IPv6 blocking, country blocking and access

Discussion in 'Security' started by OETC, Apr 12, 2019.

  1. OETC

    OETC Registered

    Apr 12, 2019
    Hamilton Canada
    cPanel Access Level:
    Root Administrator
    This is my first post on this forum. Great information here, can't believe I haven't joined this forum till now.

    I have had a Dedicated Server for a few years now (running WHM) and never really paid too much mind to security (as I didn't know much about the subject). For someone not of an IT background, many of the acronyms and lingo can get a bit confusing. In any case, I was recently successfully attacked (brute force) and this sparked a requirement to learn more and institute some security on the server over and above what was defaulted.

    I have a few questions I am hoping the community can assist with. I have looked through this forum and other sites but can't find the straight answers. I think my questions may be too basic or common knowledge for folks who run servers; hence no discussions on the topics.

    1) I want to use cPHulk to block countries from logging into the server as I found a few countries (China and Russia) at the top of the list of attackers of my system. I only log in from Canada so wanted to block all countries in the "Country Blacklist" except Canada; however, what I don't know is: When I block a country, am I blocking their access to my server's websites and any services or am I just blocking WHM/cPanel logins?

    2) I am in Canada but the server is located in Houston, Texas. If I block the US from the Country Blacklist (as many attackers from US), will that cause problems considering the location of the server? And again, will I be denying US IPs access to the websites on the server?

    3) I noticed many attackers do not have a country code listed. Their IPs are detailed as all zeros 000:000.. etc or IPv6. Without actual listed IPs or country codes, how could I stop them from brute force attacks? NOTE: I am on a Dynamic IP myself, so cannot just whitelist myself and blacklist others as my IP changes daily.

    4) This is a really basic question, I apologize in advance. If I change the username and/or password of my WHM login, will that bugger up any access to other areas of the server, like the Mailman or databases? I am reluctant to change the password for WHM due to the fear I will lock myself out or break the Mailman or databases for the packages on the server.

    5) I have an SSL certificate that updates annually but every time I navigate to the WHM login, I am notified of being non secure (non https). I asked my provider (Hostgator) but they are of no assistance. I know this is off topic so don't expect an answer to this.

    I have stopped the current attack and have a number of countries blacklisted; shored up the cPHulk configuration to tighten the number of failed attempts. I also changed all email passwords. The emergency is over for now, but I want to configure the system to be more secure going forward.

    My apologies for the length of this post and for asking such simplistic questions on this forum. Any assistance is appreciated.
  2. ::Gomez::

    ::Gomez:: Member

    Oct 13, 2003
    cPanel Access Level:
    Root Administrator
    Hi, OETC, welcome to the forum :)

    I'll try to do my best on all of your questions.

    First of all, I would like to make a distinction here: cPHulk doesn't work like a firewall. cPHulk is just brute force protection that will prevent bots from guessing a password. After x amount of failed logins it will block the IP. If you decide to block an entire country, this will prevent anyone from that country from logging in to cPanel services. That includes FTP/SFTP/SSH/cPanel/WHM etc. Users from blocked countries will still be able to access your websites normally. When you are inside a blocked country, login will be completely disabled, even when using correct credentials.

    The answer is yes. I don't recommend blocking the country where your server is hosted, nor your own country. Keep those as "default". You can block the rest if you won't log in from those locations (be sure none of your clients travel to a country on the blocked list).

    Usually, cphulkd manages to successfully block all the brute force attacks/attempts. If you feel that the attacks coming from nonsense IPs are not getting blocked, you should consider a more robust cloud solution like bitninja, for example. There are lots out on the market (bitninja, imunify365, etc.).

    No, you can change that password safely without having any issue on other services.

    - Removed Soliciting Users is Not Permitted -
    #2 ::Gomez::, Apr 16, 2019
    Last edited by a moderator: Apr 17, 2019
    cPanelMichael likes this.
  3. cPanelMichael

    cPanelMichael Technical Support Community Manager Staff Member

    Apr 11, 2011
    cPanel Access Level:
    Root Administrator
    Hello @OETC,

    Welcome to the cPanel Forums!

    cPHulk monitors the following services for failed login attempts:
    • cPanel services (Port 2083).
    • WHM services (Port 2087).
    • Mail services (Dovecot® and Exim).
    • The PureFTPd service.
    • Secure Shell (SSH) access.
    cPHulk does not monitor Apache (the web server your websites run on) for failed login attempts. The only scenario where it will prevent someone from accessing the websites on your server is if an IP address triggers a brute force protection due to failed login attempts to one of the monitored services and the "Block IP addresses at the firewall level if they trigger brute force protection" option is enabled in your cPHulk configuration settings.

    The Countries Management feature with cPHulk Brute Force Protection lists countries that you can whitelist, blacklist, or remove from either list. The whitelist specifies the IP addresses that cPHulk always allows to log in to your server. The blacklist specifies the IP addresses that cPHulk never allows to log in to your server. It's not actually blocking these IP addresses at the firewall level. Instead, it's used to determine if the login attempt to one of the cPHulk monitored services will succeed.

    It should not cause problems unless you have valid users attempting to access one of the cPHulk monitored services from a US-based IP address. See the info above regarding access to your websites.

    Here are some links to the GeoIP database cPHulk utilizes if you want to check which country cPHulk will detect for an IP address:

    GEO IP Database FAQ
    IP to Country Database (IPV4 and IPV6)

    Can you share one of the specific IP addresses that does not have a country code listed?

    Modifying an account username through WHM >> Modify An Account and/or updating the cPanel account's password using WHM >> Password Modification automatically updates all corresponding cPanel & WHM configuration files with the new username/password. This is also applicable to changing the root password using WHM >> Change Root Password.

    Are you using the hostname as the domain in your browser's address bar, or the individual domain?

    Thank you.
    Jean Boudreau likes this.
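
A simplified model of the login behaviour described in the replies above, as an added example that is not part of the original thread and is not cPHulk's own code. The service names, the prefix-to-country table (documentation address ranges) and the failure threshold are constructed assumptions; the point is that website traffic is never evaluated, and that a source with no country code is still stopped by the failed-login count.

```python
import ipaddress
from collections import Counter

# Services the thread lists as monitored; "web" (Apache) is not one of them.
MONITORED = {"cpanel", "whm", "mail", "ftp", "ssh"}
# Constructed prefix-to-country table (documentation ranges, not real GeoIP data).
GEO = {
    ipaddress.ip_network("192.0.2.0/24"): "CA",
    ipaddress.ip_network("198.51.100.0/24"): "RU",
    ipaddress.ip_network("2001:db8:1::/48"): "CN",
}

def country_of(ip):
    """Return the country code for ip, or None when no prefix matches."""
    addr = ipaddress.ip_address(ip)
    for net, cc in GEO.items():
        if addr.version == net.version and addr in net:
            return cc
    return None

class LoginGuard:
    """Toy login gate: country blacklist plus per-IP failed-login lockout."""
    def __init__(self, blacklist, max_failures=3):
        self.blacklist = set(blacklist)
        self.max_failures = max_failures  # hypothetical threshold
        self.failures = Counter()

    def attempt(self, ip, service, password_ok):
        """Return 'allowed', 'denied' or 'not-monitored' for one request."""
        if service not in MONITORED:
            return "not-monitored"  # website visits are never evaluated
        key = str(ipaddress.ip_address(ip))  # one key per IPv6 spelling
        if country_of(ip) in self.blacklist:
            return "denied"  # refused even with correct credentials
        if self.failures[key] >= self.max_failures:
            return "denied"  # locked out by failed-login count
        if not password_ok:
            self.failures[key] += 1
            return "denied"
        return "allowed"

if __name__ == "__main__":
    guard = LoginGuard({"RU", "CN"})
    print(guard.attempt("198.51.100.7", "web", True))   # website visit
    print(guard.attempt("198.51.100.7", "whm", True))   # blacklisted country
    print(guard.attempt("192.0.2.10", "whm", True))     # unlisted country
```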
