The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Setting up CPhulk to ban for 3 months

Discussion in 'Security' started by Pete1959, Mar 18, 2015.

  1. Pete1959

    Pete1959 Member

    Joined:
    Mar 18, 2015
    Messages:
    10
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Australia
    cPanel Access Level:
    Reseller Owner
    I have latest version of CPHulk and it only bans for 1 day.
    How do I set it up to ban for 3 months?
    There are no options for that...

    to be clear this is what I want to achieve.
    Any wrong password attempts more than 4 will get banned for 3 months
     
    #1 Pete1959, Mar 18, 2015
    Last edited by a moderator: Mar 18, 2015
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,723
    Likes Received:
    660
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello,

    Have you tried updating "IP Address-based Brute Force Protection Period (in minutes)" to a value such as 129600? That's equivalent to 90 days.

    Thank you.
     
  3. Pete1959

    Pete1959 Member

    Joined:
    Mar 18, 2015
    Messages:
    10
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Australia
    cPanel Access Level:
    Reseller Owner
    yes but the one day ban section. What do I do there?
    That seems to overide the two other sections

    here is my current setup

    - Removed -
     
    #3 Pete1959, Mar 18, 2015
    Last edited by a moderator: Mar 30, 2015
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,723
    Likes Received:
    660
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    You can set the one day value to a higher number so it's not triggered, and so only the "IP Address-based Brute Force Protection Period (in minutes)" is utilized. However, if you are seeking native support for an option to change 1-day to 3-day in the interface, then it's a good idea to open a feature request:

    https://forums.cpanel.net/pages/cpfeatures

    Thank you.
     
  5. Pete1959

    Pete1959 Member

    Joined:
    Mar 18, 2015
    Messages:
    10
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Australia
    cPanel Access Level:
    Reseller Owner
    I thought I did that but still they were only getting banned for 1 day
     
  6. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,723
    Likes Received:
    660
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Feel free to open a support ticket using the link in my signature so we can take a closer look. You can post the ticket number here so we can update this thread with the outcome.

    Thank you.
     
  7. Pete1959

    Pete1959 Member

    Joined:
    Mar 18, 2015
    Messages:
    10
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Australia
    cPanel Access Level:
    Reseller Owner
    If you can give me the 5 figures I should insert into the 5 fields shown in my pic above, to get the end result then I will try once more and report if it does not work.
    I want to simply have anyone that has 4 wrong password attempts to be banned for 3 months.

    thanks
     
  8. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,723
    Likes Received:
    660
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Change "Brute Force Protection Period (in minutes)" to 5. Change "Maximum Failures per IP Address before the IP Address is Blocked for One Day" to a high value, such as "9999999".

    Thank you.
     
  9. Pete1959

    Pete1959 Member

    Joined:
    Mar 18, 2015
    Messages:
    10
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Australia
    cPanel Access Level:
    Reseller Owner
    ?
    That doesn't sound like it will block for 3 months on 4 wrong attempts.
    Pls re explain

    Could the problem be that i am on a VPS running on Virtuozzo??

    I have the
    Maximum Failures per IP Address before the IP Address is Blocked for One Day setting set to 50.
    the other 2 set to 4 attempts to block for 3mths in minutes.
    It still blocks only for one day...
     
    #9 Pete1959, Mar 25, 2015
    Last edited by a moderator: Mar 30, 2015
  10. Pete1959

    Pete1959 Member

    Joined:
    Mar 18, 2015
    Messages:
    10
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Australia
    cPanel Access Level:
    Reseller Owner
    so I changed the
    Login History
    Duration for Retaining Failed Logins (in minutes)
    TO 131487

    And now when I go to history the blocks work for 3 months eg...

    ftp
    pure-ftpd
    2015-03-26 15:56:35 to 2015-06-25 22:23:35
    131417 minutes remaining

    Whew
     
  11. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,723
    Likes Received:
    660
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
  12. Pete1959

    Pete1959 Member

    Joined:
    Mar 18, 2015
    Messages:
    10
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Australia
    cPanel Access Level:
    Reseller Owner
    As it was a bit confusing for me to get a 3 month ban I thought I would show my settings here for others to see.
    The thing that made the difference was the last setting, keepng the login history for same setting as the others above..
    Hope it helps some others out there scratching their head like I was.

