How to use the cPhulk Brute Force Protection feature in WHM

Introduction #

Security is arguably the most important aspect of a server. The WHM is no stranger to security and one of its key features we are going to talk about in this tutorial is the “cPhulk Brute Force Protection” feature. It provides great protection against brute force attacks, and it has become a defining part of the WHM control panel’s security kit. A brute force attack is a coordinated, automated system, designed to guess the password of your web server or services. cPHulk’s task is to monitor the following services: cPanel service, WHM service, Mail services (IMAP and Exim), FTP service, and SSH services against such attacks. When cPHulk blocks an IP address, it will still be able to access the above-mentioned services, however, even if the correct credentials are provided, this will still result in a “The login is invalid” message, unless the IP in question is unblocked. Let’s explain how all this works!

Accessing the cPhulk Brute Force Protection feature #

First, you need to log into the WHM service for your VPS or Dedicated Server. After you have logged in, please use the search bar on the left side of the page and type “cPhulk Brute Force Protection”.

When the functionality shows up below the search bar, please click on it so you can be sent to the “cPhulk Brute Force Protection” page.

Configuring and managing the cPhulk service #

When you land on the “cPhulk Brute Force Protection” page, the first thing you will notice is a big toggle switch under the “cPHulk provides protection from brute force attacks against your web services.” description. This will turn cPhulk on and respectively off when you press it.

Afterward, you will see 5 tabs under the toggle button. The “Configuration Settings” tab, the “Whitelist Management” tab, the “Blacklist Management”, the “Countries Management” tab, and the “History Reports” tab. As the “Configuration Settings” tab is selected by default, we will discuss it first.

The Configuration Settings Tab #

You will notice the first section “Username-based Protection” beneath the “Configurations Settings” heading. On the top right corner, you will see a toggle switch that you can use to disable/enable this option. When enabled, this will track login attempts for user accounts. When you disable this, cPhulk will stop blocking users, however, the existing blocks will remain until they are manually removed.

Let’s go over the available options in this section.

• Brute Force Protection (in minutes) – In this text field you can type in the timeframe, in which cPhulk tracks the failed login attempts towards a cPanel account. For example, when you attempt to log into your cPanel account and you fail, the cPhulk will start the timer, depending on the defined number in this text field, and will monitor the incoming failed attempts. If they reach the number defined in the “Maximum Failures By Account” text field, your account will be completely locked. One specific thing here is that when locked, this account will not be accessible to ANY IP address, not only the one that triggered the lockout.
• Maximum Failures By Account – Please write down the number of failed login attempts needed in order to trigger an account lock in this text field.
• Apply protection to local addresses only – Limits username-based protection to trigger only on requests that originate from the local system. This ensures that a user cannot brute force other accounts on the same server. If you want to use this option, please select it using the radio button on its left side.
• Apply protection to local and remote addresses – Allows username-based protection to trigger for all requests, regardless of their origin. If you want to use this option, please select it using the radio button on its left side.
• Allow username protection to lock the “root” user – This checkbox allows you to apply the username protection for the “root” user, which means it can now also get locked out.

Scroll down the page a bit and you will find the “IP Address-based Protection” section. The options in there will let you track login attempts for specific IP addresses. When disabled, cPhulk will stop blocking IP addresses but the existing ones will remain blocked until they are manually removed. Please use the toggle switch on the top right corner if you wish to disable/enable this functionality.

We will go over the options in this section below.

• IP Address-based Brute Force Protection Period(in minutes) –  This text field is analogical to the “user-based protection” one. Please type in the period in which a given IP address will be tracked for a Brute-Force attack. cPhulk will consider this as such if the attack was made from the same IP address repeatedly, using different credentials or if the IP reached the “Maximum Failures per IP Address” value.
• Maximum Failures Per IP Address – The value defined in this text field will be the number of times a potential attacker can fail to log in before cPhulk blocks his IP address. If you set this value to 0, cPhulk will block ALL login attempts (“root” included). To avoid this, we recommend whitelisting your IP address.
• Command to run When an IP Address Triggers Brute Force Protection – In this text field you may enter a specific command which will be executed, each time an IP address triggers Brute-Force Protection. Clicking on the information sign at the end of this option will open the variables that may be used in the commands below.
• Block IP Addresses at the firewall level if they trigger brute force protection – If you have a working FireWall, you can select this checkbox and relay the blocked IP address to the FireWall which will completely stop it from reaching the server.

