
have slipped through the cPHulk Brute Force Protection?

Discussion in 'Security' started by toyama, Oct 4, 2012.

  1. toyama

    toyama Member

    Hello.

    I have added a network address to the "Blocked IPs" list of "cPHulk Brute Force Protection" in order to block the network a persistent spammer is using.
    If you watch cphulkd.log, log lines similar to the following are output, so it appears to be blocking.

    ----------------------- cphulkd.log -----------------------
    Thu Oct 4 16:09:31 2012 [info] Connection service=system ip=xxx.x.42.19 port= user=harris blocked by cphulkd (IP Address is blacklisted matched xxx.x.0.0/14)
    Thu Oct 4 16:09:33 2012 [info] Connection service=system ip=xxx.x.42.19 port= user=harris blocked by cphulkd (IP Address is blacklisted matched xxx.x.0.0/14)
    Thu Oct 4 16:09:35 2012 [info] Connection service=system ip=xxx.x.42.19 port= user=harris blocked by cphulkd (IP Address is blacklisted matched xxx.x.0.0/14)
    Thu Oct 4 16:09:37 2012 [info] Connection service=system ip=xxx.x.42.19 port= user=harris blocked by cphulkd (IP Address is blacklisted matched xxx.x.0.0/14)
    ----------------------- cphulkd.log -----------------------

    However, log entries from the IP that should have been blocked are still being written to exim_mainlog.

    ----------------------- exim_mainlog -----------------------
    2012-10-04 16:09:31 dovecot_login authenticator failed for ([192.168.2.33]) [xxx.x.42.19]:3021: 535 Incorrect authentication data (set_id=harris)
    2012-10-04 16:09:33 dovecot_login authenticator failed for ([192.168.2.33]) [xxx.x.42.19]:3021: 535 Incorrect authentication data (set_id=harris)
    2012-10-04 16:09:35 dovecot_login authenticator failed for ([192.168.2.33]) [xxx.x.42.19]:3021: 535 Incorrect authentication data (set_id=harris)
    2012-10-04 16:09:37 dovecot_login authenticator failed for ([192.168.2.33]) [xxx.x.42.19]:3021: 535 Incorrect authentication data (set_id=harris)
    2012-10-04 16:09:39 dovecot_login authenticator failed for ([192.168.2.33]) [xxx.x.42.19]:3021: 535 Incorrect authentication data (set_id=harris)
    ----------------------- exim_mainlog -----------------------


    So, is cPHulk Brute Force Protection not running?

    Thanks
     
  2. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Hello :)

    cPHulk will not actually block IP addresses from accessing your server. Instead, it's used to prevent authentication to the services it monitors. You will need to use a firewall to actually block an IP address from your server. Many users report a good experience using a third-party firewall called CSF:

    Config Server Firewall

    Thank you.
     
  3. PPNSteve

    PPNSteve Well-Known Member

    I'm seeing hundreds of these 'access attempts' lately as well, all reporting as different ISP IPs but all with the 192.168.2.33 local IP.

    Is this some exploit out in the wild?

    Can we stop it?

    How would we block it in, let's say, CSF firewall?
     
  4. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Same here. Something's up.
     
  5. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    As for blocking the spoofed IP, just block the 192.168.2.0/24 range for the INPUT chain to your server, either in CSF or in iptables directly if you aren't using CSF. As for how to do that, CSF has options in the WHM > Plugins > ConfigServer Security & Firewall area on blocking.
     
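An added example, not from the thread or from cPanel: a Python script that parses the two log formats quoted above, confirms that cPHulk rejected each authentication attempt, lists which of those source IPs still reach Exim (the firewall candidates cPanelMichael describes), and groups source IPs by the name the client announced about itself (the 192.168.2.33 value PPNSteve noticed). The sample log lines are constructed with documentation addresses; the bracketed public IP after the parenthesised name is the address a firewall actually sees.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines modelled on the thread's logs (documentation IPs, not real traffic).
CPHULKD_LOG = """\
Thu Oct 4 16:09:31 2012 [info] Connection service=system ip=203.0.113.19 port= user=harris blocked by cphulkd (IP Address is blacklisted matched 203.0.0.0/14)
Thu Oct 4 16:09:33 2012 [info] Connection service=system ip=203.0.113.19 port= user=harris blocked by cphulkd (IP Address is blacklisted matched 203.0.0.0/14)
"""
EXIM_MAINLOG = """\
2012-10-04 16:09:31 dovecot_login authenticator failed for ([192.168.2.33]) [203.0.113.19]:3021: 535 Incorrect authentication data (set_id=harris)
2012-10-04 16:09:33 dovecot_login authenticator failed for ([192.168.2.33]) [203.0.113.19]:3021: 535 Incorrect authentication data (set_id=harris)
2012-10-04 16:10:02 dovecot_login authenticator failed for ([192.168.2.33]) [198.51.100.7]:4410: 535 Incorrect authentication data (set_id=harris)
"""

# cphulkd: the ip= field is the real source; "blocked by cphulkd" means the auth was rejected.
CPHULK_RE = re.compile(r"ip=(\S+) .*?user=(\S+) blocked by cphulkd")
# exim: "(name) [ip]:port" - the parenthesised name is client-supplied, the bracketed IP is the peer.
EXIM_RE = re.compile(r"authenticator failed for \(\[([^\]]+)\]\) \[([^\]]+)\]:\d+: .*set_id=(\S+)\)")

def parse_cphulk_blocks(text):
    """Return {source_ip: number of authentication attempts cPHulk rejected}."""
    return Counter(m.group(1) for m in map(CPHULK_RE.search, text.splitlines()) if m)

def parse_exim_failures(text):
    """Return a list of (announced_name, source_ip, login) for failed dovecot_login auths."""
    out = []
    for line in text.splitlines():
        m = EXIM_RE.search(line)
        if m:
            out.append((m.group(1), m.group(2), m.group(3)))
    return out

def correlate(cphulk_text, exim_text):
    """Cross-check the two logs: cPHulk stops logins, not connections, so a blocked IP
    is expected to keep appearing in exim_mainlog until a firewall drops it."""
    blocked = parse_cphulk_blocks(cphulk_text)
    failures = parse_exim_failures(exim_text)
    attempts = Counter(ip for _, ip, _ in failures)
    by_name = defaultdict(set)
    for name, ip, _ in failures:
        by_name[name].add(ip)  # many public IPs sharing one announced name = one campaign
    return {
        "still_connecting": {ip: attempts[ip] for ip in blocked if ip in attempts},
        "not_in_cphulk": {ip: n for ip, n in attempts.items() if ip not in blocked},
        "sources_by_announced_name": {n: sorted(ips) for n, ips in by_name.items()},
    }

if __name__ == "__main__":
    for key, value in correlate(CPHULKD_LOG, EXIM_MAINLOG).items():
        print(f"{key}: {value}")
```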