cPHulk warnings/auto-block suspended accounts

Discussion in 'Security' started by Mugoma, Apr 7, 2017.

  1. Mugoma

    Mugoma Well-Known Member

    We have cPHulk enabled and had no problems until after the last update.

    Before the last update it was triggering warnings and/or auto-blocks only for active accounts. But now it does so even for suspended accounts.

    The warning message seems to have also changed. Before the last update the warning email was titled "Large Number of Failed Login Attempts from <IP>". Now it's titled "Excessive Number of Failed Login Attempts from <IP> (<COUNTRY>:<COUNTRY_CODE>)".

    The problem with this is that several users either forget to renew or just take time to renew, causing their accounts to be suspended, but some of them still attempt to use their accounts even after suspension. In such cases we consider cPHulk warnings and/or auto-blocks as FALSE alarms.

    Since most users are on a shared IP, if an IP is blocked many users are affected.

    Is it possible to have cPHulk warnings/auto-blocks only on active accounts as before? This way we'll be handling only real brute force attacks. Otherwise we currently get many FALSE alarms due to checks on suspended accounts.

    Since we consider a suspended account not usable, we don't see this as a major risk.
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    Could you clarify which version of cPanel you updated from, and which version of cPanel you updated to? I can't find any information showing that cPHulk ever excluded suspended accounts from the brute force protection mechanism.

    Have you considered enabling username-based protection only, and disabling IP-based protection? This will lock out the username only, rather than locking the IP address making the failed authentication attempt.

    Thank you.
     
  3. Mugoma

    Hello,

    The updates are automatic, so we can't tell the version from/to. But it started about a month or so ago.

    My argument about excluding/including suspended accounts was just a guess. The main contention is that we are receiving many false warnings and a large portion is from suspended accounts.

    We tried username-based protection a while back, but it ended up being an inconvenience to (genuine) users. So we stopped it.

    Thanks.
     
  4. cPanelMichael

    Hello,

    Could you elaborate on this a little more? For instance, do you have multiple customers making connections to the server from the same IP address (e.g. the customers are all using a proxy or connecting from the same physical location)? If so, have you considered adding that IP address to the cPHulk Whitelist?

    Thank you.
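
Added example, not part of the original thread and not cPHulk's own logic: a simplified model of the trade-off discussed above, comparing which active users are denied under IP-based versus username-based lockout, and which over-limit IPs only ever failed against suspended accounts. The threshold, usernames and addresses are constructed assumptions.

```python
from collections import Counter

THRESHOLD = 5              # assumed failures-per-window limit, not a cPHulk default
SUSPENDED = {"expired1"}   # constructed: account suspended for non-renewal

# Constructed attempts in one window: (source_ip, username, succeeded).
ATTEMPTS = (
    [("203.0.113.10", "expired1", False)] * 6   # suspended user retrying from a shared office IP
    + [("203.0.113.10", "alice", True), ("203.0.113.10", "bob", True)]
    + [("198.51.100.7", "carol", False)] * 6    # guessing against an active account
    + [("192.0.2.50", "carol", True)]           # carol herself, from another address
)

def over_limit(attempts, field):
    """Keys (field 0 = IP, 1 = username) whose failed attempts reach THRESHOLD."""
    fails = Counter(a[field] for a in attempts if not a[2])
    return {key for key, n in fails.items() if n >= THRESHOLD}

def collateral(attempts, mode):
    """Active users with a valid login who would be denied under the given mode."""
    field = 0 if mode == "ip" else 1
    blocked = over_limit(attempts, field)
    return {a[1] for a in attempts
            if a[2] and a[field] in blocked and a[1] not in SUSPENDED}

def suspended_only_ips(attempts):
    """Over-limit IPs whose failures were all against suspended accounts."""
    return {ip for ip in over_limit(attempts, 0)
            if {a[1] for a in attempts if a[0] == ip and not a[2]} <= SUSPENDED}

if __name__ == "__main__":
    print("IP-based lockout denies:", sorted(collateral(ATTEMPTS, "ip")))
    print("Username-based lockout denies:", sorted(collateral(ATTEMPTS, "username")))
    print("Alerts from suspended accounts only:", sorted(suspended_only_ips(ATTEMPTS)))
```

In this sample, IP-based lockout cuts off the two active users sharing the suspended user's address, while username-based lockout instead denies the active user whose name is being guessed from elsewhere.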
     