Next, we will discuss the “One-day Blocks” section, which is located below the “IP Address-based Protection” section.

Let’s go over all the options available there.

• Maximum Failures Per IP Address before the IP Address is Blocked for One Day – This is similar to the above-mentioned option in the “IP Address-based Protection” section. The slight difference here is that IP will be blocked for 24 hours instead.
• Command to Run When an IP Address Triggers a One-Day Block – This is again analogical to the option in the “IP Address-based Protection” section. Please enter a specific command in this text field which will be executed, each time an IP address triggers Brute-Force Protection. Clicking on the information sign at the end of this option will open the variables that may be used in the commands below.
• Block IP addresses at the firewall level if they trigger a one-day block – If you have a working FireWall, you can select this checkbox and relay the blocked IP address to the FireWall which will completely block it from reaching the server.

The second to last section will be going over is the “Login History” section. The single option available there is the “Duration for Retaining Failed Login Attempts (in minutes)”.

This setting will determine how long should the system display the “The login is invalid” message when a block occurs. It will also determine the amount of time needed for an attack to reach the values defined inside the “Maximum Failures By Account” text field, the “Maximum Failures per IP Address” text field, and “Maximum Failures per IP Address before the IP Address is Blocked for One Day” text field.

The last section on this tab is the “Notifications” section. Let’s discuss the available settings there.

• Send a notification upon successful root login when the IP address is not on the whitelist – Please enable this option if you want to receive notifications whenever the root user has been logged in successfully from an IP address that is not inside the whitelist.
• Send a notification upon successful root login when the IP address is not on the whitelist, but from a known netblock – Please tick this checkbox if you want to receive notifications when the root user logs in from an IP that is not within the whitelist but exists on a known netblock.
• Send a notification when the system detects a brute force user – Checking this checkbox will cause cPhulk to send notifications whenever it detects a brute force attack.

When you are done with all the configurations in this tab, please press the “Save” button located at the bottom of the page.

The Whitelist Management Tab #

In order to access it, please click on the “Whitelist Management” sign, located on the right side of the “Configurations Settings” tab.

Once redirected on the “Whitelist Management” page, you will see a blue bar notifying you that an IP address that you whitelist will be able to freely log in anywhere on your server. This means you should be extra careful when whitelisting IP addresses here, as you may end up whitelisting an IP that aims to exploit your server.

Below that, you will find the “New Whitelist Records” section, where you can enter an IP address in order to whitelist it on the server. Underneath, you will find the “Comments” section, where you can leave a note about the IP you have just whitelisted. Here, we recommend entering something relevant, such as “This is the office IP address” if you are whitelisting your office’s IP address.

When you are done typing in the IP address meant to be whitelisted and you entered a relevant comment, please press the “Add” button on the bottom of the page.  The IP address and the comment associated with it will be then displayed on the section located on the right side of the “New Whitelist Records” section. On the right side of the comment, you will find the “Delete” and “Edit” links. 

Clicking on the “Delete” link will remove this IP address from the whitelist. If you press the “Edit” link, the system will only let you edit the comment associated with the IP.

The Blacklist Management Tab #

In order to access it, please click on the “Blacklist Management” tab, located on the right side of the “Whitelist Management” tab.

Once you are redirected there, you will see a blue bar notifying you that an IP address that you blacklist will not be able to log in anywhere on your server. This means you should be extra careful when blacklisting IP addresses here, as you may end up blacklisting an IP that you use from your home or office and that leaves you completely blocked from accessing your services.

