cPanel & WHM Version 98 has been released, and brings a slew of great updates. Take a look at what is included, and then upgrade today!
This object is in archive! 

cphulkd blacklist

Colin Waring shared this idea 8 years ago
Open Discussion

We continually get alerts from cphulkd about lots of different IP addresses.


Often these brute force attempts use a small number of common usernames such as support@111 (the first octet of our IP), couk, co, admin etc.


I would like cphulk to have a blacklist option where we can specify usernames that categorically should not be used to log into the server. Any hit on the list would be dropped/blocked without needing to be reported.


Doing so would cut down massively on the noise from cphulk emails and improve the usability.

Replies (7)

photo
1

This sounds like a very good idea. No more votes

photo
1

it would be easier to extend that it should send email only for valid usernames and ignore invalid username or domains, most who do not know the password do know the valid username.


also the most common actual login problem is using "office" as the username instead of the whole email and until they realize that the user is wrong it is blocked. so i would put "office" on a whitelist to not block it, as the user does not exist anyways


so a username based white/blacklist would be nice

photo
1

Thank you for this discussion. I am not recommending that it should be impossible to create accounts with any particular usernames. Rather, we'd like to be able to block certain login usernames ONLY if said usernames are not in use be account owners. On our server, no one is using admin@ domain name except would-be hackers. As owners of the server, we'd like to inform our hosted web account owners that they need to choose any other username but the ones we've blocked. I'm just asking for the option to block hackers this way. We've been blocking their IP address range, but this too can inadvertently block the wrong people.


Anyway, admin@ and info@ are not advisable to use as email addresses, because they are commonly guessed by spammers. It's as bad as using weak passwords that are easy for spammers to guess.

photo
1

I am confused as to what benefits are gained within the differing logic.


[ Current Logic ]

Login Attempt -> Invalid User -> Failed Login -> After X failed logins, cPHulkd blocks them


[ Your Proposed Logic ]

Login Attempt -> Check against list of "banned users" > Banned User Attempted -> Immediate block placed


The performance gain is negligible to say the least, and the behavior is effectively the same as setting a "1 failed login" threshold. Further, this puts significant risk that if someone makes a minor mistake and fails one login (even if you limit it to a specified list of users) that they are permanently banned from the server.


At the very least, I'd like to hear more from others on whether this is viewed as beneficial. It seems that there is significant potential for this to add to the support burden of hosting companies by adding yet another mechanism that could be the cause of a customer's login failure (customers being banned by this feature).

photo
1

I think this is a good request, not to disable creation of such usernames, but to be able to set up a list of blocked usernames in cphulk. That will immediately block any login attempts to those usernames.


I get why it would be a risk that users may be banned immediately, but I understand where OP is coming from.

I'm currently getting lots of login attempts (and I mean LOTS) to dovecot from malicious users using IP addresses all over the globe. they're always using the most stereotypical usernames (bob, agent, technical, telecom etc.) and it would be great to be able to block those attempts!

photo
1

If the user name doesn't exist than they will never be able to login. You can set csf to block ip's after x failed logins so they would be blocked. If you inform your users to never create admin and support usernames then these won't exist and peapole trying to login to these accounts will be blocked.


Not that I'm in favor of this feature request, but shouldn't it be to not allow creation of certain usernames ? In my experience dovecot once configured can handle much more requests than cphulk, so the number of requests going to dovecot isn't the real issue here.

photo
1

This is a good request. Those Ops that do not wish to use it need not use it. But those who, for example, want to block, or even pro-actively prevent the creation of, accounts using names like "admin" could do so without harm to any other WHM/CPanel customer. No hoster would have any added support burden that they did not create for themselves by making use of the option.


Directing customers to use a third-party solution like CFS is no more an answer than telling them to quit using CPHulk and use CFS or Mod_Sec instead. The entire point of WHM/CPanel is to make things easier for Ops who either do not have the skills or the desire to do all the things that CPanel does which can, after all, all be done using other existing applications. "Use CFS" seems a very odd response from CPanel given what CPanel is...

Leave a Comment
 
Attach a file