Internet is a very insecure place where anytime your server can get attacked, if not secured well. A brute force attack is one such attack that tries to login to your server by repeated password guessing attempts.

While the ideal way to prevent a brute force attack is to disable access to that service totally, it is not feasible in a public web hosting server which can get access from all over the world.

It is practically impossible to manually allow or deny each IP, from the whole range of IP addresses. That’s when a brute force protection tool becomes relevant.

What is cPHulk? How does it help?

cPHulk is a commonly used brute force protection tool that detects a brute force attack to the critical login-based services in your server such as SSH, mail, control panel, FTP, etc.

When an attack is suspected, it disables the login attempts from that IP address to the server. The blocked IP can access the site, but when trying to login, it would show an error like:

 

cPHulk can block 1. IP addresses from which too many failed login attempts were noticed to the services in the server and 2. Accounts that are being actively abused by failed login attempts.

cPHulk can be enabled in cPanel servers using the ‘WHM -> Security Center -> cPHulk Brute Force Protection’ option. cPHulk has certain configuration settings, which determines the effectiveness of the protection.

If not configured with the correct parameters, these settings can either cause the protection to be ineffective in preventing the attacks or can cause valid users to be blocked unnecessarily.

See how we help web hosting companies

Recently we were contacted by a web host whose server was responding very slow. Our expert server specialist examined the server and found that the server load was very high.

On further investigation, our tech could see that the server was under brute force attack, but the cPHulk settings in the server were inefficient in blocking this attack.

Today, we’ll see the major parameters in cPHulk tool and what is the purpose served by each of them.

How to configure cPHulk settings for effective server protection

The settings for cPHulk in the Configuration file are adjusted specific to each server requirement and security level that is required. The following settings can be configured for deciding how cPHulk handles attacks.

1. IP Based Brute Force Protection Period in minutes – The time for which an IP address is blocked in the server. This should not be set to a low value, but atleast for a couple of hours or more in the case of a threat.
2. Brute Force Protection Period in minutes – This determines the time duration for login failures, in which an IP address qualifies for a block. This should not be a high value but set as few minutes, to avoid a server load.
3. Maximum Failures By Account – Account specific restriction where once an account hits this limit, the entire account will be blocked from further login attempts.
4. Maximum Failures Per IP – The number of login failures that qualifies for an IP block. Once an IP address hits this limit, that IP address will be denied further login attempts. This value should not be set too high or too low, as former can make the server susceptible to attack and latter can block valid users.
5. Maximum Failures Per IP before IP is blocked for two week period – This is a setting for a long term block for suspicious IPs. Once an IP address hits this limit, it will be blocked for two weeks.
6. Send a notification upon successful root login when the IP is not whitelisted – This setting helps to know if someone else establishes a valid root login session to your server and to take an immediate action.

 

 

The default settings in cPanel servers are often inadequate for a fool-proof protection, and many web hosts tend to overlook that, and the servers end up getting attacked.

In this particular server, the setting for ‘maximum failures per IP’ was set to a high value (20), which prevented the attacking IPs from being blocked by the cPHulk, causing the server to go under attack.

After changing the settings to effective values, the IP addresses started getting blocked and thus saved the server from an attack and made the load stable and websites more responsive.

In addition, we also optimized the web server for optimal performance and secured the server in a 360 degree manner to avoid any vulnerabilities or exploits in it.

[ Focus on your core business without interruptions. Our tech support experts are here to manage your customers 24/7. ]

At Bobcares, our 24/7 server specialists constantly monitor all the services in the server and proactively audit the server for any errors or corruption in them.

With our systematic debugging approach for service or other software errors, we have been able to provide an exciting support experience to the customers.

If you would like to know how to avoid downtime for your customers due to errors or other service failures, we would be happy to talk to you.