Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!

SOLVED Using cPHulk and CSF Together?

Discussion in 'Security' started by sahostking, Nov 27, 2016.

Tags:
  1. sahostking

    sahostking Well-Known Member

    Joined:
    May 15, 2012
    Messages:
    330
    Likes Received:
    3
    Trophy Points:
    68
    Location:
    Cape Town, South Africa
    cPanel Access Level:
    Root Administrator
    Decided to turn on CpHulk today as we just used CSF mainly and found cpHulk blocking some brute force attacks that CSF is not finding.

    Looks like it improved alot. Do you guys recommend we still stick with CSF and just find the cause or is using both better now? or just cphulk

    Lastly here is an example of cphulk blocking something CSF did not pickup.

    Code:
    Nov 27 20:16:57 lin02 pure-ftpd: (?@51.254.148.189) [INFO] New connection from 51.254.148.189
Nov 27 20:17:03 lin02 pure-ftpd: (?@51.254.148.189) [WARNING] Authentication failed for user [alexalarms]
Nov 27 20:17:03 lin02 pure-ftpd: (?@51.254.148.189) [INFO] Logout.
Nov 27 20:42:26 lin02 pure-ftpd: (?@51.254.148.189) [INFO] New connection from 51.254.148.189
Nov 27 20:42:30 lin02 pure-ftpd: (?@51.254.148.189) [WARNING] Authentication failed for user [mlclaw]
Nov 27 20:42:30 lin02 pure-ftpd: (?@51.254.148.189) [INFO] Logout.
Nov 27 21:06:32 lin02 pure-ftpd: (?@51.254.148.189) [INFO] New connection from 51.254.148.189
Nov 27 21:06:37 lin02 pure-ftpd: (?@51.254.148.189) [WARNING] Authentication failed for user [anolhealthcare]
Nov 27 21:06:37 lin02 pure-ftpd: (?@51.254.148.189) [INFO] Logout.
Nov 27 21:21:53 lin02 pure-ftpd: (?@51.254.148.189) [INFO] New connection from 51.254.148.189
Nov 27 21:21:57 lin02 pure-ftpd: (?@51.254.148.189) [WARNING] Authentication failed for user [fahrenheitrestaurant]
Nov 27 21:21:57 lin02 pure-ftpd: (?@51.254.148.189) [INFO] Logout.
Nov 27 21:38:29 lin02 pure-ftpd: (?@51.254.148.189) [INFO] New connection from 51.254.148.189
Nov 27 21:38:33 lin02 pure-ftpd: (?@51.254.148.189) [WARNING] Authentication failed for user [kidsparadise]
Nov 27 21:38:34 lin02 pure-ftpd: (?@51.254.148.189) [INFO] Logout.
Nov 27 21:55:13 lin02 pure-ftpd: (?@51.254.148.189) [INFO] New connection from 51.254.148.189
Nov 27 21:55:19 lin02 pure-ftpd: (?@51.254.148.189) [WARNING] Authentication failed for user [loupezelectrical]
Nov 27 21:55:19 lin02 pure-ftpd: (?@51.254.148.189) [INFO] Logout.
Nov 27 21:59:48 lin02 pure-ftpd: (?@51.254.148.189) [INFO] New connection from 51.254.148.189
Nov 27 21:59:52 lin02 pure-ftpd: (?@51.254.148.189) [WARNING] Authentication failed for user [thebusinessoasisgroup]
Nov 27 21:59:52 lin02 pure-ftpd: (?@51.254.148.189) [INFO] Logout.
Nov 27 22:55:05 lin02 pure-ftpd: (?@51.254.148.189) [INFO] New connection from 51.254.148.189
Nov 27 22:55:10 lin02 pure-ftpd: (?@51.254.148.189) [WARNING] Authentication failed for user [refugeepastoralcare]
Nov 27 22:55:11 lin02 pure-ftpd: (?@51.254.148.189) [INFO] Logout.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #1 sahostking, Nov 27, 2016
    Last edited by a moderator: Nov 27, 2016
  2. danielpmc

    danielpmc Well-Known Member

    Joined:
    Nov 3, 2016
    Messages:
    76
    Likes Received:
    32
    Trophy Points:
    18
    Location:
    Gainesville, Florida
    cPanel Access Level:
    Reseller Owner
    Hello sahostking,

    Wow! Your cpHulk is working really well judging by your logs. I am curious about your settings. Do you have cpHulk set at default settings or have you altered them? If you altered them could you share your settings with us? I ask this because my cpHulk sits like a lump on a log. Nothing happens. But when i look at my CSF logs i nail the nefarious #$#$*. to the wall. My CSF blocks SSH, Exim and FTP abusers everyday, yet cpHulk does not hardly ever block anything.

