Enabling Brute Force Detection In cPanel


14 Jan

Yesterday I wrote a post on how to protect your webserver against brute force attacks using APF and BFD. If you are using WHM, there’s a similar alternative: cPHulk.

cPHulk is a brute force protection system developed by the cPanel team and is exclusive to cPanel / WHM control panels. It has been integrated with cPanel version 11. With cPHulk, you can set a threshold for authentication attempts on services like POP3, cPanel, WHM, FTP, etc. After a certain number of failed attempts, the attacker will no longer be able to authenticate.

How To Enable cPHulk

Enabling cPHulk is pretty easy. Simply log into your WHM control panel as root. From the main menu on the left, click on Security Center from the Security section.

cPanel Security

Click on the cPHulk Brute Force Detection link at the top of the page. Now you may want to configure cPHulk before you enable it. The configuration parameters are pretty much self-explanatory so I won’t go into details about this. Basically you set the number of failed attempts before an IP or an account is blocked and you set how long you want it to be blocked.

cPHulk Configuration

When you’re done, simply click on the Enable button at the top.

Help Me! I Have Locked Myself Out!

I did lock myself out once. I had opened my FTP client and it tried to log in automatically multiple times even though I had changed my FTP password. When I realized my FTP client had failed to authenticate, it was too late: I was locked out of my own webserver.

Depending on the number of failed attempts, you could be locked out for a few minutes or for a two-week period. To regain access to your server, you can simply configure your web browser to use a proxy server. This way the incoming connection will come from a different IP address than the one blocked by cPHulk.

Once you’re logged in, go into your cPHulk panel and click on the Flush DB button. That’s it! You have regained access. Now be careful next time!
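To make the threshold settings and the self-lockout scenario concrete, here is a simplified model of per-IP and per-account lockout. It is an added example, not cPHulk's own code: the class, the threshold values, the account names and the documentation-range IP addresses are all assumptions.

```python
from collections import defaultdict, deque

class LockoutTracker:
    """Simplified threshold lockout model (an assumption, not cPHulk's code)."""
    def __init__(self, max_failures, window, block_for):
        self.max_failures = max_failures    # failures tolerated inside the window
        self.window = window                # seconds over which failures count
        self.block_for = block_for          # seconds a key stays blocked
        self.failures = defaultdict(deque)  # key -> recent failure timestamps
        self.blocked_until = {}             # key -> time the block expires

    def is_blocked(self, key, now):
        return self.blocked_until.get(key, 0) > now

    def record_failure(self, key, now):
        recent = self.failures[key]
        recent.append(now)
        while recent and recent[0] <= now - self.window:
            recent.popleft()                # forget failures older than the window
        if len(recent) >= self.max_failures:
            self.blocked_until[key] = now + self.block_for
            recent.clear()

def replay(events, tracker):
    """Replay (time, ip, account, password_ok) tuples and label each attempt."""
    outcomes = []
    for now, ip, account, ok in events:
        keys = [("ip", ip), ("account", account)]
        if any(tracker.is_blocked(k, now) for k in keys):
            outcomes.append("blocked")      # rejected even if the password is right
        elif ok:
            outcomes.append("ok")
        else:
            for k in keys:
                tracker.record_failure(k, now)
            outcomes.append("failed")
    return outcomes

# Constructed events: an FTP client retries a stale password five times.
EVENTS = [(t, "203.0.113.7", "ftpuser", False) for t in range(0, 10, 2)] + [
    (20, "203.0.113.7", "ftpuser", True),    # right password, IP and account blocked
    (25, "203.0.113.7", "root", True),       # other account, same blocked IP
    (30, "198.51.100.9", "root", True),      # other account, other IP
    (35, "198.51.100.9", "ftpuser", True),   # blocked account, other IP
    (1000, "203.0.113.7", "ftpuser", True),  # after the block has expired
]

if __name__ == "__main__":
    print(replay(EVENTS, LockoutTracker(max_failures=5, window=300, block_for=900)))
```

In this model a block keyed on the account follows the user to any address, while a block keyed on the IP catches every account behind that address, which is why a low threshold combined with a long block duration makes self-lockout likely.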

3 responses so far ↓

1. Response by : Gary on Jun 21, 2008 at 8:52 am

Problem is, you lose control, with BFD you can control everything through the rules.
No whitelist for the admin, thus you can lock yourself out.
Docs suck on this. Does it use APF? Then how does it block? How much CPU is this going to cost me?
Why does it let the attacker still attack? Wasting my bandwidth?
Details!

2. Response by : Stephane Brault on Jun 21, 2008 at 2:26 pm

Hi Gary,

cpHulk restricts access at the user authentication level while APF/BFD uses iptables to block access at the server level.

Unfortunately I don’t know of any way to whitelist some IPs with cpHulk. In fact I have a web server that’s running both APF and cpHulk.

3. Response by : cPanel Basics: How To Block Access By IP Address on Jul 9, 2008 at 1:06 pm

[...] there are some automated solutions to this (like APF or cpHulk), there are times when human intervention is [...]

Posted in Control Panels · Security · Tutorials | 3 Comments
