cPHulk Brute Force Protection History Reports

Valid for versions 82 through the latest version

Version: 82


Overview

1. Whitelist Management

2. Blacklist Management

3. Countries Management

4. History Reports

History Reports

The History Reports tab displays information about failed attempts to log in to your server.

Important:
Monitor these lists to find IP addresses and accounts to add to the blacklist.

Note:

cPHulk stores failed login attempts in the cphulkd database.

  • You may wish to access this database in order to identify IP addresses to add to the blacklist.

  • You may wish to clear this database in order to conserve system resources. To clear the database, click Clear Data for All Reports. This action does not clear cPHulk’s whitelist or blacklist.

To view a report, select the report type from the Select a Report menu.

Failed Logins or Blocked Users

The Failed Logins and Blocked Users reports display the following information:

  • User — The user who attempted to log in to your server.

  • IP Address — The IP address from which the user attempted to log in to your server.

    Note:
    The system populates this text box when it records an IP address. However, it is normal for this text box not to contain any information.

  • Service - The service on your server to which the user attempted to log in. For example:

    • system — cPanel, SSH, or WHM.

    • mail — A POP3 or IMAP email client, or Webmail.

    • ftp — Normal FTP accounts.

    Note:
      • The Password Authentication Module (PAM) identifies the lack of @domain in a username to determine whether a user is a cPanel user.

      • Any attempt to log in with a username without @domain displays in cPHulk (or the cphulkd daemon) as system, regardless of which service the user attempted to log in to.

  • Authentication Service — The authentication service of the failed login attempt.

  • Login Time — The time, in 24-hour format, when cPHulk blocked the IP address.

  • Expiration Time — The time, in 24-hour format, when cPHulk will remove the block.

  • Minutes Remaining — The number of minutes that remain in the lockout period.

The system may store these login attempts if, for example, a cPanel user enters the account’s password incorrectly.

Blocked IP Addresses or One-day Blocks

The Blocked IP Addresses and One-day Blocks reports display the following information:

  • IP Address — The IP address from which the user attempted to log in to your server.

  • Comments — Information about the IP address.

    Note:
    The system populates this data when it records an IP address. However, sometimes this column does not contain any information.

  • Begin Time — The time, in 24-hour format, when cPHulk blocked the IP address.

  • Expiration Time — The time, in 24-hour format, when cPHulk will remove the block.

  • Minutes Remaining — The number of minutes that remain in the lockout period.

  • Actions - Click Remove Block to manually remove the block for this IP address.

Example behavior

The following table contains variables for different hacking scenarios, and cPHulk’s response if you use the default settings:

| Address | Account | Password | Attempts | Time Range | cPHulk’s response |
|---|---|---|---|---|---|
| 192.168.0.1 | username | N/A | One. | N/A | No response. |
| 192.168.0.1 | username | The same password each time. | Five or more. | 365 minutes. | No response. |
| 192.168.0.1 | username | Different passwords each time. | Five to nine. | Five minutes. | Lock the username account for five minutes. |
| 192.168.0.1 | username | Different passwords each time. | Five or more. | 365 minutes. | No response. |
| 192.168.0.1 | username | Different passwords each time. | 10 to 29. | Five minutes. | Block 192.168.0.1 for 15 minutes. |
| 192.168.0.1 | username | Different passwords each time. | 30 or more. | Five minutes. | Block 192.168.0.1 for two weeks. |
| Various | username | N/A | Five or more. | Five minutes. | Lock the username account for five minutes. |
| Various | Various | N/A | Five or more. | Five minutes. | No response. |
| 192.168.0.1 | Various | N/A | Five to nine. | Five minutes. | No response. |
| 192.168.0.1 | Various | N/A | 10 to 29. | Five minutes. | Block 192.168.0.1 for 15 minutes. |
| 192.168.0.1 | Various | N/A | 30 or more. | Five minutes. | Block 192.168.0.1 for two weeks. |

Note:
The settings that you choose determine cPHulk’s behavior in these scenarios.
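
A model of the table above, added here as an example (it is not cPanel's code and not part of the original article): it counts failed logins per address and per username inside a five-minute sliding window and returns the response the table lists. The thresholds are read from the table's rows; the function names, the event tuple layout and the sample addresses are assumptions, and the Password column is not modelled.

```python
from collections import Counter
from datetime import datetime, timedelta

# Thresholds read off the table above (default settings), not cPHulk setting names.
WINDOW = timedelta(minutes=5)   # "Time Range" column
ACCOUNT_LOCK_AT = 5             # failures against one username
IP_BLOCK_AT = 10                # failures from one address
IP_LONG_BLOCK_AT = 30           # failures from one address

def peak_counts(events, field):
    """Highest failure count per key (IP or username) in any five-minute window."""
    ordered = sorted(events, key=lambda e: e[0])
    live, peak, oldest = Counter(), Counter(), 0
    for event in ordered:
        # Expire failures older than the window that ends at this event.
        while event[0] - ordered[oldest][0] > WINDOW:
            live[ordered[oldest][field]] -= 1
            oldest += 1
        live[event[field]] += 1
        peak[event[field]] = max(peak[event[field]], live[event[field]])
    return peak

def expected_response(events):
    """events: (timestamp, ip, username) failed logins. Returns the table's response."""
    ip_peak, user_peak = peak_counts(events, 1), peak_counts(events, 2)
    if ip_peak:
        ip, hits = ip_peak.most_common(1)[0]
        if hits >= IP_LONG_BLOCK_AT:
            return ("block_ip", ip, timedelta(weeks=2))
        if hits >= IP_BLOCK_AT:
            return ("block_ip", ip, timedelta(minutes=15))
    if user_peak:
        user, hits = user_peak.most_common(1)[0]
        if hits >= ACCOUNT_LOCK_AT:
            return ("lock_account", user, timedelta(minutes=5))
    return None  # "No response."

def burst(count, minutes, ips, users, start=datetime(2020, 5, 13, 12, 0)):
    """Constructed sample data: `count` failures spread evenly over `minutes`."""
    step = timedelta(minutes=minutes) / count
    return [(start + i * step, ips[i % len(ips)], users[i % len(users)])
            for i in range(count)]

if __name__ == "__main__":
    many_ips = [f"203.0.113.{n}" for n in range(1, 8)]  # constructed addresses
    print(expected_response(burst(7, 5, ["192.168.0.1"], ["username"])))
    print(expected_response(burst(7, 5, many_ips, ["username"])))
    print(expected_response(burst(12, 5, ["192.168.0.1"], ["username"])))
    print(expected_response(burst(7, 365, ["192.168.0.1"], ["username"])))
```

The model reports only the most severe response for a scenario, which is how each row of the table is written.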

Last modified: May 13, 2020
