Is cPHulk operating properly? cPanel email vs cPHulk blocked IPs

Discussion in 'Security' started by doulos61, Feb 14, 2014.

  1. doulos61

    doulos61 Well-Known Member

    Dec 13, 2006
    Greetings -

    Periodically I will receive emails generated by cPanel warning of a

    "Large Number of Failed Login Attempts from IP

    5 failed login attempts to account webmaster (system) -- Large number of attempts from this IP: Origin Country: China (CN)"

    The contents of the email state the details of the country of origin, number of attempts, etc., in addition to the detailed links that will add the IP to the black/white list.

    If I go into cPHulk and manually enter the IPs into the blacklist, periodically I will see that it will not let me enter one because it already exists.

    My questions are the following:

    If an IP is already entered into the blacklist, then why am I even getting these notifications?
    Is this to just let me know that they are attempting a login connection again?
    Is the blacklist even functioning properly?

    I appreciate the assistance.
    Thanks - Shoop
  2. vanessa

    vanessa Well-Known Member

    Sep 26, 2006
    Virginia Beach, VA
    cPanel Access Level: DataCenter Provider
    Usually by the time you get the message, cphulkd has already blocked the IP. This is evident when you attempt to block it and it's already saying the IP is blocked.

    Keep in mind that cphulkd is an application-level firewall. It does not and cannot block an IP from connecting to the server. All it will do is prevent the IP from being able to log in.
  3. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Apr 11, 2011
    cPanel Access Level: Root Administrator
    Hello :)

    cPHulk will not automatically block IP addresses on a permanent basis. However, you can modify the following option in "WHM Home » Security Center » cPHulk Brute Force Protection" so that the IP address is blocked for a two-week period after repeated failed login attempts:

    "Maximum Failures Per IP before IP is blocked for two week period"

    I recommend using a firewall application such as CSF to block the repeated offending IP addresses from accessing your server.

    Thank you.
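
The CSF suggestion above, sketched as an added example (not code from this thread, cPanel or CSF): it tallies failed-login events per IP and renders `csf -d` commands for repeat offenders so an admin can review them before running any. The event line layout, the threshold of 3, the trusted-network list and the function names are assumptions for this example, and the sample events are constructed.

```python
import ipaddress
import re
from collections import Counter

# Networks that must never be denied (loopback and RFC 1918); extend with your own.
INTERNAL = ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")

# Constructed sample events. The "failed login ... ip=<addr>" layout is an
# assumption for this example, not cPHulk's own log or e-mail format.
SAMPLE_EVENTS = "\n".join(
    ["failed login user=webmaster ip=203.0.113.45"] * 4
    + ["failed login user=root ip=192.0.2.10"] * 3
    + ["failed login user=admin ip=192.168.1.20"] * 3       # internal host
    + ["failed login user=admin ip=999.1.1.1;reboot"] * 3   # malformed value
    + ["failed login user=info ip=198.51.100.7"]            # single failure
)

IP_FIELD = re.compile(r"\bip=(\S+)")


def repeat_offenders(text, threshold=3, trusted=INTERNAL):
    """Return {ip: failures} for untrusted IPs with at least `threshold` failures."""
    trusted_nets = [ipaddress.ip_network(n) for n in trusted]
    counts = Counter()
    for line in text.splitlines():
        match = IP_FIELD.search(line)
        if "failed login" not in line or not match:
            continue
        try:
            ip = ipaddress.ip_address(match.group(1))
        except ValueError:
            continue  # not a valid address: never let it reach a shell command
        if any(ip in net for net in trusted_nets):
            continue  # do not lock out internal or explicitly trusted hosts
        counts[str(ip)] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


def csf_deny_commands(offenders):
    """Render one `csf -d <ip> <comment>` line per offender, sorted by IP string."""
    return [f"csf -d {ip} repeated failed logins x{n}"
            for ip, n in sorted(offenders.items())]


if __name__ == "__main__":
    print("\n".join(csf_deny_commands(repeat_offenders(SAMPLE_EVENTS))))
```
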
