Our features site is undergoing a refresh! Be sure to explore the revamped site and discover our latest product roadmap launching here on Monday, March 18th.

cPHulkd to better mitigate Brute Force Attacks

Feature Importer shared this idea 13 years ago
Completed

As a Server Administrator, I want cPHulkd to better mitigate Brute Force Attacks, so that I can enhance security on my system.


Block with Ip Tables

Run script when blocking / unblocking [ path here ] (document syntax)


This is a feature that has been migrated over from the cPanel Forums. All previous comments and discussions concerning this feature can be located at:

http://forums.cpanel.net/f145/suggestions-making-cphulk-useful-242632.html

Best Answer
photo

This is now available in 11.48+

We will be adding the following options in 11.48 (The UI is also scheduled for a refresh, however this is being done separately).


We have also added caching and made cphulkd use significantly fewer resources and sql queries (see graphs attached).


Please see the attached screenshot of the new options. Please note that documentation has not yet reviewed the text and it will change.


This feature is being tracked as case 123065. As of 10/19, it is in the final stages of QA.

Replies (10)

photo
3

Or remove it completely and allow other applications/third parties to better manage brute force detection.


This was discussed at the cPanel Security Panel session at cPanel Conference 2012.

photo
2

We use CSF as well, but really does not seem to have had much impact on blocking of bots who are attempting to break into WordPress blogs in mass (as in, locating domains of a server, adding wp-admin to path then run repeated user/pass attempts to break in).


I really think you folks should consider focusing on security more in this regard.

cPHulk was step in the right direction, but really doesn't go far enough.


When I look at it (cPHulk) I see, "ok, what's the least amount of effort we can put into a cpanel app to show we are doing something security wise."


Likewise, anytime we mention CSF in tickets cpanel folks often throw up a "silver cross," warning, "it's 3rd party and we can't talk about that..."

So sort of a catch-22 security wise if you get my meaning.


Realistically, cpanel does need better login management, monitoring and security for "all types" of login activity.


Hackers love cpanel, because the cpanel developers have chosen to put only minimal systems in place against old school brute force attacks out-of-the-box.


I imagine it would take a small team of cpanel folks no more than 1 day to poll a large number of established cpanel servers to see what common software is installed (wordpress, joomla, etc.), then set up a security team to look at means to better securing these CMS systems against the more obvious intrusion attempts or attacks (at the server level-- saving our customers from unnecessary hardship in the process).

photo
1

Desperately need ability to upload lists of hostile IPs automatically and protect my discussion forum.

photo
2

Handle failed logins with cPHulk is very limited and sometimes a headache on a shared dedicated server and CSF doesn't have a friendly interface like cPHulk.


- Block with iptables

- More settings to configure rules (Even different rules for an specific domain)

- Use less resources

photo
1

That's a must have sollution for sure.

Please cPanel, do consider and implement this.

Any chance we could get it any time soon? When?

Thanks,

photo
1

Hello,


I had a ticket open but was not able to let cPanel staff trun on cphulk and they could not reproduce the problem on a test VPS.


Ticket id : 4617637


I don't know how many logins were causing this, it was happening during hours when companies opened and everyone was checking their e-mail.


Dovecot was receiving empty login data thus refusing the connection.


  1. Mar 5 09:05:07 server10 dovecot: auth: Debug: checkpassword(email@domain.tld,ip.ip.ip.ip,<ababababa>): Received input:
  2. Mar 5 09:05:07 server10 dovecot: auth: Debug: checkpassword(email@domain.tld,ip.ip.ip.ip,<ababababa>): exit_status=1

photo
1

This is now available in 11.48+

We will be adding the following options in 11.48 (The UI is also scheduled for a refresh, however this is being done separately).


We have also added caching and made cphulkd use significantly fewer resources and sql queries (see graphs attached).


Please see the attached screenshot of the new options. Please note that documentation has not yet reviewed the text and it will change.


This feature is being tracked as case 123065. As of 10/19, it is in the final stages of QA.

photo
1

I like this implementation, might even allow us to reinable this feature as during large bruteforce attacks cphulkd wasn't managing with as many connections as dovecot alone without cphulkd. By blocking IP's in the firewall we can hope that will free up resources.

photo
1

Since CPHulk uses GeoIP anyway, country-based blocking could be immensely useful, especially for local (as opposed to international) hosting providers.

photo
1

HostCenter IL wrote:

Since CPHulk uses GeoIP anyway, country-based blocking could be immensely useful, especially for local (as opposed to international) hosting providers.
Hi HostCenter IL,


That system that hulkd uses for notifications uses the geoip module, however it feasible to utilize that functionality at evaluation time with a fair amount of work. This round of improvements has already been completed and merged so this is better suited as a new feature request as we don't want to loose your idea when this feature goes to a released state.

Replies have been locked on this page!