cPHulk blocks IPs after 5 attempts, no matter what the value is set at?
Hi,
cPHulk is (and always was) set to 50 maximum failures per IP address, but it seems like since I upgraded to WHM 66.0 a couple weeks ago, it's now always blocking the IP addresses after only 5 attempts, no matter what the "maximum failures per IP address" value is set at.
I've always been using cPHulk paired with ConfigServer CSF, if it makes any difference, nothing really changed except for the WHM 64.0 to 66.0 upgrade.
I'm guessing you have CSF set to block IPs after 5 attempts?
Hello, To clarify, do you see corresponding entries in /usr/local/cpanel/logs/cphulkd.log that show logins from specific IP addresses are blocked by cPHulk, or are you just noticing that logins are failing? Thank you.
@kernow It seems CSF v11.0 came with a default value of 5 for blocking SMTP login attempts. I'm taking a look at new settings that came with that version and I'll change the default values. I'll see in a day if it makes a difference. So basically, since those CSF settings override cPHulk's, then I guess I could turn cPHulk off completely, no? Thanks for your much appreciated time.
Hi, cPHulk is only brute-force detection/failed-login blocking, whereas a firewall or a security solution (CSF) includes a lot more. If you need advanced features for your server security, such as avoiding Apache DDoS attacks, only then do you need to think about CSF; otherwise cPHulk will do almost all the other features provided by CSF, like auto-blocking of IP addresses on failed login attempts. Actually, CSF works on top of iptables. The rules you add in CSF will be added to iptables on the back end, while cPHulk uses a MySQL database rather than iptables. I have found another thread in which you can find a lot more info about these two: cPHulk vs. CSF
.......then I guess I could turn cPHulk off completely, no?
We don't use it ourselves, CSF does the job.
If so, you can safely disable the cPHulkd service on your server. Because they both do the same job, CSF will do more than what cPHulkd can do. Actually, CSF works on top of iptables. The rules you add in CSF will be added to iptables on the back end, while cPHulk uses a MySQL database rather than iptables. As I have mentioned, cPHulk uses a database, so it may consume more resources during a brute-force attack. You can check the cPHulkd log entries with:
tail -f /usr/local/cpanel/logs/cphulkd.log
You can run either of these on the command line to disable the cPHulkd service:
/usr/local/cpanel/bin/cphulk_pam_ctl --disable
OR
/usr/local/cpanel/etc/init/stopcphulkd
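
Added example, not part of any post in this thread: a shell check that lists which CSF per-service login-failure triggers would block an IP before the cPHulk limit of 50 discussed above is reached. The function names and the sample values are constructed for illustration; the LF_* key names, the quoted-value layout and the /etc/csf/csf.conf path are assumptions about a standard CSF install.

```shell
#!/bin/sh
# Added example: find CSF login-failure triggers that fire before cPHulk does.
# On a server (path assumed): csf_triggers_below /etc/csf/csf.conf 50

# Print KEY=VALUE for each enabled per-service trigger below the given limit.
csf_triggers_below() {
    conf=$1
    limit=$2
    awk -v limit="$limit" '
        # Match lines such as: LF_SMTPAUTH = "5"
        # Commented-out lines and *_PERM keys do not match this pattern.
        /^[ \t]*LF_(SSHD|FTPD|SMTPAUTH|POP3D|IMAPD|CPANEL)[ \t]*=/ {
            key = $1
            sub(/=.*/, "", key)               # handles KEY="5" without spaces
            val = $0
            sub(/^[^=]*=[ \t]*"?/, "", val)   # drop everything up to the value
            sub(/".*$/, "", val)              # drop closing quote and trailer
            # Assumption: a value of 0 means the trigger is disabled.
            if (val ~ /^[0-9]+$/ && val + 0 > 0 && val + 0 < limit + 0)
                print key "=" val
        }
    ' "$conf"
}

# Write a constructed sample config (not taken from a real server).
write_sample_conf() {
    cat > "$1" <<'EOF'
# Constructed sample in csf.conf style
LF_SSHD = "5"
LF_SSHD_PERM = "1"
LF_FTPD = "10"
LF_SMTPAUTH = "5"
LF_POP3D = "0"
LF_IMAPD = "60"
# LF_CPANEL = "5"
LF_CPANEL = "50"
EOF
}

sample=$(mktemp)
write_sample_conf "$sample"
# 50 is the cPHulk "maximum failures per IP address" value from the first post.
csf_triggers_below "$sample" 50
rm -f "$sample"
```

Any key this prints means CSF will block that service's failed logins first, so the block should be looked for in CSF's own records rather than in cphulkd.log.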