Enable cPHulk to be used with OpenVZ
Completed
I'm receiving notifications for +20 attempts per day and without this feature, I cannot block access to the server.
As explained here https://forums.cpanel.net/threads/cant-enable-cphulk.452821/ cPHulk was disabled from being used inside a container by an internal case number 163557. No further explanation was given, but I need cPHulk to support this feature, or at least, get some guidance in order to prevent massive attacks.
This was resolved in version 68 and backported to version 66.
To support the firewall integration functionality within a Virtuozzo (VZ) environment, full firewall management must be possible within the VZ container. It must provide the same modules and behavior as an unmodified CentOS system running directly on the hardware.
There is so much variation within VZ environments, even at times at the same hosting provider, that attempting to make system management features fully compatible is impractical.
Please note that the rest of cPHulk will function just fine within a VZ environment. Only the firewall integration feature is disabled.
That doesn't seem like much of an excuse considering the fact that ConfigServer Security and Firewall has a Perl script that determines whether or not the system can support the iptables functions it needs.
The iptables bans make use of the iptables time module. This module did not function correctly and/or was frequently unavailable on OpenVZ systems, which led to it being rejected for inclusion on that platform.
It's also not available on CentOS 5 because we don't have a good way of working around the various bugs in the older versions of the time module.
If CentOS 7 based OpenVZ systems can be shown to work correctly with the iptables time module, we could enable the functionality for those systems.
Guys, I have the feeling that this is taking a turn for the worse. The idea is not to point fingers, but to work out how to fix this problem. I have no details about the motive that led the cPanel team to disable the ban in this type of system. The problem is that I really need to filter this traffic. Right now I'm getting only an email that I can't compute or process in any way, other than manually logging into the host server and adding the iptables rules by hand.
If needed, I prefer to have the IP list exported in a txt file, so I can put a cron in the host machine and update the iptables rules as required, but I need to put something in place.
Hi Ezequiel,
When we added support for iptables, we also added support for running an external command at the same time. If you have a command line that will block an IP for a period of time, you could do something like this:
/path/to/command %remote_ip% %exptime%
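As an added illustration of the external-command hook described in the reply above (this is not cPanel's or cPHulk's own code), the script below is what such a `/path/to/command` could look like when the container itself cannot manage iptables. It follows the requester's own proposal: the hook only records `%remote_ip%` and `%exptime%` in a plain-text list, and a cron job on the host reads the still-active entries and applies its own firewall rules. The path `/usr/local/sbin/cphulk-ban-hook.sh`, the list location and the assumption that `%exptime%` arrives as a Unix epoch timestamp are all assumptions for the example, not documented cPHulk behaviour.

```shell
#!/bin/sh
# Added example (not cPanel's or cPHulk's own code). Intended to be set as
# the cPHulk external command, e.g.:
#   /usr/local/sbin/cphulk-ban-hook.sh %remote_ip% %exptime%
# Assumptions: %exptime% is a Unix epoch timestamp, and the host applies
# blocks from the plain-text list BANFILE via its own cron job. Nothing here
# calls iptables, so it runs unchanged inside a container that lacks the
# iptables time module.

BANFILE="${BANFILE:-/var/tmp/cphulk-bans.txt}"

# is_ipv4 <addr>: accept only a dotted quad with octets 0-255, so that an
# unexpected value in %remote_ip% can never be passed on as a rule fragment.
is_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF == 4 {
            for (i = 1; i <= 4; i++)
                if ($i !~ /^[0-9]+$/ || $i > 255) exit 1
            exit 0
        }
        { exit 1 }'
}

# record_ban <ip> <exptime>: append "ip exptime" to BANFILE.
# Writes nothing and returns 1 for malformed input.
record_ban() {
    ip=$1
    exp=$2
    is_ipv4 "$ip" || return 1
    case $exp in
        ''|*[!0-9]*) return 1 ;;   # exptime must be a plain integer
    esac
    printf '%s %s\n' "$ip" "$exp" >> "$BANFILE"
}

# active_bans <now>: print the IPs whose ban has not yet expired, one per
# line, first occurrence only. The host-side cron job feeds this list to its
# own iptables commands; expired entries are simply never printed.
active_bans() {
    now=$1
    [ -f "$BANFILE" ] || return 0
    awk -v now="$now" '$2 > now && !seen[$1]++ { print $1 }' "$BANFILE"
}

# prune_bans <now>: drop expired lines from BANFILE so it does not grow forever.
prune_bans() {
    now=$1
    [ -f "$BANFILE" ] || return 0
    tmp="$BANFILE.tmp.$$"
    awk -v now="$now" '$2 > now' "$BANFILE" > "$tmp" && mv "$tmp" "$BANFILE"
}

# When invoked by cPHulk with the two placeholder arguments, record the ban.
if [ "$#" -ge 2 ]; then
    record_ban "$1" "$2"
    exit $?
fi
```

The host-side cron job would run `active_bans "$(date +%s)"` against the shared list and insert one rule per address, followed by `prune_bans "$(date +%s)"`. Validating both placeholders before writing them matters because the value is later interpolated into a privileged command on the host: anything that is not a dotted quad and an integer is dropped rather than forwarded.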