cPHulk vs. CSF

Discussion in 'Security' started by shacker23, Nov 1, 2011.

  1. shacker23

    shacker23 Well-Known Member

    We've always run ConfigServer's excellent CSF on our cPanel servers, with great results. However, we use it in a fairly basic way, without too much advanced configuration. Brute force detection and blocking is our own main goal. A while back, cPanel introduced cPHulk, which seems to do the same thing but with far fewer configuration options.

    We are now considering dropping CSF and running with just cPHulk. Has anyone gone through a similar conversion? Any regrets? Any gotchas we should be aware of?

    Thanks.
     
  2. cwalke32477

    cwalke32477 Well-Known Member

    You may want to look into the more advanced options of CSF.
    It's way more powerful than cPHulk. You can also use the two side by side.
     
  3. shacker23

    shacker23 Well-Known Member

    Sorry, I should clarify. We've used CSF for years but have never had a need for the more advanced features. Basically we use it for auto-blocking, whitelisting and blacklisting. And cPHulk provides all of that. Now we have a situation where CSF is making things a bit tricky, and we'd prefer a simpler solution, so we're considering no longer using both, and going with cPHulk only. I should have phrased the question like this: Will we lose any level of security by stopping CSF and using cPHulk only? Since cPHulk is the "official" solution, I'd like to hope it's considered by cPanel to be very secure.

    To confirm, both tools simply manipulate iptables based on bad behavior, right? It's not like they're using totally different baseline techniques...
     
  4. LaceHost-Ishan

    LaceHost-Ishan Active Member

    cPHulk is only brute force detection/failed login blocking, whereas a firewall or a security solution (CSF) includes a lot more.

    If you are interested in only auto-blocking, cPHulk is good, but a properly configured firewall is a must for security.

    What if you get an Apache DDoS attack? CSF will help you mitigate it, but cPHulk won't. cPHulk is good at what it does, but it cannot replace an entire security solution.
     
  5. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    cPHulk uses a MySQL database that does not use iptables in the manner CSF is using. It is more intensive to block using cPHulk due to the fact it blocks based on logging authentications to a MySQL database and then determining actions based on it. It is actually more streamlined and easier to manage CSF / LFD due to it dealing directly with iptables via flat files.

    If you want a simpler solution, you should simply deal with iptables directly, since iptables would then cut out any overhead in using another product layer on top of it. You can add your own entries into iptables and block based on number of login attempts within a set timeframe. There are sites discussing how to do this:

    http://www.ducea.com/2006/06/28/using-iptables-to-block-brute-force-attacks/
    http://kevin.vanzonneveld.net/techblog/article/block_brute_force_attacks_with_iptables/

    The examples are for SSH, but you can use it for any port that you want to restrict the number of login attempts in a set time period.
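
An added example, not part of the thread or of the linked articles: the kind of per-port rule set the post above describes, built on the iptables `recent` match. The function name `bf_rules`, the chain and list names, and the thresholds are assumptions chosen for illustration.

```sh
#!/bin/sh
# Added example (not from the thread): throttle new connections per source IP
# with the iptables "recent" match. Chain and list names are assumptions.
#
# Usage: bf_rules PORT SECONDS HITCOUNT [TRUSTED_CIDR...]
# Prints the commands for review; pipe the output to `sh` as root to apply.
# The body runs in a subshell, so `exit` only sets the function's status.
bf_rules() (
    [ $# -ge 3 ] || { echo "usage: bf_rules PORT SECONDS HITCOUNT [CIDR...]" >&2; exit 2; }
    port=$1 seconds=$2 hits=$3
    shift 3

    # Only plain decimal numbers may reach the generated command lines.
    for n in "$port" "$seconds" "$hits"; do
        case $n in ''|*[!0-9]*) echo "not a number: $n" >&2; exit 2 ;; esac
    done
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || exit 2
    [ "$seconds" -ge 1 ] || exit 2
    # xt_recent keeps 20 packets per address by default (ip_pkt_list_tot),
    # and a larger --hitcount is rejected when the rule is loaded.
    [ "$hits" -ge 1 ] && [ "$hits" -le 20 ] || exit 2

    chain="BF_$port" list="bf_$port"
    echo "iptables -N $chain"

    # Trusted sources leave the chain before they are counted.
    for cidr in "$@"; do
        case $cidr in ''|*[!0-9./]*) echo "bad CIDR: $cidr" >&2; exit 2 ;; esac
        echo "iptables -A $chain -s $cidr -j RETURN"
    done

    # Record the source, then drop it once it has HITCOUNT entries inside the
    # window. --update refreshes the timestamp, so a source that keeps
    # retrying stays blocked until it is quiet for SECONDS.
    echo "iptables -A $chain -m recent --name $list --set"
    echo "iptables -A $chain -m recent --name $list --update --seconds $seconds --hitcount $hits -j DROP"

    # Only NEW connections are counted. This limits connection attempts, not
    # failed logins: iptables cannot see whether authentication succeeded.
    echo "iptables -I INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j $chain"
)
```

For example, `bf_rules 22 60 4 203.0.113.0/24` prints five commands that drop a source on its fourth new SSH connection within 60 seconds, while the constructed documentation range 203.0.113.0/24 is never counted.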
     
  6. shacker23

    shacker23 Well-Known Member

    Many thanks Tristan and Lace - exactly the kind of info we were looking for. I didn't realize they were fundamentally different in approach - assumed cPHulk was just a stripped down firewall, but apparently not. In this case, we'll keep CSF and dig deeper into configuring it for the weird use case we've got here.
     
  7. shacker23

    shacker23 Well-Known Member

    By the way, I would suggest that cPanel should say in big bold letters in the cPHulk documentation:

    Use cPHulk for Brute Force Protection

    Note: cPHulk is NOT a firewall product, and should not be used in lieu of a full-featured firewall. cPHulk is fully compatible with popular cPanel firewall systems.


    In fact, it would be good to put words to that effect directly into the cPHulk UI in WHM. I wonder how many hosts out there are running cPHulk alone, mistakenly thinking that it provides DDoS and other protections.
     
  8. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Hello shacker23,

    If you would like the wording changed in our documentation, you may wish to submit a feature request for that change to this location:

    http://go.cpanel.net/iwant

    Thanks!
     
  9. shacker23

    shacker23 Well-Known Member

    Good suggestion - done!
     
  10. anton_latvia

    anton_latvia Well-Known Member
    PartnerNOC

    Hm.. I might have misunderstood cPHulk, or at least had a bad experience when it was first introduced. Since then we have liked and used CSF with cPHulk disabled. But there is one issue with CSF/LFD: CPU usage, for an unknown reason. Probably it is reparsing log files or something like that. I liked the approach of cPHulk using MySQL to store each login attempt. But CSF/LFD still has a wider list of options. Can anyone suggest how to use both products (if this is a good idea) or which of their functions overlap?

    Anton.
     