cPHulk Doesn't work?

Discussion in 'General Discussion' started by jazz57, Jul 18, 2007.

  1. jazz57

    jazz57 Member

    I've enabled the new Brute Force Protection (cPHulk), but it doesn't seem to work! I can't really find any documentation about it either, save for what is included on the configuration screen itself.

    Last night logs showed a single IP trying 8100 different logins using random usernames/passwords. cPHulk didn't do a thing.

    Am I missing something or is this one of those "feel good" features that doesn't really do anything useful? Has anyone actually gotten it to work?

    Thanks for reading,
    Jazzy
     
  2. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Works here. Did you change any settings?
     
  3. cPanelDavidG

    cPanelDavidG Technical Product Specialist

    It works well for me (managed to trip the protections myself many times on the test server I use).
     
  4. outlaw web

    outlaw web Well-Known Member

    lol

    well it works too well for me :)

    OWM:confused:
     
  5. spearhead

    spearhead Member

    More details if you wish to get help. What ver of cPanel? What OS? What was in the logs that was the malfunction? I never had it work either - but I've been using APF & BFD and with custom bash scripts for BFD I run it across all FTP, Apache & exim login failures (along with SSH but that's simple). But, it's not as easy to work with as the cPanel tool appears to be.

    CentOS does some odd things by default with logging.
     
  6. Frimon86

    Frimon86 BANNED

    What cpanel version are you using?
     
  7. jazz57

    jazz57 Member

    It's the CURRENT version (WHM 11.2.0/cPanel 11.6.1) on CentOS 4.5. I can see the process cPhulkd running but it doesn't seem to do anything. There are no error messages. Default configs.

    I think I may go for a more "tried and true" protection method until I know more about how it works.

    Jazzy
     
  8. cPanelDavidG

    cPanelDavidG Technical Product Specialist

    Which build of CURRENT are you using? The latest build (as of posting) is 15328.
     
  9. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Want to test it? Use the wrong password or username to log in to your cPanel. When it fails, try again. If that doesn't get you blocked, try one more time and you will be.

    That said, until my IP can be added to a bypass list, (as in CSF) this is disabled.

    As with a few things in the newest cPanel, this is not exactly ready for prime time. Great idea, not quite there yet. IMHO of course.
     
  10. jazz57

    jazz57 Member

     
  11. jazz57

    jazz57 Member

    Yes, it's version 15328.
     
  12. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

     
  13. jazz57

    jazz57 Member

     
  14. dexus

    dexus Well-Known Member

    I enabled cPHulk yesterday on one server just to test it, and I checked the option "Send notification when brute force user is detected", just to be informed when cPHulk does something...

    Today I received a few mails like this:

    Subject: Massive amount of failures from IP
    0 login failures attempts to account user (system)

    Shouldn't there be some IP address in the subject?

    Is 0 login failures really such a "Massive amount of failures" :) lol

    Does anyone else have such a problem? Is this just a notification email problem?
     
  15. cPanelKenneth

    cPanelKenneth cPanel Development
    Staff Member

    It might be. What is your cPanel version?
     
  16. dexus

    dexus Well-Known Member

    I think latest release WHM 11.2.0 cPanel 11.6.0-R15076
     
  17. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Just came across this one myself today. Failures was set to 5 in BFP. Login failures in the email sent said 4, so I guess on the 5th it locked the IP out. (or so it would have you think)

    It did not show the IP in the email, but did show a customer's email address. Checking via CLI showed a nice long list of the same IP which was not being blocked though.

    Manually blocked it, seconds later memory use returned to normal.

    BFP shows the IP as blocked on the list as expected.

    I'm done with this one till it's been improved a bit, if I use it again at all. Not enough info for my tastes in the email, and now, not even sure it works for all things as expected.
    (although I have been able to lock myself out testing it)

    The IP BFP reports should have been listed in mail, and where this email came from might have been nice as well. ;)

    Like chirpy's CSF does perfectly. http://www.configserver.com/cp/csf.html
    Which most all of us trust 110%

    ATM running:

    WHM 11.2.0 cPanel 11.8.0-C15896

    I do believe CSF handles this type of situation much more gracefully too. So, running them side by side may not be a very good idea as originally thought.

    If BFP blocked the IP, then why did memory continue to skyrocket and the IP continue to be connected seemingly? (thinking out loud here)

    CSF kicks these types of issues to the curb with extreme prejudice, emails you a report and lets you know where the email came from. All important things, IMHO.

    Nice idea, not quite ready for prime time I don't think.
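
Added example, not part of the thread and not cPanel or CSF code: one way to do the command-line cross-check described in the post above, tallying failed logins per source IP against the failure threshold of 5 and listing offenders that are missing from a block list. The sshd-style log lines, the addresses (documentation ranges) and the one-IP-per-line block list file are constructed assumptions; cPHulk's own log and list formats do not appear on this page.

```shell
#!/bin/sh
# Added example: flag IPs at or over a failure threshold that are not on a
# block list. All log lines and addresses below are constructed.
THRESHOLD=5   # the "Failures" value mentioned in the thread

sample_log() {   # constructed sshd-style lines; IPs are documentation ranges
cat <<'EOF'
Jul 18 02:11:01 host sshd[4101]: Failed password for invalid user admin from 203.0.113.7 port 40111 ssh2
Jul 18 02:11:02 host sshd[4102]: Failed password for invalid user test from 203.0.113.7 port 40112 ssh2
Jul 18 02:11:03 host sshd[4103]: Failed password for invalid user from from 203.0.113.7 port 40113 ssh2
Jul 18 02:11:04 host sshd[4104]: Failed password for root from 203.0.113.7 port 40114 ssh2
Jul 18 02:11:05 host sshd[4105]: Failed password for invalid user ftp from 203.0.113.7 port 40115 ssh2
Jul 18 02:11:06 host sshd[4106]: Failed password for invalid user www from 203.0.113.7 port 40116 ssh2
Jul 18 02:12:01 host sshd[4201]: Failed password for root from 198.51.100.23 port 51001 ssh2
Jul 18 02:12:02 host sshd[4202]: Failed password for root from 198.51.100.23 port 51002 ssh2
Jul 18 02:12:03 host sshd[4203]: Failed password for root from 198.51.100.23 port 51003 ssh2
Jul 18 02:12:04 host sshd[4204]: Failed password for root from 198.51.100.23 port 51004 ssh2
Jul 18 02:12:05 host sshd[4205]: Failed password for root from 198.51.100.23 port 51005 ssh2
Jul 18 02:13:01 host sshd[4301]: Failed password for alice from 192.0.2.44 port 52001 ssh2
Jul 18 02:13:02 host sshd[4302]: Failed password for alice from 192.0.2.44 port 52002 ssh2
Jul 18 02:13:09 host sshd[4303]: Accepted password for alice from 192.0.2.44 port 52003 ssh2
EOF
}

# Print "count ip", highest first. The scan runs right to left so a username of
# "from" (third sample line) cannot be mistaken for the address.
failures_by_ip() {
  awk '/Failed password for/ {
         for (i = NF - 1; i >= 1; i--) if ($i == "from") { n[$(i + 1)]++; break }
       }
       END { for (ip in n) print n[ip], ip }' | sort -k1,1nr -k2,2
}

over_threshold() {   # $1 = threshold; log on stdin
  failures_by_ip | awk -v t="$1" '$1 >= t { print $2 }'
}

# $1 = threshold, $2 = block list file (one IP per line, hypothetical format)
unblocked_offenders() {
  over_threshold "$1" |
    awk -v f="$2" 'BEGIN { while ((getline l < f) > 0) b[l] = 1 } !($1 in b)'
}

blocked=$(mktemp); echo 198.51.100.23 > "$blocked"   # constructed block list
sample_log | failures_by_ip
sample_log | unblocked_offenders "$THRESHOLD" "$blocked"
rm -f "$blocked"
```

Any address printed by `unblocked_offenders` has reached the threshold without being blocked, which is the condition reported in this thread.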
     
  18. cPanelKenneth

    cPanelKenneth cPanel Development
    Staff Member

    Thanks for your reporting, Infopro. Would you mind also stating which OS/Distro you are using? Thanks
     
  19. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    WHM 11.2.0 cPanel 11.8.0-C15896
    REDHAT Enterprise 4 i686 - WHM X v3.1.0
     
  20. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Just a little bit more on this, the user was logging in via webmail and could not remember password. That would explain the number of IP connections I think.

    Not sure why memory spiked so bad though. Server has 2GB, this failed login, blocked by BFP? ate most of it during the time it was happening until IP was blocked manually using CSF.

    Maybe that's enough for QA to take a closer look and lock themselves out to test. I'm not about to. :p
     