One of the benefits of using the cPanel/WHM control panel is the cPHulk brute force protection, which disables access to the PAM services. (PAM = Pluggable Authentication Modules. It's essentially what's used to log you into the server, email. etc.)
Unlike a traditional firewall that entirely blocks an IP range/address from all access to the server, cPHulk only prevents the ability to login. So website viewers can still see the site, and email is still delivered. Entire countries can be blocked from logging in via the blacklist, but site visitors from that country are not affected.
Additionally, cPHulk protects cPanel, WHM, SSH, FTP, IMAP, SMTP and POP3 from brute force authentication attacks, banning an IP (or locking an account) after too many failed attempts.
It's also a good backup to the CSF/LFD firewall -- which you really should use! -- in case that firewall ever fails or is accidentally deactivated.
Some more information can be found here:
http://www.digitalfaq.com/forum/web-...nels-anti.html
Install and Setup cPHulk
In order to install and setup cPHulk, you'll need to:
Step 1: Login to WHM.
Step 2: Go to the Security Center menu on the left side of the WHM screen, and select
cPHulk Brute Force Protection.
cphulk-new.jpg
Step 3: Then enable cPHulk in cPanel. Doing so will also disable UseDNS. (It requires a restart of the SSH service; you'll be prompted on-screen with instructions.) UseDNS is probably unnecessary for most users anyway.
Configure cPHulk
Step 4: Configure the number of failures required to lock out the IP address, including length of the lockout. By default, cPHulk is set to:
"IP Based Brute Force Protection period in minutes" = 15 minutes
"Brute Force Protection period in minutes" = 15 minutes
"Maximum Failures By Account" = 15 attempts
"Maximum Failures Per IP" = 10 attempts
"Maximum Failures Per IP before IP is blocked for two week period" = 20 total attempts
What those 5 lines means is this:
(1) Bans an IP for 15 minutes (too low!)
(2) Bans an account during a 15-minute "fail window" (too low!)
(3) Allow 15 login fails from all locations/IPs to an account (too high!),
(4) Allow 10 login fails from one location/IP (may be too low!)
(5) Allow 20 login fails before being locked out for two weeks (may be too low!). So if all 10 attempts are within the fail window, and it happens twice (10+10), then the IP is blocked for two weeks by cPHulk.
By default, it's also not set to send you email warnings of brute force attempts, which is not really good for watchful security-minded admins.
Ideally, set it to something like this:
(1) Ban for an IP 20 minutes when it fails
(2) Ban an account for 20 minutes, so that a hacker can't just switch IPs an try again right away
(3) Allow only 10 login attempts per account
(4) Allow only 10 login attempts per IP
(5) Allow only 20 login failures before being banned for two weeks. (Sadly, cPHulk does not have a permanent ban setting.)
Unless you're a complete airhead, 5 login attempts should be plenty; 10 if you're worried. However, if you're providing hosting to others, realize that lots of user *are* airheads! What I can never understand is that some people try to login over and over again, often with the SAME wrong information! As Albert Einstein once said, (paraphrased) "insanity is doing the same thing over and over again, yet expecting different outcomes".
You must be logged in to view this content; either login or register for the forum. The attached screen shots, before/after images, photos and graphics are created/posted for the benefit of site members. And you are invited to join our digital media community. |
(Optional) Populate the Whitelist / Blacklist
Populate the whitelist and blacklist with known-good and known-undesired IP addresses:
Step 5: Go to the cPHulk Brute Force Protection page in WHM, and click on the
White/Black List Management.
cphulk-new-settings.jpg
Step 6: Add your current IP address or IP range to the Whitelist. Do this for any place that you're likely to access the server regularly. Including your home, office, and secondary locations -- favorite online cafe, home/office of friend or family member, you school/college, etc.
Step 7: Consider blocking places that you know you'll never try to login from. For example, if you're not planning to visit Estonia, Iran, China or Russia anytime soon, it's probably safe to block those IP ranges. This will lock out any login access to cPanel, WHM, SSH, FTP, IMAP, and POP3.
The alternative to a large blacklist is to simply let cPHulk block problem IPs one at a time, as they fail the predefined number of login fails. But again, if you're not planning to live in China anytime soon, there's no reason to allow a 123.0.0.0/8 range address fail over and over again. Just blacklist the entire IP block and get it over with.
Final Notes
If this has helped you, be sure to click thanks.
However, understand that following guides online does NOT replace having a skilled server administrator.
Know that The Digital FAQ offers server administration services starting. If you use your VPS or dedicated server for serious endeavors, consider outsourcing your security to competent and experienced admins. Then you'll be able to focus on running the sites (creating content, etc), not running the server. And while your host may have management services, most are reactive and no proactive -- meaning you'll have to request tasks be done, which is hard task for a non-admin that doesn't know what to ask for.
... just a word of warning for the DIY hosting customers out there.
Need a good web host? — Read our 2018 Review of the Best Web Hosts
Quite often, problems with web sites are caused by having a rotten web host. Worse yet, many hosts try to blame you (the customer) for the problems! So dump that lousy company. Say goodbye to slow sites, unresponsive support techs, and downtime. Find yourself a new host today. Whether you need shared, reseller, VPS, semi-dedicated, cloud, or dedicated hosting, something on our list should be a good upgrade for you.
|