SOLVED How does blacklisting countries in cphulk work ?

[Markif]

Hello

here : CLOUDLINUX 7.5 standard [is30] v70.0.51 with CSF/LFD
due to non-stop brute-force on email-accounts, I've activated CPHulk and used the new tab "Countries Management" and did set a country to "blacklisted" : OK.
But looking at the maillog, and the LFD blocking actions on imapd failures, I still see this failures comes from the country that I blacklisted in CPHulk / Countries Management.

So I dont understand what is doing the country "blacklisting" from CPHulk : does it inhibit an IP from a country to connect to a mailservice (as I expect) or does it something else ?
I would expect that if you blacklist a country in CPHulk, then the IPs of that country could *not* access the mailservices anymore.
Or does it have as effect that they still *can* connect, but that there connection will always fail (so LFD will always endup up blocking them ?)

Thanks for clarification.
Marco

 

[rpvw]

I use both cPHulk and CSF/LFD and there are defiantly differences between the two applications as to where they think an IP comes from.

I know that CSF/LFD use MaxMind GeoLite2 databases, and I personally have set it to update every 14 days.

Now I see eg IPs that LFD thinks is on the UK, being flagged as being in Germany by cPHulk.

I did ask in another post on this forum if cPanel would disclose what geo-location database is being used by cPHulk, and how often it was updated ...... but I don't think it was ever answered.

Don't forget that cPHulk blacklisting (IP or Country) will only block attempts to log in to your server (any of the services) but it does not block the IP from connecting and trying.

 

[cPanelMichael]

Hello Marco,

The Countries Management feature with cPHulk Brute Force Protection lists countries that you can whitelist, blacklist, or remove from either list. The whitelist specifies the IP addresses that cPHulk always allows to log in to your server. The blacklist specifies the IP addresses that cPHulk never allows to log in to your server. It's not actually blocking these IP addresses at the firewall level. Instead, it's used to determine if the login attempt will succeed.

Thank you.

 

[lwt]

Hello Marco,

The Countries Management feature with cPHulk Brute Force Protection lists countries that you can whitelist, blacklist, or remove from either list. The whitelist specifies the IP addresses that cPHulk always allows to log in to your server. The blacklist specifies the IP addresses that cPHulk never allows to log in to your server. It's not actually blocking these IP addresses at the firewall level. Instead, it's used to determine if the login attempt will succeed.

Thank you.

Hi cPanelMichael

So if I am certain that I only login to the Server from US, so can I safely conclude that I can Blacklist all Countries except US?

If user were to travel overseas to say Austria and that Austria is currently being blacklisted in the Countries Management in cPHulk, can the user currently in Austria able to login with his/her credential into cPanel as well as access to his/her email?

Thanks.

 

[rpvw]

So if I am certain that I only login to the Server from US, so can I safely conclude that I can Blacklist all Countries except US?

It is not only you that would be limited to logins only from the US, but all your customers as well.

If user were to travel overseas to say Austria and that Austria is currently being blacklisted in the Countries Management in cPHulk, can the user currently in Austria able to login with his/her credential into cPanel as well as access to his/her email?

cPHulk blocks the following logins

• cPanel services (Port 2083).
• WHM services (Port 2087).
• Mail services (Dovecot and Exim).
• The PureFTPd service.
• Secure Shell (SSH) access.

If you have blocked all country access other than from the US, when your US customer travels to Austria, they would be blocked from logging into any of the services listed above.

Full details from cPHulk Brute Force Protection - Version 74 Documentation - cPanel Documentation

 

[lwt]

It is not only you that would be limited to logins only from the US, but all your customers as well.

cPHulk blocks the following logins

• cPanel services (Port 2083).
• WHM services (Port 2087).
• Mail services (Dovecot and Exim).
• The PureFTPd service.
• Secure Shell (SSH) access.

If you have blocked all country access other than from the US, when your US customer travels to Austria, they would be blocked from logging into any of the services listed above.

Full details from cPHulk Brute Force Protection - Version 74 Documentation - cPanel Documentation

Hi rpvw.

Thank you for your detail explanation.

 

[RobinHood]

Is there a built in feature in WHM to completely block all access to sites hosted on the server from certain countries?

I have all countries blacklisted bar mine for CPHulk, which is great for the server login and services. But I'd like to also completely block visitors to my sites from a selection of countries.

What's the easiest way to do this?

Thanks

 

[rpvw]

Is there a built in feature in WHM to completely block all access to sites hosted on the server from certain countries?

I don't know of one that is built into WHM.

You can achieve what you want using the CSF firewall - do a Google search for How to Block or Allow Specific Ports by Country in the CSF Firewall for further examples and instructions.

Do be careful about blocking countries that you might need to receive system and software updates from !!!