More about using cPhulk with CSF/LFD together

Discussion in 'Security' started by Metro2, Dec 14, 2018.

  1. Metro2

    Metro2 Well-Known Member

    Quoting from an old thread that can no longer accept new posts at SOLVED - Using cPHulk and CSF Together?

    I know this is an old topic, but I've just recently decided to try keeping cPhulk enabled along with CSF/LFD (I've always had it disabled, thinking that there might be some conflict and not wanting to take the chance).

    So @sahostking - I'm just wondering if this configuration is still working well for you, and if adding:

    Code:
    csf --tempdeny %remote_ip% 3600
    to your cPhulk command text is all you needed to do to get the results you want, without further modification.

    I was going to PM @sahostking but it looks like they have PMs disabled, so I'm bringing this old topic back up instead, hoping you might have a moment to provide a little more feedback on your experience of using cPhulk and CSF/LFD simultaneously.

    Thanks very much for any input, from anyone!
     
  2. rpvw

    rpvw Well-Known Member

    I used to use commands like
    Code:
    /usr/sbin/csf -td %remote_ip% 86400 %authservice% - %reason% - %user%
    
    to send the block into the CSF temp table, but I discontinued that some time ago, and just let cPHulk and CSF do their own things now independently of each other.

    cPHulk has matured into an excellent stand-alone utility, and unless you have a compelling reason to send the bans to be controlled by CSF, you might as well leave it as it comes out of the box :-D
     
    cPanelLauren and Metro2 like this.
  3. Metro2

    Metro2 Well-Known Member

    Thank you very much for the response / feedback.

    The main thing I want to avoid is ending up with duplicate entries for blocks in iptables, but I'm also trying to make sure things are configured so that the more powerful features / alerts from CSF/LFD which help identify the reason for a block continue to work that way. I understand that cPhulk has much improved over the years and is beneficial, and basically just don't want it stepping on CSF's toes, so to speak. (I also want to avoid entire company accounts getting blocked from their email over a remote attack, of course.)

    So since I consider CSF/LFD my "main" line of defense and method for getting the detailed info I need about specific block reasons and attacker info etc... I've configured cPhulk as follows:

    Username-based Protection - DISABLED (since apparently remote attacks can cause legitimate users to be blocked from their email access).

    IP Address-based Protection - ENABLED (10 minutes, 7 failures since CSF is set to 5) and DISABLED the "Block IP addresses at the firewall level", since again I perceive that to be CSF/LFD's main purpose.

    Maximum Failures per IP Address before the IP Address is Blocked for One Day - set to 20, no command text, and DISABLED the "Block IP addresses at the firewall level" for the same reasons mentioned above.

    If I'm thinking correctly - this should allow the main benefits of cPhulk to exist and work, but without interfering with my CSF/LFD settings or it doing its job the way it normally would.

    If I'm assuming anything incorrect with the above settings I'd like to know.

    I'm really open to all opinions on this topic because cPhulk is new territory for me, as I've had it disabled and only used CSF/LFD/CXS for many years now.

    Thanks for any further input from anyone, much appreciated.
     
  4. cPanelLauren

    cPanelLauren Forums Analyst II Staff Member

    Hi @Metro2


    There shouldn't be any issues with using CSF and cPHulk at the same time. You can disable firewall level blocking, as you noted you might do, to ensure that you don't double block something, but it's doubtful you'd even run into an issue in this instance. You might watch it for a while and compare IPs on cPhulk's hitlist to IPs blocked with CSF.
     
    Metro2 likes this.
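
The comparison suggested in the post above can be scripted. This is an added example, not code from the thread or from cPanel or CSF: it pulls IPv4 addresses out of two saved text listings and reports which addresses appear in both. The function names, file names and sample lines are constructed for illustration and do not reproduce either tool's real output format.

```shell
#!/bin/sh
# Added example: cross-check cPHulk's list against CSF's blocks (IPv4 only).
# Works on saved text listings, so no particular output format is assumed.
LC_ALL=C; export LC_ALL

# Print the unique, valid IPv4 addresses found in the text on stdin.
extract_ips() {
    grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' |
        awk -F. '$1<=255 && $2<=255 && $3<=255 && $4<=255' | sort -u
}

# in_both A B: addresses that appear in both listings (blocked twice).
in_both() {
    t=$(mktemp) || return 1
    extract_ips < "$2" > "$t"
    extract_ips < "$1" | grep -Fxf "$t" || true   # no overlap is not an error
    rm -f "$t"
}

# only_in A B: addresses in listing A that listing B does not contain.
only_in() {
    t=$(mktemp) || return 1
    extract_ips < "$2" > "$t"
    extract_ips < "$1" | grep -vFxf "$t" || true
    rm -f "$t"
}

# Write constructed sample listings (documentation address ranges) into DIR.
make_samples() {
    cat > "$1/cphulk.txt" <<'EOF'
192.0.2.10 service=dovecot failures=7
198.51.100.23 service=cpaneld failures=9
203.0.113.5 service=ftpd failures=20
EOF
    cat > "$1/csf.txt" <<'EOF'
DENY 198.51.100.23 ttl=3600 lfd: failed IMAP logins
DENY 203.0.113.77 ttl=3600 lfd: port scan
DENY 203.0.113.5 ttl=86400 lfd: failed FTP logins
EOF
}

d=$(mktemp -d) && make_samples "$d"
echo "In both lists:"; in_both "$d/cphulk.txt" "$d/csf.txt"
echo "cPHulk only:";   only_in "$d/cphulk.txt" "$d/csf.txt"
echo "CSF only:";      only_in "$d/csf.txt" "$d/cphulk.txt"
rm -rf "$d"
```

Addresses reported under "In both lists" are the ones to check for duplicate firewall entries; an empty result there means the two tools are not overlapping on the sampled data.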
  5. Metro2

    Metro2 Well-Known Member

    Thank you for the feedback @cPanelLauren, every little bit is helpful.
     
    cPanelLauren likes this.