Skip to main content

How do I know if cPanel Brute Force protection is working?

Comments

3 comments

  • cPanelMichael
    Hello, You can browse to the "History Reports" tab in "WHM >> cPHulk Brute Force Detection" to see a list of failed logins or blocked IP addresses. Additionally, this information is logged at:
    /usr/local/cpanel/logs/cphulkd.log
    Note that IP addresses blocked at the firewall level are not visible from within WHM. You'd need to run a command like this to see a list of all IP addresses blocked using iptables:
    iptables -L INPUT -v -n
    Thank you.
    0
  • RobinHood
    Thanks Michael, in the history reports, I have 3k reports, but all of the blocks have an expiration time. How can I make it so that they're all permanent or that future blocks are permanent? I tried running that command and I don't see a list of blocked IP's there. Could it be because I experimented with installing CSF and then disabled CSF? Both CSF and LFD are now disabled so it's back to the way it was before I started looking into this. This is what I have in the IP tables, there doesn't seem to be a list of the blocked IP's even though I have Maximum Failures per IP Address = 3 Checked: Block IP addresses at the firewall level if they trigger brute force protection Maximum Failures per IP Address before the IP Address is Blocked for One Day = 3 Checked: Block IP addresses at the firewall level if they trigger a one-day block
    root@domain-net [~]# iptables -L INPUT -v -n Chain INPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 230 18941 f2b-SSH tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 24126 5843K cP-Firewall-1-INPUT all -- * * 0.0.0.0/0 0.0.0.0/0 22872 5772K acctboth all -- * * 0.0.0.0/0 0.0.0.0/0 22672 5750K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED 8 640 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 8 480 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT tcp -- * * redacted 0.0.0.0/0 state NEW tcp dpt:22 0 0 ACCEPT tcp -- * * redacted 0.0.0.0/0 state NEW tcp dpt:22 0 0 ACCEPT tcp -- * * redacted 0.0.0.0/0 state NEW tcp dpt:22 0 0 ACCEPT tcp -- * * redacted 0.0.0.0/0 state NEW tcp dpt:22 1 64 ACCEPT tcp -- * * redacted 0.0.0.0/0 state NEW tcp dpt:22 0 0 ACCEPT tcp -- * * redacted 0.0.0.0/0 state NEW tcp dpt:22 0 0 ACCEPT tcp -- * * redacted 0.0.0.0/0 state NEW tcp dpt:22 5 280 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:1167 7 280 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 30000:50000 171 20638 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
    Thanks
    0
  • cPanelMichael
    Thanks Michael, in the history reports, I have 3k reports, but all of the blocks have an expiration time. How can I make it so that they're all permanent or that future blocks are permanent?

    In "WHM Home " Security Center " cPHulk Brute Force Protection", under "Configuration Settings", you'd need to enter a command like this for "Command to Run When an IP Address Triggers a One-Day Block" in the "One Day Block" section:
    whmapi1 create_cphulk_record list_name=black ip=%remote_ip%
    This will add the IP addresses that are detected for the "One Day Block" settings to the permanent cPHulk black list.
    I tried running that command and I don't see a list of blocked IP's there. Could it be because I experimented with installing CSF and then disabled CSF?

    Yes, it's possible that installing and uninstalling CSF wiped your existing iptables rules. Thank you.
    0

Please sign in to leave a comment.