Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!

cPHulk not completely working

Discussion in 'E-mail Discussion' started by Psy14, Aug 25, 2018.

Tags:
  1. Psy14

    Psy14 Registered

    Joined:
    Aug 25, 2018
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Philippines
    cPanel Access Level:
    Root Administrator
    I've had cPHulk enabled for a few days now and have set it to block all countries except mine. In the History reports section, I have noticed that it works and has successfully blocked login attempts since the number of reports has gone down significantly. However I noticed that there are still failed login attempts in my exim_reject log file. Below are two failed login attempts from the log file.

    2018-08-23 02:23:52 dovecot_plain authenticator failed for ([127.0.0.1]) [177.130.162.189]: 535 Incorrect authentication data (set_id=irene@xxx.com)
    2018-08-25 13:05:58 dovecot_login authenticator failed for (vwoorqzlub) [186.227.37.16]: 535 Incorrect authentication data (set_id=irene)

    IP location shows that those two IP addresses are from Brazil, which is on the blacklist. There are logins from other countries as well in the log file. Furthermore, there were login attempts from a specific IP address in the reports section that I also added into the blacklisted IPs. Login attempts from the IP disappeared in the history reports, but Exim log file still showed failed login attempts in the days after. I had to manually add the block into the Host Access filter instead. Any ideas why some login attempts are still getting through?

    CentOS release 6.10 (Final)
    cPanel version:11.74.0.6
    envtype:virtuozzo
    CPANEL=release
     
    #1 Psy14, Aug 25, 2018
    Last edited by a moderator: Aug 25, 2018
  2. rpvw

    rpvw Well-Known Member

    Joined:
    Jul 18, 2013
    Messages:
    1,088
    Likes Received:
    441
    Trophy Points:
    113
    Location:
    Spain
    cPanel Access Level:
    Root Administrator
    Do check to see where the GeoIP is listed.

    CPHulk often reports a location that differs from the location that eg CSF reports (MaxMind), so that CPHulk reports that an IP that you think is coming from a certain country that you have blacklisted, is coming from somewhere else.

    Example: 89.248.167.XXX (Multiple failed login attempts to an email account)

    CPHulk thinks this is from the Netherlands
    CSF/LFD thinks it is from the Seychelles

    The consensus seems to be that it is from the Seychelles

    Geolocation data from IP2Location (Product: DB6, updated on 2018-8-1) - Seychelles
    Geolocation data from ipinfo.io (Product: API, real-time) - Seychelles
    Geolocation data from EurekAPI (Product: API, real-time) - Seychelles
    Geolocation data from MaxMind (Product: GeoLiteCity, updated on 2018-5-27) - Seychelles
    Geolocation data from DB-IP (Product: Full, 2018-8-2) - Netherlands

    So you can see, if I had blacklisted the Seychelles in CPHulk, the IP would have been allowed to attempt the login; because CPHulk thinks it was from the Netherlands.

    I have asked several times in other threads for information as to what list CPHulk uses, and how often it is updated, but I have never received an answer :(
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  3. cPanelMichael

    cPanelMichael Technical Support Community Manager Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    46,968
    Likes Received:
    2,119
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Twitter:
    Hello @Psy14,

    cPHulk will not actually block those IP addresses at the firewall level. Instead, it's designed to ensure authentication is denied on the authentication itself. You'll still see the login attempt itself in the corresponding service log file unless you block the IP addresses using a firewall rule or the host access rules.

    Thank you.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
Loading...

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice