How do I know if cPanel Brute Force protection is working?

Discussion in 'Security' started by RobinHood, Oct 5, 2017.

  1. RobinHood (Registered; cPanel Access Level: Root Administrator; Location: London)

    I'm getting a lot of people trying to access my server. I've turned on cPHulk and checked the box to block IP addresses at the firewall level if they trigger brute force protection.

    These IPs aren't being added to the manual IP blacklist tab though. Is there another list being created somewhere that I can verify these blocked IPs are being added to?

  2. cPanelMichael (Forums Analyst, Staff Member; cPanel Access Level: Root Administrator)

    Hello,

    You can browse to the "History Reports" tab in "WHM >> cPHulk Brute Force Detection" to see a list of failed logins or blocked IP addresses. Additionally, this information is logged at:

    Code:
    /usr/local/cpanel/logs/cphulkd.log

    Note that IP addresses blocked at the firewall level are not visible from within WHM. You'd need to run a command like this to see a list of all IP addresses blocked using iptables:

    Code:
    iptables -L INPUT -v -n

    Thank you.
     
    RobinHood likes this.
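The `iptables -L INPUT -v -n` listing Michael points to can be long, and a per-IP block may sit in a chain that INPUT jumps to rather than in INPUT itself. The helper below is an added example, not code from the thread or from cPanel: it filters that listing down to the explicit source addresses hit by DROP or REJECT rules (skipping the catch-all `0.0.0.0/0`, which is a policy rule rather than a per-IP block) and lists the user-defined chains that are worth inspecting next. The sample listing embedded in it is constructed with RFC 5737 documentation addresses to mirror the shape of the output posted later in the thread.

```shell
#!/bin/sh
# Added example (not from the thread, not cPanel's code): pick the per-IP
# blocks and the jump targets out of `iptables -L INPUT -v -n` output.

# Constructed sample in the same column layout as the thread's listing.
SAMPLE_IPTABLES='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  230 18941 f2b-SSH    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22
24126 5843K cP-Firewall-1-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    3   180 DROP       all  --  *      *       203.0.113.7          0.0.0.0/0
    0     0 DROP       all  --  *      *       198.51.100.0/24      0.0.0.0/0
    5   280 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
  171 20638 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited'

# blocked_sources: read `iptables -L INPUT -v -n` output on stdin and print the
# source column ($8) of every DROP/REJECT rule that names a specific address
# or network. The first two lines are the chain header and column titles.
blocked_sources() {
    awk 'NR > 2 && ($3 == "DROP" || $3 == "REJECT") && $8 != "0.0.0.0/0" { print $8 }'
}

# jump_chains: print the targets ($3) that are not built-in verdicts, i.e. the
# user-defined chains INPUT hands packets to. A block that is not visible in
# INPUT may live in one of these; inspect each with `iptables -L <chain> -v -n`.
jump_chains() {
    awk 'NR > 2 && $3 !~ /^(ACCEPT|DROP|REJECT|RETURN|LOG)$/ { print $3 }'
}

# Demo against the constructed sample. On a live server, pipe the real
# listing in instead:  iptables -L INPUT -v -n | blocked_sources
printf '%s\n' "$SAMPLE_IPTABLES" | blocked_sources
printf '%s\n' "$SAMPLE_IPTABLES" | jump_chains
```

An empty result from `blocked_sources` together with a non-empty result from `jump_chains` is the situation to look out for: the blocks are not in INPUT, so the next step is to list each chain that INPUT jumps to before concluding that nothing is being blocked.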
  3. RobinHood (Registered; cPanel Access Level: Root Administrator; Location: London)

    Thanks Michael. In the history reports I have 3k reports, but all of the blocks have an expiration time.

    How can I make it so that they're all permanent, or that future blocks are permanent?

    I tried running that command and I don't see a list of blocked IPs there. Could it be because I experimented with installing CSF and then disabled CSF?

    Both CSF and LFD are now disabled, so it's back to the way it was before I started looking into this.

    This is what I have in iptables; there doesn't seem to be a list of the blocked IPs, even though I have:

    Maximum Failures per IP Address = 3
    Checked: Block IP addresses at the firewall level if they trigger brute force protection

    Maximum Failures per IP Address before the IP Address is Blocked for One Day = 3
    Checked: Block IP addresses at the firewall level if they trigger a one-day block

    Code:
    root@domain-net [~]# iptables -L INPUT -v -n
    Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination         
      230 18941 f2b-SSH    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22
    24126 5843K cP-Firewall-1-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    22872 5772K acctboth   all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    22672 5750K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
        8   640 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
        8   480 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
        0     0 ACCEPT     tcp  --  *      *       redacted        0.0.0.0/0           state NEW tcp dpt:22
        0     0 ACCEPT     tcp  --  *      *       redacted         0.0.0.0/0           state NEW tcp dpt:22
        0     0 ACCEPT     tcp  --  *      *       redacted          0.0.0.0/0           state NEW tcp dpt:22
        0     0 ACCEPT     tcp  --  *      *       redacted         0.0.0.0/0           state NEW tcp dpt:22
        1    64 ACCEPT     tcp  --  *      *       redacted        0.0.0.0/0           state NEW tcp dpt:22
        0     0 ACCEPT     tcp  --  *      *       redacted         0.0.0.0/0           state NEW tcp dpt:22
        0     0 ACCEPT     tcp  --  *      *       redacted        0.0.0.0/0           state NEW tcp dpt:22
        5   280 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:1167
        7   280 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 30000:50000
      171 20638 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited 
    Thanks
     
  4. cPanelMichael (Forums Analyst, Staff Member; cPanel Access Level: Root Administrator)

    In "WHM Home » Security Center » cPHulk Brute Force Protection", under "Configuration Settings", you'd need to enter a command like this for "Command to Run When an IP Address Triggers a One-Day Block" in the "One Day Block" section:

    Code:
    whmapi1 create_cphulk_record list_name=black ip=%remote_ip%

    This will add the IP addresses that are detected for the "One Day Block" settings to the permanent cPHulk black list.

    Yes, it's possible that installing and uninstalling CSF wiped your existing iptables rules.

    Thank you.
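A wrapper around that command, as an added example that is neither cPanel's code nor from the thread: it takes the substituted `%remote_ip%` as its only argument, refuses anything that is not a well-formed address (for instance an unsubstituted placeholder), appends a line to a log file so that every permanent ban is auditable, and only then calls `whmapi1 create_cphulk_record` exactly as given in the answer above. The script path `/usr/local/bin/cphulk-permaban.sh`, the log path and the `CPHULK_PERMABAN_*` environment variables are assumed names; the field in WHM would then contain `/usr/local/bin/cphulk-permaban.sh %remote_ip%`.

```shell
#!/bin/sh
# Added example (not cPanel's code): validating wrapper for the cPHulk
# "Command to Run When an IP Address Triggers a One-Day Block" field.
# Invoke as:  /usr/local/bin/cphulk-permaban.sh %remote_ip%   (assumed path)

LOGFILE="${CPHULK_PERMABAN_LOG:-/var/log/cphulk-permaban.log}"   # assumed path
DRY_RUN="${CPHULK_PERMABAN_DRY_RUN:-0}"                           # 1 = log only, skip whmapi1

# is_valid_ip: accept a dotted-quad IPv4 address (four octets, each 0-255)
# or a plausible IPv6 literal (hex digits, dots and colons; detailed IPv6
# syntax is left to whmapi1). Anything else, including an unsubstituted
# %remote_ip% placeholder or shell metacharacters, is rejected.
is_valid_ip() {
    case "$1" in
        ""|*[!0-9a-fA-F.:]*) return 1 ;;     # only hex digits, '.' and ':' allowed
        *:*) return 0 ;;                     # colon form: treat as IPv6
        .*|*.|*..*) return 1 ;;              # leading, trailing or doubled dots
    esac
    oldIFS=$IFS; IFS=.; set -- $1; IFS=$oldIFS
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in *[!0-9]*) return 1 ;; esac   # hex letters are not valid in IPv4
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# permaban: validate, record, then add the address to cPHulk's permanent
# black list with the API call from the thread. Returns 2 on a bad address
# so a misconfigured field is visible in the log rather than silently ignored.
permaban() {
    ip=$1
    stamp=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    if ! is_valid_ip "$ip"; then
        printf '%s REJECTED bad address: %s\n' "$stamp" "$ip" >> "$LOGFILE"
        return 2
    fi
    printf '%s BLACKLIST %s\n' "$stamp" "$ip" >> "$LOGFILE"
    if [ "$DRY_RUN" = 1 ]; then
        return 0
    fi
    whmapi1 create_cphulk_record list_name=black ip="$ip"
}

# Entry point when run as a script; with no argument nothing is done.
if [ $# -ge 1 ]; then
    permaban "$1"
    exit $?
fi
```

Setting `CPHULK_PERMABAN_DRY_RUN=1` in the script's environment lets you confirm the substitution and logging behave as expected before any address is written to the black list.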
     