How to reference IP, ISP, data from cpHulk brute force emails in a command to append offenders to a csv list


Jun 18, 2019
cPanel Access Level
Root Administrator
I would like to append offending IPs to a csv list with the same data that is sent by cpHulkd warning emails so that I can later import offenders.csv in excel, sort it and report the abuse. Has anyone tried that? I would put the command in the cphulk interface for when an ip ban is triggered.

I was thinking something like this but I lack knowledge of the proper variable names, if they exist at all...

echo "$TRIGGER_TIME;$IP;$ISP;$REVERSE_DNS" >> /root/offenders.csv

I would also like to rotate the log file each month, but no clue as how to do that...

Thanks in advance!


Product Owner
Staff member
Nov 14, 2017
The variables that can be used are:

The following variables may be used in commands:

%exptime% - The Unix time when brute force protection will release the block
%max_allowed_failures% - Maximum allowed failures to trigger this type (excessive or non-excessive failures)
%current_failures% - Number of current failures
%excessive_failures% - 0 (not an excessive login failure) or 1 (an excessive login failure)
%reason% - The reason for the block
%remote_ip% - The blocked IP address
%authservice% - The last service to request authentication (for example, webmaild)
%user% - The last username to request authentication
%logintime% - The time of the request
%ip_version% - The IP version (4 or 6)
%logintime% would be $TRIGGER_TIME
would be $IP
$ISP and $REVERSE_DNS wouldn't be variables available. You could probably write something that did lookups for those since all you'd need is the IP address to do so.

For log rotation WHM>>Service Configuration>>cPanel Log Rotation Configuration you can select logs to be rotated (cPanel specific log files) then in WHM>>Server Configuratoin>>Tweak Settings you can set the size threshold at which you'd want the logs to be rotated.


Well-Known Member
Nov 20, 2014
cPanel Access Level
Root Administrator
Personally, I wouldn't bother reporting the abuse.
You'll be at this for the rest of your life, your own personal time is more important.

Install CSF firewall and let the firewall do all the hard wotk for you.
CSF firewall also has a number of live lists of bad IP's that you can facilitate.