cPHulk Brute Force Protection

Operating System & Version
CENTOS 7.9 kvm
cPanel & WHM Version
v98.0.6

lewdigital

Registered
Sep 15, 2020
2
0
1
Greece
cPanel Access Level
Root Administrator
I am experiencing a one day block for my public ip everyday....


Configuration Settings
Username-based Protection
ON
Username-based protection tracks login attempts for user accounts. When disabled, cPHulk will not lock user accounts, but existing account locks will remain.
Brute Force Protection Period (in minutes)
15

Maximum Failures by Account

2
ON : Apply protection to local addresses only
OFF : Apply protection to local and remote addresses
OFF : Allow username protection to lock the “root” user.


IP Address-based Protection
ON
IP Address-based protection tracks login attempts from specific IP addresses. When disabled, cPHulk will not block IP addresses, but existing blocks will remain.
IP Address-based Brute Force Protection Period (in minutes)

15
Maximum Failures per IP Address

1
Command to Run When an IP Address Triggers Brute Force Protection


ON: Block IP addresses at the firewall level if they trigger brute force protection


One-day Blocks
Maximum Failures per IP Address before the IP Address is Blocked for One Day
2

Command to Run When an IP Address Triggers a One-Day Block


ON : Block IP addresses at the firewall level if they trigger a one-day block
Login History
Duration for Retaining Failed Logins (in minutes)
129600

---------------------------------------------------------------------------------------------------------------

The only thing that i do is to have opened the email address via outlook .
Nothing else to trigger an ip block , what is the problem here?
It started random , not from the begin of activation of Cphulk .

Im willing to pay to get rid of this or for better configure of CpHulk .
I own a Cpanel licence via Contabo and they refused to assist me with this because it is firewall settings.
 

Attachments

Last edited by a moderator:

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
7,519
1,027
313
cPanel Access Level
Root Administrator
Hey there! It definitely seems odd that an email client connecting would trigger that block. The best thing to do would be to add your local IP address to the server's whitelist in WHM >> cPHulk Brute Force Detection, as that would keep you from being blocked anywhere in the future. If your home IP address doesn't change frequently, it's a good idea to have that whitelisted anyway in case you're doing testing with an account to avoid false positives as you manage users.
 

lewdigital

Registered
Sep 15, 2020
2
0
1
Greece
cPanel Access Level
Root Administrator
Hey there! It definitely seems odd that an email client connecting would trigger that block. The best thing to do would be to add your local IP address to the server's whitelist in WHM >> cPHulk Brute Force Detection, as that would keep you from being blocked anywhere in the future. If your home IP address doesn't change frequently, it's a good idea to have that whitelisted anyway in case you're doing testing with an account to avoid false positives as you manage users.
Thank you for your reply , this is what i am doing everytime i loging from mobile with 4g and i add the home ip to the whitelist .
But it is weird that this is happening.
I believe that often i get a message from google also that my ip is with suspicious traffic but for sure it is not something on my computer except the public ip that i get from my isp is often blocked on some RBL lists .

I dont know if anyone else experiencing the same with Cosmote .

Is there any way to find out what triggers the 1 day ban to that ip ?
Probably if i will remove the 1 day block i will not getting banned but what's the point then to use CPHULK.


And as you can see in attached files , i dont have any other rule is secured like not secured.
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
7,519
1,027
313
cPanel Access Level
Root Administrator
Since the issue happens when you check the mail from Outlook, you may want to check the /var/log/maillog file on the system as that will show authentications to the mailserver. That log may show odd authentication issues from the client if that is what is triggering this.