cPHulk Use and Blacklist options

The_Hawk

Registered
Nov 28, 2013
cPanel Access Level
Website Owner
This is going to take a little explaining, but I'll do my best and I hope you stick with me.

I am somewhat new to this and turned on the "Send notification when brute force user is detected" option and started seeing lots of failed attempts.

The first question I have is: how big a deal is the number of failed attempts? Should I be blacklisting them or not?


***************

On the assumption I should, I went all out and blacklisted all ranges:

1.0.0.0/8
through
254.0.0.0/8
(excluding the range my IP was in, i.e. if my IP is 123.123.123.123 I left the 123.0.0.0/8 range out of the black list).

Then whitelisted my own static public IP of 123.123.123.123

So 99% of the failed attempt notifications went away and I started to get the occasional hit from things like 123.1.x.x etc., so I started blacklisting the smaller CIDR ranges of 123.1.0.0/16 as they popped up.

So I ended up with about 250 odd entries in the blacklist.


But... That's all well and good when I'm in the office with a static IP, but not so useful when I'm on the road with my mobile internet connection in a different dynamic range.

So I've managed to track down a somewhat accurate listing of the IP pools that my ISP uses for the mobile connections. The plan was to remove these from the black list (but not add them to the white list). That way I get notified if they are used but I'm not specifically white listing them....

With me so far??


If the pool of potential IPs is a series of /16 ranges and I want to tighten the blacklist I could add back in the bits out of the range.

i.e. if the carrier's range is 123.1.0.0/16 I could then add
123.2.0.0/16
through
123.254.0.0/16

to the blacklist.


So I've put together this list and I now have a shade over 2,200 entries for the black list. Is this too many things to put into the black list?


tl;dr
How many items is too many in the blacklist?
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Hello :)

The additional entries added to the black or white list for cPhulkd are not really going to alter performance. Note that if you are the only person accessing your server, you may find the following option more useful for completely blocking access to services:

Host Access Control

Thank you.
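
The range arithmetic described in the first post (blacklist a whole block except the ranges you connect from) can be computed as a minimal CIDR list with Python's standard `ipaddress` module. This is an added example, not part of the thread or of cPanel's tooling; the function names are hypothetical, the addresses are the placeholders used in the post, and the `0.0.0.0/0` case goes beyond the 1-254 range the post lists.

```python
import ipaddress


def blacklist_complement(universe, allowed):
    """Return the smallest set of CIDR blocks covering `universe` minus `allowed`."""
    remaining = [ipaddress.ip_network(universe)]
    for allow in map(ipaddress.ip_network, allowed):
        kept = []
        for net in remaining:
            if allow.subnet_of(net):
                # Split `net` around the allowed range; yields one block per
                # prefix length between the two, not one entry per /16.
                kept.extend(net.address_exclude(allow))
            elif net.subnet_of(allow):
                continue  # the whole block is allowed, drop it
            else:
                kept.append(net)  # disjoint, keep unchanged
        remaining = kept
    return sorted(ipaddress.collapse_addresses(remaining))


def is_blocked(ip, blacklist):
    """True if `ip` falls inside any blacklist entry."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in blacklist)


if __name__ == "__main__":
    # Placeholder carrier pool from the post: keep 123.1.0.0/16 out of the
    # blacklist, block the rest of 123.0.0.0/8.
    entries = blacklist_complement("123.0.0.0/8", ["123.1.0.0/16"])
    for net in entries:
        print(net)
    print(len(entries), "entries")

    # Whole IPv4 space minus the static office IP and the carrier pool.
    everything = blacklist_complement(
        "0.0.0.0/0", ["123.123.123.123/32", "123.1.0.0/16"]
    )
    print(len(everything), "entries for the full address space")
```

Because the split follows prefix boundaries, the edges of the block (here 123.0.0.0/16 and 123.255.0.0/16) are covered too, and `is_blocked` can be used to confirm that an address you expect to connect from is not in the generated list before it is loaded.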