Is cPHulk operating properly? cPanel email vs cPHulk blocked IPs

Discussion in 'Security' started by doulos61, Feb 14, 2014.

  1. doulos61

    Greetings -

    Periodically I will get emails generated by cPanel warning of a

    "Large Number of Failed Login Attempts from IP xxx.xxx.xxx.xxx

    5 failed login attempts to account webmaster (system) -- Large number of attempts from this IP: xxx.xx.xxx.xx Origin Country: China (CN)"

    The contents of the email state the details of the country of origin, number of attempts, etc., in addition to the detailed links that will add the IP to the black/white list.

    If I go into cPHulk and manually enter the IPs into the blacklist, periodically I will see that it will not let me enter it because it already exists.

    My questions are the following -

    If an IP is already entered into the blacklist, then why am I even getting these notifications?
    Is this to just let me know that they are attempting a login connection again?
    Is the blacklist even functioning properly?

    I appreciate the assistance.
    Thnx - Shoop
     
  2. vanessa

    Usually by the time you get the message, cphulkd has already blocked the IP. This is evident when you attempt to block it and it's already saying the IP is blocked.

    Keep in mind that cphulkd is an application-level firewall. It does not and cannot block an IP from connecting to the server. All it will do is prevent the IP from being able to log in.
     
  3. cPanelMichael

    Hello :)

    cPHulk will not automatically block IP addresses on a permanent basis. However, you can modify the following option in "WHM Home » Security Center » cPHulk Brute Force Protection" so that the IP address is blocked for a two-week period after repeated failed login attempts:

    "Maximum Failures Per IP before IP is blocked for two week period"

    I recommend using a firewall application such as CSF to block the repeated offending IP addresses from accessing your server.

    Thank you.
     