The Community Forums


cPHulk whitelist syntax, list of services affected, clearing

Discussion in 'Security' started by pthirose, Mar 31, 2010.

  1. pthirose

    What is the syntax for whitelisting? Can it be a network address as in 1.2.3.0/24? Or is it only singular IP addresses? Apparently, I can also enter a hostname. If a hostname has multiple IP addresses, how does that work? I'm guessing cPHulk either does a forward lookup on the hostname and then sees if the IP address of the source of the incoming connection matches, and/or does a reverse lookup on the IP address to see if it matches a name in the whitelist?

    Separately, what login methods are blocked by cPHulk? Is it just the web login via port 2087 and 2083? Does it affect FTP, SSH, telnet, etc methods of logging in to the box?

    Finally, the docs clearly show a URL I can call to clear out (presumably all) the blocked IPs (.../scripts2/doautofixer?autofix=disable_cphulkd). Does this imply that anyone who actually knows to use this URL, could clear the blocked IP list w/out authenticating anyway?

    Thank you,
    PH
     
  2. cPanelDon

    cPanelDon cPanel Quality Assurance Analyst
    Staff Member

    Are you referring to the cPHulk whitelist "Trusted IPs"? Given the information provided by the documentation versus the newer wording used in WHM I have submitted an internal inquiry to obtain further clarification on your behalf. I will update this thread with any new information received. For reference, the tracking number assigned to this inquiry is case 39598.

    To the best of my knowledge cPHulk will apply to system users, virtual FTP user accounts, and e-mail accounts, including login attempts via cPanel, WHM, Webmail, Web Disk, IMAP and POP (via Dovecot or Courier), SMTP (via Exim), FTP (via Pure-FTPd or ProFTPd), and SSH/SFTP (via sshd).

    Authentication is required before using WHM; this also includes API requests as well as direct requests to specific auto-fixer or auto-repair scripts.
     
    #2 cPanelDon, Apr 1, 2010
    Last edited: Aug 24, 2010
  3. pthirose


    I'm sorry, yes. The Trusted IP list.


    Ah. But if the root user (or whatever user(s) allowed to run the script) are blocked from logging in because of cPHulk, then this script still can't be run. And if I could login, then I don't specifically need that particular auto-fixer script, since wouldn't Main >> Security Center >> cPHulk Brute Force Protection >> Flush DB essentially do the same thing? Or does the auto-fixer script do something different?

    The auto-fixer script was given as a URL, and I haven't found its equivalent for the command line, if the user were able to login via ssh. But since cPHulk also blocks ssh logins, I'm not sure. I suppose any user still ssh-able would be able to directly tap into the MySQL database for cPHulk and/or run the script from the shell. Although I'm guessing one must be root to run the script from the shell.


    Thank you,
    PH
     
  4. density5

    Is there an update on this? I really need to know as we connect to our dedicated server from a dynamic IP.
     
  5. cPanelDon

    cPanelDon cPanel Quality Assurance Analyst
    Staff Member

    In its current form, the auto-fixer, disable_cphulkd, will attempt to remove an entry containing "pam_hulk.so" from the system-auth PAM configuration (at "/etc/pam.d/system-auth").

    Here is the command-line (CLI) equivalent to running the auto-fixer in WHM that may be used via root SSH or console access:
    Code:
    # /scripts/autorepair disable_cphulkd
    For clarification, the name of an auto-repair AKA auto-fixer script, such as disable_cphulkd, can be entered via the following URI in WebHost Manager:
    Code:
    /scripts2/autofixer
    If security (session) tokens are enabled, the aforementioned WHM URI must be placed after the session token in the URL, like in the following example:
    Code:
    https://$host:2087/cpsess0123456789/scripts2/autofixer
    If the specific IP address you're accessing from is blocked, you may need to either contact your upstream data center to assist via direct console access, use remote KVM or KVM over IP access, or connect from a different originating IP address that is not blocked.
     
    #5 cPanelDon, Aug 24, 2010
    Last edited: Aug 24, 2010
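
    What the disable_cphulkd auto-fixer described above does to the PAM stack, as an added example that is not cPanel's own code: a small Python script that parses /etc/pam.d/system-auth style rules, reports which rules load pam_hulk.so, and returns the configuration with those rules removed (idempotent, so running it twice is harmless). The sample file contents, the exact `auth required pam_hulk.so` line and the backup file name are constructed for illustration; the real cPHulk rule may use a different control flag or arguments.

```python
"""Added example: reproduce the disable_cphulkd auto-fixer's edit on a PAM config."""
import re

SYSTEM_AUTH_PATH = "/etc/pam.d/system-auth"   # path named in the forum post
HULK_MODULE = "pam_hulk.so"

# Constructed sample config; the real cPHulk rule may differ in control flag/args.
SAMPLE_SYSTEM_AUTH = """\
#%PAM-1.0
auth        required      pam_env.so
auth        required      pam_hulk.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so
"""

# type, control (bare word or [bracketed list]), module path, optional args
_PAM_RULE = re.compile(r'^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$')


def parse_pam_line(line):
    """Split one PAM rule into (type, control, module, args); comments/blank -> None."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    m = _PAM_RULE.match(stripped)
    return m.groups() if m else None


def _loads_hulk(rule):
    # Module may be given as a bare name or a full path such as /lib/security/pam_hulk.so
    return rule is not None and rule[2].rsplit("/", 1)[-1] == HULK_MODULE


def hulk_entries(config_text):
    """1-based line numbers of rules that load pam_hulk.so (empty list = not hooked)."""
    return [n for n, line in enumerate(config_text.splitlines(), 1)
            if _loads_hulk(parse_pam_line(line))]


def disable_cphulk(config_text):
    """Return (new_text, removed_rules). Only pam_hulk.so rules are dropped; every
    other line, including comments and spacing, is preserved verbatim."""
    kept, removed = [], []
    for line in config_text.splitlines(keepends=True):
        if _loads_hulk(parse_pam_line(line)):
            removed.append(line.rstrip("\n"))
        else:
            kept.append(line)
    return "".join(kept), removed


def disable_cphulk_file(path=SYSTEM_AUTH_PATH):
    """Apply the edit on disk: keep a backup of the original, then write the stripped copy."""
    with open(path) as f:
        original = f.read()
    new_text, removed = disable_cphulk(original)
    if removed:
        with open(path + ".cphulk-bak", "w") as f:   # backup name is an assumption
            f.write(original)
        with open(path, "w") as f:
            f.write(new_text)
    return removed


if __name__ == "__main__":
    print("hooked on lines:", hulk_entries(SAMPLE_SYSTEM_AUTH))
    text, gone = disable_cphulk(SAMPLE_SYSTEM_AUTH)
    print("removed:", gone)
    print(text)
```

    Note what this does and does not do: it only unhooks the PAM module, so PAM-backed logins (sshd, FTP, Dovecot, and so on) stop consulting cPHulk; it does not flush cPHulk's own block list, so re-enabling the module without clearing that list brings the block straight back. Removing a rule from a PAM stack is safe here only because pam_hulk.so adds a check rather than performing the authentication; do not apply the same pattern to pam_unix.so or pam_deny.so lines.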
  6. cPanelDon

    cPanelDon cPanel Quality Assurance Analyst
    Staff Member

    To explicitly clarify, you may input entries that conform to the following syntax, as exhibited by each example:
    • An IP address range in CIDR notation
      Example:
      Code:
      10.0.0.0/8
    • An IP address
      Example:
      Code:
      192.168.1.1
    • An IPv6 address
      Example:
      Code:
      3ffe:1900:4545:3:200:f8ff:fe21:67cf

    The configuration area in WHM for cPHulk Brute Force Protection has been overhauled and now includes example entries, as seen above, showing proper syntax. These enhancements are in an upcoming release, that of cPanel 11.25.1, AKA cPanel 11.28, and are currently available using the cPanel EDGE release tier; in due course the new version will make its way to other release tiers including CURRENT, RELEASE, and then STABLE.
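
    The three entry forms listed above, worked through as an added example that is not cPanel's code and not a statement of how cPHulk matches internally: a Python parser for a Trusted IPs list that accepts exactly a CIDR range, a bare IPv4 address or a bare IPv6 address, rejects anything else (a hostname, a wildcard such as 117.*, or a CIDR with host bits set), and then tests a connecting address against the list. The sample list and the IPv4-mapped IPv6 handling (for a dual-stack daemon that reports ::ffff:a.b.c.d) are my assumptions; the thread does not say how cPHulk itself treats either case.

```python
"""Added example: validate cPHulk-style Trusted IPs entries and match a source address."""
import ipaddress

# Constructed list: the three documented forms plus three entries that should be rejected.
SAMPLE_TRUSTED_LIST = [
    "10.0.0.0/8",                               # CIDR range
    "192.168.1.1",                              # single IPv4 address
    "3ffe:1900:4545:3:200:f8ff:fe21:67cf",      # single IPv6 address
    "office.example.com   # hostname, not a documented form",
    "117.*                # wildcard, not a documented form",
    "192.168.1.1/24       # host bits set: ambiguous, so refuse it",
]


def parse_trusted_entries(lines):
    """Return (networks, rejected). Single addresses become /32 or /128 networks so
    one membership test covers all three forms. strict=True makes '192.168.1.1/24'
    a rejection rather than silently widening it to 192.168.1.0/24."""
    networks, rejected = [], []
    for raw in lines:
        entry = raw.split("#", 1)[0].strip()   # allow trailing comments in our own file
        if not entry:
            continue
        try:
            networks.append(ipaddress.ip_network(entry, strict=True))
        except ValueError:
            rejected.append(entry)
    return networks, rejected


def normalize_source(source_ip):
    """Parse the connecting address; fold IPv4-mapped IPv6 (::ffff:a.b.c.d) back to IPv4
    so an IPv4 whitelist entry still matches a dual-stack socket's view of the client."""
    addr = ipaddress.ip_address(source_ip)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr


def is_trusted(source_ip, networks):
    """True if the source address falls inside any parsed trusted entry."""
    addr = normalize_source(source_ip)
    return any(addr in net for net in networks)


if __name__ == "__main__":
    nets, bad = parse_trusted_entries(SAMPLE_TRUSTED_LIST)
    print("accepted:", [str(n) for n in nets])
    print("rejected:", bad)
    for src in ("10.200.3.4", "192.168.1.2", "::ffff:10.1.1.1"):
        print(src, "trusted" if is_trusted(src, nets) else "not trusted")
```

    Rejecting rather than ignoring bad entries matters for the use case raised earlier in the thread (admins on a dynamic IP): a mistyped entry that is silently dropped turns into a lockout the next time the address changes, so validate the list before relying on it.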
     
  7. DeepCover

    So that I am clear: If I blacklist IP addresses or CIDRs under CPHulk Brute Force Protection > Whitelist/Blacklist, will web visitors still be able to access all the public websites on port 80?

    If my understanding is correct, the IPs blacklisted under CPHulk will not be able to log-in anywhere to any services such as CPanel, WHM, mail, FTP, and the like, but they can still visit the websites on the server.

    Thanks very much.
     
  8. cPanelDon

    cPanelDon cPanel Quality Assurance Analyst
    Staff Member

    Yes; I believe that your understanding is correct. cPHulk Brute Force Protection affects whether or not login attempts result in success or failure. With cPHulk enabled, if a login attempt is from an IP address that is blacklisted in cPHulk then the attempted login will not result in successful authentication.
     
  9. DeepCover

    Don, I very much appreciate your response. I am far from an expert on Linux or WHM.

    We are running CPanel/WHM on a company server, and only a few of our employees need log-in privileges. It is a private company server, and we do not sell CPanel accounts to the public.

    Our server gets quite a bit of Brute Force hack attempts from China and other countries, but I do not want to block traffic to websites while making the server more secure.

    Ideally, I would like to whitelist the few IP address that need log-in access, and then blacklist the rest of the planet, all while not blocking any normal website traffic.

    Is there a single IP range, perhaps using wildcards (*), or some other single line of code, that I can place in the CPHulk Blacklist and that would block all other IPs on the planet? (Or, would I need to enter every IP range such as 117.0.0.0/8?)

    Again, thanks, Don.
     
  10. density5

    If it turns out that's what you need to do, the site Country IP Blocks is very helpful for generating tailored ranges in various formats.
     