Below that, you will find the “New Blacklist Records” section, where you can enter an IP address in order to blacklist it on the server. Underneath, you will find the “Comments” section, where you can leave a note about the IP you have just blacklisted. Here, we recommend entering something relevant, such as “This is a hacker trying to log in” if you are blacklisting an IP address. You will be able to see an IP address that you may want to block in the “History Reports” section which we will go over later in this tutorial.

When you are done entering the IP address meant to be blacklisted and you entered a relevant comment, please press the “Add” button on the bottom of the page.  The IP address and the comment associated with it will then be displayed on the section located on the right side of the “New Blacklist Records” section. On the right side of the comment, you will find the “Delete” and “Edit” links.

Clicking on the “Delete” link will remove this IP address from the blacklist. If you press the “Edit” link, the system will only let you edit the comment associated with the IP.

The Countries Management Tab #

In order to access it, please click on the “Countries Management” sign, located on the right side of the “Blacklist Management” tab.

Using this tab, you will be able to either whitelist a country, blacklist it or remove it from both lists. The whitelist option will completely allow login attempts to your server from this specific country, the blacklist will completely prevent login attempts to your server. Let’s explore the page.

When you first go there, you will notice a search bar on the top side, underneath the “Countries” heading. Below it, you will find a filter, where you can set the country list section below to display countries based on their current status which would be either “Whitelisted”, “Blacklisted” or “Not Specified”. Additionally, you will be able to display “All” the countries, regardless of their status. 

On the far left side of this list section, there will be a checkbox for every country. When checked it will allow you to use the cogwheel icon on the top right of the section to either “Whitelist”, “Blacklist” or set as “Not Specified”. Additionally, the cogwheel icon will let you select or deselect all of the countries. 

If you would like to change the status of a single country the easiest way to do it is by using the search bar and typing the desired country inside. When the country presents itself in the list section, use the radio button to select the status you want to apply for it. In this example, we searched for the “United States” and then applied the “Whitelisted” option for it. Another thing you will notice is that the row will turn green when the “Whitelisted” status is applied. If you block a country, the row will turn red.

The last tab we are going to talk about is the “History Reports” tab. 

The History Reports Tab #

You may access it by pressing the “History Reports” sign on the right side of the “Countries Management” tab. What this tab will contain is information about the failed login attempts on your server.

This is a useful tab whenever you want to add an IP address to the blacklist, as the tab will contain information about brute-force attacks and their originating IP addresses.

On the top of the tab, you will see the “Select a Report” label and on the right side, you will notice a dropdown menu. It will let you select what kind of reports you want to be displayed inside the table section on the bottom of the page.

Undeath, you will find a search bar that will let you filter the results based on pretty much anything related to the reports. For instance, you may enter the service “sshd” and it will filter the reports based on the blocks cPhulk did for Brute-Force attacks on the “sshd” service and the results will populate the table section.

Let’s discuss all of the information about the reports provided in the table list.

• User – This column will contain information about the username the attacker entered to authenticate.
• IP Address – In this column, you will find the IP address of the attacker that triggered the failed login attempts.
• Country – This column will display the country of the attacker.
• Service – This will show the service on the server the attacker attempted to brute-force. For example, if “system” is shown, this means that the attacker attempted to brute-force either cPanel, SSH, or WHM.
• Authentication Service – This column will display which service the attacker attempted the attack against.
• Login Time – This table will contain the time and date on which the cPhulk blocked the IP address.
• Expiration Time – This table will show when the block will expire.
• Minutes Remaining – The last column will show the remaining time (in minutes) until the IP address is no longer blocked.

With this, we end our tutorial on how to use the “cPHulk Brute Force Protection” feature in the WHM control panel. It is quite a mouthful and it has a lot of settings associated with it, that will allow you to control the access towards your server. If you have any questions or if you are experiencing any problems with it, please, feel free to contact our Technical Support Staff. They are reachable 24/7 through the ticking system in your Client Area.