have slipped through the cPHulk Brute Force Protection?

toyama

Member
Jun 17, 2011
Hello.

I have added a network address to the "Blocked IPs" list of "cPHulk Brute Force Protection" in order to block a persistent spammer.
If I watch cphulkd.log, log lines like the following are output, so it appears to be blocking.

----------------------- cphulkd.log -----------------------
Thu Oct 4 16:09:31 2012 [info] Connection service=system ip=xxx.x.42.19 port= user=harris blocked by cphulkd (IP Address is blacklisted matched xxx.x.0.0/14)
Thu Oct 4 16:09:33 2012 [info] Connection service=system ip=xxx.x.42.19 port= user=harris blocked by cphulkd (IP Address is blacklisted matched xxx.x.0.0/14)
Thu Oct 4 16:09:35 2012 [info] Connection service=system ip=xxx.x.42.19 port= user=harris blocked by cphulkd (IP Address is blacklisted matched xxx.x.0.0/14)
Thu Oct 4 16:09:37 2012 [info] Connection service=system ip=xxx.x.42.19 port= user=harris blocked by cphulkd (IP Address is blacklisted matched xxx.x.0.0/14)
----------------------- cphulkd.log -----------------------

However, log entries from the IP that should have been blocked are still being output to exim_mainlog.

----------------------- exim_mainlog -----------------------
2012-10-04 16:09:31 dovecot_login authenticator failed for ([192.168.2.33]) [xxx.x.42.19]:3021: 535 Incorrect authentication data (set_id=harris)
2012-10-04 16:09:33 dovecot_login authenticator failed for ([192.168.2.33]) [xxx.x.42.19]:3021: 535 Incorrect authentication data (set_id=harris)
2012-10-04 16:09:35 dovecot_login authenticator failed for ([192.168.2.33]) [xxx.x.42.19]:3021: 535 Incorrect authentication data (set_id=harris)
2012-10-04 16:09:37 dovecot_login authenticator failed for ([192.168.2.33]) [xxx.x.42.19]:3021: 535 Incorrect authentication data (set_id=harris)
2012-10-04 16:09:39 dovecot_login authenticator failed for ([192.168.2.33]) [xxx.x.42.19]:3021: 535 Incorrect authentication data (set_id=harris)
----------------------- exim_mainlog -----------------------


Does this mean cPHulk Brute Force Protection is not running?

Thanks
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Hello :)

cPHulk will not actually block IP addresses from accessing your server. Instead, it's used to prevent authentication to the services it monitors. You will need to use a firewall to actually block an IP address from your server. Many users report a good experience using a third-party firewall called CSF:

Config Server Firewall

Thank you.
 

cPanelTristan

Quality Assurance Analyst
Staff member
Oct 2, 2010
somewhere over the rainbow
cPanel Access Level
Root Administrator
As for blocking the spoofed IP, just block the 192.168.2.0/24 range for INPUT chain to your server either in CSF or in iptables directly if you aren't using CSF. As for how to do that, CSF has options in WHM > Plugins > ConfigServer Security&Firewall area on blocking.
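To check this on your own server, here is a small added script (not from the thread, and not cPanel or CSF code) that parses lines in the two log formats quoted above and flags each Exim dovecot_login failure for which cPHulk logged a refusal of the same IP and user at the same moment; such a pair is cPHulk doing its job, while a failure with no matching cphulkd entry is the one worth investigating. The sample log lines and addresses are constructed.

```python
import re
from datetime import datetime

# Constructed sample lines modelled on the two log formats quoted in the thread
# (placeholder addresses, not the poster's masked values).
CPHULKD_LOG = """\
Thu Oct 4 16:09:31 2012 [info] Connection service=system ip=203.0.113.19 port= user=harris blocked by cphulkd (IP Address is blacklisted matched 203.0.0.0/14)
Thu Oct 4 16:09:33 2012 [info] Connection service=system ip=203.0.113.19 port= user=harris blocked by cphulkd (IP Address is blacklisted matched 203.0.0.0/14)
"""
EXIM_MAINLOG = """\
2012-10-04 16:09:31 dovecot_login authenticator failed for ([192.168.2.33]) [203.0.113.19]:3021: 535 Incorrect authentication data (set_id=harris)
2012-10-04 16:09:33 dovecot_login authenticator failed for ([192.168.2.33]) [203.0.113.19]:3021: 535 Incorrect authentication data (set_id=harris)
2012-10-04 16:10:05 dovecot_login authenticator failed for ([192.168.2.33]) [198.51.100.7]:4402: 535 Incorrect authentication data (set_id=harris)
"""

CPHULK_RE = re.compile(
    r"^(\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) \[info\] Connection "
    r"service=\S+ ip=(\S+) port=\S* user=(\S+) blocked by cphulkd")
EXIM_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) dovecot_login authenticator failed for "
    r"\(\[([\d.]+)\]\) \[([\d.]+)\]:\d+: 535 .*\(set_id=([^)]+)\)")

def parse_cphulk_blocks(text):
    """Return (timestamp, ip, user) for every authentication cPHulk refused."""
    blocks = []
    for line in text.splitlines():
        m = CPHULK_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
            blocks.append((ts, m.group(2), m.group(3)))
    return blocks

def parse_exim_failures(text):
    """Return one dict per dovecot_login failure: time, the client-supplied
    (spoofable) address in parentheses, the real peer IP, and the user tried."""
    failures = []
    for line in text.splitlines():
        m = EXIM_RE.match(line)
        if m:
            failures.append({"time": datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
                             "helo": m.group(2), "ip": m.group(3), "user": m.group(4)})
    return failures

def correlate(cphulk_text, exim_text, window=2):
    """Mark each Exim failure 'covered' when cPHulk refused the same peer IP and
    user within `window` seconds; uncovered failures were never seen by cPHulk."""
    blocks = parse_cphulk_blocks(cphulk_text)
    rows = parse_exim_failures(exim_text)
    for f in rows:
        f["covered"] = any(ip == f["ip"] and user == f["user"]
                           and abs((ts - f["time"]).total_seconds()) <= window
                           for ts, ip, user in blocks)
    return rows

if __name__ == "__main__":
    for f in correlate(CPHULKD_LOG, EXIM_MAINLOG):
        tag = "refused by cPHulk" if f["covered"] else "NOT seen by cPHulk"
        print(f"{f['time']} {f['ip']} user={f['user']} helo={f['helo']}: {tag}")
```

Note that the address in parentheses is what the client claimed, so it is the peer IP in square brackets, not that value, that a firewall rule should key on.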