How do I know if cPanel Brute Force protection is working?
I'm getting a lot of people trying to access my server, I've turned on cphulk and checked the box the block IP addresses at the firewall level if they trigger brute force protection.
These IP's aren't being added to the manual IP blacklist tab though. Is there another list being created somewhere that I can verify these blocked IP's are being added too?
48995
-
Hello, You can browse to the "History Reports" tab in "WHM >> cPHulk Brute Force Detection" to see a list of failed logins or blocked IP addresses. Additionally, this information is logged at: /usr/local/cpanel/logs/cphulkd.log
Note that IP addresses blocked at the firewall level are not visible from within WHM. You'd need to run a command like this to see a list of all IP addresses blocked using iptables:iptables -L INPUT -v -n
Thank you.0 -
Thanks Michael, in the history reports, I have 3k reports, but all of the blocks have an expiration time. How can I make it so that they're all permanent or that future blocks are permanent? I tried running that command and I don't see a list of blocked IP's there. Could it be because I experimented with installing CSF and then disabled CSF? Both CSF and LFD are now disabled so it's back to the way it was before I started looking into this. This is what I have in the IP tables, there doesn't seem to be a list of the blocked IP's even though I have Maximum Failures per IP Address = 3 Checked: Block IP addresses at the firewall level if they trigger brute force protection Maximum Failures per IP Address before the IP Address is Blocked for One Day = 3 Checked: Block IP addresses at the firewall level if they trigger a one-day block root@domain-net [~]# iptables -L INPUT -v -n Chain INPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 230 18941 f2b-SSH tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 24126 5843K cP-Firewall-1-INPUT all -- * * 0.0.0.0/0 0.0.0.0/0 22872 5772K acctboth all -- * * 0.0.0.0/0 0.0.0.0/0 22672 5750K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED 8 640 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 8 480 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT tcp -- * * redacted 0.0.0.0/0 state NEW tcp dpt:22 0 0 ACCEPT tcp -- * * redacted 0.0.0.0/0 state NEW tcp dpt:22 0 0 ACCEPT tcp -- * * redacted 0.0.0.0/0 state NEW tcp dpt:22 0 0 ACCEPT tcp -- * * redacted 0.0.0.0/0 state NEW tcp dpt:22 1 64 ACCEPT tcp -- * * redacted 0.0.0.0/0 state NEW tcp dpt:22 0 0 ACCEPT tcp -- * * redacted 0.0.0.0/0 state NEW tcp dpt:22 0 0 ACCEPT tcp -- * * redacted 0.0.0.0/0 state NEW tcp dpt:22 5 280 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:1167 7 280 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 30000:50000 171 20638 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Thanks0 -
Thanks Michael, in the history reports, I have 3k reports, but all of the blocks have an expiration time. How can I make it so that they're all permanent or that future blocks are permanent?
In "WHM Home " Security Center " cPHulk Brute Force Protection", under "Configuration Settings", you'd need to enter a command like this for "Command to Run When an IP Address Triggers a One-Day Block" in the "One Day Block" section:whmapi1 create_cphulk_record list_name=black ip=%remote_ip%
This will add the IP addresses that are detected for the "One Day Block" settings to the permanent cPHulk black list.I tried running that command and I don't see a list of blocked IP's there. Could it be because I experimented with installing CSF and then disabled CSF?
Yes, it's possible that installing and uninstalling CSF wiped your existing iptables rules. Thank you.0
Please sign in to leave a comment.
Comments
3 comments