The Community Forums


CPHulk - what am I missing

Discussion in 'General Discussion' started by douglatz, Jan 8, 2008.

  1. douglatz

    douglatz Member

    Joined:
    Oct 15, 2007
    Messages:
    19
    Likes Received:
    0
    Trophy Points:
    1
    Hmmm ... I'm not understanding something. If I have my cPHulk settings set like this:

    IP Based Brute Force Protection Period in minutes: 90
    Brute Force Protection Period in minutes: 90
    Maximum Failures By Account: 3
    Maximum Failures Per IP: 3
    Maximum Failures Per IP before IP is blocked for two week period: 9
    Extend account lockout time upon additional authentication failures: checked
    Send notification when brute force user is detected: checked

    Why am I seeing entries in my logins like:

    root h-66-166-56-233. system 0 2008-01-08 04:43:14
    root h-66-166-56-233. system 0 2008-01-08 04:43:40
    root h-66-166-56-233. system 0 2008-01-08 04:45:10
    root h-66-166-56-233. system 0 2008-01-08 04:44:04
    root h-66-166-56-233. system 0 2008-01-08 04:44:45
    admin h-66-166-56-233. system 0 2008-01-08 04:45:27
    admin h-66-166-56-233. system 0 2008-01-08 04:45:35
    root h-66-166-56-233. system 0 2008-01-08 04:43:31
    admin h-66-166-56-233. system 0 2008-01-08 04:45:52
    root h-66-166-56-233. system 0 2008-01-08 04:44:29
    root h-66-166-56-233. system 0 2008-01-08 04:44:12
    root h-66-166-56-233. system 0 2008-01-08 04:45:02
    root h-66-166-56-233. system 0 2008-01-08 04:43:48
    root h-66-166-56-233. system 0 2008-01-08 04:44:54
    admin h-66-166-56-233. system 0 2008-01-08 04:45:44
    root h-66-166-56-233. system 0 2008-01-08 04:43:56
    admin h-66-166-56-233. system 0 2008-01-08 04:45:19
    root h-66-166-56-233. system 0 2008-01-08 04:43:23
    admin h-66-166-56-233. system 0 2008-01-08 04:46:00
    root h-66-166-56-233. system 0 2008-01-08 04:44:21
    root h-66-166-56-233. system 0 2008-01-08 04:44:37
    admin h-66-166-56-233. system 0 2008-01-08 04:46:11

    22 attempts in 3 minutes - all from the same IP address. This IP should now be on a two week lock-down, right?
     
  2. douglatz

    douglatz Member

    Joined:
    Oct 15, 2007
    Messages:
    19
    Likes Received:
    0
    Trophy Points:
    1
    Anyone have any ideas?
     
  3. nyjimbo

    nyjimbo Well-Known Member

    Joined:
    Jan 25, 2003
    Messages:
    1,125
    Likes Received:
    0
    Trophy Points:
    36
    Location:
    New York
    We have a similar problem on our FreeBSD boxes (not sure if it's OS related). We often see a lot of bot-related FTP attacks: dictionary attacks against all our IP ranges every few days. It's not overwhelming to the machines or network, but they come up on the console from Pure-FTPd and I get the same emails from cPHulk about "Massive amount of failures from IP". The email will show the login names they used, but nothing gets done about it; we can see it go on for hours sometimes, and dozens or more of these emails get sent to me from cPanel/cPHulk.

    My feeling is something is broken in cPHulk and it might think it's doing the blocking, but it's not. I have to manually go to the machines and block them with ipfw, or kill and restart Pure-FTPd, as the bots will give up if it's down for a few seconds.
     
  4. louish

    louish Member

    Joined:
    Feb 2, 2006
    Messages:
    23
    Likes Received:
    1
    Trophy Points:
    3
    I have this same problem on 6 servers, all running WHM and cPanel. Even when I add the IP address to hosts.deny and then also deny them in hosts.allow, I still get repeated login attempts every 5 minutes.
     
  5. agentblack

    agentblack Well-Known Member

    Joined:
    Mar 28, 2008
    Messages:
    59
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Indiana
    I have this same problem; however, it's LOCKING OUT the root account to where I can't get in. Because of the amount of attacks I have been getting, I have found that it's easiest to block any IP range that is not USA based.

    I have had several attacks the past few days from China and Latin America. I blocked the entire IP address range and the attacks have slowed; however, now I'm getting them from elsewhere.

    Any idea on how to configure cPanel to block the IP and not lock the root account?
     
  6. the Eych

    the Eych Registered

    Joined:
    May 18, 2003
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    1
    Here is what you are missing

    I actually had to dig deep into cPHulk's Perl code to understand this myself. You are missing what these two settings actually mean:

    The first setting is used to find previous attempts. In your case it will look back 90 minutes in the attempts table and calculate how many failed attempts the same IP had in that 90-minute period.

    If it's a new IP that was not blocked already, it will get a maximum of "Maximum Failures Per IP" attempts and then be blocked for "Brute Force Protection Period in minutes" minutes, in your case 90 minutes.

    After the 90 minutes pass and the same IP tries again, the logic will again look back 90 minutes, and since the IP was blocked during that period it won't find any attempts and will effectively start counting the new attempts from scratch.

    It's weird logic in cPHulk itself, but you can easily fix this if you set "IP Based Brute Force Protection Period in minutes" (how many minutes to look back in the attempts table for failed attempts from the same IP) several times higher than "Brute Force Protection Period in minutes". The period in the first setting should cover the period in the second setting (the time when the IP had no attempts logged because it was blocked) and then add some more to actually find attempts before that.

    In your case I'd suggest something like:

    IP Based Brute Force Protection Period in minutes: 90
    Brute Force Protection Period in minutes: 30

    If this doesn't work as expected, just try making the difference between the two settings even bigger.
     
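The interaction the post above describes (a lookback window for counting failures versus a block period during which nothing is logged) is easy to get wrong by intuition, so here is a small model of it, added for this thread and not taken from cPHulk's Perl code. The rules it implements are assumptions read from the explanation above, not verified against cPHulk itself: failures from one IP are counted over the last "IP Based" lookback period, hitting "Maximum Failures Per IP" blocks the IP for the "Brute Force Protection Period", attempts arriving while blocked never reach the attempts table, and hitting the two-week threshold inside the window triggers the long block. The IP is taken from the hostname in the first post (an assumption), the attacker is a constructed bot retrying once a minute for 12 hours, and the three settings pairs are the original poster's 90/90, the 90/30 suggested above, and a 90/10 pair added here for comparison. Under these rules only the last pair ever reaches the two-week block: with 90/30 the window holds just three post-unblock failures at a time, so the IP is re-blocked at three forever and the count never climbs to nine, which is exactly the case where the post's advice to widen the gap further applies.

```python
"""Model of the cPHulk lookback/block interaction described in this thread.

Added illustration, not cPHulk's own code. The rules below are assumptions
taken from the explanation in the thread, not from cPHulk's source.
"""
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass(frozen=True)
class HulkSettings:
    ip_lookback_min: int            # "IP Based Brute Force Protection Period in minutes"
    block_min: int                  # "Brute Force Protection Period in minutes"
    max_per_ip: int = 3             # "Maximum Failures Per IP"
    max_before_long_block: int = 9  # "... before IP is blocked for two week period"


@dataclass
class HulkState:
    failures: dict = field(default_factory=dict)       # ip -> [timestamps of logged failures]
    blocked_until: dict = field(default_factory=dict)  # ip -> when the short block expires
    long_blocked: set = field(default_factory=set)     # ips under the two-week block


def record_failure(state: HulkState, cfg: HulkSettings, ip: str, when: datetime) -> str:
    """Process one failed login from `ip` at `when`; return what the model did with it."""
    if ip in state.long_blocked:
        return "dropped"
    until = state.blocked_until.get(ip)
    if until is not None and when < until:
        return "dropped"  # blocked: the attempt is never written to the attempts table
    # Look back over the IP window; an attempt exactly on the boundary falls out.
    window_start = when - timedelta(minutes=cfg.ip_lookback_min)
    recent = [t for t in state.failures.get(ip, []) if t > window_start]
    recent.append(when)
    state.failures[ip] = recent
    if len(recent) >= cfg.max_before_long_block:
        state.long_blocked.add(ip)
        return "long_block"
    if len(recent) >= cfg.max_per_ip:
        state.blocked_until[ip] = when + timedelta(minutes=cfg.block_min)
        return "blocked"
    return "logged"


def simulate(cfg: HulkSettings, ip: str, attempts):
    """Replay attempt timestamps from one IP. Returns (tally of outcomes,
    time of the two-week block or None if it never happened)."""
    state = HulkState()
    tally = Counter()
    first_long = None
    for when in attempts:
        outcome = record_failure(state, cfg, ip, when)
        tally[outcome] += 1
        if outcome == "long_block" and first_long is None:
            first_long = when
    return dict(tally), first_long


def patient_bot(start: datetime, every_min: int, hours: int):
    """Constructed attacker: one failed login every `every_min` minutes for `hours`."""
    count = hours * 60 // every_min
    return [start + timedelta(minutes=i * every_min) for i in range(count)]


BOT_IP = "66.166.56.233"            # assumed from hostname h-66-166-56-233 in the thread
T0 = datetime(2008, 1, 8, 4, 43)    # first timestamp in the original post


if __name__ == "__main__":
    bot = patient_bot(T0, every_min=1, hours=12)
    for cfg in (HulkSettings(90, 90), HulkSettings(90, 30), HulkSettings(90, 10)):
        tally, first_long = simulate(cfg, BOT_IP, bot)
        print(f"lookback={cfg.ip_lookback_min:3d} block={cfg.block_min:3d} -> "
              f"{tally}, two-week block at: {first_long}")
```

To test a candidate pair of settings against a slower bot, change `every_min`: a bot that waits slightly longer than the lookback period between attempts will never accumulate failures under any settings in this model, which is the limit of a purely time-windowed counter.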
  7. keddie

    keddie Well-Known Member

    Joined:
    Nov 17, 2007
    Messages:
    50
    Likes Received:
    0
    Trophy Points:
    6
    Try LFD instead

    I experimented with cPHulk about a year ago and didn't have a great experience. I now use the ConfigServer Login Failure Daemon (LFD) in conjunction with the CSF firewall. It's a free script and it's superb!

    http://www.configserver.com/cp/csf.html
     