    - Removed - Please Attach Images to Posts -
     
    #12 Pete1959, Mar 29, 2015
    Last edited by a moderator: Mar 30, 2015
  13. ideafrog

    ideafrog Registered

    Joined:
    May 15, 2015
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Spear
    cPanel Access Level:
    Root Administrator
    OK - I need some clarification. In previous versions of cPHulk, I was able to configure so that someone was banned for up to two weeks.

    My Settings:

    User Based Protection
    Brute Force Protection Period: (in minutes)
    20 [this is the time period within which the server monitors for incorrect access attempts]
    Maximum Failures by Account: 3 (I only want to allow for 3 attempts before that user is blocked)

    IP Address-based Protection
    IP Address-based Brute Force Protection Period (in minutes): 20
    [the monitored period]
    Maximum Failures per IP Address: 3

    One-Day Protection ****
    Maximum Failures per IP Address before the IP Address is Blocked for One Day: 3


    Login History
    Duration for Retaining Failed Logins (in minutes): 20160 (
    two weeks)

    PROBLEM:

    When I review the logs:
    • Failed Logins shows multiple accounts and has the 20610 period and counting down
    • Blocked Users is empty
    • Blocked IP Addresses is empty
    • One-Day Blocks has a list of IPs that "IP reached maximum auth failures for a one day block" and at most are blocked for ONE day ***
    Objective: When someone fraudulently tries to log into my server, their IP is blocked for a period of time (ideally that I can configure).

    In the settings above, I have it configured to monitor logins, and when 3 failures occur within a 20 minute period, it is locked down - however I cannot find a combination that allows me to block it for more than one day - and I cannot log in every day to blacklist IPs (too time consuming!)

    HOW do I increase the period to block the IP from being able to attempt to log in beyond One Day (denoted by the *** above)??

    In an ideal world, if the IP was blocked - it would be added to the blacklist therefore never able to attempt again. Because it is only a SINGLE DAY, attempts are being made CONSTANTLY against the server - utilizing resources and putting it at risk.

    Please advise if I am misunderstanding something.
     
  14. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,723
    Likes Received:
    660
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    This is not the time frame of the monitored period. It's the number of minutes during which cPHulk blocks an attacker's IP address. You can increase this to block an IP address for a longer period of time.

    Thank you.
     
  15. Wabun

    Wabun Well-Known Member

    Joined:
    Oct 6, 2012
    Messages:
    56
    Likes Received:
    2
    Trophy Points:
    8
    Location:
    Antwerpen
    cPanel Access Level:
    Root Administrator
    @Pete1959, have you considered to install CSF?
     
  16. vlee

    vlee Well-Known Member

    Joined:
    Oct 13, 2005
    Messages:
    272
    Likes Received:
    6
    Trophy Points:
    18
    Location:
    Las Vegas, Nevada, United Stat
    cPanel Access Level:
    Root Administrator
    Due to some recent issues that I had with CSF I had to uninstall CSF and only use Brute Force Protection.

    CSF was great for many years until lately it started showing issues and blocking everything and cause all my servers to go down.

    So here is my Brute Force Protection Settings below.

    User Based Protection
    Brute Force Protection Period: (in minutes) 15
    Maximum Failures by Account: 5

    IP Address-based Protection
    IP Address-based Brute Force Protection Period (in minutes): 30
    Maximum Failures per IP Address: 10

    One-Day Protection
    Maximum Failures per IP Address before the IP Address is Blocked for One Day: 15

    Login History
    Duration for Retaining Failed Logins (in minutes): 129600

    Until the vendor of CSF fix the issues I am staying this way for the time being.

    Note: I am also running COMODO ModSecurity Rules for Apache Rule Set on all servers.
     
Loading...

Share This Page