
cPHulk Brute Force Protection causing valid logins to fail

Comments

3 comments

  • cPanelMichael
    1. Why would cPanel's cPHulk block an IP and leave no trace of such a blockage?
    2. What's the remedy to the situation we find ourselves in?

    Hello,

    Is "Block IP addresses at the firewall level if they trigger brute force protection" enabled in "WHM Home >> Security Center >> cPHulk Brute Force Protection"? If so, this will block IP addresses at the firewall level. Review the following document, and then compare the documented settings with your configured values:

    cPHulk Brute Force Protection - Documentation - cPanel Documentation

    Thank you.
    0
  • Mugoma
    We have the following settings.

    Brute Force Protection Period (in minutes): 5
    Maximum Failures by Account: 15
    IP Address-based Brute Force Protection Period (in minutes): 60
    Maximum Failures per IP Address: 3
    Block IP addresses at the firewall level if they trigger brute force protection: FALSE (UNCHECKED)
    Maximum Failures per IP Address before the IP Address is Blocked for One Day: 10
    Block IP addresses at the firewall level if they trigger a one-day block: TRUE (CHECKED)
    Duration for Retaining Failed Logins (in minutes): 360

    Then:
    1. Apply protection to local addresses only
    2. IP Address-based Protection

    Before raising the ticket I checked the firewall and didn't see anything:

        # iptables -L INPUT -v -n
        Chain INPUT (policy ACCEPT 263K packets, 162M bytes)
         pkts bytes target     prot opt in     out     source               destination
          86M   27G acctboth   all  --  *      *       0.0.0.0/0            0.0.0.0/0
         217M   75G cphulk     all  --  *      *       0.0.0.0/0            0.0.0.0/0

    So, to answer your question, there's an option to block at the firewall but the firewall doesn't show anything. Is there another way to check this?

    Another thing, we receive an email for all brute force attempts. For all the cases where there's no record for the IP being blocked on WHM we also don't have an email pertaining to that IP being involved in brute force.

    Thanks.
    0
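
The `iptables -L INPUT` listing in the post above prints only the INPUT chain, so it shows the jump to the `cphulk` chain but not any rules inside that chain. The following is an added example, not part of the thread and not cPanel's code: it follows jumps from INPUT and reports DROP/REJECT rules for one source address. The sample ruleset, the address 203.0.113.7 and the function names are constructed for illustration, and it assumes the host uses plain iptables rules as in the post.

```shell
# Constructed sample of `iptables -S` output (not taken from the thread).
sample_rules() {
cat <<'EOF'
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N acctboth
-N cphulk
-A INPUT -j acctboth
-A INPUT -j cphulk
-A cphulk -s 203.0.113.7/32 -j DROP
EOF
}

# find_blocks IP (hypothetical helper): read `iptables -S` text on stdin, walk
# every chain reachable from INPUT through -j jumps, and print "chain<TAB>rule"
# for each DROP/REJECT rule whose -s source is exactly IP. CIDR ranges that
# merely contain IP are not matched.
find_blocks() {
  awk -v ip="$1" '
    $1 == "-A" { chain = $2; rules[chain, ++n[chain]] = $0 }
    END {
      queue[1] = "INPUT"; seen["INPUT"] = 1; head = 1; tail = 1
      while (head <= tail) {
        c = queue[head++]
        for (i = 1; i <= n[c]; i++) {
          r = rules[c, i]; src = ""; tgt = ""
          k = split(r, f, " ")
          for (j = 1; j < k; j++) {
            if (f[j] == "-s") src = f[j + 1]
            if (f[j] == "-j") tgt = f[j + 1]
          }
          sub(/\/32$/, "", src)
          if ((tgt == "DROP" || tgt == "REJECT") && src == ip)
            print c "\t" r
          else if ((tgt in n) && !(tgt in seen)) {
            seen[tgt] = 1; queue[++tail] = tgt
          }
        }
      }
    }'
}

# On a live host (as root): iptables -S | find_blocks <address>
sample_rules | find_blocks 203.0.113.7
```
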
  • cPanelMichael
    Maximum Failures per IP Address before the IP Address is Blocked for One Day: 10
    Block IP addresses at the firewall level if they trigger a one-day block: TRUE (CHECKED)

    Hello,

    You can browse to "WHM >> Security Center >> cPHulk Brute Force Protection", select the "History" tab, and choose the "One-Day Blocks" option from the drop-down menu. Do you see any entries in the interface when completing these steps? If not, how long ago did you last notice this issue?

    Thank you.
    0
