Main Page
MediaWiki has been installed.
Consult the User's Guide for information on using the wiki software.
Contents
Wiki
Firewalls/Blocked IPs
APF
Blacklist
vim /etc/apf/deny_hosts.rules
Whitelist
vim /etc/apf/allow_hosts.rules
Config file
vim /etc/apf/conf.apf
Restart
/etc/init.d/apf restart
Flush IP Tables
iptables -F
CSF
Use CSF to grep the current rules for an IP
csf -g ip.add.re.ss
CSF uses maxmind geoip free databass to add Geo info to the logs. You can also manually query what CSf has stored locally, from command line:
csf -i ip.add.re.ss
Blacklist
vim /etc/csf/csf.deny
Whitelist
vim /etc/csf/csf.allow
Restart (both CSF and LFD)
csf -ra
Configuration
vim /etc/csf/csf.conf
login failure log
/var/log/lfd.log
Fun output, IP address and the LFD trigger that got it blocked:
grep "*Blocked in csf*" /var/log/lfd.log | egrep -o '( (([0-9]{1,3}\.){3})[0-9]{1,3}|\[LF_.*)' | sed -e :a -e '$!N;s/\n\[/ \t==blocked for==\> \t\[/;ta' -e 'P;D'
looks like
118.98.66.56 ==blocked for==> [LF_SMTPAUTH] 92.38.233.191 ==blocked for==> [LF_SSHD] 104.167.104.147 ==blocked for==> [LF_SSHD] 73.179.232.255 ==blocked for==> [LF_CPANEL] 118.163.76.38 ==blocked for==> [LF_SMTPAUTH]
cPHulk
Brute Force Protection deny/allow list edited through WHM
Main >> Security Center >> cPHulk Brute Force Protection
command line
Is it running?
/usr/local/cpanel/scripts/restartsrv_cphulkd --status
blacklist an IP
/usr/local/cpanel/scripts/cphulkdblacklist <IP>
whitelist an IP
/usr/local/cpanel/scripts/cphulkdwhitelist <IP>
List the blacklist:
mysql -e "use cphulkd; select IP from brutes;" |egrep ^[0-9] |sort
List the whitelist
mysql -e "use cphulkd; select IP from whitelist;" |egrep ^[0-9] |sort