IPv6 blocking, country blocking and access

[OETC]

Folks,
This is my first post on this forum. Great information here, can believe I haven't joined this forum till now.

I have had a Dedicated Server for a few years now (running WHM) and never really paid too much mind to security (as I didn't know much about the subject). For someone not of an IT background, many of the acronyms and lingo can get a bit confusing. In any case, I was recently successfully attacked (brute force) and this sparked a requirement to learn more and institute some security on the server over and above what was defaulted.

I have a few questions I am hoping the community can assist with. I have looked through this forum and other sites but can't find the strait answers. I think my questions may be too basic or common knowledge for folks who run servers; hence no discussions on the topics.

1) I want to use cPHulk to block countries from logging into the server as I found a few countries (China and Russia) at the top of the list of attackers of my system. I only log in from Canada so wanted to block all countries in the "Country Blacklist" except Canada; however what I don't know is: When I block a country, am I blocking their access to my servers websites and any services or am I just blocking WHM/CPanel logins?

2) I am in Canada but the server is located in Huston Texas. If I block the US from the Country Blacklist (as many attackers from US), will that cause problems considering the location of the server? And again, will I be denying US IP's access to the websites on the server.

3) I noticed many attackers do not have a country code listed. Their IP's are detailed as all zeros 000:000.. etc or IPv6. Without actual listed IP's or country codes, how could I stop them from brute force attacks. NOTE: I am on a Dynamic IP myself, so cannot just whitelist myself and blacklist others as my IP changes daily.

4) This is a really basic question, I apologies in advance. If I change the username and/or password of my WHM login, will that bugger up any access to other areas of the server, like the Mailman or databases? I am reluctant to change the password for WHM due to the fear I will lock myself out or break the mailman or databases for the packages on the server.

5) I have an SSL certificate that updates annually but everytime I navigate to the WHM login, I am notified of being non secure (non https). I asked my provider (Hostgator) but they are of no assistance. I know this is off topic so don't expect an answer to this.

I have stopped the current attack and have a number of countries blacklisted; shored up the cPHulk configuration to tighten the number of failed attempts. I also changed all email passwords. The emergency is over for now, but I want to configure the system to be more secure going forward.

My apologies for the length of this post and for asking such simplistic question on this forum. Any assistance is appreciated.

 

[::Gomez::]

HI , OETC, welcome to the forum

I´l try to do my best on all of your questions.

1) I want to use cPHulk to block countries from logging into the server as I found a few countries (China and Russia) at the top of the list of attackers of my system. I only log in from Canada so wanted to block all countries in the "Country Blacklist" except Canada; however what I don't know is: When I block a country, am I blocking their access to my servers websites and any services or am I just blocking WHM/CPanel logins?

First of all I would like to make a difference here.. cphulk doesnt works like a firewall... cphulk is just a brute force protection, that will prevent bots from guessing a password. after x ammounts of failed logins it will block the IP. If you decide to block an entire country, this will prevent anyone from that country, to login to cpanel services. that includes FTP/SFTP/SSH/CPANEL/WHM etc... Users from blocked countries will still be able to access your websites normally. When you are inside a blocked country, login will be completely disabled, also when using correct credentials.

2) I am in Canada but the server is located in Huston Texas. If I block the US from the Country Blacklist (as many attackers from US), will that cause problems considering the location of the server? And again, will I be denying US IP's access to the websites on the server..

The answer is yes. I dont recommend you to block the country where your server is hosted at. nor your country.. keep that as "default". you can block the rest if you wont login from that locations. (be sure none of your clients travel to that blocked country list..)

3) I noticed many attackers do not have a country code listed. Their IP's are detailed as all zeros 000:000.. etc or IPv6. Without actual listed IP's or country codes, how could I stop them from brute force attacks. NOTE: I am on a Dynamic IP myself, so cannot just whitelist myself and blacklist others as my IP changes daily.

Usually, cphulkd manages to succesfully block all the brute force attacks/attempts. if you feel that the attacks comming from no sense IPS are not getting blocked, you should consider a more robust cloud solution like bitninja for example.. there are lots out on the market. (bitninja, imunify365, etc...)

4) This is a really basic question, I apologies in advance. If I change the username and/or password of my WHM login, will that bugger up any access to other areas of the server, like the Mailman or databases? I am reluctant to change the password for WHM due to the fear I will lock myself out or break the mailman or databases for the packages on the server.

No, you can change that password safely without having any issue on other services.


- Removed Soliciting Users is Not Permitted -

 

[cPanelMichael]

Hello @OETC,

Welcome to the cPanel Forums!

1) I want to use cPHulk to block countries from logging into the server as I found a few countries (China and Russia) at the top of the list of attackers of my system. I only log in from Canada so wanted to block all countries in the "Country Blacklist" except Canada; however what I don't know is: When I block a country, am I blocking their access to my servers websites and any services or am I just blocking WHM/CPanel logins?

cPhulk monitors the following services for failed login attempts:

• cPanel services (Port 2083).
• WHM services (Port 2087).
• Mail services (Dovecot® and Exim).
• The PureFTPd service.
• Secure Shell (SSH) access.

cPHulk does not monitor Apache (the web server your websites run on) for failed login attempts. The only scenario where it will prevent someone from accessing the websites on your server is if an IP address triggers a brute force protection due to failed login attempts to one of the monitored services and the Block IP addresses at the firewall level if they trigger brute force protection option is enabled in your cPHulk configuration settings.

The Countries Management feature with cPHulk Brute Force Protection lists countries that you can whitelist, blacklist, or remove from either list. The whitelist specifies the IP addresses that cPHulk always allows to log in to your server. The blacklist specifies the IP addresses that cPHulk never allows to log in to your server. It's not actually blocking these IP addresses at the firewall level. Instead, it's used to determine if the login attempt to one of the cPHulk monitored services will succeed.

2) I am in Canada but the server is located in Huston Texas. If I block the US from the Country Blacklist (as many attackers from US), will that cause problems considering the location of the server? And again, will I be denying US IP's access to the websites on the server.

It should not cause problems unless you have valid users attempting to access one of the cPHulk monitored services from a US-based IP address. See the info above regarding access to your websites.

3) I noticed many attackers do not have a country code listed. Their IP's are detailed as all zeros 000:000.. etc or IPv6. Without actual listed IP's or country codes, how could I stop them from brute force attacks. NOTE: I am on a Dynamic IP myself, so cannot just whitelist myself and blacklist others as my IP changes daily.

Here are some links to the GeoIP database cPHulk utilizes if you want to check which country cPHulk will detect for an IP address:

GEO IP Database FAQ
IP to Country Database (IPV4 and IPV6)

Can you share one of the specific IP addresses that does not have a country code listed?

4) This is a really basic question, I apologies in advance. If I change the username and/or password of my WHM login, will that bugger up any access to other areas of the server, like the Mailman or databases? I am reluctant to change the password for WHM due to the fear I will lock myself out or break the mailman or databases for the packages on the server.

Modifying an account username through WHM >> Modify An Account and/or updating the cPanel account's password using WHM >> Password Modification automatically updates all corresponding cPanel & WHM configuration files with the new username/password. This is also applicable to changing the root password using WHM >> Change Root Password.

5) I have an SSL certificate that updates annually but everytime I navigate to the WHM login, I am notified of being non secure (non https). I asked my provider (Hostgator) but they are of no assistance. I know this is off topic so don't expect an answer to this.

Are you using the hostname as the domain in your browser's address bar, or the individual domain?

Thank you.