cPHulk Brute Force Protection
Enable the cPHulk Brute Force Protection service on your cPanel & WHM server to add a robust layer of brute force protection.
What is a “brute force login attempt”?
A brute force login attempt is usually an automated attempt to gain access to privileged assets by repeatedly submitting user name and password combinations in the hope of guessing the correct one.
Even when these attempts are ultimately unsuccessful, they can, depending on their volume, exhaust your server's resources.
It is therefore recommended to block brute force attempts as early as possible, delaying or permanently blocking the source so that it cannot keep trying.
What is cPHulk?
cPHulk will monitor the login attempts to your server’s core services, including
- cPanel services (Port 2083)
- WHM services (Port 2087)
- Mail services (Dovecot® and Exim)
- The PureFTPd service
- Secure Shell (SSH) access
NOTE: cPHulk does NOT monitor or protect WordPress logins. Be sure you have other security in place to protect your WordPress installation.
Based on its configuration settings, which you can modify in WHM, cPHulk blocks repeated failed login attempts by user name and by IP address.
Note: cPHulk is part of cPanel & WHM but may be disabled by default. If the cPHulk page in WHM shows it as disabled, switch it on there; if you cannot, contact your server support.
IMPORTANT: Be sure to whitelist your own IP address before you tighten any restrictions.
To configure cPHulk, log into WHM and type cphulk in the search box.
The first thing you should do is whitelist your own IP address. This prevents your own device from being locked out.
Click the Whitelist Management tab, enter your IP address in the box under New Whitelist Records, add a comment that identifies it (e.g. home) and click Add.
Do the same for any other IP addresses that will require access, e.g. your office or work IP.
Click the Blacklist Management tab, enter any IP addresses you want to blacklist in the box under New Blacklist Records, add an optional identifying comment and click Add.
How to easily add failed logins to your Blacklist.
On the Configuration Settings tab, scroll down to the Notifications section and check "Send a notification when the system detects a brute force user".
WHM will then send an email notification to the address that root's mail is forwarded to. You can see (and change) that address in WHM > Server Contacts > Edit System Mail Preferences; scroll down to the last section of that page, where you'll see the following:
The system currently forwards mail for "root" to "name@yourdomain". (name@yourdomain should show your email address.)
When a user trips the brute force threshold you configured, you'll get an email that includes links to blacklist the offending IP address, its /24 range or its /16 range.
Using these links, you can choose to block either the individual IP address or an entire IP range.
Note that if you choose to block the /16 range, it covers the single IP as well as the /24 range.
When you click a link, you'll be directed to log in to WHM.
Once you provide your login credentials, the IP or IP range, depending on which link you clicked, is automatically added to the cPHulk Blacklist Management entries.
Next, decide whether your server requires international access. If it does, make a list of the countries that will NOT be subject to country blocking.
To block one or more countries, click the Countries Management tab. Select the countries you want to block, then click the gear icon to open the drop-down menu.
Click "Blacklist Selected Countries" to blacklist your selections.
If your server's core services are only accessed from a specific country or countries, you can click the box to the left of the Country Name column header, which selects ALL countries.
Then scroll down until you see each country that requires access and REMOVE the check next to its name.
Once you've cleared your required countries, click the gear icon and select "Blacklist Selected Countries".
This effectively blacklists every country from reaching your server's core services except those you've elected to allow.
PRO TIP: Even though cPHulk blocks failed login attempts after your specified maximum, each attempt still consumes some of your server's processing resources, and the more attempts are blocked, the more resources are used. To cut this down, you can BLOCK ALL COUNTRIES. This immediately rejects every login attempt to your server EXCEPT those from IP addresses on the cPHulk Whitelist.

Before you block all countries, you MUST therefore whitelist your own IP address (go to ip.liquidweb.com to get it) plus the IP addresses of any other accounts that need to log in to the server, including your web hosting support. Also check with your web host, BEFORE blocking all countries, that they can still reach cPHulk if your IP address ever changes and you are locked out of your server: your host's support must be able to log in even when the country block would otherwise stop them.

Keep in mind that cPHulk evaluates each attempt from inside the login path of the service it protects (for example as a PAM module for SSH), so a country-blocked connection is still accepted by the service and is refused before the password is checked. The saving is in authentication work, not in connections; only a firewall rule drops traffic before it reaches the service.

After you implement BLOCK ALL COUNTRIES, blocked attempts will NOT show up in your cPHulk Blacklist, because they never get a single login attempt, so no failures are recorded in Blacklist Management. Once it is in place, though, your server is much more secure without wasting server resources.
The History Reports tab lets you view reports of Failed Logins, Blocked Users, Blocked IP Addresses and One-Day Blocks.
If you have blocked countries, the Failed Logins report should only list failed logins from the countries that are NOT blocked.
This is useful for quickly determining whether a large number of failures originate from the same net block, in which case you may decide to blacklist part or all of that net block.
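The net-block review described above, and the rule that a /16 entry covers the /24 and single IPs inside it, can be done mechanically. The script below is an added example written for this post, not part of cPHulk or cPanel's own tooling: it takes failed-login rows as you would copy them from the Failed Logins report (the sample rows and the whitelist are constructed, using documentation ranges plus 198.51.101.0/24 so that a /16 roll-up appears), ignores anything covered by your whitelist so it can never propose blocking your own address, rolls the rest up into /24 and /16 blocks, and prints WHM API 1 `create_cphulk_record` calls for the ranges that cross your thresholds. The `whmapi1` call is the one I recall from the WHM API 1 documentation; check it against your cPanel version before running the output.

```python
"""Roll the Failed Logins report up into net blocks and suggest cPHulk blacklist entries.

Input is a list of (source IP, user name, service) tuples, as you would copy them
from WHM > cPHulk > History Reports > Failed Logins. Anything covered by the
whitelist is ignored so the script can never suggest blocking your own address.
"""
import ipaddress
from collections import defaultdict

# Constructed sample data (documentation ranges plus 198.51.101.0/24 to show a /16 roll-up).
SAMPLE_FAILED_LOGINS = [
    ("198.51.100.23", "root", "sshd"),
    ("198.51.100.23", "admin", "sshd"),
    ("198.51.100.77", "root", "sshd"),
    ("198.51.100.142", "root", "sshd"),
    ("198.51.101.5", "root", "sshd"),
    ("198.51.101.66", "oracle", "sshd"),
    ("198.51.101.200", "root", "sshd"),
    ("203.0.113.9", "root", "cpaneld"),   # whitelisted office address, mistyped password
    ("203.0.113.9", "root", "cpaneld"),
    ("192.0.2.45", "info", "dovecot"),
    ("192.0.2.45", "info", "dovecot"),
    ("192.0.2.45", "info", "dovecot"),
    ("192.0.2.131", "sales", "exim"),
]

# Constructed whitelist: the entries you added under Whitelist Management (single IPs or CIDR).
WHITELIST = ["203.0.113.9", "203.0.113.64/26"]


def is_whitelisted(ip, whitelist):
    """True if ip is a whitelisted address or falls inside a whitelisted range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(entry, strict=False) for entry in whitelist)


def tally(failed_logins, whitelist):
    """Count attempts per non-whitelisted IPv4 source address."""
    per_ip = defaultdict(int)
    for ip, _user, _service in failed_logins:
        addr = ipaddress.ip_address(ip)
        if addr.version == 4 and not is_whitelisted(ip, whitelist):
            per_ip[addr] += 1
    return dict(per_ip)


def group_by_prefix(per_ip, prefix):
    """Roll {ip: attempts} up into {network: [attempts, distinct_hosts]} for one prefix length."""
    groups = defaultdict(lambda: [0, 0])
    for addr, attempts in per_ip.items():
        net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
        groups[net][0] += attempts
        groups[net][1] += 1
    return groups


def recommend(failed_logins, whitelist, min_attempts=3, min_sources=3):
    """Return [(target, attempts, distinct_hosts)] to blacklist, widest range first.

    A /24 is suggested when at least min_sources distinct hosts in it failed;
    a /16 replaces its /24s when two or more of them qualify (a /16 entry covers
    the /24s and single IPs inside it); a lone IP is suggested when it alone
    reached min_attempts and no wider block already covers it.
    """
    per_ip = tally(failed_logins, whitelist)
    by_24 = group_by_prefix(per_ip, 24)
    by_16 = group_by_prefix(per_ip, 16)

    hot_24 = {net for net, (_, hosts) in by_24.items() if hosts >= min_sources}
    hot_16 = {net for net in by_16 if sum(1 for n in hot_24 if n.subnet_of(net)) >= 2}

    recs = [(str(net), *by_16[net]) for net in hot_16]
    recs += [(str(net), *by_24[net]) for net in hot_24
             if not any(net.subnet_of(big) for big in hot_16)]
    covered = hot_16 | hot_24
    recs += [(str(addr), attempts, 1) for addr, attempts in per_ip.items()
             if attempts >= min_attempts and not any(addr in net for net in covered)]
    recs.sort(key=lambda r: (-r[1], r[0]))
    return recs


def whmapi1_commands(recs, comment="repeated failed logins"):
    """Render WHM API 1 calls for the entries (create_cphulk_record as I recall it; verify first)."""
    return [
        f"whmapi1 create_cphulk_record list_name=black ip={target} "
        f"comment='{comment}: {attempts} attempts from {hosts} host(s)'"
        for target, attempts, hosts in recs
    ]


if __name__ == "__main__":
    for line in whmapi1_commands(recommend(SAMPLE_FAILED_LOGINS, WHITELIST)):
        print(line)
```

With the sample rows the two busy /24s inside 198.51.0.0/16 collapse into a single /16 entry, the three failures from 192.0.2.45 become a single-IP entry, and the two failures from the whitelisted office address are ignored. Tune `min_sources` and `min_attempts` to your own traffic, and review the list before pasting the commands into a root shell: a /16 is 65,536 addresses, and the page's warning about whitelisting your own IP first applies just as much here.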
cPHulk Brute Force Protection can greatly enhance the security of your server by adding a security layer on top of your server firewall.
Its user interface is clean and straightforward and does not require a high degree of technical skill to implement.
Don't let its simplicity fool you, though: once it's configured properly, it's highly effective at repelling brute force login attempts.