Skip to main content

How to reference IP, ISP, data from cpHulk brute force emails in a command to append offenders to a csv list

mec-forum
I would like to append offending IPs to a csv list with the same data that is sent by cpHulkd warning emails so that I can later import offenders.csv in excel, sort it and report the abuse. Has anyone tried that? I would put the command in the cphulk interface for when an ip ban is triggered. I was thinking something like this but I lack knowledge of the proper variable names, if they exist at all... echo "$TRIGGER_TIME;$IP;$ISP;$REVERSE_DNS" >> /root/offenders.csv
I would also like to rotate the log file each month, but no clue as how to do that... Thanks in advance!

Comments

3 comments

Date Votes
  • cPanelLauren
    The variables that can be used are: The following variables may be used in commands: %exptime% - The Unix time when brute force protection will release the block %max_allowed_failures% - Maximum allowed failures to trigger this type (excessive or non-excessive failures) %current_failures% - Number of current failures %excessive_failures% - 0 (not an excessive login failure) or 1 (an excessive login failure) %reason% - The reason for the block %remote_ip% - The blocked IP address %authservice% - The last service to request authentication (for example, webmaild) %user% - The last username to request authentication %logintime% - The time of the request %ip_version% - The IP version (4 or 6)
    %logintime%
    would be $TRIGGER_TIME %remote_ip%
    would be $IP $ISP
    and $REVERSE_DNS
    wouldn't be variables available. You could probably write something that did lookups for those since all you'd need is the IP address to do so. For log rotation WHM>>Service Configuration>>cPanel Log Rotation Configuration you can select logs to be rotated (cPanel specific log files) then in WHM>>Server Configuratoin>>Tweak Settings you can set the size threshold at which you'd want the logs to be rotated.
    0
  • mec-forum
    Very useful! Thanks for the help!
    0
  • keat63
    Personally, I wouldn't bother reporting the abuse. You'll be at this for the rest of your life, your own personal time is more important. Install CSF firewall and let the firewall do all the hard wotk for you. CSF firewall also has a number of live lists of bad IP's that you can facilitate.
    0

Please sign in to leave a comment.

Didn't find what you were looking for?

New post