shacker23

Well-Known Member
Feb 20, 2005
We've always run ConfigServer's excellent CSF on our cPanel servers, with great results. However, we use it in a fairly basic way, without too much advanced configuration. Brute force detection and blocking is our main goal. A while back, cPanel introduced cPHulk, which seems to do the same thing but with far fewer configuration options.

We are now considering dropping CSF and running with just cPHulk. Has anyone gone through a similar conversion? Any regrets? Any gotchas we should be aware of?

Thanks.
 

shacker23

Well-Known Member
Feb 20, 2005
Sorry, I should clarify. We've used CSF for years but have never had a need for the more advanced features. Basically we use it for auto-blocking, whitelisting and blacklisting. And cPHulk provides all of that. Now we have a situation where CSF is making things a bit tricky, and we'd prefer a simpler solution, so we're considering no longer using both, and going with cPHulk only. I should have phrased the question like this: Will we lose any level of security by stopping CSF and using cPHulk only? Since cPHulk is the "official" solution, I'd like to hope it's considered by cPanel to be very secure.

To confirm, both tools simply manipulate iptables based on bad behavior, right? It's not like they're using totally different baseline techniques...
 

LaceHost-Ishan

Active Member
Dec 6, 2008
Pune, India
cPanel Access Level
DataCenter Provider
cPHulk is only brute force detection/failed login blocking, whereas a firewall or a security solution (CSF) includes a lot more.

If you are interested in only auto-blocking, cPHulk is good, but a properly configured firewall is a must for security.

What if you get an Apache DDoS attack? CSF will help you mitigate it, but cPHulk won't. cPHulk is good at what it does, but it cannot replace an entire security solution.
 

cPanelTristan

Quality Assurance Analyst
Staff member
Oct 2, 2010
somewhere over the rainbow
cPanel Access Level
Root Administrator
cPHulk uses a MySQL database that does not use iptables in the manner CSF is using. It is more intensive to block using cPHulk due to the fact it blocks based on logging authentications to a MySQL database and then determining actions based on it. It is actually more streamlined and easier to manage CSF / LFD due to it dealing directly with iptables via flat files.

If you want a simpler solution, you should simply deal with iptables directly, since iptables would then cut out any overhead in using another product layer on top of it. You can add your own entries into iptables and block based on number of login attempts within a set timeframe. There are sites discussing how to do this:

http://www.ducea.com/2006/06/28/using-iptables-to-block-brute-force-attacks/
http://kevin.vanzonneveld.net/techblog/article/block_brute_force_attacks_with_iptables/

The examples are for SSH, but you can use it for any port that you want to restrict the number of login attempts in a set time period.
 
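The iptables recipe Tristan points to (count new connections per source address and drop a source that exceeds a threshold inside a time window) can be written as a small shell script. The block below is an added example for this thread; it is not code from the thread, from cPanel, or from ConfigServer. It wraps the `recent` match in functions so the generated rules can be read before anything is applied, and generalises the SSH case to any port. The function names, the default values (port 22, 4 attempts in 60 seconds, list name `SSH`) and the trusted network in the usage note are assumptions; `/proc/net/xt_recent/<name>` is the kernel's own view of the tracked addresses.

```shell
#!/bin/sh
# Added example, not code from the thread, cPanel or ConfigServer: the
# iptables "recent" module recipe the linked articles describe, wrapped
# in small functions so the rule set can be reviewed before it is applied.
# Port, attempt count, window and list name are parameters; the defaults
# used below (port 22, 4 attempts in 60 seconds, list "SSH") are assumed.

# Print the rules that throttle NEW connections to PORT: a source that
# opens HITS or more connections within SECS seconds is dropped until it
# has been quiet for SECS seconds. Nothing is applied by this function.
rate_limit_rules() {
    port="$1"; hits="$2"; secs="$3"; name="${4:-BRUTE$1}"
    # Rule 1: if the source already has HITS entries inside the window,
    # refresh its timestamp (so a source that keeps hammering stays
    # blocked) and drop the packet.
    printf 'iptables -A INPUT -p tcp --dport %s -m conntrack --ctstate NEW -m recent --update --seconds %s --hitcount %s --name %s --rsource -j DROP\n' \
        "$port" "$secs" "$hits" "$name"
    # Rule 2: otherwise record this attempt against the source address.
    printf 'iptables -A INPUT -p tcp --dport %s -m conntrack --ctstate NEW -m recent --set --name %s --rsource\n' \
        "$port" "$name"
}

# Print a whitelist rule for CIDR on PORT (the "whitelisting" the thread
# talks about). It must be evaluated before the limiter, so it is
# inserted at the top of the chain with -I rather than appended with -A.
whitelist_rule() {
    printf 'iptables -I INPUT -p tcp --dport %s -s %s -j ACCEPT\n' "$1" "$2"
}

# Apply the limiter rules for real. Refuses to run without root and iptables.
apply_rules() {
    if [ "$(id -u)" -ne 0 ] || ! command -v iptables >/dev/null 2>&1; then
        echo "apply_rules: needs root and iptables" >&2
        return 1
    fi
    rate_limit_rules "$@" | while IFS= read -r cmd; do
        echo "+ $cmd"
        eval "$cmd"
    done
}

# Show which sources the kernel currently tracks for list NAME
# (one line per address with its recent hit timestamps); useful when a
# customer reports being locked out and you need to see why.
show_tracked() {
    f="/proc/net/xt_recent/$1"
    if [ -r "$f" ]; then
        cat "$f"
    else
        echo "no list named $1 (rules not loaded, or xt_recent missing)" >&2
    fi
}

# Usage: sh brute.sh                  -> print the default SSH rules
#        sh brute.sh 993 6 120 IMAPS  -> print rules for another port
#        sh brute.sh --apply 22 4 60  -> apply them (root only)
#        sh brute.sh --show SSH       -> list currently tracked sources
case "${1:-}" in
    --apply) shift; apply_rules "${1:-22}" "${2:-4}" "${3:-60}" "${4:-SSH}" ;;
    --show)  show_tracked "${2:-SSH}" ;;
    *)       rate_limit_rules "${1:-22}" "${2:-4}" "${3:-60}" "${4:-SSH}" ;;
esac
```

Two caveats a practitioner will hit. First, rules added this way live only in the running kernel and vanish on reboot unless saved with `iptables-save`; on a server where CSF is still installed, CSF rebuilds the whole rule set when it restarts, so hand-written rules belong in its `/etc/csf/csfpost.sh` hook rather than beside it. Second, the limiter counts connections per source address, so a NAT gateway with many users behind it (the office or mobile-carrier case "Data" complains about later in the thread) will trip the threshold as one client; that is what `whitelist_rule 22 203.0.113.0/24` (an assumed, documentation-range network) is for.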

shacker23

Well-Known Member
Feb 20, 2005
Many thanks Tristan and Lace - exactly the kind of info we were looking for. I didn't realize they were fundamentally different in approach - assumed cPHulk was just a stripped down firewall, but apparently not. In this case, we'll keep CSF and dig deeper into configuring it for the weird use case we've got here.
 

shacker23

Well-Known Member
Feb 20, 2005
By the way, I would suggest that cPanel should say in big bold letters in the cPHulk documentation:

Use cPHulk for Brute Force Protection

Note: cPHulk is NOT a firewall product, and should not be used in lieu of a full-featured firewall. cPHulk is fully compatible with popular cPanel firewall systems.


In fact, it would be good to put words to that effect directly into the cPHulk UI in WHM. I wonder how many hosts out there are running cPHulk alone, mistakenly thinking that it provides DDoS and other protections.
 

cPanelTristan

Quality Assurance Analyst
Staff member
Oct 2, 2010
somewhere over the rainbow
cPanel Access Level
Root Administrator
Hello shacker23,

If you would like the wording changed in our documentation, you may wish to submit a feature request for that change to this location:

http://go.cpanel.net/iwant

Thanks!
 

anton_latvia

Well-Known Member
PartnerNOC
May 11, 2004
Latvia
cPanel Access Level
Root Administrator
Hm.. I might have misunderstood cPHulk, or at least had a bad experience when it was first introduced. Since then we have liked and used CSF with cPHulk disabled. But there is one issue with CSF/LFD: CPU usage, for an unknown reason. Probably it is reparsing log files or something like that. I liked the approach of cPHulk of using MySQL to store each login attempt. But still, CSF/LFD has a much wider list of options. Can anyone suggest how to use both products (if this is a good idea), or which of their functions overlap?

Anton.
 

Data

Member
Nov 19, 2013
cPanel Access Level
Reseller Owner
Excuse me ..cPHulk what?

With all due respect, I have spent dozens of hours watching cPHulk's behavior and it is a true ****.

If you have more than 200 clients on the server, you can check how the IPs of your clients are being blocked; cPHulk does not distinguish good from bad. You can see there are attempts to access an e-mail from different countries, and if your client accesses at that moment, their IP is blocked.

It is common for several users connected from the same IP to be blocked by cPHulk if they charge mobile phones, Outlook or Webmail at the same time.
The worst of all is that to unblock them you have to erase all the threat history, since you cannot individually select the IPs to add them to the whitelist or blacklist; you will have to do them one by one by hand.

If your clients barely have an email to connect from time to time, there won't be much of a problem; they won't complain if they are blocked for a few minutes. But if your client has a team, he's already screwed with cPHulk.

Even adding the IP to the whitelist in cPHulk is not completely free of being blocked.

Do you know what customers tell me when I tell them that their service has been blocked for security? ... "They tell me that with a damn Gmail account nothing ever happens to them," and they threaten me, saying that I either fix it or they stop being my customers.

Regards = :0)