list of blocked countries with number of failed login attempts
I would like to make a query for blocked countries with the number of failed login attempts for each. cphulk is halfway there with the history reports one-day blocks list, but ain't nobody have time to sit and count countries one by one. Is there a way to run a query on the cphulk sqlite database for this?
I don't intend to just blankly block any country with failed login attempts, but certain countries like CN and RU seem obvious candidates.
-
Hey there! Sure - it's just a database, but the commands in SQLite are different than typical MySQL/MariaDB databases. The database is stored in /var/cpanel/hulkd/cphulk.sqlite. You can access the database with this command:

    sqlite3 /var/cpanel/hulkd/cphulk.sqlite

From there, you can use SQLite commands to manipulate the database. Reading tables is done with the ".tables" command:

    sqlite> .tables
    auths ip_lists login_track config_track known_netblocks

You'll likely want to pull data from the "login_track" table as that corresponds to the WHM >> cPHulk >> "History Reports" tab. Here's how that table is structured:

    sqlite> pragma table_info(login_track);
    0|USER|CHAR(128)|1||0
    1|ADDRESS|VARBINARY(16)|0|NULL|0
    2|SERVICE|CHAR(64)|0|NULL|0
    3|TYPE|INT(1)|0|NULL|0
    4|LOGINTIME|DATETIME|1|'0000-00-00 00:00:00'|0
    5|EXPTIME|DATETIME|1|'0000-00-00 00:00:00'|0
    6|NOTES|TEXT|0||0
    7|AUTHSERVICE|CHAR(64)|0|NULL|0
    8|AUTHTOKEN_HASH|CHAR(86)|0|''|0

0 -
If you need more easy on the eyes information for quick review, ConfigServer Security & Firewall has this covered under lfd blocking statistics. If you have CSF then ConfigServer Security & Firewall -> View lfd Statistics gets you something like this: 0 -
Cheers! Seems the ADDRESS field is empty, or is VARBINARY in a form that can't be displayed? 0 -
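Added example (not from any poster in this thread and not cPanel's own code): a per-country count over login_track that first decodes ADDRESS into readable text. It assumes ADDRESS holds the packed 4- or 16-byte form of the IP; `sample_country_of`, the XA/XB codes and the sample rows are constructed placeholders standing in for a real GeoIP lookup and real data.

```python
import ipaddress
import sqlite3
from collections import Counter

def decode_address(raw):
    """Return printable IP text for a login_track.ADDRESS value, or None."""
    if not raw:
        return None
    if isinstance(raw, str):                      # stored as text already
        return raw
    try:
        ip = ipaddress.ip_address(bytes(raw))     # 4- or 16-byte packed form
    except ValueError:
        return bytes(raw).decode("ascii", "replace")  # not packed: show as text
    return str(getattr(ip, "ipv4_mapped", None) or ip)

def failures_by_country(conn, country_of):
    """Sum login_track rows per country using a caller-supplied lookup."""
    counts = Counter()
    query = "SELECT ADDRESS, COUNT(*) FROM login_track GROUP BY ADDRESS"
    for raw, n in conn.execute(query):
        ip = decode_address(raw)
        counts[country_of(ip) if ip else "unknown"] += n
    return counts.most_common()

# Constructed sample data: documentation-range networks, placeholder codes.
SAMPLE_NETS = {"203.0.113.0/24": "XA", "198.51.100.0/24": "XB",
               "2001:db8::/32": "XB"}

def sample_country_of(ip_text):
    """Hypothetical stand-in for a GeoIP lookup."""
    ip = ipaddress.ip_address(ip_text)
    for net, code in SAMPLE_NETS.items():
        if ip in ipaddress.ip_network(net):
            return code
    return "unknown"

def build_sample_db():
    """In-memory table with a trimmed set of the login_track columns."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE login_track "
                 "(USER CHAR(128), ADDRESS VARBINARY(16), SERVICE CHAR(64))")
    for user, ip in [("root", "203.0.113.5"), ("root", "203.0.113.5"),
                     ("admin", "::ffff:198.51.100.7"), ("bob", "2001:db8::1"),
                     ("bob", None)]:
        packed = ipaddress.ip_address(ip).packed if ip else None
        conn.execute("INSERT INTO login_track VALUES (?, ?, 'sshd')", (user, packed))
    return conn

if __name__ == "__main__":
    for country, total in failures_by_country(build_sample_db(), sample_country_of):
        print(country, total)
```

Against the live server, pass a connection to /var/cpanel/hulkd/cphulk.sqlite and a lookup backed by whatever GeoIP data is available instead of the sample pieces.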
Yeah perhaps I should just install CSF/LFD. I used to have it installed but it didn't seem to make much difference... 0 -
Yeah perhaps I should just install CSF/LFD. I used to have it installed but it didn't seem to make much difference...
How long ago was that if I may ask? The geo function requires a private license key from MaxMind GeoLite2 or GeoIP2 since 2019-12-29. Without it the geoblock function will simply not work but also not throw up any warning about it. 0 -
Thanks, I didn't know that. So the license key is entered in csf.config - but the countries are selected on the cphulk page? Or is there a csf page to choose blacklisted countries that I didn't see? Nm, I got it. (It's in /etc/csf/csf.conf - ^CC-* settings.) 0