Disable lfd email alerts for whitelisted IP?

USA_Webmaster

Well-Known Member
Dec 10, 2015
64
10
58
USA
cPanel Access Level
Root Administrator
I was trying to reply to this thread but the forums locked the old post -- Viewing Successful Root Login Log

---

Hey @cPanelMichael :-D

I just checked WHM >> cPHulk Brute Force Protection Whitelist Management tab for VPS WHMCS IP and it's already listed. Why am I still getting email alert lfd WHM/cPanel root access alert from the whitelisted IPs? In the Configuration Settings tab I scrolled to the very bottom, and all three checkboxes are checked.

Am I not understanding something correctly? I do not wish to receive lfd email alert from whitelisted IP root logins. Should I uncheck those email boxes, save and restart lfd and cPHulk services?

I'm not using gmail for email alerts, just the self hosted email account that is hosted on the same WHM/cPanel server.

1. Send a notification upon successful root login when the IP address is not on the whitelist
2. Send a notification upon successful root login when the IP address is not on the whitelist, but from a known netblock
3. Send a notification when the system detects a brute force user

Thanks for your attention,

p.s. - I SSH grep "root" /usr/local/cpanel/logs/access_log and everything looks just fine... now... to just get rid of LFD email alerts... :rolleyes:
 

GOT

Get Proactive!
PartnerNOC
Apr 8, 2003
1,755
316
363
Chesapeake, VA
cPanel Access Level
DataCenter Provider
This is not coming from cPanel. It's coming from your lfd configuration. Open the firewall config and look for the ssh alert setting
 
Reactions: USA_Webmaster

USA_Webmaster

Thanks for rapid response and attention buddy...

So you're saying that both CSF LFD & cPHulk do the same job in some things... like alerts in this case? Is one service better than the other... or more superior?

Home » Plugins » ConfigServer Security & Firewall and I clicked Firewall Configuration then clicked "off" and saved + restarted. Will cPHulk still notify me if I have a security breach in the future? Like someone logs into root NOT on the whitelisted IP?


GOT

We generally turn off cPHulk when we are using LFD because by and large they overlap a lot. The setting in LFD to turn those notices off is:

LF_SSH_EMAIL_ALERT = "0"

However, it does not discriminate between whitelisted IPs or not. The notices are either on or off.
 
Reactions: cPanelMichael
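
Added example (not part of the thread): one way to read and change the setting quoted above from a shell instead of the WHM plugin page. It assumes the KEY = "value" syntax shown in the post; the helper names csf_get and csf_set are hypothetical and the sample file is constructed, standing in for /etc/csf/csf.conf.

```shell
#!/bin/sh
# Added example: read and change one setting in a csf.conf-style file.
# csf_get / csf_set are hypothetical helper names, not part of csf.

# Print the value of KEY (quotes stripped) from FILE; commented lines are ignored.
csf_get() {
    awk -v k="$1" -F'"' '
        $1 ~ "^[ \t]*" k "[ \t]*=[ \t]*$" { v = $2 }
        END { print v }
    ' "$2"
}

# Set KEY to VALUE in FILE, keeping a FILE.bak copy of the previous state.
# Refuses to act if KEY is not already an active (uncommented) setting.
csf_set() {
    key=$1 value=$2 file=$3
    grep -Eq "^[[:space:]]*${key}[[:space:]]*=" "$file" || {
        echo "$key is not set in $file" >&2
        return 1
    }
    cp -p "$file" "$file.bak" || return 1
    # Rewrite in place (same inode, same permissions); only the exact key changes.
    awk -v k="$key" -v v="$value" -F'"' '
        $1 ~ "^[ \t]*" k "[ \t]*=[ \t]*$" { print k " = \"" v "\""; next }
        { print }
    ' "$file.bak" > "$file"
}

# Constructed sample in csf.conf syntax (not a real server's file).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# LF_SSH_EMAIL_ALERT = "0" would turn the SSH login notice off
LF_SSH_EMAIL_ALERT = "1"
LF_SU_EMAIL_ALERT = "1"
EOF

echo "before: LF_SSH_EMAIL_ALERT=$(csf_get LF_SSH_EMAIL_ALERT "$sample")"
csf_set LF_SSH_EMAIL_ALERT 0 "$sample"
echo "after:  LF_SSH_EMAIL_ALERT=$(csf_get LF_SSH_EMAIL_ALERT "$sample")"
echo "backup: LF_SSH_EMAIL_ALERT=$(csf_get LF_SSH_EMAIL_ALERT "$sample.bak")"
```

On a real server the change takes effect only after the save and restart described earlier in the thread, and, as the post says, the setting is global: it silences the notice for every source IP, whitelisted or not.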

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,904
2,218
463
Hello @USA_Webmaster,

cPHulk and CSF/LFD are two separate applications. cPHulk is included as part of cPanel & WHM and is used to help prevent brute force attacks on the system. CSF/LFD is a third-party firewall management application. There is some overlap, but CSF/LFD performs more than just brute force detection. You can see all of its features at:

ConfigServer Security & Firewall (csf)

Thank you.
 
Reactions: USA_Webmaster

eugenevdm.host

Well-Known Member
Oct 21, 2019
54
6
8
Cape Town
cPanel Access Level
DataCenter Provider
Bump?

@cPanelLauren I would like some official feedback about running multiple firewalls and WHM as it seems redundant and more complex and unscalable if you're running many accounts.

Does GoDaddy use CSF, does anyone know? That is a scalable business and by all accounts they can't be on the phones the whole asking people what their IPs are and unblocking them.
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
7,519
1,027
313
cPanel Access Level
Root Administrator
Hey there, @eugenevdm.host

Previously when this has come up we have always recommended running both:


I'd recommend both even though there is a bit of overlap, but it's really personal preference.

And yes, after working at a hosting provider for many years before I came to cPanel, I promise there are many, many "please unblock my IP" calls :D