
have slipped through the cPHulk Brute Force Protection?

Discussion in 'Security' started by toyama, Oct 4, 2012.

  1. toyama

    toyama Member

    Joined:
    Jun 17, 2011
    Messages:
    15
    Likes Received:
    0
    Trophy Points:
    1
    Hello.

    I have added a network address to the "Blocked IPs" list of cPHulk Brute Force Protection in order to block a persistent spammer.
    When I watch cphulkd.log, log lines like the following are output, so it appears to be blocking.

    ----------------------- cphulkd.log -----------------------
    Thu Oct 4 16:09:31 2012 [info] Connection service=system ip=xxx.x.42.19 port= user=harris blocked by cphulkd (IP Address is blacklisted matched xxx.x.0.0/14)
    Thu Oct 4 16:09:33 2012 [info] Connection service=system ip=xxx.x.42.19 port= user=harris blocked by cphulkd (IP Address is blacklisted matched xxx.x.0.0/14)
    Thu Oct 4 16:09:35 2012 [info] Connection service=system ip=xxx.x.42.19 port= user=harris blocked by cphulkd (IP Address is blacklisted matched xxx.x.0.0/14)
    Thu Oct 4 16:09:37 2012 [info] Connection service=system ip=xxx.x.42.19 port= user=harris blocked by cphulkd (IP Address is blacklisted matched xxx.x.0.0/14)
    ----------------------- cphulkd.log -----------------------

    However, log entries from the IP that should have been blocked are still being output to exim_mainlog.

    ----------------------- exim_mainlog -----------------------
    2012-10-04 16:09:31 dovecot_login authenticator failed for ([192.168.2.33]) [xxx.x.42.19]:3021: 535 Incorrect authentication data (set_id=harris)
    2012-10-04 16:09:33 dovecot_login authenticator failed for ([192.168.2.33]) [xxx.x.42.19]:3021: 535 Incorrect authentication data (set_id=harris)
    2012-10-04 16:09:35 dovecot_login authenticator failed for ([192.168.2.33]) [xxx.x.42.19]:3021: 535 Incorrect authentication data (set_id=harris)
    2012-10-04 16:09:37 dovecot_login authenticator failed for ([192.168.2.33]) [xxx.x.42.19]:3021: 535 Incorrect authentication data (set_id=harris)
    2012-10-04 16:09:39 dovecot_login authenticator failed for ([192.168.2.33]) [xxx.x.42.19]:3021: 535 Incorrect authentication data (set_id=harris)
    ----------------------- exim_mainlog -----------------------

    So, is cPHulk Brute Force Protection not running?

    Thanks
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,854
    Likes Received:
    676
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    cPHulk will not actually block IP addresses from accessing your server. Instead, it's used to prevent authentication to the services it monitors. You will need to use a firewall to actually block an IP address from your server. Many users report a good experience using a third-party firewall called CSF:

    Config Server Firewall

    Thank you.
     
  3. PPNSteve

    PPNSteve Well-Known Member

    Joined:
    Mar 13, 2003
    Messages:
    393
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Somewhere in Ilex Forest
    cPanel Access Level:
    Root Administrator
    I'm seeing hundreds of these 'access attempts' lately as well, all reporting as different ISP IPs but all with the 192.168.2.33 local IP.

    Is this some exploit out in the wild?

    Can we stop it?

    How would we block it in, let's say, the CSF firewall?
     
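    As an added example (not code from this thread or from cPanel), a Python script that reconciles the two log formats quoted in the first post and checks PPNSteve's observation that many different peers announce the same 192.168.2.33 address: it counts cphulkd blocks per IP, lists blacklisted IPs that still reach exim (expected, since cPHulk refuses the login rather than the connection), groups failures by the announced HELO, and picks the peer addresses in square brackets, which are what a firewall rule matches. The log lines are constructed samples using documentation IP ranges, and the regexes assume the exact line shapes shown in the thread.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the two formats quoted in the thread; the
# addresses are documentation ranges, not real traffic.
CPHULKD_LOG = """\
Thu Oct  4 16:09:31 2012 [info] Connection service=system ip=203.0.113.19 port= user=harris blocked by cphulkd (IP Address is blacklisted matched 203.0.112.0/22)
Thu Oct  4 16:09:33 2012 [info] Connection service=system ip=203.0.113.19 port= user=harris blocked by cphulkd (IP Address is blacklisted matched 203.0.112.0/22)
"""
EXIM_MAINLOG = """\
2012-10-04 16:09:31 dovecot_login authenticator failed for ([192.168.2.33]) [203.0.113.19]:3021: 535 Incorrect authentication data (set_id=harris)
2012-10-04 16:09:33 dovecot_login authenticator failed for ([192.168.2.33]) [203.0.113.19]:3021: 535 Incorrect authentication data (set_id=harris)
2012-10-04 16:10:02 dovecot_login authenticator failed for ([192.168.2.33]) [198.51.100.7]:4410: 535 Incorrect authentication data (set_id=admin)
2012-10-04 16:11:15 dovecot_login authenticator failed for (mail.example.net) [198.51.100.80]:5112: 535 Incorrect authentication data (set_id=bob)
"""

CPHULK_RE = re.compile(r"ip=(?P<ip>\S+) port=\S* user=(?P<user>\S+) blocked by cphulkd")
# The parenthesised field is what the client announced (HELO/EHLO); the
# bracketed field after it is the TCP peer address exim actually saw.
EXIM_RE = re.compile(r"dovecot_login authenticator failed for \((?P<helo>[^)]*)\) "
                     r"\[(?P<ip>[^\]]+)\]:\d+: 535 .*\(set_id=(?P<user>[^)]+)\)")

def cphulk_blocked(text):
    """Count, per source IP, the connections cphulkd reports as blocked."""
    return Counter(m.group("ip") for m in map(CPHULK_RE.search, text.splitlines()) if m)

def exim_auth_failures(text):
    """Return (peer_ip, announced_helo, login) for every dovecot_login failure."""
    return [(m.group("ip"), m.group("helo"), m.group("user"))
            for m in map(EXIM_RE.search, text.splitlines()) if m]

def reconcile(cphulk_text, exim_text):
    """Cross-check the two logs: which blacklisted IPs still reach exim, and
    which announced addresses are shared by several distinct peers."""
    blocked = cphulk_blocked(cphulk_text)
    failures = exim_auth_failures(exim_text)
    still_seen = Counter(ip for ip, _, _ in failures if ip in blocked)
    by_helo = defaultdict(set)
    for ip, helo, _ in failures:
        by_helo[helo].add(ip)
    shared_helo = {h: sorted(ips) for h, ips in by_helo.items() if len(ips) > 1}
    return {"blocked": dict(blocked), "still_seen": dict(still_seen), "shared_helo": shared_helo}

def deny_candidates(exim_text, threshold):
    """Peer IPs with at least `threshold` refused logins: the real source
    addresses (not the announced HELO) are what a firewall rule must match."""
    counts = Counter(ip for ip, _, _ in exim_auth_failures(exim_text))
    return sorted(ip for ip, n in counts.items() if n >= threshold)
```

    Run `reconcile(CPHULKD_LOG, EXIM_MAINLOG)` against the real files' contents to see the overlap, and `deny_candidates(..., threshold)` to get the list of peer addresses worth feeding to the firewall.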
  4. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,482
    Likes Received:
    203
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Same here. Something's up.
     
  5. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Joined:
    Oct 2, 2010
    Messages:
    7,623
    Likes Received:
    21
    Trophy Points:
    38
    Location:
    somewhere over the rainbow
    cPanel Access Level:
    Root Administrator
    As for blocking the spoofed IP, just block the 192.168.2.0/24 range for INPUT chain to your server either in CSF or in iptables directly if you aren't using CSF. As for how to do that, CSF has options in WHM > Plugins > ConfigServer Security&Firewall area on blocking.
     