More about using cPhulk with CSF/LFD together

Metro2

Quoting from an old thread that can no longer accept new posts at SOLVED - Using cPHulk and CSF Together?

> Naaa just started it. No changes whatsoever.
>
> I'm thinking of adding this to command text "csf --tempdeny %remote_ip% 3600"
>
> Then when bruteforce is picked up with Cphulk it does not block there but rather in CSF? Anyone know if this will work well.
>
> Going to test it shortly though.

I know this is an old topic, but I've just recently decided to try keeping cPhulk enabled along with CSF/LFD (I've always had it disabled, thinking that there might be some conflict and not wanting to take the chance).

So @sahostking - I'm just wondering if this configuration is still working well for you, and if adding:

Code:
csf --tempdeny %remote_ip% 3600
to your cPhulk command text is all you needed to do to get the results you want, without further modification.

I was going to PM @sahostking but it looks like they have PMs disabled, so I'm bringing this old topic back up instead, hoping you might have a moment to provide a little more feedback on your experience of using cPhulk and CSF/LFD simultaneously.

Thanks very much for any input, from anyone!
 

rpvw

I used to use commands like
Code:
/usr/sbin/csf -td %remote_ip% 86400 %authservice% - %reason% - %user%
to send the block into the CSF temp table, but I discontinued that some time ago, and just let cPHulk and CSF do their own things now independently of each other.

cPHulk has matured into an excellent stand-alone utility, and unless you have a compelling reason to send the bans to be controlled by CSF, you might as well leave it as it comes out of the box :-D
 

Metro2

Thank you very much for the response / feedback.

The main thing I want to avoid is ending up with duplicate entries for blocks in iptables, but I'm also trying to make sure things are configured so that the more powerful features / alerts from CSF/LFD which help identify the reason for a block continue to work that way. I understand that cPhulk has much improved over the years and is beneficial, and basically just don't want it stepping on CSF's toes, so to speak. (I also want to avoid entire company accounts getting blocked from their email over a remote attack, of course.)

So since I consider CSF/LFD my "main" line of defense and method for getting the detailed info I need about specific block reasons and attacker info etc... I've configured cPhulk as follows:

Username-based Protection - DISABLED (since apparently remote attacks can cause legitimate users to be blocked from their email access).

IP Address-based Protection - ENABLED (10 minutes, 7 failures since CSF is set to 5) and DISABLED the "Block IP addresses at the firewall level", since again I perceive that to be CSF/LFD's main purpose.

Maximum Failures per IP Address before the IP Address is Blocked for One Day - set to 20, no command text, and DISABLED the "Block IP addresses at the firewall level" for the same reasons mentioned above.

If I'm thinking correctly - this should allow the main benefits of cPhulk to exist and work, but without interfering with my CSF/LFD settings or it doing its job the way it normally would.

If I'm assuming anything incorrect with the above settings I'd like to know.

I'm really open to all opinions on this topic because cPhulk is new territory for me, as I've had it disabled and only used CSF/LFD/CXS for many years now.

Thanks for any further input from anyone, much appreciated.
 

cPanelLauren

Product Owner
Staff member
Hi @Metro2


There shouldn't be any issues with using CSF and cPHulk at the same time. You can disable firewall level blocking as you noted you might do to ensure that you don't double block something but it's doubtful you'd even run into an issue in this instance. You might watch it for a while and compare IPs on cPhulk's hitlist to IPs blocked with CSF.
 
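One way to run the comparison suggested in the last reply, as an added example that is not part of the thread and is not cPanel's or CSF's own tooling. It assumes the cPHulk addresses have been saved as plain text, one per line, and that the CSF side is text in csf.deny style (`IP-or-CIDR # comment`); the function names are hypothetical and the sample data is constructed.

```python
import ipaddress
import re

# Token that looks like an IPv4 address or an IPv4 CIDR block.
_NET_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}(?:/\d{1,2})?\b")

# Constructed sample data (documentation address ranges), not real block lists.
CPHULK_SAMPLE = "198.51.100.7\n203.0.113.45\n192.0.2.200\n"
CSF_SAMPLE = """\
# constructed csf.deny-style lines
198.51.100.7 # lfd: (smtpauth) Failed SMTP AUTH login from 198.51.100.7
192.0.2.0/24 # manually added range
203.0.113.99 # lfd: (sshd) Failed SSH login from 203.0.113.99
"""


def parse_networks(text):
    """Return the set of IPv4 networks named in a block-list export.

    Text after '#' is treated as a comment, so an address quoted in the
    block reason is not counted as a separate entry.
    """
    nets = set()
    for line in text.splitlines():
        entry = line.split("#", 1)[0]
        for token in _NET_RE.findall(entry):
            try:
                nets.add(ipaddress.ip_network(token, strict=False))
            except ValueError:
                continue  # looks like an address but is not valid
    return nets


def _label(net):
    # Show single hosts as a bare address, ranges with their prefix.
    return str(net.network_address) if net.prefixlen == 32 else str(net)


def compare(cphulk_text, csf_text):
    """Split cPHulk-listed addresses by whether a CSF entry covers them."""
    csf_nets = parse_networks(csf_text)
    both, cphulk_only = [], []
    for net in sorted(parse_networks(cphulk_text)):
        covered = any(net.subnet_of(c) for c in csf_nets)
        (both if covered else cphulk_only).append(_label(net))
    return both, cphulk_only


if __name__ == "__main__":
    print(compare(CPHULK_SAMPLE, CSF_SAMPLE))
```

Addresses in the first list are the ones present on both sides, including those covered only by a CSF range entry, so they are the candidates for a duplicate block if cPHulk's firewall-level blocking were also enabled.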