    In my opinion i would rely on both services, simply because two security guards are better than one. Besides i could not imagine running a server(s) without a Firewall.

    danielpmc
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #2 danielpmc, Nov 27, 2016
  3. sahostking

    sahostking Well-Known Member

    Joined:
    May 15, 2012
    Messages:
    330
    Likes Received:
    3
    Trophy Points:
    68
    Location:
    Cape Town, South Africa
    cPanel Access Level:
    Root Administrator
    Naaa just started it. No changes whatsoever.

    I'm thinking of adding this to command text "csf --tempdeny %remote_ip% 3600"

    Then when bruteforce is picked up with Cphulk it does not block there but rather in CSF? Anyone know if this will work well.

    Going to test it shortly though.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #3 sahostking, Nov 27, 2016
  4. sahostking

    sahostking Well-Known Member

    Joined:
    May 15, 2012
    Messages:
    330
    Likes Received:
    3
    Trophy Points:
    68
    Location:
    Cape Town, South Africa
    cPanel Access Level:
    Root Administrator
    a ha - got it working :)
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #4 sahostking, Nov 27, 2016
    danielpmc likes this.
  5. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    44,809
    Likes Received:
    1,898
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Twitter:
    Yes, this should work as expected. However, you may want to disable "Block IP addresses at the firewall level if they trigger brute force protection" in your cPHulk configuraiton to avoid duplicate blocks of the IP address at the firewall level.

    Thank you.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #5 cPanelMichael, Nov 28, 2016
    danielpmc likes this.
  6. sahostking

    sahostking Well-Known Member

    Joined:
    May 15, 2012
    Messages:
    330
    Likes Received:
    3
    Trophy Points:
    68
    Location:
    Cape Town, South Africa
    cPanel Access Level:
    Root Administrator
    Yip did that already thanks
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #6 sahostking, Nov 29, 2016
  7. Medical Websites

    Medical Websites Registered

    Joined:
    Oct 10, 2017
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Australia
    cPanel Access Level:
    Root Administrator
    Glad I found this thread. Just had the support people at our hosting provider tell me to turn off cPhulk because I am already using csf and it therefore isn't needed. This came after I posed a question about why cPhulk was spawning lots of processes, adding to server load, which, to me suggested there were just a lot of brute force attacks that csf wasn't detecting (our servers are also supposedly protected by their hardware firewall).

    Pleased I trusted my own instincts on this and did my own searches, and maybe time to look for another provider.
     
    #7 Medical Websites, Oct 10, 2017
(You must log in or sign up to post here.)
Loading...
Similar Threads - Using cPHulk Together
  1. dstana

    cPhulkd causing soft lockup

    dstana, May 30, 2018, in forum: General Discussion
    Replies:
    5
    Views:
    286
    cPanelMichael
    May 31, 2018
  2. NotNulled

    SOLVED cphulk country whitelist using cli?

    NotNulled, May 14, 2018, in forum: Security
    Replies:
    1
    Views:
    133
    cPanelMichael
    May 15, 2018
  3. sting01

    New Thread Blocking email with Exim4 using the IP

    sting01, Oct 19, 2018 at 5:06 AM, in forum: E-mail Discussion
    Replies:
    1
    Views:
    48
    keat63
    Oct 19, 2018 at 5:23 AM
  4. HO PK

    Access website using VPS IP Address?

    HO PK, Oct 18, 2018 at 5:42 AM, in forum: Bind/DNS/Nameserver
    Replies:
    1
    Views:
    50
    cPanelLauren
    Oct 22, 2018 at 12:27 PM
  5. Sujoy Dhar

    Which backup Service you are using?

    Sujoy Dhar, Oct 13, 2018, in forum: Data Protection
    Replies:
    3
    Views:
    98
    cPanelLauren
    Oct 16, 2018

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...
    Dismiss Notice