cPHulk not completely working

Psy14

Registered
Aug 25, 2018
Philippines
cPanel Access Level
Root Administrator
I've had cPHulk enabled for a few days now and have set it to block all countries except mine. In the History reports section, I have noticed that it works and has successfully blocked login attempts, since the number of reports has gone down significantly. However, I noticed that there are still failed login attempts in my exim_reject log file. Below are two failed login attempts from the log file.

2018-08-23 02:23:52 dovecot_plain authenticator failed for ([127.0.0.1]) [177.130.162.189]: 535 Incorrect authentication data ([email protected])
2018-08-25 13:05:58 dovecot_login authenticator failed for (vwoorqzlub) [186.227.37.16]: 535 Incorrect authentication data (set_id=irene)

IP location shows that those two IP addresses are from Brazil, which is on the blacklist. There are logins from other countries as well in the log file. Furthermore, there were login attempts from a specific IP address in the reports section that I also added into the blacklisted IPs. Login attempts from the IP disappeared in the history reports, but Exim log file still showed failed login attempts in the days after. I had to manually add the block into the Host Access filter instead. Any ideas why some login attempts are still getting through?

CentOS release 6.10 (Final)
cPanel version:11.74.0.6
envtype:virtuozzo
CPANEL=release

rpvw

Well-Known Member
Jul 18, 2013
UK
cPanel Access Level
Root Administrator
Do check to see where the GeoIP is listed.

CPHulk often reports a location that differs from the one that e.g. CSF reports (MaxMind), so CPHulk may report that an IP which you think is coming from a certain country that you have blacklisted is coming from somewhere else.

Example: 89.248.167.XXX (Multiple failed login attempts to an email account)

CPHulk thinks this is from the Netherlands
CSF/LFD thinks it is from the Seychelles

The consensus seems to be that it is from the Seychelles

Geolocation data from IP2Location (Product: DB6, updated on 2018-8-1) - Seychelles
Geolocation data from ipinfo.io (Product: API, real-time) - Seychelles
Geolocation data from EurekAPI (Product: API, real-time) - Seychelles
Geolocation data from MaxMind (Product: GeoLiteCity, updated on 2018-5-27) - Seychelles
Geolocation data from DB-IP (Product: Full, 2018-8-2) - Netherlands

So you can see, if I had blacklisted the Seychelles in CPHulk, the IP would have been allowed to attempt the login, because CPHulk thinks it was from the Netherlands.

I have asked several times in other threads for information as to what list CPHulk uses, and how often it is updated, but I have never received an answer :(

cPanelMichael

Administrator
Staff member
Apr 11, 2011
I had to manually add the block into the Host Access filter instead. Any ideas why some login attempts are still getting through?
Hello @Psy14,

cPHulk will not actually block those IP addresses at the firewall level. Instead, it's designed to ensure authentication is denied on the authentication itself. You'll still see the login attempt itself in the corresponding service log file unless you block the IP addresses using a firewall rule or the host access rules.

Thank you.
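As an added example (not code from this thread or from cPanel), here is a small Python pass over exim_rejectlog-style lines like the two quoted above: it pulls the source IP out of the dovecot authenticator failures, counts attempts per IP and lists the IPs worth reviewing for a Host Access Control or firewall deny, which is the level cPanelMichael says is needed to keep the attempts out of the log. The sample lines are constructed (the two from the post plus made-up follow-ups) and the function and group names are my own.

```python
import re
from collections import Counter

# Matches the Exim dovecot_* "authenticator failed" lines quoted in the thread.
# Group names are my own labels, not Exim field names.
AUTH_FAIL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<auth>dovecot_\w+) authenticator failed for "
    r"\((?P<helo>[^)]*)\) \[(?P<ip>[0-9a-fA-F.:]+)\]: "
    r"535 Incorrect authentication data(?: \((?P<detail>[^)]*)\))?$"
)

def parse_auth_failures(log_text):
    """One dict per failed SMTP AUTH line; other reject lines are skipped."""
    records = []
    for line in log_text.splitlines():
        m = AUTH_FAIL_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records

def failures_by_ip(records):
    """Failed AUTH attempts per source IP (the bracketed IP, not the HELO text)."""
    return Counter(r["ip"] for r in records)

def attempted_logins(records):
    """Usernames tried, taken from the 'set_id=...' detail when Exim logs one."""
    return {r["detail"][7:] for r in records
            if r["detail"] and r["detail"].startswith("set_id=")}

def candidate_blocks(records, threshold):
    """IPs with >= threshold failures, busiest first: review for a host-access or firewall deny."""
    return [ip for ip, n in failures_by_ip(records).most_common() if n >= threshold]

# Constructed sample: the two lines from the post plus made-up follow-ups
# (203.0.113.0/24 is a reserved documentation range).
SAMPLE_LOG = """\
2018-08-23 02:23:52 dovecot_plain authenticator failed for ([127.0.0.1]) [177.130.162.189]: 535 Incorrect authentication data ([email protected])
2018-08-25 13:05:58 dovecot_login authenticator failed for (vwoorqzlub) [186.227.37.16]: 535 Incorrect authentication data (set_id=irene)
2018-08-25 13:06:03 dovecot_login authenticator failed for (vwoorqzlub) [186.227.37.16]: 535 Incorrect authentication data (set_id=irene)
2018-08-25 13:06:10 dovecot_plain authenticator failed for (vwoorqzlub) [186.227.37.16]: 535 Incorrect authentication data (set_id=admin)
2018-08-25 14:01:00 H=(host.example) [203.0.113.9] rejected RCPT <bob@example.com>: relay not permitted
"""

if __name__ == "__main__":
    recs = parse_auth_failures(SAMPLE_LOG)
    for ip, n in failures_by_ip(recs).most_common():
        print(f"{ip:>16}  {n} failed AUTH attempt(s)")
    print("accounts tried:", sorted(attempted_logins(recs)))
    print("review for blocking:", candidate_blocks(recs, threshold=3))
```

Run it against a real /var/log/exim_rejectlog to see which IPs keep appearing after cPHulk has already denied their authentication; those are the ones to put in Host Access Control or the firewall, as the reply above describes.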