Configuring cPHulk in cPanel

Brute force is a hacking method (attack) that involves using an automated system to guess the password to your web server or services. cPHulk provides protection against brute force attacks. WHM / cPanel offers a service known as cPHulk Brute Force Protection which provides protection against such attacks. If several attempts are made to connect using an incorrect password, cPHulk blocks the IP address and sends a notification to the root contact on the server.

To Enable / Disable cPHulk Brute Force Protection via WHM

  1. Login to WHM.

  2. Navigate to Home -> Security Center -> cPHulk Brute Force Protection.

  3. Click the Enable button.

The below message will be displayed when cPHulk blocks your access and there are cases where you unable to login to your Webmail, cPanel, WHM.

You can configure cPHulk settings in WHM as per the image below:

To Whitelist an IP Address in cPHulk

Whitelisting through WHM

  1. Login to WHM.

  2. Navigate to Home -> Security Center -> cPHulk Brute Force Protection.

  3. Click the White/Black List Management tab.

  4. Enter the IP address in the White List (Trusted IP List) field and click Quick Add.

  5. To check login attempts, click the Login/Brute History Report tab.

  6. You can view information about unauthorized users under User and IP.

  7. Block any such users by clicking the White/Black List Management tab, entering the IP address in the Black List (Rejected IP List) field and submitting the data.

Whitelisting through MySQL Prompt

  1. Login to your server via SSH as the root user.

  2. Run the command:

    mysql
  3. cPHulk stores all the information in a database called cPHulkD. Run the command to access cPHulk database:

    use cphulkd
  4. Run the command to view the list of tables under cPHulk database:

    show tables;
  5. There are two tables, logins and brutes that are significant. The logins table stores information about login authentication failures, while the brutes table stores information about excessive authentication failures indicative of a brute force attack.

  6. Run the command to check if your IP address is listed in the brutes table:

    select * from brutes where IP = ‘x.x.x.x’;
  7. If your IP address is listed in the brutes table, run the commands to remove it:

    delete from brutes where IP = ‘x.x.x.x’;

    delete from logins where IP = ‘x.x.x.x’;

    quit