Is cPHulk operating properly? cPanel email vs cPHulk blocked IPs

[doulos61]

Greetings -

Periodically I will emails generated by cPanel warning of a

"Large Number of Failed Login Attempts from IP xxx.xxx.xxx.xxx

5 failed login attempts to account webmaster (system) -- Large number of attempts from this IP: xxx.xx.xxx.xx Origin Country: China (CN)"

The contents of the email state the details of the country origin, number of attempts and etc in addition with the detailed links that will add the IP to the black/white list.

If I go into cPHulk and manually enter the IP's into the blacklist, periodically I will see that it will not let me enter it because it already exists.

My question are the following -

If an IP is already entered into the blacklist, then why am I even getting these notifications?
Is this to just let me know that they are attempting a login connection again
Is the blacklist even functioning properly?

I appreciate the assistance.
Thnx - Shoop

 

[vanessa]

Usually by the time you get the message, cphulkd has already blocked the IP. This is evident when you attempt to block it and it's already saying the IP is blocked.

Keep in mind that cphulkd is an application-level firewall. It does not and cannot block an IP from connecting to the server. All it will do is prevent the IP from being able to log in.

 

[cPanelMichael]

Hello

cPHulk will not automatically block IP addresses on a permanent basis. However, you can modify the following option in "WHM Home » Security Center » cPHulk Brute Force Protection" so that the IP address is blocked for a two-week period after repeated failed login attempts:

"Maximum Failures Per IP before IP is blocked for two week period"

I recommend using a firewall application such as CSF to block the repeated offending IP addresses from accessing your server.

Thank you.