Tuesday, August 7, 2012

Securing your server against brute force attacks with cPHulk in cPanel / WHM

A Brute Force attack is an automated attack where a program or system try to guess your password by trying all the possible combinations. Although you can have a very complicated password that consist of alphanumerical value and symbols, it's still possible to eventually crack it, specially if several synchronized systems are attempting to crack your password.

cPHulk provides a security defense against Brute Force attacks for FTP, cPanel/WHM and SSH.
When an automated program attempts to crack the password several times and fails, cPHulk will ban their IP for 2 weeks.

Enabling cPHulk

To enable cPHulk, go to WHM (port 2087 by default: yourServerIp:2087), and click on Enable to enable cPHulk.

Enable cPHulk

After enabling cPHulk, it's time to configure it.

Configuration Settings

cPHulk Configuration

IP Based Brute Force Protection Period in minutes:

This option will block an IP that has reached the failure limit for the defined number of minutes (10 minutes in the above screenshot).

Brute Force Protection Period in minutes:

This option is used for a single account, (for example: Root, Account1, John). When the defined number of failures has been reached for a specific account, cPHulk will lock that account, and no one will be able to login into that account for the defined number of minutes (5 minutes in the above screenshot).

Maximum Failures By Account:

This option is related to the previous one (Brute Force Protection Period in minutes:), in this option we define how many logging in failure attempts can be made before the account is locked.

Maximum Failures Per IP:

This option is related to the first one (IP Based Brute Force Protection Period in minutes:), in this option we define the maximum failures per IP before that IP is banned for a specific amount of minutes (10 minutes in the first option in the above screenshot).

Maximum Failures Per IP before IP is blocked for two week period:

If a specific IP attempts to login and fail for 25 times (in our screenshot), even if this IP was locked previously, it will be banned for 2 weeks.

Send a notification upon successful root login when the IP is not whitelisted:

This option is useful to keep track on who is logging on to the server and when. You will only be notified when an IP that is not whit listed login. You can white-list an IP in the "White/Black List Management" section/Tab. This option is not very useful if you are behind a dynamic IP, and whitelisting your IP might not always help since your IP will be changing constantly.

Extend account lockout time upon additional authentication failures:

This is very useful if the same account is being attacked by multiple IP addresses. Usually, the attacks made are by vunlerable servers that have been compromised and turned into a bot. when this bot find a weakness into a server and crack its password, the cracked server will in turn be turned into a bot and eventually many bots will attempt to attack your server at once by trying a different combinations of accounts and passwords.

Send notification when brute force user is detected:

When enabled, you will receive a notification about a detected brute force attack. Usually many brute force attacks are detected in a single day, so if you don't mind receiving many emails per day, you can turn this option on.

White/Black List Management

cPHulk White Black List Management
Blacklisting and whitelisting an IP is a simple procedure. Simply write the IP you want to blacklist or whitelist and click on Quick Add. Alternatively, if you wish to add a big list or edit your current list, just click on "Edit Whitelist" or "Edit Blacklist".

Login/Brute History Report

cPHulk Login/Brute History Report

 This is a screenshot of 25 failed login attempts and the random account names that they were used.

cPHulk can provide a high amount of security against brute force attacks from users and bots, and is very easy to enable and configure.

If you would like to add more security to your server, you can always use CSF/LFD combination. I will be talking about CSF/LFD in a future post.

If you have any tips, suggestions or questions, please leave your comment below!


  1. Thanks for this article. I was really confused about the first four options, and couldn't under even from WHM docs.

  2. how is the max number of ip that we can block on blacklist??

  3. Excellent explanation for each feature. Thank you. WHM docs should be updated with this info.