Difference between revisions of "Main Page"

From Wiki.onotech.org
Jump to: navigation, search
(CSF)
(cPHulk)
Line 64: Line 64:
 
   Main >> Security Center >> cPHulk Brute Force Protection  
 
   Main >> Security Center >> cPHulk Brute Force Protection  
  
command line
+
===command line===
 
Is it running?
 
Is it running?
 
  /usr/local/cpanel/scripts/restartsrv_cphulkd --status  
 
  /usr/local/cpanel/scripts/restartsrv_cphulkd --status  
  
blacklist an IP
+
stop and disable it
/usr/local/cpanel/scripts/cphulkdblacklist <IP>
+
/usr/local/cpanel/etc/init/stopcphulkd
 
+
/usr/local/cpanel/bin/cphulk_pam_ctl --disable
 
 
whitelist an IP
 
/usr/local/cpanel/scripts/cphulkdwhitelist <IP>
 
 
 
 
 
List the blacklist:
 
mysql -e "use cphulkd; select IP from brutes;" |egrep ^[0-9] |sort
 
 
 
 
 
List the whitelist
 
mysql -e "use cphulkd; select IP from whitelist;" |egrep ^[0-9] |sort
 

Revision as of 18:35, 1 October 2017

MediaWiki has been installed.

Consult the User's Guide for information on using the wiki software.

Wiki

Firewalls/Blocked IPs

APF

Blacklist

vim /etc/apf/deny_hosts.rules 

Whitelist

vim /etc/apf/allow_hosts.rules 

Config file

vim /etc/apf/conf.apf 

Restart

/etc/init.d/apf restart 

Flush IP Tables

iptables -F

CSF

Use CSF to grep the current rules for an IP

csf -g ip.add.re.ss

CSF uses maxmind geoip free databass to add Geo info to the logs. You can also manually query what CSf has stored locally, from command line:

csf -i ip.add.re.ss

Blacklist

vim /etc/csf/csf.deny 

Whitelist

vim /etc/csf/csf.allow 

Restart (both CSF and LFD)

csf -ra 

Configuration

vim /etc/csf/csf.conf 

login failure log

/var/log/lfd.log 

Fun output, IP address and the LFD trigger that got it blocked:

grep "*Blocked in csf*" /var/log/lfd.log | egrep -o '( (([0-9]{1,3}\.){3})[0-9]{1,3}|\[LF_.*)' | sed -e :a -e '$!N;s/\n\[/ \t==blocked for==\> \t\[/;ta' -e 'P;D' 


looks like

118.98.66.56    ==blocked for==> [LF_SMTPAUTH]
92.38.233.191   ==blocked for==> [LF_SSHD]
104.167.104.147 ==blocked for==> [LF_SSHD]
73.179.232.255  ==blocked for==> [LF_CPANEL]
118.163.76.38   ==blocked for==> [LF_SMTPAUTH]


cPHulk

Brute Force Protection deny/allow list edited through WHM

 Main >> Security Center >> cPHulk Brute Force Protection 

command line

Is it running?

/usr/local/cpanel/scripts/restartsrv_cphulkd --status 

stop and disable it

/usr/local/cpanel/etc/init/stopcphulkd
/usr/local/cpanel/bin/cphulk_pam_ctl --disable