WHM cPHulk configuration

[Spirogg]

hi,
I was wondering about these settings


Warning: The command must complete within 15 seconds to avoid a timeout.
The following variables may be used in commands:

• %exptime% - The Unix time when brute force protection will release the block
• %max_allowed_failures% - Maximum allowed failures to trigger this type (excessive or non-excessive failures)
• %current_failures% - Number of current failures
• %excessive_failures% - 0 (not an excessive login failure) or 1 (an excessive login failure)
• %reason% - The reason for the block
• %remote_ip% - The blocked IP address
• %authservice% - The last service to request authentication (for example, webmaild)
• %user% - The last username to request authentication
• %logintime% - The time of the request
• %ip_version% - The IP version (4 or 6)

where do you see the output of this? when you add a variable or 2 or 3?

also if you have CSF installed and set the check mark to block IP at firewall level,

- Block IP addresses at the firewall level if they trigger brute force protection

- Block IP addresses at the firewall level if they trigger a one-day block

does it add it to CSF with the variables so we know it was from cPHulk?

if not, where can you see the IP's and any information that those ips were blocked ?



The Reason I ask?
- I have a check mark next to both settings and set to:
[Maximum Failures per IP Address = 2]
[Maximum Failures per IP Address before the IP Address is Blocked for One Day = 2]

so if they trigger 2 and i have those checkmarks they should be blocked in firewall, but I do not think its working.

so that's why I'm posting here

thanks

Spiro

 

[cPRex]

Hey hey! This is interesting - could you make a ticket for this one so we can check it out?

 

[Spirogg]

Hey hey! This is interesting - could you make a ticket for this one so we can check it out?

https://support.cpanel.net/hc/en-us/articles/4402762538263?input_string=cphulk+does+not+add+ip+to+firewall+if+you+select+the+check+marks+in+cphulk

We've opened an internal case for our development team to investigate this further. For reference, the case number is CPANEL-37418. Follow this article to receive an email notification when a solution is published in the product.



Workaround
There is currently no work around at this time. You may manually block IPs if required through Iptables or if the CSF plugin is installed.

Just saw this so no need to open ticket (unless you still want me too?)

can you see if they can give you an update - cause that stinks if it does not work and its been 6 months already and no fix yet?

 

[cPRex]

I don't have any updates to provide on this one, but I did leave a note saying that you were still experiencing the issue.

 

[Spirogg]

I don't have any updates to provide on this one, but I did leave a note saying that you were still experiencing the issue.

UPDATE:06/05/22

@cPRex I did add a support ticket and got it to work with CSF by adding the syntax in the text box below shown in the snapshot.

The syntax used for the block command will depend on the firewall being used. I see the server is using CSF. The following article covers some useful CSF commands, including how to block IPs.

Useful CSF Commands

So as an example, you could use a command like the following. This should block the offending IP with a comment stating why.

/usr/sbin/csf -d %remote_ip% %reason%

Command to Run When an IP Address Triggers Brute Force Protection

Warning: The command must complete within 15 seconds to avoid a timeout.

The following variables may be used in commands:

• %exptime% - The Unix time when brute force protection will release the block
• %max_allowed_failures% - Maximum allowed failures to trigger this type (excessive or non-excessive failures)
• %current_failures% - Number of current failures
• %excessive_failures% - 0 (not an excessive login failure) or 1 (an excessive login failure)
• %reason% - The reason for the block
• %remote_ip% - The blocked IP address
• %authservice% - The last service to request authentication (for example, webmaild)
• %user% - The last username to request authentication
• %logintime% - The time of the request
• %ip_version% - The IP version (4 or 6)

this worked as shown in the snapshot below. now when adding 2 3 4 5 10 ? to Maximum failure per IP address
then adding /usr/sbin/csf -d %remote_ip% %reason% to: Command to Run When an IP Address Triggers Brute Force Protection


The IP's will be blocked in CSF Deny List





He did also mention:

You do not have to provide a command to run to block the IP. That said, please note that checking that box will add IP block rules directly to kernel iptables. As such, it will not integrate with firewall frontends, such as CSF. While this will generally work fine, there could be some issues. For example, restarting CSF could potentially remove all of the cPHulk rules added directly to kernel iptables, so those IPs would no longer be blocked. Exactly what interaction this would have with the firewall frontend will depend on the specific software used. Unfortunately I can't say exactly how this will work with CSF.

The documentation below covers these settings in more detail.

https://docs.cpanel.net/whm/security-center/cphulk-brute-force-protection/

-------------------------------------------------------------------------------------------------------------------------

PS - I did test the Syntax /usr/sbin/csf -d %remote_ip% %reason%
and it did block the IP and added it to CSF deny list.

so that solves the issue for me.

Thanks I posted this here just incase someone else might find this helpful

Spiro