cPhulk [ cPanel ]

Many of us might be familiar with the term Cphulk, it is a brute force security feature that comes with Cpanel. So what does Cphulk do? What is its difference between CSF/LDF?

Cphulk prevents brute force attacks on services like WHM, SSH, IMAP/POP 3. A default number of attempts to access these services are set when Cphulk is enabled via WHM control panel, we can change these values according to our wish.

So what does Cphulk actually do? Usually what does attackers do is they try permutations and combinations of usernames and passwords on these services, which is usually automated, so when a default value for the number of login attempts are set, the IP address from which or the account to which the attack is towards, gets blocked. Getting blocked means does not allow further login, which is conveyed by a deceptive message “message: The login is invalid.” which does not reveal the exact source of action.

Unlike csf/ldf it only blocks the login privilege, these ip’s can access the website, which actually is very resourceful because the traffic towards the website is not affected.

These are the functions that are possible via Cphulk

1. To blacklist or white list an entire IP range, like an ip range from a country or region around the world eg 123.0.0.0./8 which blocks an entire chunk of china preventing logins from 123.x.x.x.x range.

2. To set the time range in which the cPhulk measures the login attempts for a distinct IP,after that the IP is denied login privilege to the account(Default 5 minutes)

3. To Set the max no failed attempts within a time range to login to an Cpanel account. After that the account itself is blocked for login.(default 15)

4. IP address based restriction, as max value for failed login attempts is reached, that IP is blocked.

5. To set a command to be executed when an IP triggers a brute force attack.

6. To add an IP to the firewall rule, if the IP is blocked for one day only using Cphulk.(This will block the IP from accessing the website also)

7. To sent a “successful root login message” if the IP is not included in the white list.

Command line methods to manage Cphulk.

To check Cphulk status

ps aux | grep -i cphulk  command which will give a result like below,

root 1501 0.0 0.4 34816 5076 ? S 07:58 0:00 cPhulkd – processor

To restart cPhulk daemon.

Soft restart

/scripts/restartsrv_cphulkd

Hard Restart

/scripts/restartsrv_cphulkd --stop; /scripts/restartsrv_cphulkd --start

To disable cPhulk

/usr/local/cpanel/etc/init/stopcphulkd OR

/usr/local/cpanel/bin/cphulk_pam_ctl --disable

To remove cPhulk option from the cpanel even after restart.(removes the Cphulk touch file)

rm /var/cpanel/hulkd/enabled

To ADD IP/IP range to white list

/scripts/cphulkdwhitelist 192.168.2.20 OR

/scripts/cphulkdwhitelist 192.168.2.0/24 OR

/scripts/cphulkdwhitelist 192.168.0.0/16 OR

/scripts/cphulkdwhitelist 192.0.0.0/8

To ADD IP/IP ranges to black list

/scripts/cphulkdblacklist 192.168.2.20 OR

/scripts/cphulkdblacklist 192.168.2.0/24 OR

/scripts/cphulkdblacklist 192.168.0.0/16 OR

/scripts/cphulkdblacklist 192.0.0.0/8

Great!! that’s pretty much it. Keep your servers secure!