
have slipped through the cPHulk Brute Force Protection?

Discussion in 'Security' started by toyama, Oct 4, 2012.

  1. toyama

    toyama Member

    Hello.

    I have added a network address to the "Blocked IPs" list of "cPHulk Brute Force Protection" in order to block a persistent spammer.
    If you watch cphulkd.log, log entries similar to the following are output, so it looks like it is blocking.

    ----------------------- cphulkd.log -----------------------
    Thu Oct 4 16:09:31 2012 [info] Connection service=system ip=xxx.x.42.19 port= user=harris blocked by cphulkd (IP Address is blacklisted matched xxx.x.0.0/14)
    Thu Oct 4 16:09:33 2012 [info] Connection service=system ip=xxx.x.42.19 port= user=harris blocked by cphulkd (IP Address is blacklisted matched xxx.x.0.0/14)
    Thu Oct 4 16:09:35 2012 [info] Connection service=system ip=xxx.x.42.19 port= user=harris blocked by cphulkd (IP Address is blacklisted matched xxx.x.0.0/14)
    Thu Oct 4 16:09:37 2012 [info] Connection service=system ip=xxx.x.42.19 port= user=harris blocked by cphulkd (IP Address is blacklisted matched xxx.x.0.0/14)
    ----------------------- cphulkd.log -----------------------

    However, entries from the IP that should have been blocked are still being written to exim_mainlog.

    ----------------------- exim_mainlog -----------------------
    2012-10-04 16:09:31 dovecot_login authenticator failed for ([192.168.2.33]) [xxx.x.42.19]:3021: 535 Incorrect authentication data (set_id=harris)
    2012-10-04 16:09:33 dovecot_login authenticator failed for ([192.168.2.33]) [xxx.x.42.19]:3021: 535 Incorrect authentication data (set_id=harris)
    2012-10-04 16:09:35 dovecot_login authenticator failed for ([192.168.2.33]) [xxx.x.42.19]:3021: 535 Incorrect authentication data (set_id=harris)
    2012-10-04 16:09:37 dovecot_login authenticator failed for ([192.168.2.33]) [xxx.x.42.19]:3021: 535 Incorrect authentication data (set_id=harris)
    2012-10-04 16:09:39 dovecot_login authenticator failed for ([192.168.2.33]) [xxx.x.42.19]:3021: 535 Incorrect authentication data (set_id=harris)
    ----------------------- exim_mainlog -----------------------


    So, is cPHulk Brute Force Protection not working?

    Thanks
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello :)

    cPHulk will not actually block IP addresses from accessing your server. Instead, it's used to prevent authentication to the services it monitors. You will need to use a firewall to actually block an IP address from your server. Many users report a good experience using a third-party firewall called CSF:

    Config Server Firewall

    Thank you.
     
  3. PPNSteve

    PPNSteve Well-Known Member

    I'm seeing hundreds of these 'access attempts' lately as well, all reporting as different ISP IPs but all with the 192.168.2.33 local IP.

    Is this some exploit out in the wild?

    Can we stop it?

    How would we block it in, let's say, the CSF firewall?
     
  4. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Same here. Something's up.
     
  5. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    As for blocking the spoofed IP, just block the 192.168.2.0/24 range in the INPUT chain of your server, either in CSF or in iptables directly if you aren't using CSF. As for how to do that, CSF has options for blocking in the WHM > Plugins > ConfigServer Security & Firewall area.
     
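Putting the two staff replies together, here is an added example (not code from the thread, from cPanel or from CSF): it tallies the failed `dovecot_login` authentications in exim_mainlog by the real peer address, the `[ip]:port` field after the parenthesised HELO name, because that is the address a firewall rule has to match, and it prints candidate deny commands for review. The log lines are constructed to mirror the ones quoted above, with 203.0.113.0/24 and 198.51.100.0/24 documentation addresses standing in for the obfuscated xxx.x.42.19; the function names and the failure threshold are my own.

```shell
#!/bin/sh
# Added example, not code from the thread or from cPanel/CSF. cPHulk refuses the
# login but does not drop packets, so the same peer keeps hitting exim/dovecot.
# A deny list needs the real peer IP ("[ip]:port" field), not the HELO literal in
# parentheses, which in the thread is the spoofed private address 192.168.2.33.

# Constructed sample in exim_mainlog format; 203.0.113.x / 198.51.100.x are
# documentation ranges standing in for the obfuscated xxx.x.42.19.
SAMPLE_LOG='2012-10-04 16:09:31 dovecot_login authenticator failed for ([192.168.2.33]) [203.0.113.19]:3021: 535 Incorrect authentication data (set_id=harris)
2012-10-04 16:09:33 dovecot_login authenticator failed for ([192.168.2.33]) [203.0.113.19]:3021: 535 Incorrect authentication data (set_id=harris)
2012-10-04 16:09:35 dovecot_login authenticator failed for ([192.168.2.33]) [203.0.113.19]:3022: 535 Incorrect authentication data (set_id=harris)
2012-10-04 16:09:40 dovecot_login authenticator failed for ([192.168.2.33]) [198.51.100.7]:4410: 535 Incorrect authentication data (set_id=harris)
2012-10-04 16:10:02 dovecot_login authenticator failed for (mail.example.net) [198.51.100.7]:4411: 535 Incorrect authentication data (set_id=alice)
2012-10-04 16:10:05 1TjPxx-0001Ab-2f <= bob@example.org H=(host.example.org) [203.0.113.50] P=esmtpa A=dovecot_login:bob S=1234'

# failed_auth_sources LOGTEXT -> "count peer_ip last_helo" per peer, busiest first.
# $7 is the parenthesised HELO name, $8 the real peer as "[ip]:port:".
failed_auth_sources() {
    printf '%s\n' "$1" | awk '
        /authenticator failed for/ {
            helo = $7; gsub(/[()]/, "", helo)
            ip = $8; gsub(/[][]/, "", ip); sub(/:.*$/, "", ip)
            n[ip]++; h[ip] = helo
        }
        END { for (ip in n) printf "%d %s %s\n", n[ip], ip, h[ip] }' | sort -rn
}

# private_helo_sources LOGTEXT MIN -> peers with at least MIN failures that
# presented an RFC 1918 address literal as HELO (the pattern seen in the thread).
private_helo_sources() {
    printf '%s\n' "$1" | awk -v min="$2" '
        /authenticator failed for/ {
            helo = $7; ip = $8; gsub(/[][]/, "", ip); sub(/:.*$/, "", ip)
            if (helo ~ /^\(\[(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)/) p[ip]++
        }
        END { for (ip in p) if (p[ip] >= min) print ip }' | sort
}

# deny_commands IPLIST -> prints (does not run) one iptables INPUT DROP rule and
# one CSF deny per peer, for review before applying.
deny_commands() {
    printf '%s\n' "$1" | while read -r ip; do
        [ -n "$ip" ] || continue
        printf 'iptables -I INPUT -s %s -j DROP\n' "$ip"
        printf 'csf -d %s "dovecot_login brute force behind spoofed HELO"\n' "$ip"
    done
}

deny_commands "$(private_helo_sources "$SAMPLE_LOG" 2)"
```

Against a live server, pass the contents of exim_mainlog instead of SAMPLE_LOG; the commands are only printed so that the list can be checked before anything is applied.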