cpHulk warnings/auto-block suspended accounts

Mugoma (Well-Known Member, joined Aug 1, 2016, Nairobi; cPanel Access Level: Root Administrator)
We have cpHulk enabled and have been having no problem till after last update.

Before the last update it was triggering warnings and/or auto-block only for active accounts. But now it does so even for suspended accounts.

The warning message seems to have also changed. Before the last update the warning email was titled "Large Number of Failed Login Attempts from <IP>". Now it's titled "Excessive Number of Failed Login Attempts from <IP> (<COUNTRY>:<COUNTRY_CODE>)".

The problem with this is that several users either forget to renew or just take time to renew causing their accounts to be suspended, but some of them still attempt to use their accounts even after suspension. In such cases we consider cpHulk warnings and/or auto-block as FALSE alarms.

Most users are on a shared IP, so if an IP is blocked many users get affected.

Is it possible to have cpHulk warnings/auto-block only on active accounts, as before? This way we'll be handling only real brute force attacks. Otherwise, as it is now, we get many FALSE alarms due to checks on suspended accounts.

Since we consider a suspended account unusable, we don't see this as a major risk.

cPanelMichael (Administrator, Staff member, joined Apr 11, 2011)
Hello,

Could you clarify which version of cPanel you updated from, and which version of cPanel you updated to? I can't find any information showing that cPHulk ever excluded suspended accounts from the brute force protection mechanism.

Have you considered enabling username-based protection only, and disabling IP-based protection? This will lock out the username only, rather than locking the IP address making the failed authentication attempt.

Thank you.

Mugoma (Well-Known Member)
Hello,

The updates are automatic, so I can't tell which version we updated from or to. But it started about a month or so ago.

My argument about excluding/including suspended accounts was just a guess. The main contention is that we are receiving many false warnings and a large portion is from suspended accounts.

We tried username-based protection a while back but it ended up being an inconvenience to (genuine) users. So, we stopped it.

Thanks.

cPanelMichael (Administrator, Staff member)
Mugoma said: "Most users are on a shared IP, so if an IP is blocked many users get affected."
Hello,

Could you elaborate on this a little more? For instance, do you have multiple customers making connections to the server from the same IP address (e.g. the customers are all using a proxy or connecting from the same physical location)? If so, have you considered adding that IP address to the cPHulk Whitelist?

Thank you.
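As an added illustration, not code from cPanel or from anyone in this thread: a small Python model of the two cPHulk protection modes cPanelMichael mentions (IP-based versus username-based), with the IP whitelist he suggests in his last reply and the "don't count suspended accounts" behaviour Mugoma asked for in the opening post. The log format, the sample events, the 300-second window, the 5-failure threshold and the "ignore these usernames" option are all assumptions made for the example; they are not cPHulk's real log format, defaults or settings, and cPHulk itself offers no suspended-account exclusion.

```python
from collections import defaultdict, deque

# Assumed values for the model; they are NOT cPHulk's actual defaults.
WINDOW_SECONDS = 300   # lookback window in which failures are counted
MAX_FAILURES = 5       # failures tolerated per tracked key within the window

# Constructed sample log, one event per line: "<ts> <source-ip> <username> <OK|FAIL>".
# This line format is invented for the example; it is not cPHulk's login_log format.
# Three customers (oldacct, alice, bob) share one office NAT address, 203.0.113.10.
# 'oldacct' is a suspended account whose owner keeps retrying an old password.
SAMPLE_LOG = """\
1000 203.0.113.10 oldacct FAIL
1010 203.0.113.10 oldacct FAIL
1020 203.0.113.10 alice   OK
1030 203.0.113.10 oldacct FAIL
1040 203.0.113.10 oldacct FAIL
1050 203.0.113.10 oldacct FAIL
1060 203.0.113.10 bob     OK
1070 203.0.113.10 oldacct FAIL
1080 203.0.113.10 alice   OK
1090 198.51.100.7 carol   OK
"""


def parse_log(text):
    """Parse the constructed log into (ts, ip, user, success) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((int(ts), ip, user, result == "OK"))
    return events


class LockoutTracker:
    """Sliding-window failure counter keyed by source IP or by username.

    key="ip"     models IP-based protection: the whole source address is locked.
    key="user"   models username-based protection: only that account is locked.
    whitelist    source IPs never counted or blocked (like the cPHulk whitelist).
    ignore_users usernames whose failures are not counted; this is the
                 hypothetical 'skip suspended accounts' behaviour, not a cPHulk feature.
    """

    def __init__(self, key, whitelist=(), ignore_users=()):
        if key not in ("ip", "user"):
            raise ValueError("key must be 'ip' or 'user'")
        self.key = key
        self.whitelist = set(whitelist)
        self.ignore_users = set(ignore_users)
        self._fails = defaultdict(deque)   # key -> timestamps of recent failures
        self.locked_keys = set()           # keys that tripped the threshold

    def check(self, ts, ip, user, success):
        """Classify one event as 'ok', 'fail' or 'blocked'.

        A key that has reached MAX_FAILURES inside the window is 'blocked' for
        every further attempt, including ones with the correct password; that is
        what makes IP-based locking painful behind a shared address.
        """
        if ip in self.whitelist or user in self.ignore_users:
            return "ok" if success else "fail"
        k = ip if self.key == "ip" else user
        q = self._fails[k]
        while q and ts - q[0] > WINDOW_SECONDS:   # drop failures outside the window
            q.popleft()
        if len(q) >= MAX_FAILURES:
            self.locked_keys.add(k)
            return "blocked"
        if not success:
            q.append(ts)
            return "fail"
        return "ok"


def simulate(events, tracker):
    """Run all events through a tracker; report who was blocked and which keys locked."""
    blocked_users = set()
    for ts, ip, user, success in events:
        if tracker.check(ts, ip, user, success) == "blocked":
            blocked_users.add(user)
    return {"blocked_users": blocked_users, "locked_keys": set(tracker.locked_keys)}


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    scenarios = {
        "IP-based":                         LockoutTracker("ip"),
        "username-based":                   LockoutTracker("user"),
        "IP-based + whitelisted NAT":       LockoutTracker("ip", whitelist={"203.0.113.10"}),
        "IP-based + ignore suspended user": LockoutTracker("ip", ignore_users={"oldacct"}),
    }
    for name, tracker in scenarios.items():
        print(f"{name:34s} -> {simulate(events, tracker)}")
```

Run as written, the IP-based scenario blocks alice and bob (who typed correct passwords) because the shared address tripped the threshold; the username-based scenario blocks only oldacct; whitelisting the NAT address, or not counting the suspended account's failures, blocks nobody in this sample.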