cPHulkd Brute Force Notifications - Authentication failures higher than maximum number allowed
I have email notifications set up for WHM/cPanel to notify me of multiple failed login attempts. I've noticed that at times the number of authentication failures is higher than the maximum allowed attempts before the IP address is blocked.
I've tested the system to confirm the block does take place when an IP hits the maximum allowed attempts. The system does allow further attempts, but once the IP is blocked, even using the correct login credentials results in failure.
My current working theory is that if an IP address continues to brute force whilst banned, those attempts are taken into consideration at the point the IP is unbanned and reoffends.
Can anyone confirm the behaviour I'm seeing or point me towards documentation that explains what is going on? Many thanks in advance.
Probably not relevant - the system is running on AlmaLinux v8.10
Hey there! If I'm understanding you correctly, what you're seeing is normal as cPHulk *does* take into account the further access attempts even after a ban has happened.
We do have a table at https://docs.cpanel.net/whm/security-center/cphulk-brute-force-protection/#command-variables that shows various scenarios and how long the user would be blocked for. Is that helpful?
Thanks for your reply.
Does the attached picture look correct to you? In my mind the maximum allowed attempts is 2 and any further attempts after that should have been blocked. But it looks (to me at least) like there have been a further 4 attempts after the block?
Yes, that seems normal - just because cPHulk has locked an account/IP address doesn't mean that someone can't still try to access the account. You can always block the IP address in the server's firewall manually if you see many of these coming from the same IP.
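To make the behaviour confirmed in the replies above concrete, here is a small model of a login lockout that keeps counting failures while an IP is banned. This is an added illustration, not cPHulk's source or its real algorithm: the threshold of 2, the 300-second ban length, the IP address and the attempt timeline are all constructed to mirror the scenario in the thread (2 failures, then 4 more attempts during the ban). Running it with `count_while_locked=False` shows the alternative policy the poster initially expected, for comparison.

```python
"""Model of a brute-force lockout that keeps counting during a ban.

Added illustration, not cPHulk's code. The threshold, ban length and the
'count_while_locked' policy are assumptions used to show why a
notification can report more failures than the configured maximum.
"""
from dataclasses import dataclass, field


@dataclass
class LockoutTracker:
    max_failures: int = 2            # constructed: the poster's configured maximum
    lockout_seconds: int = 300       # constructed ban length (assumption)
    count_while_locked: bool = True  # True: attempts during a ban still count
    failures: dict = field(default_factory=dict)      # ip -> failures counted
    locked_until: dict = field(default_factory=dict)  # ip -> epoch seconds

    def is_locked(self, ip: str, now: int) -> bool:
        return self.locked_until.get(ip, 0) > now

    def attempt(self, ip: str, credentials_ok: bool, now: int) -> str:
        """Process one login attempt; returns 'ok', 'failed' or 'locked'."""
        if self.is_locked(ip, now):
            # A banned IP is refused even with the right password, as observed.
            if self.count_while_locked:
                self.failures[ip] = self.failures.get(ip, 0) + 1
            return "locked"
        if not self.count_while_locked and ip in self.locked_until:
            # Ban has lapsed under the non-counting policy: fresh window.
            self.failures[ip] = 0
            del self.locked_until[ip]
        if credentials_ok:
            self.failures[ip] = 0
            return "ok"
        self.failures[ip] = self.failures.get(ip, 0) + 1
        if self.failures[ip] >= self.max_failures:
            self.locked_until[ip] = now + self.lockout_seconds
        return "failed"


def simulate(count_while_locked: bool) -> dict:
    """Constructed timeline: 2 wrong passwords (ban starts at t=10), 4 more
    attempts while banned, then one wrong password the moment the ban lapses."""
    tracker = LockoutTracker(count_while_locked=count_while_locked)
    ip = "198.51.100.7"  # constructed attacker address (RFC 5737 range)
    outcomes = [tracker.attempt(ip, False, now) for now in (0, 10)]
    outcomes += [tracker.attempt(ip, False, now) for now in (20, 30, 40, 50)]
    failures_in_notification = tracker.failures[ip]
    ban_end = 10 + tracker.lockout_seconds
    tracker.attempt(ip, False, ban_end)
    return {
        "outcomes": outcomes,
        "failures_counted": failures_in_notification,
        "relocked_immediately": tracker.is_locked(ip, ban_end),
    }


if __name__ == "__main__":
    for policy in (True, True is False):
        result = simulate(policy)
        print(f"count_while_locked={policy}: {result}")
```

With the counting policy the notification would show 6 failures against a maximum of 2, and the first wrong password after the ban lapses re-locks the IP immediately, which is exactly the reoffending behaviour the poster theorised. With counting disabled the attacker would get a fresh 2 attempts after every ban.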
Thanks again for your help.
Sure thing!