digitalFAQ.com Forum

Thread: How to use cPanel/WHM cPHulk to block unwanted login attempts (http://www.digitalfaq.com/forum/guides-whm/3861-how-cpanel-whm.html)

kpmedia 01-26-2012 09:21 PM

How to use cPanel/WHM cPHulk to block unwanted login attempts
 
One of the benefits of using the cPanel/WHM control panel is the cPHulk brute force protection, which disables access to the PAM services. (PAM = Pluggable Authentication Modules. It's essentially what's used to log you into the server, email, etc.)

Unlike a traditional firewall that entirely blocks an IP range/address from all access to the server, cPHulk only prevents the ability to login. So website viewers can still see the site, and email is still delivered. Entire countries can be blocked from logging in via the blacklist, but site visitors from that country are not affected.

Additionally, cPHulk protects cPanel, WHM, SSH, FTP, IMAP, SMTP and POP3 from brute force authentication attacks, banning an IP (or locking an account) after too many failed attempts.

It's also a good backup to the CSF/LFD firewall -- which you really should use! -- in case that firewall ever fails or is accidentally deactivated.

Some more information can be found here: http://www.digitalfaq.com/forum/web-...nels-anti.html


Install and Setup cPHulk

In order to install and setup cPHulk, you'll need to:

Step 1: Login to WHM.

Step 2: Go to the Security Center menu on the left side of the WHM screen, and select cPHulk Brute Force Protection.

Attachment 3840

Step 3: Then enable cPHulk in cPanel. Doing so will also disable UseDNS. (It requires a restart of the SSH service; you'll be prompted on-screen with instructions.) UseDNS is probably unnecessary for most users anyway.


Configure cPHulk

Step 4: Configure the number of failures required to lock out the IP address, including length of the lockout. By default, cPHulk is set to:

"IP Based Brute Force Protection period in minutes" = 15 minutes
"Brute Force Protection period in minutes" = 15 minutes
"Maximum Failures By Account" = 15 attempts
"Maximum Failures Per IP" = 10 attempts
"Maximum Failures Per IP before IP is blocked for two week period" = 20 total attempts

What those 5 lines mean is this:

(1) Bans an IP for 15 minutes (too low!)
(2) Bans an account during a 15-minute "fail window" (too low!)
(3) Allow 15 login fails from all locations/IPs to an account (too high!)
(4) Allow 10 login fails from one location/IP (may be too low!)
(5) Allow 20 login fails before being locked out for two weeks (may be too low!). So if all 10 attempts are within the fail window, and it happens twice (10+10), then the IP is blocked for two weeks by cPHulk.

By default, it's also not set to send you email warnings of brute force attempts, which is not really good for watchful security-minded admins.

Ideally, set it to something like this:

(1) Ban for an IP 20 minutes when it fails
(2) Ban an account for 20 minutes, so that a hacker can't just switch IPs and try again right away
(3) Allow only 10 login attempts per account
(4) Allow only 10 login attempts per IP
(5) Allow only 20 login failures before being banned for two weeks. (Sadly, cPHulk does not have a permanent ban setting.)

Unless you're a complete airhead, 5 login attempts should be plenty; 10 if you're worried. However, if you're providing hosting to others, realize that lots of users *are* airheads! What I can never understand is that some people try to login over and over again, often with the SAME wrong information! As Albert Einstein once said, (paraphrased) "insanity is doing the same thing over and over again, yet expecting different outcomes".

Attachment 3841


(Optional) Populate the Whitelist / Blacklist

Populate the whitelist and blacklist with known-good and known-undesired IP addresses:

Step 5: Go to the cPHulk Brute Force Protection page in WHM, and click on the White/Black List Management.

Attachment 2280

Step 6: Add your current IP address or IP range to the Whitelist. Do this for any place that you're likely to access the server regularly, including your home, office, and secondary locations -- favorite online cafe, home/office of a friend or family member, your school/college, etc.

Step 7: Consider blocking places that you know you'll never try to login from. For example, if you're not planning to visit Estonia, Iran, China or Russia anytime soon, it's probably safe to block those IP ranges. This will lock out any login access to cPanel, WHM, SSH, FTP, IMAP, and POP3.

The alternative to a large blacklist is to simply let cPHulk block problem IPs one at a time, as they fail the predefined number of login fails. But again, if you're not planning to live in China anytime soon, there's no reason to allow a 123.0.0.0/8 range address fail over and over again. Just blacklist the entire IP block and get it over with.


Final Notes

If this has helped you, be sure to click thanks. :thumb:

However, understand that following guides online does NOT replace having a skilled server administrator.

Know that The Digital FAQ offers server administration services starting. If you use your VPS or dedicated server for serious endeavors, consider outsourcing your security to competent and experienced admins. Then you'll be able to focus on running the sites (creating content, etc), not running the server. And while your host may have management services, most are reactive and not proactive -- meaning you'll have to request that tasks be done, which is a hard task for a non-admin who doesn't know what to ask for.

... just a word of warning for the DIY hosting customers out there. :2cents:



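To make the interaction of those five settings concrete, here is an added Python simulation. It is not cPanel's code; the counter semantics (a sliding window per IP and per account, a lock lasting one window, every failure counting toward the two-week total) follow the reading given in the post above and are an assumption. It replays two scenarios against both the default and the suggested values: one IP hammering one account and waiting out the lock, and an attacker rotating source IPs against one account, which is exactly the case the per-account threshold exists for.

```python
"""Toy model of cPHulk's lockout counters (added example, not cPanel/WHM code).

Assumption: a failure is counted per IP and per account inside a sliding
window of the configured length, a lock lasts one window, and every failure
from an IP also counts toward the two-week ban. Times are minutes.
"""
from __future__ import annotations

from collections import defaultdict, deque
from dataclasses import dataclass

TWO_WEEKS_MIN = 14 * 24 * 60


@dataclass(frozen=True)
class Policy:
    ip_window: int = 15           # "IP Based Brute Force Protection period in minutes"
    account_window: int = 15      # "Brute Force Protection period in minutes"
    max_fail_account: int = 15    # "Maximum Failures By Account"
    max_fail_ip: int = 10         # "Maximum Failures Per IP"
    max_fail_ip_total: int = 20   # "Maximum Failures Per IP before IP is blocked for two week period"


DEFAULTS = Policy()
RECOMMENDED = Policy(ip_window=20, account_window=20, max_fail_account=10,
                     max_fail_ip=10, max_fail_ip_total=20)


class CphulkSim:
    def __init__(self, policy: Policy) -> None:
        self.p = policy
        self.ip_fails = defaultdict(deque)    # ip -> failure times still inside the window
        self.acct_fails = defaultdict(deque)  # account -> failure times still inside the window
        self.ip_total = defaultdict(int)      # ip -> failures counted toward the two-week ban
        self.ip_until = {}                    # ip -> minute the lock expires
        self.acct_until = {}                  # account -> minute the lock expires

    @staticmethod
    def _prune(times: deque, now: int, window: int) -> None:
        # Drop failures that have aged out of the window.
        while times and now - times[0] >= window:
            times.popleft()

    def attempt(self, ip: str, account: str, password_ok: bool, now: int) -> str:
        """Process one login attempt and return what cPHulk would do with it."""
        if self.ip_until.get(ip, -1) > now:
            return "ip_locked"            # refused before the password is even checked
        if self.acct_until.get(account, -1) > now:
            return "account_locked"
        if password_ok:
            return "success"
        self._prune(self.ip_fails[ip], now, self.p.ip_window)
        self._prune(self.acct_fails[account], now, self.p.account_window)
        self.ip_fails[ip].append(now)
        self.acct_fails[account].append(now)
        self.ip_total[ip] += 1
        if self.ip_total[ip] >= self.p.max_fail_ip_total:
            self.ip_until[ip] = now + TWO_WEEKS_MIN
            return "ip_banned_two_weeks"
        if len(self.ip_fails[ip]) >= self.p.max_fail_ip:
            self.ip_until[ip] = now + self.p.ip_window
            return "ip_now_locked"
        if len(self.acct_fails[account]) >= self.p.max_fail_account:
            self.acct_until[account] = now + self.p.account_window
            return "account_now_locked"
        return "failed"


def single_ip_scenario(policy: Policy) -> list[str]:
    """One IP hammers one account: 10 failures, a correct guess while locked,
    then 10 more failures once the default 15-minute lock has expired."""
    sim = CphulkSim(policy)
    ip, acct = "203.0.113.7", "alice"            # constructed sample values
    log = [sim.attempt(ip, acct, False, t) for t in range(10)]
    log.append(sim.attempt(ip, acct, True, 10))  # right password, but the IP is locked
    log += [sim.attempt(ip, acct, False, t) for t in range(25, 35)]
    return log


def rotating_ip_scenario(policy: Policy) -> int:
    """Attacker uses a fresh IP for every guess at one account, so the per-IP
    counters never trip; return the attempt number at which the account locks."""
    sim = CphulkSim(policy)
    for n in range(1, 31):
        if sim.attempt(f"198.51.100.{n}", "alice", False, 0) == "account_now_locked":
            return n
    return 0


if __name__ == "__main__":
    for name, pol in (("defaults", DEFAULTS), ("recommended", RECOMMENDED)):
        print(name, single_ip_scenario(pol))
        print(name, "account locks at attempt", rotating_ip_scenario(pol))
```

With the defaults, the single-IP run shows the "10+10" case from the post: the tenth failure locks the IP, the correct password at minute 10 is refused anyway, and the twentieth failure at minute 34 turns into the two-week ban. With the longer 20-minute window the second burst starts while the IP is still locked, so fewer failures are ever counted. The rotating-IP run is the reason the per-account value matters at all: the defaults let the account absorb 15 guesses from 15 different addresses, the suggested value stops it at 10.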


admin 01-27-2012 09:14 AM

Sample List

This is a starter list for you, from one of our cPanel servers. :)

It's moderately aggressive, and is intended solely for North American (USA, Canada) and western European users.

Important: Be sure your IP block is not there, should you decide to use this one! If you lock yourself out, you'll have to ask for assistance from your host, or access the server/VPS from a non-banned IP range.

Code:

1.0.0.0/8
10.0.0.0/8
100.0.0.0/8
101.0.0.0/8
102.0.0.0/8
103.0.0.0/8
104.0.0.0/8
105.0.0.0/8
106.0.0.0/8
107.0.0.0/8
109.0.0.0/8
11.0.0.0/8
110.0.0.0/8
111.0.0.0/8
112.0.0.0/8
113.0.0.0/8
114.0.0.0/8
115.0.0.0/8
116.0.0.0/8
117.0.0.0/8
118.0.0.0/8
119.0.0.0/8
12.0.0.0/8
120.0.0.0/8
121.0.0.0/8
122.0.0.0/8
123.0.0.0/8
124.0.0.0/8
125.0.0.0/8
126.0.0.0/8
127.0.0.0/8
13.0.0.0/8
133.0.0.0/8
135.0.0.0/8
14.0.0.0/8
145.0.0.0/8
15.0.0.0/8
150.0.0.0/8
151.0.0.0/8
153.0.0.0/8
154.0.0.0/8
158.0.0.0/8
16.0.0.0/8
169.0.0.0/8
17.0.0.0/8
175.0.0.0/8
176.0.0.0/8
177.0.0.0/8
178.0.0.0/8
179.0.0.0/8
18.0.0.0/8
180.0.0.0/8
181.0.0.0/8
182.0.0.0/8
183.0.0.0/8
185.0.0.0/8
186.0.0.0/8
187.0.0.0/8
188.0.0.0/8
189.0.0.0/8
19.0.0.0/8
191.0.0.0/8
197.0.0.0/8
2.0.0.0/8
201.0.0.0/8
203.0.0.0/8
21.0.0.0/8
210.0.0.0/8
211.0.0.0/8
213.0.0.0/8
214.0.0.0/8
215.0.0.0/8
218.0.0.0/8
219.0.0.0/8
22.0.0.0/8
220.0.0.0/8
221.0.0.0/8
222.0.0.0/8
223.0.0.0/8
224.0.0.0/8
225.0.0.0/8
226.0.0.0/8
227.0.0.0/8
228.0.0.0/8
229.0.0.0/8
23.0.0.0/8
230.0.0.0/8
231.0.0.0/8
232.0.0.0/8
233.0.0.0/8
234.0.0.0/8
235.0.0.0/8
236.0.0.0/8
237.0.0.0/8
238.0.0.0/8
239.0.0.0/8
240.0.0.0/8
241.0.0.0/8
242.0.0.0/8
243.0.0.0/8
244.0.0.0/8
245.0.0.0/8
246.0.0.0/8
247.0.0.0/8
248.0.0.0/8
249.0.0.0/8
25.0.0.0/8
250.0.0.0/8
251.0.0.0/8
252.0.0.0/8
253.0.0.0/8
254.0.0.0/8
255.0.0.0/8
26.0.0.0/8
27.0.0.0/8
28.0.0.0/8
29.0.0.0/8
3.0.0.0/8
30.0.0.0/8
31.0.0.0/8
32.0.0.0/8
33.0.0.0/8
34.0.0.0/8
35.0.0.0/8
36.0.0.0/8
37.0.0.0/8
38.0.0.0/8
39.0.0.0/8
40.0.0.0/8
41.0.0.0/8
42.0.0.0/8
43.0.0.0/8
44.0.0.0/8
45.0.0.0/8
46.0.0.0/8
47.0.0.0/8
48.0.0.0/8
5.0.0.0/8
51.0.0.0/8
53.0.0.0/8
54.0.0.0/8
55.0.0.0/8
56.0.0.0/8
57.0.0.0/8
58.0.0.0/8
59.0.0.0/8
6.0.0.0/8
60.0.0.0/8
61.0.0.0/8
62.0.0.0/8
7.0.0.0/8
70.0.0.0/8
73.0.0.0/8
75.0.0.0/8
78.0.0.0/8
79.0.0.0/8
8.0.0.0/8
83.0.0.0/8
84.0.0.0/8
85.0.0.0/8
88.0.0.0/8
89.0.0.0/8
9.0.0.0/8
90.0.0.0/8
91.0.0.0/8
92.0.0.0/8
93.0.0.0/8
95.0.0.0/8
96.0.0.0/8
97.0.0.0/8
98.0.0.0/8
99.0.0.0/8


Dewlance 01-29-2012 01:15 AM

Hello,

41.0.0.0/8
46.0.0.0/8

This is a Nigerian IP. If I block this, will the whole country or the whole "IP block" (thousands of IPs) be blocked?

Thanks,
Kunnu

kpmedia 01-29-2012 11:09 AM

Quote:

Originally Posted by WindowsVPS (Post 19110)
41.0.0.0/8, 46.0.0.0/8
This is a Nigerian IP. If I block this, will the whole country or the whole "IP block" (thousands of IPs) be blocked?

Correct. :thumb:

.... sort of:

If you block the entire /8 block of 41.x.x.x, then you effectively disallow every IP in that range from accessing whatever it is that you've blocked. Every IP address from 41.0.0.1 to 41.255.255.255. I forget how many thousands of IP addresses that is, but it's all of them.

41.0.0.0/8 is AfriNIC, and includes much of the African continent. You'll be blocking not only Nigeria, but parts of South Africa, and other places in between.

46.0.0.0/8, however, is not AfriNIC. It's a mish-mash of geographic locations, including Turkey, Europe (both eastern and western), and Russia. If I'm not mistaken, I believe one of my IP addresses out of OVH (France) begins with a 46.x.x.x, though I'd have to double-check. This would not be safe to block unless you're completely positive that you'll never need to access the blocked content/service from those locations. For example, I'd never block 46.0.0.0/8 from being able to view a site, but it could definitely be entered into cPHulk to prevent service logins, as I'm not in one of those locations.

According to the current Wikipedia entry for AfriNIC, "AfriNIC has been allocated the IPv4 address blocks 41.0.0.0/8, 102.0.0.0/8, 105.0.0.0/8 and 197.0.0.0/8 and IPv6 blocks 2c00::/12 and 2001:4200::/23. AfriNIC also administers the address space for 196.0.0.0/8 and 154.0.0.0/8."

... and welcome to the site. :)
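The sample list posted earlier and the /8 discussion in this reply come down to the same two questions: how much address space does one line of the list cover, and does any line cover an address you yourself log in from? Here is an added Python check using only the standard library's ipaddress module; it is not part of the thread and not a cPanel tool. The excerpt of the list and the admin addresses are constructed sample values, and the script also flags entries that can never be a real login source (private, multicast or reserved space), which the posted list contains a few of.

```python
"""Sanity-check a cPHulk blacklist before pasting it into WHM (added example, not a cPanel tool)."""
import ipaddress

# Constructed excerpt of the /8 list posted above; paste the full list here when using it.
BLACKLIST_TEXT = """
1.0.0.0/8
10.0.0.0/8
41.0.0.0/8
46.0.0.0/8
123.0.0.0/8
197.0.0.0/8
"""

# Constructed: addresses the admin logs in from (home, office, a VPS at a provider).
ADMIN_IPS = ["203.0.113.9", "46.105.0.1"]


def parse_blacklist(text: str) -> list:
    """One CIDR per line; blank lines and # comments are ignored.
    strict=False tolerates entries with host bits set, as WHM pastes often have."""
    nets = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def range_bounds(cidr: str) -> tuple:
    """First address, last address and address count of a block, i.e. what a /8 really spans."""
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net[0]), str(net[-1]), net.num_addresses


def covering_entries(ip: str, nets: list) -> list:
    """Blacklist entries that would lock out ip; an empty list means it is safe."""
    addr = ipaddress.ip_address(ip)
    return [str(n) for n in nets if addr in n]


def lockout_report(admin_ips: list, nets: list) -> dict:
    """Map each admin address to the entries that would lock it out."""
    return {ip: covering_entries(ip, nets) for ip in admin_ips}


def non_routable(nets: list) -> list:
    """Entries that can never be a real login source (private, multicast, reserved).
    Harmless in cPHulk, but a sign the list was generated rather than curated."""
    return [str(n) for n in nets if n.is_private or n.is_multicast or n.is_reserved]


def prune_blacklist(nets: list, admin_ips: list) -> list:
    """Return the list with every entry that covers an admin address removed."""
    addrs = [ipaddress.ip_address(ip) for ip in admin_ips]
    return [n for n in nets if not any(a in n for a in addrs)]


if __name__ == "__main__":
    nets = parse_blacklist(BLACKLIST_TEXT)
    print("41.0.0.0/8 spans", range_bounds("41.0.0.0/8"))
    print("lockout risk:", lockout_report(ADMIN_IPS, nets))
    print("non-routable entries:", non_routable(nets))
    print("safe list:", [str(n) for n in prune_blacklist(nets, ADMIN_IPS)])
```

Run against the constructed values, the report answers the question asked in this reply (41.0.0.0/8 is 41.0.0.0 through 41.255.255.255, 16,777,216 addresses) and also catches the trap the author warns about: the 46.x.x.x provider address would be locked out by 46.0.0.0/8, so that entry is dropped from the list that gets pasted into WHM.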

admin 03-28-2014 09:15 AM

The guide was updated for cPanel 11.42.x and beyond. :congrats:


Site design, images and content © 2002-2021 The Digital FAQ, www.digitalFAQ.com