Use cPHulk for Brute Force Protection

For WHM version 11.30

A brute force attack uses an automated system to guess the passwords for your web server or its services. cPHulk protects against brute force attacks by locking out IP addresses and accounts that fail to authenticate too many times.

Configuration Settings

To begin using cPHulk:

  1. Click Enable.
  2. Select the Configuration Settings tab.
  3. In the first field, define the number of minutes to lock out a remote IP address once it reaches its failure limit.
  4. In the second field, define the number of minutes to lock an account once it reaches its failure limit.
    • Use caution when setting this limit, since its net effect is to prevent anyone from accessing that account, including the user to whom it belongs.
  5. In the third field, define the failure limit for accounts.
  6. In the fourth field, define the number of times a specific IP address may fail before it is locked out.
  7. In the fifth field, define the failure limit after which the IP address is blocked for a two-week period.
  8. Use the checkboxes to determine:
    • Whether you will receive notifications upon successful root login when the IP is not whitelisted.
    • Whether to extend lockout time for each additional failure past the limit.
    • Whether you will receive notifications when a brute force attack is detected.
  9. Click Save.
    • Note: By default, UseDNS is enabled in the /etc/ssh/sshd_config file on your server. UseDNS resolves the connecting address to a hostname and passes that hostname to PAM for SSH session authentication. cPHulk also requests authentication information from PAM when it decides whether a login attempt is part of a brute force attack. This creates a problem for cPHulk's Trusted IPs List feature if UseDNS remains enabled: an attacker who controls the reverse DNS for their own address can publish a spoofed pointer (PTR) record that impersonates a trusted hostname, and would then be granted unlimited login attempts, which permits a brute force attack. Therefore, cPHulk disables UseDNS when it is enabled.
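
The note above describes the trust problem in terms of sshd and PAM. The following added example (not cPHulk's or OpenSSH's code) makes the failure mode concrete with constructed DNS data: a trusted-host check that believes the PTR record alone, the forward-confirmed version that catches the spoof, the address-only comparison that cPHulk's Trusted IP List actually performs, and a small parser for confirming the effective UseDNS value in an sshd_config file. The hostnames, addresses and the parser are assumptions for the illustration; the parser mirrors sshd's rule that the first value given for a keyword wins.

```python
# Added example; not cPHulk's or OpenSSH's code. Hostnames, addresses and the
# parser are assumptions for the illustration. The DNS zones are constructed
# inline so the example runs offline; a real check would query a resolver.
from typing import Dict, Set

TRUSTED_HOSTNAMES = {"admin.example.com"}

# Reverse zones: whoever holds an address range writes its PTR records, so the
# attacker on 198.51.100.77 can claim any name, including one on the trusted list.
PTR: Dict[str, str] = {
    "203.0.113.10": "admin.example.com",   # the genuine admin workstation
    "198.51.100.77": "admin.example.com",  # attacker-controlled reverse zone, spoofed name
}
# Forward zone for example.com, under the defender's control: the name maps only to its real address.
A: Dict[str, Set[str]] = {"admin.example.com": {"203.0.113.10"}}


def trusted_by_ptr_only(ip: str) -> bool:
    """The weak check: believe whatever hostname the PTR record supplies (what UseDNS hands to PAM)."""
    return PTR.get(ip) in TRUSTED_HOSTNAMES


def trusted_by_fcrdns(ip: str) -> bool:
    """Forward-confirmed reverse DNS: the claimed name must resolve back to the connecting address."""
    name = PTR.get(ip)
    return name in TRUSTED_HOSTNAMES and ip in A.get(name, set())


def trusted_by_ip(ip: str, trusted_ips: Set[str]) -> bool:
    """What cPHulk's Trusted IP List does: compare the address itself, with no DNS in the loop."""
    return ip in trusted_ips


def usedns_enabled(sshd_config: str, default: bool = True) -> bool:
    """Effective UseDNS value for the text of an sshd_config file.

    sshd uses the first value given for a keyword, keywords are case-insensitive,
    and both 'Keyword value' and 'Keyword=value' are accepted. The default is True
    because the page states UseDNS is on by default for this WHM version; OpenSSH
    6.8 and later default it to no, so pass default=False on such hosts.
    """
    for raw in sshd_config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "usedns":
            return parts[1].strip().lower() == "yes"
    return default
```

The spoofed address passes the PTR-only check and fails the other two; for the server itself, `usedns_enabled(open("/etc/ssh/sshd_config").read())` reports what sshd will actually do after cPHulk has edited the file.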

White/Black List Management

cPHulk also provides a trusted IPs list (white list) and rejected IPs list (black list). The Trusted IP List specifies IP addresses that cPHulk will never prevent from accessing your server. The Rejected IP List specifies IP addresses that cPHulk will always prevent from accessing your server.

To quickly add an IP to the white or black list:

  1. Select the White/Black List Management tab.
  2. Enter the IP in the Entry box under the appropriate list.
  3. Click Quick Add to the right of the entry.

To edit the white or black list:

  1. Select the White/Black List Management tab.
  2. Click Edit Whitelist or Edit Blacklist.
  3. Edit the IP addresses in the text box.
  4. Click Save.

Login/Brute History Report

cPHulk stores failed login attempts in a database. This is useful for identifying problem IP addresses that may need to be blocked from accessing your server altogether. However, the database may need to be cleared from time to time, either to conserve system resources or to let a user who has forgotten a password back into a locked account. To clear the database, click Flush DB.

The information from the database is shown in two lists under the Login/Brute History Report tab. The first lists failed logins; an entry appears, for example, when a cPanel user enters his or her password incorrectly. The second lists sources with excessive failed login attempts. Monitor both lists to find IP addresses and accounts that may need to be blocked.
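
To make the semantics of the five fields and the extend-lockout checkbox, the two lists, and the history report concrete, here is an added example in Python that models the policy described above over constructed login attempts. It is not cPHulk's code: the field names, default values, and the decision that a refused attempt during a lockout also counts toward the extended lockout are assumptions made for the illustration, as are the IP addresses and account names.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple

@dataclass
class Policy:  # the Configuration Settings fields; names and defaults are assumptions
    ip_lockout_minutes: int = 15       # field 1
    account_lockout_minutes: int = 5   # field 2
    account_failure_limit: int = 5     # field 3
    ip_failure_limit: int = 10         # field 4
    ip_block_limit: int = 30           # field 5: failures before the two-week block
    extend_lockout: bool = True        # checkbox: one more lockout period per failure past the limit
    trusted_ips: Set[str] = field(default_factory=set)   # Trusted IP List: never locked out
    rejected_ips: Set[str] = field(default_factory=set)  # Rejected IP List: always refused

@dataclass
class Counter:
    failures: int = 0
    locked_until: Optional[datetime] = None

def _locked(c: Optional[Counter], at: datetime) -> bool:
    return bool(c and c.locked_until and at < c.locked_until)

class CphulkModel:
    def __init__(self, policy: Policy) -> None:
        self.policy = policy
        self.ips: Dict[str, Counter] = {}
        self.accounts: Dict[str, Counter] = {}
        self.history: List[Tuple[datetime, str, str]] = []  # the failed-login "database"

    def _lock(self, c: Counter, limit: int, minutes: int, at: datetime) -> None:
        # One base period, plus one more per failure beyond the limit when extension is on.
        extra = (c.failures - limit) if self.policy.extend_lockout else 0
        c.locked_until = at + timedelta(minutes=minutes * (1 + extra))

    def attempt(self, ip: str, account: str, password_ok: bool, at: datetime) -> str:
        p = self.policy
        if ip in p.rejected_ips:
            return "rejected-ip"  # the black list wins over everything else
        if ip in p.trusted_ips:  # the white list bypasses every counter
            return "success" if password_ok else "failure"
        # Lock checks come before the password, so a locked source learns nothing from the reply.
        if _locked(self.ips.get(ip), at):
            outcome = "ip-locked"
        elif _locked(self.accounts.get(account), at):
            outcome = "account-locked"
        elif password_ok:
            return "success"
        else:
            outcome = "failure"
        # Every failed or refused attempt is stored and counted against both the IP and the account.
        self.history.append((at, ip, account))
        ipc = self.ips.setdefault(ip, Counter())
        ipc.failures += 1
        if ipc.failures >= p.ip_block_limit:
            ipc.locked_until = at + timedelta(days=14)  # field 5: the fixed two-week block
        elif ipc.failures >= p.ip_failure_limit:
            self._lock(ipc, p.ip_failure_limit, p.ip_lockout_minutes, at)
        acc = self.accounts.setdefault(account, Counter())
        acc.failures += 1
        if acc.failures >= p.account_failure_limit:
            self._lock(acc, p.account_failure_limit, p.account_lockout_minutes, at)
        return outcome

    def excessive(self) -> Dict[str, List[str]]:
        # The "excessive failed logins" list: every IP address or account at or past its limit.
        p = self.policy
        return {"ips": [i for i, c in self.ips.items() if c.failures >= p.ip_failure_limit],
                "accounts": [a for a, c in self.accounts.items() if c.failures >= p.account_failure_limit]}

    def flush_db(self) -> None:
        # Flush DB: counters, lockouts and history all go, which is also what frees a locked-out user.
        self.ips, self.accounts, self.history = {}, {}, []

def demo() -> dict:
    # Constructed attempts, not real logs: a guesser, the account owner, and a trusted admin.
    t0 = datetime(2011, 10, 26, 13, 0)
    m = CphulkModel(Policy(trusted_ips={"203.0.113.5"}, rejected_ips={"198.51.100.9"}))
    out = {"rejected": m.attempt("198.51.100.9", "bob", True, t0)}
    # Five wrong guesses at bob reach the account limit; the fifth itself is still a plain failure.
    out["attacker_fifth"] = [m.attempt("192.0.2.44", "bob", False, t0 + timedelta(seconds=i))
                             for i in range(5)][-1]
    out["attacker_sixth"] = m.attempt("192.0.2.44", "bob", False, t0 + timedelta(seconds=5))
    # The owner is shut out too (field 2's caution); each refused attempt adds 5, 10, then 15 minutes, so he is in only after 13:16.
    out["owner_during_lock"] = m.attempt("198.51.100.20", "bob", True, t0 + timedelta(minutes=1))
    out["owner_after_lock"] = m.attempt("198.51.100.20", "bob", True, t0 + timedelta(minutes=20))
    # Another account does not help: the IP's tenth failure locks it, the eleventh is refused, the thirtieth gets two weeks.
    run = [m.attempt("192.0.2.44", "alice", False, t0 + timedelta(minutes=21, seconds=i)) for i in range(24)]
    out["attacker_tenth"], out["attacker_eleventh"] = run[3], run[4]
    out["blocked_days"] = (m.ips["192.0.2.44"].locked_until - (t0 + timedelta(minutes=21, seconds=23))).days
    m.attempt("203.0.113.5", "root", False, t0 + timedelta(minutes=22))  # trusted: never counted
    out["trusted_counted"] = "203.0.113.5" in m.ips
    out["history_len"] = len(m.history)
    out["excessive"] = m.excessive()
    m.flush_db()
    out["after_flush"] = m.excessive()
    return out
```

Running `demo()` walks through the whole policy: the rejected address is refused before any password check, the attacker's sixth guess and the owner's own correct login are both answered "account-locked" (and, with extension on, each one pushes the lock further out), the tenth failure from the attacker's address locks the address for 15 minutes, the thirtieth blocks it for 14 days, the trusted address never appears in the counters, and Flush DB empties the excessive list, which is exactly why it also lets a locked-out user back in.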

Fixing a Lockout

If cPHulk locks you out of your own server, run the following script via WHM: /scripts2/doautofixer?autofix=disable_cphulkd

  • Example: Type the following line into your browser's address bar:
    https://www.example.com:2087/scripts2/doautofixer?autofix=disable_cphulkd

Topic revision: r9 - 26 Oct 2011 - 13:48:41 - Main.JustinSchaefer