SOLVED Using cPHulk and CSF Together?

sahostking · Nov 27, 2016

Decided to turn on CpHulk today as we just used CSF mainly and found cpHulk blocking some brute force attacks that CSF is not finding.

Looks like it improved alot. Do you guys recommend we still stick with CSF and just find the cause or is using both better now? or just cphulk

Lastly here is an example of cphulk blocking something CSF did not pickup.

Code:

Nov 27 20:16:57 lin02 pure-ftpd: (?@51.254.148.189) [INFO] New connection from 51.254.148.189
Nov 27 20:17:03 lin02 pure-ftpd: (?@51.254.148.189) [WARNING] Authentication failed for user [alexalarms]
Nov 27 20:17:03 lin02 pure-ftpd: (?@51.254.148.189) [INFO] Logout.
Nov 27 20:42:26 lin02 pure-ftpd: (?@51.254.148.189) [INFO] New connection from 51.254.148.189
Nov 27 20:42:30 lin02 pure-ftpd: (?@51.254.148.189) [WARNING] Authentication failed for user [mlclaw]
Nov 27 20:42:30 lin02 pure-ftpd: (?@51.254.148.189) [INFO] Logout.
Nov 27 21:06:32 lin02 pure-ftpd: (?@51.254.148.189) [INFO] New connection from 51.254.148.189
Nov 27 21:06:37 lin02 pure-ftpd: (?@51.254.148.189) [WARNING] Authentication failed for user [anolhealthcare]
Nov 27 21:06:37 lin02 pure-ftpd: (?@51.254.148.189) [INFO] Logout.
Nov 27 21:21:53 lin02 pure-ftpd: (?@51.254.148.189) [INFO] New connection from 51.254.148.189
Nov 27 21:21:57 lin02 pure-ftpd: (?@51.254.148.189) [WARNING] Authentication failed for user [fahrenheitrestaurant]
Nov 27 21:21:57 lin02 pure-ftpd: (?@51.254.148.189) [INFO] Logout.
Nov 27 21:38:29 lin02 pure-ftpd: (?@51.254.148.189) [INFO] New connection from 51.254.148.189
Nov 27 21:38:33 lin02 pure-ftpd: (?@51.254.148.189) [WARNING] Authentication failed for user [kidsparadise]
Nov 27 21:38:34 lin02 pure-ftpd: (?@51.254.148.189) [INFO] Logout.
Nov 27 21:55:13 lin02 pure-ftpd: (?@51.254.148.189) [INFO] New connection from 51.254.148.189
Nov 27 21:55:19 lin02 pure-ftpd: (?@51.254.148.189) [WARNING] Authentication failed for user [loupezelectrical]
Nov 27 21:55:19 lin02 pure-ftpd: (?@51.254.148.189) [INFO] Logout.
Nov 27 21:59:48 lin02 pure-ftpd: (?@51.254.148.189) [INFO] New connection from 51.254.148.189
Nov 27 21:59:52 lin02 pure-ftpd: (?@51.254.148.189) [WARNING] Authentication failed for user [thebusinessoasisgroup]
Nov 27 21:59:52 lin02 pure-ftpd: (?@51.254.148.189) [INFO] Logout.
Nov 27 22:55:05 lin02 pure-ftpd: (?@51.254.148.189) [INFO] New connection from 51.254.148.189
Nov 27 22:55:10 lin02 pure-ftpd: (?@51.254.148.189) [WARNING] Authentication failed for user [refugeepastoralcare]
Nov 27 22:55:11 lin02 pure-ftpd: (?@51.254.148.189) [INFO] Logout.

danielpmc · Nov 27, 2016

Hello sahostking,

Wow! Your cpHulk is working really well judging by your logs. I am curious about your settings. Do you have cpHulk set at default settings or have you altered them? If you altered them could you share your settings with us? I ask this because my cpHulk sits like a lump on a log. Nothing happens. But when i look at my CSF logs i nail the nefarious #$#$*. to the wall. My CSF blocks SSH, Exim and FTP abusers everyday, yet cpHulk does not hardly ever block anything.

sahostking said: ↑

Do you guys recommend we still stick with CSF and just find the cause or is using both better now?
Click to expand...

In my opinion i would rely on both services, simply because two security guards are better than one. Besides i could not imagine running a server(s) without a Firewall.

danielpmc

sahostking · Nov 27, 2016

Naaa just started it. No changes whatsoever.

I'm thinking of adding this to command text "csf --tempdeny %remote_ip% 3600"

Then when bruteforce is picked up with Cphulk it does not block there but rather in CSF? Anyone know if this will work well.

Going to test it shortly though.

sahostking · Nov 27, 2016

a ha - got it working

cPanelMichael · Nov 28, 2016

sahostking said: ↑

I'm thinking of adding this to command text "csf --tempdeny %remote_ip% 3600"

Then when bruteforce is picked up with Cphulk it does not block there but rather in CSF? Anyone know if this will work well.
Click to expand...

Yes, this should work as expected. However, you may want to disable "Block IP addresses at the firewall level if they trigger brute force protection" in your cPHulk configuraiton to avoid duplicate blocks of the IP address at the firewall level.

Thank you.

sahostking · Nov 29, 2016

Yip did that already thanks

Medical Websites · Oct 10, 2017

Glad I found this thread. Just had the support people at our hosting provider tell me to turn off cPhulk because I am already using csf and it therefore isn't needed. This came after I posed a question about why cPhulk was spawning lots of processes, adding to server load, which, to me suggested there were just a lot of brute force attacks that csf wasn't detecting (our servers are also supposedly protected by their hardware firewall).

Pleased I trusted my own instincts on this and did my own searches, and maybe time to look for another provider.

Forums

The Community Forums

Interact with an entire community of cPanel & WHM users!

SOLVED Using cPHulk and CSF Together?

sahostking Well-Known Member

danielpmc Well-Known Member

sahostking Well-Known Member

sahostking Well-Known Member

cPanelMichael Forums Analyst
Staff Member

sahostking Well-Known Member

Medical Websites Registered

cPhulkd causing soft lockup

SOLVED cphulk country whitelist using cli?

MySql crashes - PHP using most RAM

Using Git Version Control Question

Using Filezilla instead of PuTTY

Share This Page

Useful Searches

The Community Forums

Interact with an entire community of cPanel & WHM users!

SOLVED Using cPHulk and CSF Together?

sahostking Well-Known Member

danielpmc Well-Known Member

sahostking Well-Known Member

sahostking Well-Known Member

cPanelMichael Forums Analyst Staff Member

sahostking Well-Known Member

Medical Websites Registered

cPhulkd causing soft lockup

SOLVED cphulk country whitelist using cli?

MySql crashes - PHP using most RAM

Using Git Version Control Question

Using Filezilla instead of PuTTY

Share This Page

cPanelMichael Forums Analyst
Staff Member