Many of us are familiar with the term cPHulk: it is the brute force protection feature that ships with cPanel. So what does cPHulk actually do, and how does it differ from CSF/LFD?
cPHulk protects the logins of services such as WHM, SSH and IMAP/POP3 against brute force attacks. When we enable cPHulk in WHM it starts with a default number of allowed failed attempts and a default measurement period for these services; both values can be changed to suit the server.
How cPHulk works
So what does cPHulk actually do? Attackers typically run through combinations of usernames and passwords against these services, almost always with an automated tool. cPHulk counts the failed logins coming from each IP address and, once the configured number of failures is reached within the configured period, blocks further login attempts from that IP against the attacked account. Being "blocked" means that no further login is accepted for the duration of the block, even with the correct password. The client only ever sees the generic message "The login is invalid.", which does not reveal whether the password was wrong or the IP has been blocked, so an attacker cannot tell which one happened.
The important difference from CSF/LFD is that cPHulk only removes the login privilege: a blocked IP can still reach the website, so traffic to the site is unaffected. CSF/LFD blocks the offending IP at the firewall, which cuts off all of its traffic. That makes cPHulk the lighter-touch option when you do not want a login block to affect web traffic.
These are the functions available in cPHulk:
1. Whitelist or blacklist an entire IP range, for example a range assigned to a country or region, e.g. 123.0.0.0/8, which blocks logins from the whole 123.x.x.x range (a block largely allocated in China).
2. Set the period over which cPHulk counts the failed login attempts from a single IP; once the limit is hit inside that period, the IP is denied login to the account (default 5 minutes).
3. Set the maximum number of failed attempts within that period for a cPanel account, after which logins to the account are blocked (default 15).
4. IP address-based blocking: once an IP reaches the maximum number of failed logins, that IP is blocked.
5. Run a command of your choice when an IP triggers brute force protection.
6. Add the IP to the firewall rules when cPHulk has blocked it for one day. (Unlike a plain cPHulk block, this also blocks the IP from reaching the website.)
7. Send a notification on a successful root login from an IP that is not on the whitelist.
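To make the mechanism above concrete, here is an added example that is not cPanel's or cPHulk's code: a small Python model of the behaviour described in the "How cPHulk works" paragraph and the feature list. It counts failed logins per source IP inside a sliding window, blocks the IP for login only once the limit is reached (nothing touches the firewall), never blocks whitelisted CIDR ranges, always rejects blacklisted ranges, calls a callback in place of the "run a command on trigger" option, records successful root logins from non-whitelisted IPs for notification, and answers every failed or blocked attempt with the same generic "The login is invalid." so the caller cannot distinguish a wrong password from a block. The HulkLike class, the limits (5 failures in 5 minutes, one-day block), the 192.0.2.0/24 whitelist, the log format and the log lines are all constructed for this example and are not cPHulk's internals or defaults; the 123.0.0.0/8 blacklist is the range used in the list above.

```python
# Added example (not cPanel's own code): a minimal model of cPHulk-style
# brute-force protection. Limits, ranges, class and log format are assumed
# for the example; they are not cPHulk's internals or defaults.
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

GENERIC_REJECT = "The login is invalid."   # same reply for wrong password and block


class HulkLike:
    def __init__(self, max_failures=5, window=timedelta(minutes=5),
                 block_for=timedelta(days=1), whitelist=(), blacklist=(),
                 on_block=None):
        self.max_failures = max_failures
        self.window = window                # period over which failures are counted
        self.block_for = block_for          # how long a triggered IP stays blocked
        self.whitelist = [ip_network(n) for n in whitelist]
        self.blacklist = [ip_network(n) for n in blacklist]
        self.on_block = on_block            # stand-in for "command to run on trigger"
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.blocked_until = {}             # ip -> datetime the block expires
        self.root_login_alerts = []         # successful root logins off the whitelist

    @staticmethod
    def _in(nets, ip):
        return any(ip in n for n in nets)

    def is_blocked(self, ip, now):
        ip = ip_address(str(ip))
        if self._in(self.whitelist, ip):    # whitelisted ranges are never blocked
            return False
        if self._in(self.blacklist, ip):    # blacklisted ranges are always rejected
            return True
        until = self.blocked_until.get(ip)
        return until is not None and now < until

    def attempt(self, ip, user, password_ok, now):
        """One login attempt. Returns (allowed, message)."""
        addr = ip_address(str(ip))
        if self.is_blocked(addr, now):
            return False, GENERIC_REJECT    # correct password does not help here
        if password_ok:
            if user == "root" and not self._in(self.whitelist, addr):
                self.root_login_alerts.append((str(addr), now))
            return True, "OK"
        recent = self.failures[addr]
        while recent and now - recent[0] > self.window:
            recent.popleft()                # failure fell out of the window
        recent.append(now)
        if len(recent) >= self.max_failures and not self._in(self.whitelist, addr):
            self.blocked_until[addr] = now + self.block_for   # login only, not firewall
            recent.clear()
            if self.on_block:
                self.on_block(str(addr), now)
        return False, GENERIC_REJECT


# Constructed sample log for this example (not cPHulk's real log format):
# "<ISO timestamp> <source IP> <user> <FAIL|OK>", in chronological order.
SAMPLE_LOG = """\
2024-03-01T10:00:00 203.0.113.7 admin FAIL
2024-03-01T10:00:05 198.51.100.9 root FAIL
2024-03-01T10:00:10 198.51.100.9 root FAIL
2024-03-01T10:00:20 203.0.113.7 admin FAIL
2024-03-01T10:00:40 203.0.113.7 admin FAIL
2024-03-01T10:01:00 203.0.113.7 admin FAIL
2024-03-01T10:01:20 203.0.113.7 admin FAIL
2024-03-01T10:01:40 203.0.113.7 admin OK
2024-03-01T10:02:00 192.0.2.44 admin FAIL
2024-03-01T10:02:10 192.0.2.44 admin FAIL
2024-03-01T10:02:20 192.0.2.44 admin FAIL
2024-03-01T10:02:30 192.0.2.44 admin FAIL
2024-03-01T10:02:40 192.0.2.44 admin FAIL
2024-03-01T10:03:00 192.0.2.44 admin OK
2024-03-01T10:04:00 123.45.67.89 admin OK
2024-03-01T10:30:00 198.51.100.9 root FAIL
2024-03-01T10:31:00 198.51.100.9 root FAIL
2024-03-01T10:32:00 198.51.100.9 root FAIL
2024-03-01T10:33:30 198.51.100.9 root OK
"""


def replay(log_text, hulk):
    """Feed log lines to the detector; returns {ip: [allowed, ...]}."""
    outcomes = defaultdict(list)
    for line in log_text.splitlines():
        ts, ip, user, result = line.split()
        allowed, _ = hulk.attempt(ip, user, result == "OK", datetime.fromisoformat(ts))
        outcomes[ip].append(allowed)
    return dict(outcomes)


def demo():
    """Run the sample log against a detector using the 123.0.0.0/8 blacklist."""
    triggered = []
    hulk = HulkLike(whitelist=["192.0.2.0/24"], blacklist=["123.0.0.0/8"],
                    on_block=lambda ip, when: triggered.append(ip))
    return replay(SAMPLE_LOG, hulk), triggered, hulk
```

Running demo() shows the four cases side by side: 203.0.113.7 is blocked on its fifth failure and its later correct password is still rejected with the generic message; 198.51.100.9 also makes five failures in total, but two of them fall outside the 5-minute window, so it is never blocked and its root login goes through (and lands in root_login_alerts because the IP is not whitelisted); 192.0.2.44 fails five times yet is never blocked because its /24 is whitelisted; and 123.45.67.89 is rejected even with the right password because 123.0.0.0/8 is blacklisted. Nothing in the model touches the firewall, which is exactly the cPHulk/CSF distinction described above.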
Command line methods to manage cPHulk
To check the cPHulk status, run ps aux | grep -i cphulk, which gives a result like the one below:
root 1501 0.0 0.4 34816 5076 ? S 07:58 0:00 cPhulkd - processor
To restart the cPHulk daemon:
Soft restart
/scripts/restartsrv_cphulkd
Hard restart
/scripts/restartsrv_cphulkd --stop; /scripts/restartsrv_cphulkd --start
To disable cPHulk:
/usr/local/cpanel/etc/init/stopcphulkd
OR
/usr/local/cpanel/bin/cphulk_pam_ctl --disable
To keep cPHulk disabled even after a restart, remove its touch file (this removes the cPHulk option from cPanel):
rm /var/cpanel/hulkd/enabled
To add an IP or IP range to the whitelist. Add your own management IP or range first, so that a mistyped password while testing does not lock you out:
/scripts/cphulkdwhitelist 192.168.2.20
OR
/scripts/cphulkdwhitelist 192.168.2.0/24
OR
/scripts/cphulkdwhitelist 192.168.0.0/16
OR
/scripts/cphulkdwhitelist 192.0.0.0/8
To add an IP or IP range to the blacklist:
/scripts/cphulkdblacklist 192.168.2.20
OR
/scripts/cphulkdblacklist 192.168.2.0/24
OR
/scripts/cphulkdblacklist 192.168.0.0/16
OR
/scripts/cphulkdblacklist 192.0.0.0/8
Great! That's pretty much it. Keep your servers secure!