CPHulk not blocking attempted attackers as configured

DeWebDude

Member
Mar 6, 2012
cPanel Access Level
Root Administrator
Hello All,

I have enabled and configured CPHulk Brute Force Protection, but it doesn't blacklist the offending IPs quickly, or at all, as in the configuration I have put in.

In order I have the options filled out:
1440
30
4
4
30
All check boxes are checked.

I am expecting that after 4 failures the IP will be blacklisted; however, I get an email notification showing:
/24: https://myserver.net:2087/cgi/bl.cgi?ip=218.244.245.0/24

The email also shows other IPs with 16, 20, 30 failures, and if I look at the blacklist in WHM, it didn't add that IP to the blacklist.
I do see some IPs it blacklisted, but many are not listed.

I also see literally 100's of the below line from lastb:
root ssh:notty 218.244.245.251 Fri Mar 30 07:08 - 07:08 (00:00)

If I don't click on the link from the email to add it to the blacklist it's not happening.
I am running WHM 11.32.2 (build 8) CENTOS 5.8 i686.

Any suggestions appreciated.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Hello :)

cPHulk will not actually block IP addresses from accessing your server. Instead, it's used to prevent authentication to the services it monitors. You will need to use a firewall to actually block an IP address from your server.

Thank you.
 

linux7802

Well-Known Member
Dec 14, 2007
cPanel Access Level
Root Administrator
Hello DeWebDude,

cPHulk only disables access to the respective service for a certain time period, but you will still be able to access the other services without any problem. Therefore, if you are using cPHulk for security purposes, it is always better to use the CSF firewall, as it will provide good security as well as monitoring e-mail alerts for your server, which will help you to secure the server. The CSF firewall can be managed easily from WHM once you have installed it from the shell. You can refer to the following URL for more information about the CSF firewall.

ConfigServer Scripts Forum • View forum - General Discussion (csf)
 

cPanelTristan

Quality Assurance Analyst
Staff member
Oct 2, 2010
somewhere over the rainbow
cPanel Access Level
Root Administrator
If you would like, you could use WHM > Host Access Control to block any IPs but those you allow from accessing sshd, whostmgrd and several other services. Please see our documentation on that area:

Host Access Control

If you do not wish to use a separate, unsupported firewall application such as CSF or APF for some reason, Host Access Control is the supported method to go for blocking IPs from hitting set services other than those IPs that you specifically whitelist.
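
Added example, not part of any post in this thread and not cPanel code: a shell function that tallies `lastb`-style lines per source IP and per /24, so you can see which sources exceed the 4-failure setting from the first post before blocking them in a firewall or Host Access Control. The function names, the output format and the sample lines (constructed, using documentation addresses) are assumptions.

```shell
#!/bin/sh
# Tally failed logins from lastb-style lines per source IP and per /24.
# On a live host (as root): lastb -i | tally_lastb 4

# Constructed sample in the same column layout as the lastb line quoted in
# the thread. 192.0.2.x and 198.51.100.x are documentation addresses.
sample_lastb() {
cat <<'EOF'
root     ssh:notty    192.0.2.251      Fri Mar 30 07:08 - 07:08  (00:00)
root     ssh:notty    192.0.2.251      Fri Mar 30 07:08 - 07:08  (00:00)
root     ssh:notty    192.0.2.251      Fri Mar 30 07:09 - 07:09  (00:00)
admin    ssh:notty    192.0.2.251      Fri Mar 30 07:09 - 07:09  (00:00)
root     ssh:notty    192.0.2.251      Fri Mar 30 07:10 - 07:10  (00:00)
root     ssh:notty    192.0.2.17       Fri Mar 30 07:11 - 07:11  (00:00)
test     ssh:notty    192.0.2.17       Fri Mar 30 07:11 - 07:11  (00:00)
root     ssh:notty    192.0.2.90       Fri Mar 30 07:12 - 07:12  (00:00)
root     ssh:notty    198.51.100.7     Fri Mar 30 07:13 - 07:13  (00:00)
root     ssh:notty    198.51.100.7     Fri Mar 30 07:13 - 07:13  (00:00)
root     ssh:notty    198.51.100.7     Fri Mar 30 07:14 - 07:14  (00:00)

btmp begins Fri Mar 30 07:00:00 2012
EOF
}

# Reads lastb output on stdin; prints "ip <addr> <count>" and
# "net <prefix>/24 <count>" for every source at or above the threshold.
tally_lastb() {
  threshold="${1:-4}"
  awk -v t="$threshold" '
    # Assumes field 3 is the source address; blank lines, the "btmp begins"
    # trailer and hostnames (non dotted-quad values) are skipped.
    $3 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
      ip[$3]++
      split($3, o, ".")
      net[o[1] "." o[2] "." o[3] ".0/24"]++
    }
    END {
      for (k in ip)  if (ip[k]  >= t) print "ip",  k, ip[k]
      for (k in net) if (net[k] >= t) print "net", k, net[k]
    }' | LC_ALL=C sort -k1,1 -k3,3nr -k2,2
}
```

The per-/24 tally surfaces ranges where no single address reaches the threshold but the range as a whole does, which is the situation the /24 link in the notification email points at.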