cPHulk is the Brute Force Protection component provided by cPanel software. It detects multiple invalid login requests made to the server’s services and applies blocks according to the cPHulk component settings. cPanel provides a web-based interface to manage cPHulk settings, and cPHulk can also be managed via Secure Shell (SSH: https://www.hostpapa.com/knowledgebase/connect-server-via-secure-shell-ssh/).
By default, HostPapa loads a fully optimized configuration of the cPHulk Brute Force Protection service settings onto provisioned servers. The configuration can still be tuned or adjusted by you, or by the support team at your request.
cPHulk Brute Force Protection is a complicated component, and its functionality cannot be covered in a single article. You can check the official cPHulk Brute Force Protection documentation to learn more about it.
In this article, you will learn the following items:
- How to access the cPHulk component
- What types of access the cPHulk component locks down
- Configuration Settings
- Whitelist Management
- Blacklist Management
- Countries Management
- History Reports
How to access the cPHulk component
The cPHulk Brute Force Protection component is available to the root user only (the System Administrator user). You can access it from the root WHM control panel:
Home » Security Center » cPHulk Brute Force Protection
You can use the WHM control panel’s search form, located on the left side, to quickly navigate to the “cPHulk Brute Force Protection” area.
What types of access the cPHulk component locks down
If cPHulk detects too many failed login attempts coming from a single IP address, then it locks down access from that IP address to the following services:
- cPanel services
- WHM services
- Mail services (Dovecot® and Exim)
- The FTP service
- Secure Shell (SSH) access
Because cPHulk works with the authentication modules in cPanel, it doesn’t block access to the website itself or the delivery of emails. It affects only users who attempt to log in to the services listed above. If cPHulk blocks an IP address because of the number of failed login attempts, all further authentication attempts from that IP address are rejected until the block expires or is manually removed.
This security system protects you by blocking malicious users from accessing your server/accounts by guessing your passwords (brute force attacks).
Configuration Settings
Although HostPapa uploads a fully optimized configuration of the cPHulk Brute Force Protection to your server, you may still need to adjust the configuration of the component according to your needs. This can be done from Home » Security Center » cPHulk Brute Force Protection under the [Configuration Settings] tab.
Within this area, you can adjust the security settings for the following areas:
- Username-based Protection
- IP Address-based Protection
- One-day Blocks
- Login History
You can also adjust the notification preferences at the bottom of the page. Please be sure to click the [Save] button before leaving the page.
Whitelist Management
This can be accessed from Home » Security Center » cPHulk Brute Force Protection under the [Whitelist Management] tab.
Within this area, you can whitelist specific IP addresses, which the cPHulk Brute Force Protection service then excludes from its rules. You can add a comment to each whitelisted IP address and remove an IP address from the whitelist.
It is recommended that you whitelist your own WAN IP address in the cPHulk Brute Force Protection settings the first time you access the server. That should help you avoid blocks of your own IP address while you are working on your projects.
Blacklist Management
This can be accessed from Home » Security Center » cPHulk Brute Force Protection under the [Blacklist Management] tab.
Within this section, you can find the list of IP addresses that are already blocked by the cPHulk Brute Force Protection and apply a manual block to IP addresses. The feature supports bulk blacklisting: list the IP addresses that you want to block (one IP address per line), leave a comment that contains the reason for the block, and click the [Add] button to save changes.
Countries Management
This can be accessed from Home » Security Center » cPHulk Brute Force Protection under the [Countries Management] tab.
Within this section, you can either whitelist or blacklist an entire country. You may find this useful if you work only from within your own country. In this case, logins from other countries could be blacklisted by default to improve your server’s security.
History Reports
This can be accessed from Home » Security Center » cPHulk Brute Force Protection under the [History Reports] tab.
This area allows you to check existing security blocks, investigate suspicious activity, remove blocks, and clear the reports.
Please keep in mind that when you disable cPHulk, existing account locks will remain. It is therefore recommended that you remove existing security blocks before deactivating the cPHulk Brute Force Protection component on your server.
If you want to find out how to manage cPHulk from the command line (SSH), you can read the official “cPHulk Management on the Command Line” documentation.
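The whitelisting recommendation and the advice to clear blocks before disabling cPHulk can both be scripted over SSH with WHM API 1 calls. The following is an added example, not HostPapa’s or cPanel’s own script; the function names and the sample address are assumptions, and the address check covers IPv4 only.

```shell
#!/bin/sh
# Added example: run as root over SSH on the WHM server.
# Function names and the sample address are assumptions for illustration.

# Succeed only for a dotted-quad IPv4 address with every octet in 0-255.
is_ipv4() {
    case $1 in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    rest=$1. count=0
    while [ -n "$rest" ]; do
        octet=${rest%%.*}; rest=${rest#*.}
        count=$((count + 1))
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    [ "$count" -eq 4 ]
}

# Address of the current SSH session: first field of sshd's SSH_CLIENT variable.
ssh_client_ip() {
    printf '%s\n' "${SSH_CLIENT%% *}"
}

# Whitelist one address with a comment (same effect as the Whitelist Management tab).
cphulk_whitelist_ip() {
    is_ipv4 "$1" || { echo "not a valid IPv4 address: $1" >&2; return 2; }
    whmapi1 create_cphulk_record list_name=white ip="$1" comment="$2"
}

# Clear login history and existing blocks, then turn cPHulk off.
cphulk_disable_cleanly() {
    whmapi1 flush_cphulk_login_history || return 1
    whmapi1 disable_cphulk
}

# Usage (203.0.113.10 is a documentation placeholder address):
#   cphulk_whitelist_ip "$(ssh_client_ip)" "admin workstation"
#   cphulk_whitelist_ip 203.0.113.10 "office static IP"
#   cphulk_disable_cleanly
```

Check the `metadata` section of the whmapi1 output for the result of each call.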