Is cPHulk working properly?

Discussion in 'Security' started by Legin76, Jun 6, 2012.

  1. Legin76

    I'm not sure if cPHulk is working properly or not. Could someone please confirm this for me?

    The Logwatch email shows the following attempted attacks. All the IPs have been blocked, but I'm not sure if it's before or after the numbers got so high. I also noticed that the usernames had up to 1323 login attempts but were blocked for two weeks for 30 attempts.


    Logwatch email (I've stripped out the IPs)
    Failed logins from:
    IP1: 333 times
    IP2: 1374 times
    IP3: 210 times
    IP4: 223 times

    Illegal users from:
    IP1: 3520 times
    IP2: 2815 times
    IP3: 427 times
    IP4: 9948 times


    My settings

    IP Based Brute Force Protection Period in minutes: 15
    Brute Force Protection Period in minutes: 5
    Maximum Failures By Account: 15
    Maximum Failures Per IP: 10
    Maximum Failures Per IP before IP is blocked for two week period: 30

    Send a notification upon successful root login when the IP is not whitelisted: off
    Extend account lockout time upon additional authentication failures: on
    Send notification when brute force user is detected: off
     
  2. Legin76

    Does anyone have any thoughts on this?

    Today there was one IP with over 11000 login attempts. Again, all the IPs are on the blacklist for 30 failed attempts. Did it really manage 11000 attempts before getting blocked, or did it keep counting even after it was blocked, or is cPHulk not working properly and it's managing to carry on connecting even after it's blocked?

    I've also just noticed that the Login/Brute History Report has nothing under failed logins. The Brutes (Excessive Login Failures) appears to be fine.

    WHM 11.32.3 (build 19)
    REDHAT Enterprise 5.8 i686 standard on srv04
     
    #2 Legin76, Jun 13, 2012
    Last edited: Jun 14, 2012
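
The question raised in both posts, whether the Logwatch totals were reached before or after an IP crossed the 30-failure threshold, can be checked from log timestamps. The following is an added example, not part of the original posts and not cPanel code; it assumes a simplified, constructed `timestamp ip result` log format and counts failures cumulatively, ignoring cPHulk's protection-period windows.

```python
from collections import defaultdict
from datetime import datetime

# "Maximum Failures Per IP before IP is blocked for two week period" from the post.
BLOCK_THRESHOLD = 30

def failures_after_threshold(lines, threshold=BLOCK_THRESHOLD):
    """Per IP: total failures, when the threshold-th failure was logged,
    and how many failures were logged after that point."""
    events = defaultdict(list)
    for line in lines:
        parts = line.split()
        if len(parts) != 3 or parts[2] != "FAIL":
            continue  # skip successful logins and malformed lines
        try:
            stamp = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
        except ValueError:
            continue  # unparseable timestamp
        events[parts[1]].append(stamp)
    report = {}
    for ip, stamps in events.items():
        stamps.sort()
        crossed = stamps[threshold - 1] if len(stamps) >= threshold else None
        report[ip] = {
            "total": len(stamps),
            "crossed_at": crossed,
            "after": len(stamps) - threshold if crossed else 0,
            "last": stamps[-1],
        }
    return report

def sample_lines():
    """Constructed data in an assumed 'timestamp ip result' format."""
    lines = [f"2012-06-13T02:00:{s:02d} 203.0.113.5 FAIL" for s in range(45)]
    lines += [f"2012-06-13T03:10:{s:02d} 198.51.100.7 FAIL" for s in range(3)]
    lines += ["2012-06-13T03:11:00 198.51.100.7 OK", "garbage line"]
    return lines

if __name__ == "__main__":
    for ip, row in sorted(failures_after_threshold(sample_lines()).items()):
        print(ip, row["total"], row["crossed_at"], row["after"], row["last"])
```

A large `after` value with a `last` timestamp well past `crossed_at` means the service kept logging failures from that IP after the threshold was reached, so the daily total alone does not show how many attempts happened before the block.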