cPHulk Not Always Blocking

Discussion in 'General Discussion' started by rezman, Apr 27, 2012.

  1. rezman

    I've been using cPanel for a few years now and for the second time in the past month I had a brute-force attack that cPHulk didn't seem to block.

    The brute attack was on dovecot pop3-login both times. They slam every IP on the server. I have a /25 for SSL web sites. cPHulk sends out the email like normal but doesn't seem to block the IP. In return it keeps sending out the warning email, causing a flood. The only reason I found these was due to the mail queue on my other mail server receiving the emails jumping to a little over 5000 within a short time. Total emails sent according to the mail send summary this morning is 4,995. The only way to stop it was to add it into the firewall.

    Now the cPanel server load wasn't very high so it was handling the failed login attempts with ease, but shouldn't the cPanel server stop sending the warning emails once cPHulk blocks the IP address?

    I do still have the following in my Brutes (Excessive Login Failures):

    Code:
    IP: 190.213.105.62
    
    Notes: 955 failed login attempts to account moon (system) -- Large number of attempts from this IP: 190.213.105.62
    
    Begin:  2012-04-27 02:04:41
    Expire: 2012-05-11 02:04:41
    
    Even though it only says 955, I count 222,397 in /var/log/maillog

    Code:
    # grep "190.213.105.62" maillog | grep "auth failed" | wc -l
    222397
     
  2. ruzbehraja

    You may want to open a ticket with cPanel.

    In addition you may want to consider disabling cPHulk and using CSF, which uses iptables to filter out DoS-type attacks.
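
Added example, not part of the original posts: the thread's `grep ... | wc -l` count generalized into a per-source tally of failed Dovecot logins, including how many of the server's local IPs each source hit. It assumes Dovecot's `rip=`/`lip=` login-line fields; the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Assumed Dovecot login-line format:
#   ... dovecot: pop3-login: Aborted login (auth failed, N attempts): user=<u>, method=PLAIN, rip=A, lip=B

# failed_by_source [MIN]  (reads a mail log on stdin)
# Prints "failed_lines distinct_local_ips source_ip", highest count first,
# for every source with at least MIN "auth failed" lines (default 1).
failed_by_source() {
    awk -v min="${1:-1}" '
        /auth failed/ {
            rip = ""; lip = ""
            for (i = 1; i <= NF; i++) {
                f = $i
                sub(/,$/, "", f)                      # drop the trailing comma
                if (f ~ /^rip=/) rip = substr(f, 5)   # remote (client) address
                if (f ~ /^lip=/) lip = substr(f, 5)   # local address that was hit
            }
            if (rip == "") next
            fails[rip]++
            if (lip != "" && !((rip, lip) in seen)) { seen[rip, lip] = 1; lips[rip]++ }
        }
        END {
            for (ip in fails)
                if (fails[ip] >= min)
                    printf "%d %d %s\n", fails[ip], lips[ip], ip
        }
    ' | sort -k1,1nr -k3,3
}

# Constructed sample lines using documentation addresses (not taken from the thread's log).
sample_maillog() {
    cat <<'EOF'
Apr 27 02:04:41 host dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<moon>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10
Apr 27 02:04:42 host dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<moon>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.11
Apr 27 02:04:43 host dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<admin>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.11
Apr 27 02:05:10 host dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<moon>, method=PLAIN, rip=198.51.100.23, lip=192.0.2.10
Apr 27 02:05:30 host dovecot: pop3-login: Login: user=<moon>, method=PLAIN, rip=198.51.100.23, lip=192.0.2.10
Apr 27 02:05:31 host dovecot: pop3-login: Disconnected (no auth attempts): rip=198.51.100.99, lip=192.0.2.10
EOF
}

# Demo: sources with at least 2 failed-login lines in the sample.
sample_maillog | failed_by_source 2
```

On a live server, feed it the log directly, e.g. `failed_by_source 100 < /var/log/maillog`; it counts log lines, the same thing `grep | wc -l` counts, so the totals can be compared against what cPHulk reports.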
     