
cPHulkd to better SKIP same password attempts

phoenixweb shared this idea 4 years ago
Already Exists

As a Server Administrator, I want cPHulkd to better recognize real Brute Force Attacks.

=====================

By definition, a Brute Force Attack is a dictionary attack that tries to guess a user's password by trying many DIFFERENT passwords.


But many times cPHulkd creates a FALSE POSITIVE in the following cases:

A) The customer changes the password but fails to update it on all his devices.


  1. He's not trying to guess any password; it just creates a bunch of failed logins with the SAME password.
  2. cPHulk blacklists the whole IP and office of the customer.
  3. The customer calls our desk complaining that the server is not working.


B) The customer is trying to set up his mailbox but forgot to apply a secure connection, or forgot to apply the name of the domain to the user, trying to access his mailboxes with "user" instead of "user@domain.tld".


  1. He's not trying to guess any password; it just creates a bunch of failed logins with the wrong username but the SAME password.
  2. cPHulk blacklists the whole IP and office of the customer.
  3. The customer calls our desk complaining that the server is not working.


****

This behavior CAN be fixed by storing in the cPHulk database not only the username and the IP but also the hash of the password used. By storing it, cPHulk can understand if this is a real dictionary attack or only an obsolete device that is trying to access with an old password or wrong username. If there are NO DIFFERENT PASSWORDS used, then it could NOT BE an attack.


Please fix this. There are too many customers that call every time they change a password or set up a new device.

And sometimes we have to clear the brute force filter when it should not be cleared (mainly because there are also real brute force attempts in the meantime).
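The collapsing rule requested above, sketched as an added example (not part of the original post and not cPanel's cPHulk code): failures are counted per source IP by distinct keyed fingerprint of the (username, password) pair, so a stale device repeating one credential counts once. The class name, thresholds and sample addresses are assumptions; the username is included in the fingerprint so that one password tried against many accounts still counts as separate guesses.

```python
import hashlib
import hmac
import os
from collections import defaultdict


class FailedLoginTracker:
    """Hypothetical tracker: distinct failed credentials per source IP."""

    def __init__(self, max_distinct=5, window_seconds=300):
        self.max_distinct = max_distinct
        self.window = window_seconds
        # Random per-process key: a stored fingerprint of an old but real
        # password cannot be cracked offline without this key.
        self._key = os.urandom(32)
        self._seen = defaultdict(dict)  # ip -> {fingerprint: last_seen}

    def _fingerprint(self, username, password):
        # Length prefix keeps ("ab", "c") and ("a", "bc") distinct.
        msg = f"{len(username)}:{username}:{password}".encode("utf-8")
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def record_failure(self, ip, username, password, now):
        """Record one failed login; return True if the IP should be blocked."""
        attempts = self._seen[ip]
        # A repeat of the same credential only refreshes its timestamp.
        attempts[self._fingerprint(username, password)] = now
        # Forget guesses that fell out of the time window.
        for fp in [f for f, t in attempts.items() if now - t > self.window]:
            del attempts[fp]
        return len(attempts) >= self.max_distinct


def demo():
    """Runs three constructed scenarios; returns (stale, guessing, spraying)."""
    tracker = FailedLoginTracker(max_distinct=5)
    # Constructed: a phone retrying one outdated password 50 times.
    stale = [tracker.record_failure("203.0.113.10", "user@example.tld",
                                    "old-pass", now=i) for i in range(50)]
    # Constructed: five different passwords against one mailbox.
    guessing = [tracker.record_failure("198.51.100.7", "user@example.tld",
                                       f"guess{i}", now=i) for i in range(5)]
    # Constructed: one password tried against five different mailboxes.
    spraying = [tracker.record_failure("192.0.2.44", f"user{i}@example.tld",
                                       "Spring2024", now=i) for i in range(5)]
    return any(stale), guessing[-1], spraying[-1]
```

The fingerprints live only in memory under a key that changes on restart, which avoids keeping a reusable hash of passwords that may have been valid until recently.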

Best Answer

This was implemented in case CPANEL-1793 (Bug: Multiple logins with the same wrong password are not collapsed) and released in v11.52.1.0

Replies (2)

1

This is going to reduce our customers' complaining!

2

This was implemented in case CPANEL-1793 (Bug: Multiple logins with the same wrong password are not collapsed) and released in v11.52.1.0
