Wesbytes Knowledge Base


All you need to know about cPHulk

Last modified: July 2, 2022

cPHulk is the service that protects your server from brute force attacks. In a brute force attack, an automated system tries to guess the password to your web server or other services.

cPHulk does not identify itself as the source of a block when it blocks an IP address or account. Instead, the login page shows the same error message you would see when logging in with the wrong credentials: "The login is invalid." Therefore, if you were previously able to log in with the same credentials but now receive the "The login is invalid" error, you have probably triggered a cPHulk block.

cPHulk monitors login attempts to the following services:
    • WHM/cPanel
    • POP3/IMAP/SMTP connections including email clients and webmail
    • FTP/SFTP, WebDisk
    • SSH (cPHulk does not affect public key authentication)
cPHulk can automatically block:
    • IP addresses from which too many failed login attempts were noticed (to a single or several services at the same time)
    • accounts which are being actively abused by failed login attempts
There are 3 types of block:
    • Temporary block – expires after a specific amount of time set in the cPHulk configuration
    • One-day block – lasts 24 hours and is issued once a specific number of failed login attempts from a certain IP address is exceeded
    • Permanent block – issued after several temporary blocks have been triggered. Can only be lifted manually.
You can enable cPHulk in the WHM > cPHulk Brute Force Protection menu.

After activation, you will be able to adjust its configuration and monitor failed login activity.

cPHulk settings

In this tab you can change the limits on failed login attempts and the duration of temporary blocks.

Whitelist/Blacklist management

You may want to block certain IP addresses, or whitelist others so that they are never blocked. For these purposes, use the Whitelist/Blacklist Management tabs in the cPHulk menu.

You can whitelist/blacklist multiple IP addresses at the same time or even specify full networks in the CIDR format.

NOTE: We recommend whitelisting your own IP address in order to avoid a lockout from the server.

cPHulk logs

cPHulk provides useful blocking logs for your convenience. There you can check which IP addresses/users were blocked and for which period:

A rough explanation of the log entry shown in the screenshot above is as follows:

There were too many failed login attempts via the SMTP protocol to the [email protected] email account from a device with the external IP address 31.210.124.242. This led to a 360-minute block (this period is specified in the Configuration tab). The block was issued at 05:04:22 and will expire in 345 minutes from now (specifically, at 11:04:22).

With these logs, you can troubleshoot the cause of the blocks and, for example, if suspicious log entries were found, blacklist the abuser’s IP address.
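The block types, the whitelist and the expiry arithmetic from the log entry above can be traced in a small model. This is an added example, not cPHulk's own code: the class name BlockModel, the thresholds and the sample addresses are assumptions, and it covers IP-based blocks only.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed values for illustration; on a server they come from the cPHulk Configuration tab.
TEMP_LIMIT, TEMP_MINUTES = 5, 360   # failures per IP before a temporary block, and its length
DAY_LIMIT = 15                      # failures per IP within 24 hours before a one-day block
PERM_AFTER = 3                      # temporary blocks before a permanent block

class BlockModel:
    """Simplified model of IP blocking; not the real cPHulk logic."""
    def __init__(self, whitelist=()):
        self.whitelist = [ip_network(n) for n in whitelist]  # single IPs or CIDR networks
        self.failures = {}     # ip -> timestamps of failed logins in the last 24 hours
        self.temp_count = {}   # ip -> number of temporary blocks issued so far
        self.blocks = {}       # ip -> (block type, expiry or None for permanent)

    def is_blocked(self, ip, now):
        kind, expiry = self.blocks.get(ip, (None, None))
        return kind is not None and (expiry is None or now < expiry)

    def failed_login(self, ip, now):
        """Record one failed login; return the block in force afterwards, or None."""
        if any(ip_address(ip) in net for net in self.whitelist):
            return None                     # whitelisted addresses are never blocked
        if self.is_blocked(ip, now):
            return self.blocks[ip]          # already blocked: nothing new to count
        recent = [t for t in self.failures.get(ip, []) if now - t < timedelta(hours=24)]
        recent.append(now)
        self.failures[ip] = recent
        if len(recent) >= DAY_LIMIT:
            self.blocks[ip] = ("one-day", now + timedelta(hours=24))
        elif len(recent) % TEMP_LIMIT == 0:
            self.temp_count[ip] = self.temp_count.get(ip, 0) + 1
            if self.temp_count[ip] >= PERM_AFTER:
                self.blocks[ip] = ("permanent", None)   # lifted only manually
            else:
                self.blocks[ip] = ("temporary", now + timedelta(minutes=TEMP_MINUTES))
        return self.blocks[ip] if self.is_blocked(ip, now) else None

if __name__ == "__main__":
    # Constructed sample: six failed logins from one address, one second apart.
    model = BlockModel(whitelist=["198.51.100.0/24"])
    start = datetime(2022, 7, 2, 5, 4, 18)
    for i in range(6):
        print(i + 1, model.failed_login("203.0.113.7", start + timedelta(seconds=i)))
```

With these assumed limits, the fifth failure at 05:04:22 produces a temporary block that expires at 11:04:22, the same 360-minute window as in the log entry above.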

In addition to cPHulk IP blocks, you can enable automated firewall IP blocks if you have installed. The fundamental distinction between these blocks is that a firewall block completely prohibits access to the server. Before enabling automatic firewall blocks, make sure you whitelist your own IP address so that you cannot be locked out of your own server.

cPHulk can also be controlled from the command line over SSH. We also advise consulting the relevant cPanel documentation.
