cpHulk alerts while running CSF

vlus

• January 03, 2014 16:28

Hello, I understand (albeit vaguely :-) that cpHulk and CSF do their jobs differently, however, I have CSF set up with CC_ALLOW_FILTER=US which my understanding is will essentially block or make my website, mail servers, etc invisible to virtually all other IP's. I am still getting several Failed Login alerts each day from cpHulk from around the world, which I dont quite understand. If CSF is protecting me with CC_ALLOW how could I still get hit? Thanks for any guidance. I've been trying to post to the CSF board, but havent had any replies yet, so I'm hoping you folks can help :-) Thanks! Vlus

• 

  jakesully

  • January 03, 2014 22:05

  i don't think CC_ALLOW_FILTER=US will be protecting the cpanel ports area since you gota enable SSH keys for alerts you get to stop if it's failed login attempt mails you get from cpanel/whm. Also disable password login on SSH and then you can also make so any other ips trying to login on WHM can't by using host control feature inside WHM area write 1 box with allow and what service then give your ip and then next form under you do deny and then all on that so it will deny every ip execpt for yours :) that way it can also stop these nasty brute force bots trying to gain root access :)

  0
• 

  vlus

  • January 04, 2014 21:38

  Much appreciate your reply! Also disable password login on SSH already have done that and then you can also make so any other ips trying to login on WHM can't by using host control feature inside WHM area write 1 box with allow and what service then give your ip and then next form under you do deny and then all on that so it will deny every ip execpt for yoursalready have done that These measures stop the hackers from getting in but they dont stop the hack attempt, since they can still 'see' my server. Just moments ago CSF/LFD blocked a Chinese hack attempt at my cPanel. So, this brings me full circle to my initial question. If CC_ALLOW_FILTER=US includes only those IP addresses which are allowed even "see" that my IP exists, how can someone on any other IP address attempt a hack at an IP that they aren't supposed to be able to "see" exist? Not sure if I'm asking this question properly, or if I'm understand the correct function of CC_ALLOW_FILTER for that matter. From what I've read on this, it just seems this filter would stop everyone else at the door, and therefore there would not be any alerts at all? Possible epiphany... or, does it stop everyone else at the door and send the alert that it blocked them? LOL, I don't know... is there anyone out there not in the US that wants to try to surf my site or send me an email? Theoretically you should not be able to accomplish either :-) Vlus

  0
• 

  cPanelMichael

  • January 06, 2014 12:33

  Hello :) It's possible this is a bug with the CSF software that you will need to report to it's developers. Have you tried restarting CSF to see if that makes a difference? Thank you.

  0

Please sign in to leave a comment.