Disable lfd email alerts for whitelisted IP?

[USA_Webmaster]

I was trying to reply to this thread but forums locked old post -- Viewing Successful Root Login Log

---

Hey @cPanelMichael

I just checked WHM >> cPHulk Brute Force Protection Whitelist Management tab for VPS WHMCS IP and it's already listed. Why am I still getting email alert lfg WHM/cPanel root access alert from the whitelisted IPs? In the Configuration Settings tab I scroll to very bottom, and all three checkboxes are checked.

Am I not understanding something correctly? I do not wish to receive lfd email alert from whitelisted IP root logins. Should I uncheck those email boxes, save and restart lfd and cPHulk services?

I'm not using gmail for email alerts, just the self hosted email account that is hosted on the same WHM/cPanel server.

1. Send a notification upon successful root login when the IP address is not on the whitelist
2. Send a notification upon successful root login when the IP address is not on the whitelist, but from a known netblock
3. Send a notification when the system detects a brute force user

Thanks for your attention,

p.s. - I SSH grep "root" /usr/local/cpanel/logs/access_log and everything looks just fine... now... to just get rid of LFD email alerts...

 

[GOT]

This is not coming from cPanel. It's coming from your lfd configuration. Open the firewall config and look for the ssh alert setting

 

[USA_Webmaster]

Thanks for rapid response and attention buddy...

So your saying that both CSF LFD & cPHulk do the same job in somethings... like alerts in this case? Is one service better than the other... or more superior?

Home » Plugins » ConfigServer Security & Firewall and I clicked Firewall Configuration than click "off" and saved + restarted. Will cPHulk still notify me if I have a security breach in the future? Like someone logs into root NOT on the whitelisted IP?

- Removed -

 

[GOT]

We generally turn off CPHulk when we are using LFD because by and large they overlap a lot. The setting in LFD to turn those notices off is

LF_SSH_EMAIL_ALERT = "0"

However, it does not discriminate between whitelisted IPs or not. The notices are either on or off.

 

[cPanelMichael]

Hello @USA_Webmaster,

cPHulk and CSF/LFD are two separate applications. cPHulk is included as part of cPanel & WHM and is used to help prevent brute force attacks on the system. CSF/LFD is a third-party firewall management application. There is some overlap, but CSF/LFD performs more than just brute force detection. You can see all of it's features at:

ConfigServer Security & Firewall (csf)

Thank you.

 

[eugenevdm.host]

@cPanelMichael,

Do you agree with the one user here if one uses CSF that cPHulk should be switched off? I'm finding I have to do lots of overlapping administration running both.

 

[eugenevdm.host]

Bump?

@cPanelLauren I would like some official feedback about running multiple firewalls and WHM as it seems redundant and more complex and unscalable if you're running many accounts.

Does GoDaddy use CSF, anyone knows? That is a scalable business and by all accounts they can't be on the phones the whole asking people what their IPs are and unblocking them.

 

[cPRex]

Hey there, @eugenevdm.host

Previously when this has come up we have always recommended running both:

SOLVED - cPHulk with CSF?

I want to make 2 questions: 1- Is good tactic to have both cPHulk and CSF enable? I setup csf to block SMTP, IMAP, POP3 attempts! So is good choice to have also cPHulk run? 2- If cPHulk blogs a bruteforce attack for an email is possible no one (include legitimate users) can't login to emails...

forums.cpanel.net

SOLVED - Using cPHulk and CSF Together?

Decided to turn on CpHulk today as we just used CSF mainly and found cpHulk blocking some brute force attacks that CSF is not finding. Looks like it improved alot. Do you guys recommend we still stick with CSF and just find the cause or is using both better now? or just cphulk Lastly here is...

forums.cpanel.net

More about using cPhulk with CSF/LFD together

Quoting from an old thread that can no longer accept new posts at SOLVED - Using cPHulk and CSF Together? Naaa just started it. No changes whatsoever. I'm thinking of adding this to command text "csf --tempdeny %remote_ip% 3600" Then when bruteforce is picked up with Cphulk it does not block...

forums.cpanel.net

I'd recommend both even though there is a bit of overlap, but it's really personal preference.

And yes, after working at a hosting provider for many years before I came to cPanel, I promise there are many, many "please unblock my IP" calls :D