 6 months ago.

    One rule we use when we get a brute force attack is to check the country the attack is originating from. If it's not from the country we operate in, we block the IP address subnet permanently.

    At first this worked without a problem. There were no complaints from users.

    But for the last 3 months we have received several complaints from the country we operate in. Whenever we receive such a complaint we check if the IP is among the IP ranges in the blocked list, or if it was temporarily blocked. A few times we have located such an IP in the blocked list and removed it. But most of the time the IP doesn't appear in any of the records.

    For some time we whitelisted the affected IP to resolve the issue. But the complaints are now too many; whitelisting IPs doesn't look like the best way of handling the issue.

    We also think that disabling cPHulk Brute Force Protection will expose the server.

    A couple of questions:
    1. Why would cPanel's cPHulk block an IP and leave no trace of such a blockage?
    2. What's the remedy to the situation we find ourselves in?

    Thanks.
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,854
    Likes Received:
    675
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello,

    Is "Block IP addresses at the firewall level if they trigger brute force protection" enabled in "WHM Home >> Security Center >> cPHulk Brute Force Protection"? If so, this will block IP addresses at the firewall level. Review the following document, and then compare the documented settings with your configured values:

    cPHulk Brute Force Protection - Documentation - cPanel Documentation

    Thank you.
     
  3. Mugoma

    Mugoma Member

    Joined:
    Aug 1, 2016
    Messages:
    19
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Nairobi
    cPanel Access Level:
    Root Administrator
    We have the following settings.

    Brute Force Protection Period (in minutes): 5
    Maximum Failures by Account: 15
    IP Address-based Brute Force Protection Period (in minutes): 60
    Maximum Failures per IP Address: 3
    Block IP addresses at the firewall level if they trigger brute force protection: FALSE (UNCHECKED)
    Maximum Failures per IP Address before the IP Address is Blocked for One Day: 10
    Block IP addresses at the firewall level if they trigger a one-day block: TRUE (CHECKED)
    Duration for Retaining Failed Logins (in minutes): 360


    Then:
    1. Apply protection to local addresses only
    2. IP Address-based Protection

    Before raising the ticket I checked the firewall and didn't see anything:

    # iptables -L INPUT -v -n
    Chain INPUT (policy ACCEPT 263K packets, 162M bytes)
    pkts bytes target prot opt in out source destination
    86M 27G acctboth all -- * * 0.0.0.0/0 0.0.0.0/0
    217M 75G cphulk all -- * * 0.0.0.0/0 0.0.0.0/0

    So, to answer your question, there's an option to block at the firewall but the firewall doesn't show anything. Is there another way to check this?

    Another thing: we receive an email for all brute force attempts. For all the cases where there's no record of the IP being blocked in WHM, we also don't have an email about that IP being involved in brute force.

    Thanks.
     
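    An added example, not from the thread and not cPanel's own code, for the firewall check in the post above. `iptables -L INPUT` lists only the jump into the `cphulk` chain, so the block rules themselves have to be read from that chain (`iptables -S cphulk`, run as root on the server). The script below parses that listing with Python's ipaddress module and reports every rule whose source network contains a given address, so an IP that falls inside a permanently blocked subnet (the /24 in the constructed sample) is found even though no /32 entry for it exists. The sample listing, the addresses in it and the `live_listing` helper are assumptions made for this example.

```python
"""Find which rules in the cPHulk iptables chain cover a given IP address.

Added example (not cPanel's code). It reads the `iptables -S <chain>` listing
format, one `-A <chain> ...` line per rule. SAMPLE_RULES is constructed for
this example; on a real server use live_listing() to read the real chain.
"""
import ipaddress
import re
import subprocess

# Constructed sample of `iptables -S cphulk` output. The INPUT chain shown in
# the thread only contains the jump into this chain; block rules live here.
SAMPLE_RULES = """\
-N cphulk
-A cphulk -s 203.0.113.0/24 -j DROP
-A cphulk -s 198.51.100.17/32 -j DROP
-A cphulk -s 192.0.2.44/32 -p tcp -m tcp --dport 22 -j DROP
"""

# Matches an append rule with a source match and a jump target.
_RULE_RE = re.compile(
    r"^-A\s+(?P<chain>\S+)\s+.*?-s\s+(?P<src>\S+).*?-j\s+(?P<target>\S+)"
)


def parse_rules(listing):
    """Return (network, target, raw_line) for every -A rule that has a -s match.

    Chain declarations (-N) and rules without a source match are skipped.
    strict=False accepts networks written with host bits set.
    """
    rules = []
    for line in listing.splitlines():
        line = line.strip()
        m = _RULE_RE.match(line)
        if not m:
            continue
        net = ipaddress.ip_network(m.group("src"), strict=False)
        rules.append((net, m.group("target"), line))
    return rules


def rules_covering(ip, rules):
    """All parsed rules whose source network contains `ip`.

    Containment is checked with ipaddress, so a /24 block covers every
    address in it; a grep for the literal /32 would miss that.
    """
    addr = ipaddress.ip_address(ip)
    return [r for r in rules if addr in r[0]]


def is_dropped(ip, rules):
    """True if any covering rule drops or rejects the address."""
    return any(target in ("DROP", "REJECT") for _, target, _ in rules_covering(ip, rules))


def live_listing(chain="cphulk"):
    """Read the real chain with `iptables -S`; None if that is not possible here.

    Assumed helper: needs root and an iptables binary, so it is not used by the test.
    """
    try:
        out = subprocess.run(["iptables", "-S", chain], capture_output=True, text=True, check=True)
    except (OSError, subprocess.CalledProcessError):
        return None
    return out.stdout


if __name__ == "__main__":
    listing = live_listing() or SAMPLE_RULES
    rules = parse_rules(listing)
    for ip in ("203.0.113.77", "198.51.100.17", "198.51.100.18"):
        hits = rules_covering(ip, rules)
        state = "DROPPED" if is_dropped(ip, rules) else "not in chain"
        print(f"{ip}: {state}")
        for _, _, raw in hits:
            print("   ", raw)
```

    The point to check first on a server like the one in the thread is the chain the INPUT listing jumps to, not INPUT itself; and because the poster blocks whole subnets, a user's address can be dropped by a /24 rule while no entry for that exact address exists anywhere.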
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,854
    Likes Received:
    675
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello,

    You can browse to "WHM >> Security Center >> cPHulk Brute Force Protection", select the "History" tab, and choose the "One-Day Blocks" option from the drop-down menu. Do you see any entries in the interface when completing these steps? If not, how long ago did you last notice this issue?

    Thank you.
     