cpHulk warnings/auto-block suspended accounts

Mugoma

• April 07, 2017 22:58

We have cpHulk enabled and have been having no problem till after last update. Before last update it was triggering warnings and/or auto-block only active accounts. But now it does even for suspended accounts. The waning message seems ti have also changed. Before last update the waning email was titled "Large Number of Failed Login Attempts from ". Now it's titled "Excessive Number of Failed Login Attempts from (:)" The problem with this is that several users either forget to renew or just take time to renew causing their accounts to be suspended, but some of them still attempt to use their accounts even after suspension. In such cases we consider cpHulk warnings and/or auto-block as FALSE alarms. Since most users are on shared IP and if an IP is blocked many users get affected. Is it possible to have cpHulk warnings/auto-block only on active accounts as before? This way we'll be handling only really brute force attacks. Otherwise currently we get many FALSE alarms due to checks on suspended accounts. Since we considered a suspended account not usable we don't see this as a major risk.

• 

  cPanelMichael

  • April 10, 2017 17:39

  Hello, Could you clarify which version of cPanel you updated from, and which version of cPanel you updated to? I can't find any information showing that cPHulk ever excluded suspended accounts from the brute force protection mechanism. Have you considered enabling username-based protection only, and disabling IP-based protection? This will lock out the username only, rather than locking the IP address making the failed authentication attempt. Thank you.

  0
• 

  Mugoma

  • April 14, 2017 05:04

  Hello, The updates are automatic, so can't tell version from/to. But it started about a month or so ago. My argument about excluding/including suspended accounts was just a guess. The main contention is that we are receiving many false warnings and a large portion is from suspended accounts. We tried username-based protection awhile back but it ended up being an inconvenience to (genuine) users. So, we stopped it. Thanks.

  0
• 

  cPanelMichael

  • April 14, 2017 17:37

  Since most users are on shared IP and if an IP is blocked many users get affected.

  
  Hello, Could you elaborate on this a little more? For instance, do you have multiple customers making connections to the server from the same IP address (e.g. the customers are all using a proxy or connecting from the same physical location)? If so, have you considered adding that IP address to the cPHulk Whitelist? Thank you.

  0

Please sign in to leave a comment.