How to use cPanel/WHM cPHulk to block unwanted login attempts - digitalFAQ Forum
  #1  
01-26-2012, 09:21 PM
kpmedia (Site Staff | Web Hosting, Photo)
Join Date: Feb 2004
Posts: 4,242
Thanked 354 Times in 332 Posts
One of the benefits of using the cPanel/WHM control panel is the cPHulk brute force protection, which disables access to the PAM services. (PAM = Pluggable Authentication Modules. It's essentially what's used to log you into the server, email, etc.)

Unlike a traditional firewall that entirely blocks an IP range/address from all access to the server, cPHulk only prevents the ability to login. So website viewers can still see the site, and email is still delivered. Entire countries can be blocked from logging in via the blacklist, but site visitors from that country are not affected.

Additionally, cPHulk protects cPanel, WHM, SSH, FTP, IMAP, SMTP and POP3 from brute force authentication attacks, banning an IP (or locking an account) after too many failed attempts.

It's also a good backup to the CSF/LFD firewall -- which you really should use! -- in case that firewall ever fails or is accidentally deactivated.

Some more information can be found here: http://www.digitalfaq.com/forum/web-...nels-anti.html


Install and Setup cPHulk

In order to install and setup cPHulk, you'll need to:

Step 1: Login to WHM.

Step 2: Go to the Security Center menu on the left side of the WHM screen, and select cPHulk Brute Force Protection.

[Screenshot: cphulk-new.jpg]

Step 3: Then enable cPHulk in cPanel. Doing so will also disable UseDNS. (It requires a restart of the SSH service; you'll be prompted on-screen with instructions.) UseDNS is probably unnecessary for most users anyway.


Configure cPHulk

Step 4: Configure the number of failures required to lock out the IP address, including the length of the lockout. By default, cPHulk is set to:

"IP Based Brute Force Protection period in minutes" = 15 minutes
"Brute Force Protection period in minutes" = 15 minutes
"Maximum Failures By Account" = 15 attempts
"Maximum Failures Per IP" = 10 attempts
"Maximum Failures Per IP before IP is blocked for two week period" = 20 total attempts

What those 5 lines mean is this:

(1) Bans an IP for 15 minutes (too low!)
(2) Bans an account during a 15-minute "fail window" (too low!)
(3) Allow 15 login fails from all locations/IPs to an account (too high!)
(4) Allow 10 login fails from one location/IP (may be too low!)
(5) Allow 20 login fails before being locked out for two weeks (may be too low!). So if all 10 attempts are within the fail window, and it happens twice (10+10), then the IP is blocked for two weeks by cPHulk.

By default, it's also not set to send you email warnings of brute force attempts, which is not really good for watchful security-minded admins.

Ideally, set it to something like this:

(1) Ban an IP for 20 minutes when it fails
(2) Ban an account for 20 minutes, so that a hacker can't just switch IPs and try again right away
(3) Allow only 10 login attempts per account
(4) Allow only 10 login attempts per IP
(5) Allow only 20 login failures before being banned for two weeks. (Sadly, cPHulk does not have a permanent ban setting.)

Unless you're a complete airhead, 5 login attempts should be plenty; 10 if you're worried. However, if you're providing hosting to others, realize that lots of users *are* airheads! What I can never understand is that some people try to login over and over again, often with the SAME wrong information! As Albert Einstein once said, (paraphrased) "insanity is doing the same thing over and over again, yet expecting different outcomes".




(Optional) Populate the Whitelist / Blacklist

Populate the whitelist and blacklist with known-good and known-undesired IP addresses:

Step 5: Go to the cPHulk Brute Force Protection page in WHM, and click on the White/Black List Management.

[Screenshot: cphulk-new-settings.jpg]

Step 6: Add your current IP address or IP range to the Whitelist. Do this for any place that you're likely to access the server from regularly, including your home, office, and secondary locations -- favorite online cafe, home/office of a friend or family member, your school/college, etc.

Step 7: Consider blocking places that you know you'll never try to login from. For example, if you're not planning to visit Estonia, Iran, China or Russia anytime soon, it's probably safe to block those IP ranges. This will lock out any login access to cPanel, WHM, SSH, FTP, IMAP, and POP3.

The alternative to a large blacklist is to simply let cPHulk block problem IPs one at a time, as they reach the predefined number of login failures. But again, if you're not planning to live in China anytime soon, there's no reason to allow a 123.0.0.0/8 range address to fail over and over again. Just blacklist the entire IP block and get it over with.


Final Notes

If this has helped you, be sure to click thanks.

However, understand that following guides online does NOT replace having a skilled server administrator.

Know that The Digital FAQ offers server administration services starting. If you use your VPS or dedicated server for serious endeavors, consider outsourcing your security to competent and experienced admins. Then you'll be able to focus on running the sites (creating content, etc.), not running the server. And while your host may have management services, most are reactive and not proactive -- meaning you'll have to request that tasks be done, which is a hard task for a non-admin who doesn't know what to ask for.

... just a word of warning for the DIY hosting customers out there.







The following users thank kpmedia for this useful post: danfilipi (08-13-2015)
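Added example, not code from the post or from cPanel: a Python model of the five counters the post describes (per-IP and per-account failure windows plus the cumulative two-week block), run against a constructed burst of failed logins so the defaults can be compared with the suggested values. The sliding-window semantics and the "lifetime per-IP total" rule are assumptions drawn from the post's explanation, not cPanel's implementation.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Policy:                 # comments quote the WHM setting names from the post
    ip_window_min: int        # "IP Based Brute Force Protection period in minutes"
    acct_window_min: int      # "Brute Force Protection period in minutes"
    max_fail_acct: int        # "Maximum Failures By Account"
    max_fail_ip: int          # "Maximum Failures Per IP"
    max_fail_ip_2wk: int      # "Maximum Failures Per IP before ... two week period"
DEFAULTS = Policy(15, 15, 15, 10, 20)   # the defaults quoted in the post
SUGGESTED = Policy(20, 20, 10, 10, 20)  # the values the post recommends

class CPHulkModel:
    """Assumed semantics (a model, not cPanel's code): failures are counted per IP and
    per account inside a sliding window; reaching a limit locks that IP or account for
    one window; the per-IP lifetime total triggers the two-week block."""
    def __init__(self, policy):
        self.p, self.events = policy, []
        self.ip_fails, self.acct_fails = defaultdict(list), defaultdict(list)
        self.ip_total, self.ip_until, self.acct_until = defaultdict(int), {}, {}

    def is_locked(self, ts, ip, account):
        return ts < self.ip_until.get(ip, ts) or ts < self.acct_until.get(account, ts)

    def failed_login(self, ts, ip, account):
        if self.is_locked(ts, ip, account):
            return "rejected"                    # a lock is already in force
        self.ip_total[ip] += 1
        for fails, key, minutes, limit, until in (
                (self.ip_fails[ip], ip, self.p.ip_window_min, self.p.max_fail_ip, self.ip_until),
                (self.acct_fails[account], account, self.p.acct_window_min, self.p.max_fail_acct, self.acct_until)):
            fails.append(ts)
            fails[:] = [t for t in fails if ts - t < timedelta(minutes=minutes)]
            if len(fails) >= limit:              # limit reached inside the window
                until[key], fails[:] = ts + timedelta(minutes=minutes), []
                self.events.append((key, "locked %d min" % minutes))
        if self.ip_total[ip] >= self.p.max_fail_ip_2wk:
            self.ip_until[ip] = ts + timedelta(days=14)
            self.events.append((ip, "blocked 14 days"))
        return "counted"

def run_bursts(policy, fails_per_burst=10, bursts=2, gap_min=16, ips=("203.0.113.7",)):
    """Constructed '10+10' scenario: bursts of failures against 'admin', gap_min apart, rotating ips."""
    m, t0 = CPHulkModel(policy), datetime(2012, 1, 26, 21, 0)
    for n in range(bursts * fails_per_burst):
        when = t0 + timedelta(minutes=(n // fails_per_burst) * gap_min, seconds=n % fails_per_burst)
        m.failed_login(when, ips[n % len(ips)], "admin")
    return m
```

With the defaults, two bursts of 10 failures 16 minutes apart end in the two-week block the post describes; with the 20-minute window the second burst is still rejected by the first lock, and the per-account lock also stops an attacker who rotates IPs before any single IP reaches its limit.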
  #2  
01-27-2012, 09:14 AM
admin (Site Staff | Web Development)
Join Date: Jul 2003
Posts: 4,368
Thanked 584 Times in 437 Posts
Sample List

This is a starter list for you, from one of our cPanel servers.

It's moderately aggressive, and is intended solely for North American (USA, Canada) and western European users.

Important: Be sure your IP block is not there, should you decide to use this one! If you lock yourself out, you'll have to ask for assistance from your host, or access the server/VPS from a non-banned IP range.

Code:
1.0.0.0/8
10.0.0.0/8
100.0.0.0/8
101.0.0.0/8
102.0.0.0/8
103.0.0.0/8
104.0.0.0/8
105.0.0.0/8
106.0.0.0/8
107.0.0.0/8
109.0.0.0/8
11.0.0.0/8
110.0.0.0/8
111.0.0.0/8
112.0.0.0/8
113.0.0.0/8
114.0.0.0/8
115.0.0.0/8
116.0.0.0/8
117.0.0.0/8
118.0.0.0/8
119.0.0.0/8
12.0.0.0/8
120.0.0.0/8
121.0.0.0/8
122.0.0.0/8
123.0.0.0/8
124.0.0.0/8
125.0.0.0/8
126.0.0.0/8
127.0.0.0/8
13.0.0.0/8
133.0.0.0/8
135.0.0.0/8
14.0.0.0/8
145.0.0.0/8
15.0.0.0/8
150.0.0.0/8
151.0.0.0/8
153.0.0.0/8
154.0.0.0/8
158.0.0.0/8
16.0.0.0/8
169.0.0.0/8
17.0.0.0/8
175.0.0.0/8
176.0.0.0/8
177.0.0.0/8
178.0.0.0/8
179.0.0.0/8
18.0.0.0/8
180.0.0.0/8
181.0.0.0/8
182.0.0.0/8
183.0.0.0/8
185.0.0.0/8
186.0.0.0/8
187.0.0.0/8
188.0.0.0/8
189.0.0.0/8
19.0.0.0/8
191.0.0.0/8
197.0.0.0/8
2.0.0.0/8
201.0.0.0/8
203.0.0.0/8
21.0.0.0/8
210.0.0.0/8
211.0.0.0/8
213.0.0.0/8
214.0.0.0/8
215.0.0.0/8
218.0.0.0/8
219.0.0.0/8
22.0.0.0/8
220.0.0.0/8
221.0.0.0/8
222.0.0.0/8
223.0.0.0/8
224.0.0.0/8
225.0.0.0/8
226.0.0.0/8
227.0.0.0/8
228.0.0.0/8
229.0.0.0/8
23.0.0.0/8
230.0.0.0/8
231.0.0.0/8
232.0.0.0/8
233.0.0.0/8
234.0.0.0/8
235.0.0.0/8
236.0.0.0/8
237.0.0.0/8
238.0.0.0/8
239.0.0.0/8
240.0.0.0/8
241.0.0.0/8
242.0.0.0/8
243.0.0.0/8
244.0.0.0/8
245.0.0.0/8
246.0.0.0/8
247.0.0.0/8
248.0.0.0/8
249.0.0.0/8
25.0.0.0/8
250.0.0.0/8
251.0.0.0/8
252.0.0.0/8
253.0.0.0/8
254.0.0.0/8
255.0.0.0/8
26.0.0.0/8
27.0.0.0/8
28.0.0.0/8
29.0.0.0/8
3.0.0.0/8
30.0.0.0/8
31.0.0.0/8
32.0.0.0/8
33.0.0.0/8
34.0.0.0/8
35.0.0.0/8
36.0.0.0/8
37.0.0.0/8
38.0.0.0/8
39.0.0.0/8
40.0.0.0/8
41.0.0.0/8
42.0.0.0/8
43.0.0.0/8
44.0.0.0/8
45.0.0.0/8
46.0.0.0/8
47.0.0.0/8
48.0.0.0/8
5.0.0.0/8
51.0.0.0/8
53.0.0.0/8
54.0.0.0/8
55.0.0.0/8
56.0.0.0/8
57.0.0.0/8
58.0.0.0/8
59.0.0.0/8
6.0.0.0/8
60.0.0.0/8
61.0.0.0/8
62.0.0.0/8
7.0.0.0/8
70.0.0.0/8
73.0.0.0/8
75.0.0.0/8
78.0.0.0/8
79.0.0.0/8
8.0.0.0/8
83.0.0.0/8
84.0.0.0/8
85.0.0.0/8
88.0.0.0/8
89.0.0.0/8
9.0.0.0/8
90.0.0.0/8
91.0.0.0/8
92.0.0.0/8
93.0.0.0/8
95.0.0.0/8
96.0.0.0/8
97.0.0.0/8
98.0.0.0/8
99.0.0.0/8

  #3  
01-29-2012, 01:15 AM
Dewlance (Free Member)
Join Date: Jan 2012
Location: Worldwide
Posts: 1
Thanked 0 Times in 0 Posts
Hello,

41.0.0.0/8
46.0.0.0/8

This is a Nigerian IP. If I block this, will the whole country or the whole "IP Block" (thousands of IPs) be blocked?

Thanks,
Kunnu

  #4  
01-29-2012, 11:09 AM
kpmedia (Site Staff | Web Hosting, Photo)
Join Date: Feb 2004
Posts: 4,242
Thanked 354 Times in 332 Posts
Quote:
Originally Posted by WindowsVPS View Post
41.0.0.0/8, 46.0.0.0/8
This is a Nigerian IP. If I block this, will the whole country or the whole "IP Block" (thousands of IPs) be blocked?
Correct.

.... sort of:

If you block the entire /8 block of 41.x.x.x, then you effectively disallow every IP in that range from accessing whatever it is that you've blocked. Every IP address from 41.0.0.1 to 41.255.255.255. I forget how many thousands of IP addresses that is, but it's all of them.

41.0.0.0/8 is AfriNIC, and includes much of the African continent. You'll be blocking not only Nigeria, but parts of South Africa, and other places in between.

46.0.0.0/8, however, is not AfriNIC. It's a mish-mash of geographic locations, including Turkey, Europe (both eastern and western), and Russia. If I'm not mistaken, I believe one of my IP addresses out of OVH (France) begins with a 46.x.x.x, though I'd have to double-check. This would not be safe to block unless you're completely positive that you'll never need to access the blocked content/service from those locations. For example, I'd never block 46.0.0.0/8 from being able to view a site, but it could definitely be entered into cPHulk to prevent service logins, as I'm not in one of those locations.

According to the current Wikipedia entry for AfriNic, "AfriNIC has been allocated the IPv4 address blocks 41.0.0.0/8, 102.0.0.0/8, 105.0.0.0/8 and 197.0.0.0/8 and IPv6 blocks 2c00::/12 and 2001:4200::/23. AfriNIC also administers the address space for 196.0.0.0/8 and 154.0.0.0/8."

... and welcome to the site.

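Added example, not code from either post: a Python check to run over a cPHulk blacklist before applying it, covering the two points raised in posts #2 and #4: that none of your own login locations fall inside an entry, and what a /8 entry actually spans. The sample list is a constructed excerpt of the starter list above; the "own addresses" are a documentation address plus a hypothetical 46.x.x.x host standing in for the OVH address mentioned in post #4.

```python
import ipaddress

# Constructed excerpt of the starter blacklist posted above (the real list is far longer).
SAMPLE_BLACKLIST = """
10.0.0.0/8     # private space: cannot stop Internet attackers, but can lock out LAN admins
41.0.0.0/8
46.0.0.0/8
127.0.0.0/8
224.0.0.0/8
240.0.0.0/8
"""
# Constructed 'places I log in from': a documentation address plus a hypothetical
# 46.x.x.x host standing in for the OVH address mentioned in post #4.
MY_ADDRESSES = ["192.0.2.10", "46.200.200.5"]

def parse_cidrs(text):
    """One network per line; blank lines and '#' comments are skipped; a malformed
    line (bad mask, host bits set) raises ValueError instead of being silently dropped."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=True))
    return nets

def span(net):
    """(first address, last address, count): what one /8 entry really covers."""
    return str(net[0]), str(net[-1]), net.num_addresses

def lockout_risks(blacklist, my_addresses):
    """The check post #2 asks for: every own address or range that a blacklist entry
    covers, as (mine, entry) pairs.  An empty list means the list is safe to apply."""
    mine = [ipaddress.ip_network(a) for a in my_addresses]
    return [(str(m), str(b)) for m in mine for b in blacklist if m.overlaps(b)]

def special_entries(blacklist):
    """Entries outside public unicast space: loopback, multicast and reserved ranges never
    reach the server from the Internet, and a private range can block local-network admins."""
    out = []
    for net in blacklist:
        for reason in ("loopback", "multicast", "reserved", "private"):
            if getattr(net, "is_" + reason):
                out.append((str(net), reason))
                break
    return out
```

Run `special_entries` and `lockout_risks` against the full list before pasting it into White/Black List Management; a non-empty result from either is a reason to edit the list first.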
  #5  
03-28-2014, 09:15 AM
admin (Site Staff | Web Development)
Join Date: Jul 2003
Posts: 4,368
Thanked 584 Times in 437 Posts
The guide was updated for cPanel 11.42.x and beyond.
