
cpHulk auto-block non-existent accounts


  • cPanelMichael
    I was wondering, is there a way to configure cpHulk to auto-block an access attempt to an account that doesn't exist on the system? I'm not bothered if it temporarily blacklists or blocks it at the firewall level either temporarily or permanently.

    cPhulk is designed to prevent successful authentication into accounts when brute force attempts are detected. If the account username doesn't exist, then authentication isn't possible. Could you elaborate more on the specific scenario you are attempting to account for, or provide an example where additional functionality would be useful? Thanks!
    0
  • Carl Garner
    Hi Michael, Sure. I receive emails each time cpHulk blocks an attack, but most of the time, these are for accounts (typically email) which don't exist on the system. Above is a screenshot of one such email. The account address clearly isn't one that would be on my system. Is there any way to block these attacks, as I said, if the account being "tested" isn't a valid account on the system?
    0
  • cPanelMichael
    The account address clearly isn't one that would be on my system. Is there any way to block these attacks, as I said, if the account being "tested" isn't a valid account on the system?

    You can enable "Block IP addresses at the firewall level if they trigger brute force protection" as part of the "IP Address-based Protection" setting and that will block the IP address at the firewall level. cPHulk itself will only prevent successful authentication, and never stops the authentication attempts, except for individual IP addresses that are blocked at the firewall level. This is true regardless of whether the username exists on the system. For instance, if "user123" exists on the system, and "Username-Based Protection" is triggered, additional authentication attempts will still come through. It's just authentication will always fail when the account is in the brute force protection period, even if the attacker uses a correct password. If you want to stop the attack itself, you'd need to use firewall rules or a firewall management utility with rules to detect and block the IP addresses (e.g. CSF). Thank you.
    0
  • Gauravk
    I'm experiencing a similar phenomenon and wondering if we can add certain non-existing usernames to a block list or blacklist? I am getting a few hundred failed attempts daily from 4-5 usernames whose domain is not with me. Blocking IPs is meaningless in this scenario, as the spammer must be switching IP every time they attempt this.
    0
  • cPanelMichael
    I am getting a few hundred failed attempts daily from 4-5 usernames whose domain is not with me. Blocking IPs is meaningless in this scenario, as the spammer must be switching IP every time they attempt this.

    Hello, Could you elaborate on the specific benefit you'd see from such a feature? cPHulk doesn't block the authentication attempt itself unless the IP address is blocked at the firewall level after the configured number of failed attempts is met. A better approach would be to use a custom firewall rule to detect and block brute force attempts. Thank you.
    0
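
A sketch of the kind of custom detection rule the replies above point to, added here as an example (it is not from the thread or from cPanel): it flags source IPs whose failed logins target accounts that do not exist, and also catches one unknown username being tried from many rotating IPs. The log line format, the account list and both thresholds are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in a simplified Dovecot-style format (an assumption;
# adapt the regex to the real mail log on the server).
SAMPLE_LOG = """\
Jan 10 03:12:01 mx dovecot: imap-login: auth failed: user=<admin@not-hosted.example>, rip=203.0.113.7
Jan 10 03:12:04 mx dovecot: imap-login: auth failed: user=<admin@not-hosted.example>, rip=203.0.113.7
Jan 10 03:12:09 mx dovecot: imap-login: auth failed: user=<admin@not-hosted.example>, rip=203.0.113.7
Jan 10 04:00:10 mx dovecot: imap-login: auth failed: user=<info@not-hosted.example>, rip=198.51.100.21
Jan 10 04:20:31 mx dovecot: imap-login: auth failed: user=<info@not-hosted.example>, rip=198.51.100.22
Jan 10 04:41:55 mx dovecot: imap-login: auth failed: user=<info@not-hosted.example>, rip=198.51.100.23
Jan 10 05:02:00 mx dovecot: imap-login: auth failed: user=<carl@example.com>, rip=192.0.2.50
Jan 10 05:02:30 mx dovecot: imap-login: auth failed: user=<carl@example.com>, rip=192.0.2.50
Jan 10 06:15:12 mx dovecot: imap-login: auth failed: user=<crl@example.com>, rip=192.0.2.99
"""
VALID_ACCOUNTS = {"carl@example.com", "sales@example.com"}  # assumed account list

FAILED = re.compile(r"auth failed: user=<([^>]*)>, rip=([0-9A-Fa-f.:]+)")

def ips_to_block(log_text, valid_accounts, per_ip=3, per_name_ips=3):
    """Flag IPs whose failed logins target accounts that do not exist.

    per_ip:       failures against unknown names from one IP.
    per_name_ips: distinct IPs trying one unknown name; covers rotating sources.
    """
    valid = {a.lower() for a in valid_accounts}
    fails = Counter()            # ip -> failures against unknown accounts
    sources = defaultdict(set)   # unknown username -> IPs that tried it
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if not m:
            continue
        user, ip = m.group(1).strip().lower(), m.group(2)
        if user in valid:
            continue  # real account: leave it to cPHulk's own thresholds
        fails[ip] += 1
        sources[user].add(ip)
    flagged = {ip for ip, n in fails.items() if n >= per_ip}
    for ips in sources.values():
        if len(ips) >= per_name_ips:
            flagged |= ips  # same bogus name from many IPs: flag each source
    return sorted(flagged)

if __name__ == "__main__":
    for ip in ips_to_block(SAMPLE_LOG, VALID_ACCOUNTS):
        print(ip)  # hand these to the firewall tool in use (e.g. CSF)
```

The single mistyped address from 192.0.2.99 and the failures against the real account stay unflagged, so a user who fat-fingers a login is not firewalled.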
