How to Blacklist a Range of IPs in cPHulk Brute Force Attack Settings


In the interface for cPHulk, you can wild-card with the following IPv4 address ranges (in notation used by CIDR or Classless Inter-Domain Routing):

103.26.193.* should be specified in cPHulk as: 103.26.193.0/24
103.26.*.* should be specified in cPHulk as: 103.26.0.0/16
103.*.*.* should be specified in cPHulk as: 103.0.0.0/8

This can be done at the command line or via the WHM interface.

The notation for wild-carding the IP addresses derives from the fact that an IP address is often represented as a 32-bit unsigned integer. For better human readability, we divide this into 4 8-bit bytes separated by dots (dot notation).

In the wild-card notation, the number following the slash indicates how many of the higher-order bits should be considered significant. The examples above show, in order, cases where the first 24 bits (three bytes), 16 bits (2 bytes), and 8 bits (1 byte) are considered significant.

Similar wild-carding / address block notation is specified for IPv6 as well.

If cPHulk is coded correctly, we should even be able to split one of the bytes at an arbitrary bit boundary (but I haven't tested this). The notation should support it.

For more information on the details, one can start with some of the following links:

Wikipedia: Classless Inter-Domain Routing

IPv4 Classes, Subnets, Netmasks, CIDR and NAT

Wikipedia: IP Address
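As an added example (not part of rholmes's answer and not cPHulk's own code), the following Python shows the three ideas in the answer in working form: it translates the asterisk patterns from the question into the CIDR entries cPHulk accepts, tests membership with the same 32-bit mask arithmetic the answer describes, and finds the one block that covers both /24 ranges named in the question, which lands on a boundary inside the third byte (/22), the case the answer says the notation should support. Function names are assumptions for illustration; only the standard library ipaddress module is used, and the sample ranges are taken from the question.

```python
import ipaddress

# Added example, not cPHulk code: helpers for the CIDR entries cPHulk's
# blacklist accepts, written around the ranges mentioned in the question.


def wildcard_to_cidr(pattern):
    """Turn a trailing-asterisk pattern such as '103.26.193.*' into the
    CIDR block cPHulk expects ('103.26.193.0/24').  Only whole-octet,
    trailing wildcards are meaningful here; anything else is rejected."""
    octets = pattern.strip().split(".")
    if len(octets) != 4:
        raise ValueError(f"expected four dotted fields: {pattern!r}")
    fixed = []
    seen_star = False
    for octet in octets:
        if octet == "*":
            seen_star = True
            continue
        if seen_star:
            raise ValueError(f"wildcards must be the trailing octets: {pattern!r}")
        value = int(octet)
        if not 0 <= value <= 255:
            raise ValueError(f"octet out of range: {pattern!r}")
        fixed.append(value)
    prefix_len = 8 * len(fixed)  # each significant byte contributes 8 bits
    address = ".".join(str(v) for v in fixed + [0] * (4 - len(fixed)))
    # strict=True (the default) guarantees the host bits are all zero
    return str(ipaddress.ip_network(f"{address}/{prefix_len}"))


def in_block(ip, cidr):
    """Membership test done the way the answer describes: treat both the
    address and the network as 32-bit unsigned integers and compare only
    the prefix_len high-order bits."""
    network, prefix_len = cidr.split("/")
    prefix_len = int(prefix_len)
    if not 0 <= prefix_len <= 32:
        raise ValueError(f"bad prefix length in {cidr!r}")
    mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & mask) == (
        int(ipaddress.IPv4Address(network)) & mask
    )


def covering_block(cidrs):
    """Smallest single CIDR block containing every block in `cidrs`.
    103.26.193.0/24 plus 103.26.194.0/24 gives 103.26.192.0/22: the
    boundary falls inside the third byte, not on an octet edge."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    low = min(n.network_address for n in nets)
    high = max(n.broadcast_address for n in nets)
    for prefix_len in range(32, -1, -1):  # shrink the prefix until it fits
        candidate = ipaddress.ip_network(f"{low}/{prefix_len}", strict=False)
        if high in candidate:
            return str(candidate)


def overblocked(cidrs):
    """How many addresses the covering block adds beyond the blocks listed
    (assumes the listed blocks do not overlap each other)."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    cover = ipaddress.ip_network(covering_block(cidrs))
    return cover.num_addresses - sum(n.num_addresses for n in nets)


if __name__ == "__main__":
    for pattern in ("103.26.193.*", "103.26.*.*", "103.*.*.*"):
        print(f"{pattern:14} -> {wildcard_to_cidr(pattern)}")
    # Constructed from the two ranges the question says were attacking.
    attackers = ["103.26.193.0/24", "103.26.194.0/24"]
    cover = covering_block(attackers)
    print(f"one block covering {attackers}: {cover} "
          f"({overblocked(attackers)} addresses not in the original list)")
    print(in_block("103.26.194.77", cover), in_block("103.26.196.1", cover))
```

The covering block for the question's two ranges is 103.26.192.0/22, which also takes in 103.26.192.* and 103.26.195.* (512 addresses that were not attacking), the over-blocking trade-off rholmes raises in the comments when preferring the /16 form. The /8 entries in the question's list are coarser still: each one spans 16,777,216 addresses.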


Author: H. Ferrence

Updated on September 18, 2022

Comments

  • H. Ferrence
    H. Ferrence almost 2 years

    Does anyone know how to define a range of IPs to blacklist in the cPHulk Brute Force attack settings?

    I am getting bombarded from IPs 103.26.193.* and 103.26.194.*

    I Googled it and cannot find specific instructions or settings on IP Ranges

    Step 1 - Entering a range with asterisk (*): [screenshot]

    Step 2 - Updated the Blacklist (unsuccessfully): [screenshot]

    Follow @rholmes answer below and use these settings to block Foreign Hackers:

    1.0.0.0/8
    10.0.0.0/8
    103.0.0.0/8
    105.0.0.0/8
    108.0.0.0/8
    109.0.0.0/8
    11.0.0.0/8
    111.0.0.0/8
    112.0.0.0/8
    113.0.0.0/8
    114.0.0.0/8
    115.0.0.0/8
    116.0.0.0/8
    117.0.0.0/8
    118.0.0.0/8
    119.0.0.0/8
    12.0.0.0/8
    120.0.0.0/8
    121.0.0.0/8
    122.0.0.0/8
    123.0.0.0/8
    124.0.0.0/8
    125.0.0.0/8
    13.0.0.0/8
    132.0.0.0/8
    14.0.0.0/8
    141.0.0.0/8
    147.0.0.0/8
    15.0.0.0/8
    16.0.0.0/8
    17.0.0.0/8
    173.0.0.0/8
    175.0.0.0/8
    176.0.0.0/8
    177.0.0.0/8
    178.0.0.0/8
    18.0.0.0/8
    180.0.0.0/8
    181.0.0.0/8
    182.0.0.0/8
    183.0.0.0/8
    186.0.0.0/8
    187.0.0.0/8
    188.0.0.0/8
    189.0.0.0/8
    19.0.0.0/8
    190.0.0.0/8
    193.0.0.0/8
    194.0.0.0/8
    195.0.0.0/8
    196.0.0.0/8
    197.0.0.0/8
    2.0.0.0/8
    20.0.0.0/8
    200.0.0.0/8
    201.0.0.0/8
    202.0.0.0/8
    203.0.0.0/8
    206.0.0.0/8
    209.0.0.0/8
    21.0.0.0/8
    210.0.0.0/8
    211.0.0.0/8
    212.0.0.0/8
    213.0.0.0/8
    217.0.0.0/8
    218.0.0.0/8
    219.0.0.0/8
    22.0.0.0/8
    220.0.0.0/8
    221.0.0.0/8
    222.0.0.0/8
    223.0.0.0/8
    23.0.0.0/8
    24.0.0.0/8
    25.0.0.0/8
    26.0.0.0/8
    27.0.0.0/8
    28.0.0.0/8
    29.0.0.0/8
    3.0.0.0/8
    30.0.0.0/8
    31.0.0.0/8
    32.0.0.0/8
    33.0.0.0/8
    34.0.0.0/8
    35.0.0.0/8
    36.0.0.0/8
    37.0.0.0/8
    38.0.0.0/8
    39.0.0.0/8
    4.0.0.0/8
    40.0.0.0/8
    41.0.0.0/8
    42.0.0.0/8
    43.0.0.0/8
    44.0.0.0/8
    45.0.0.0/8
    46.0.0.0/8
    47.0.0.0/8
    48.0.0.0/8
    49.0.0.0/8
    5.0.0.0/8
    50.0.0.0/8
    51.0.0.0/8
    52.0.0.0/8
    53.0.0.0/8
    54.0.0.0/8
    55.0.0.0/8
    56.0.0.0/8
    57.0.0.0/8
    58.0.0.0/8
    59.0.0.0/8
    6.0.0.0/8
    60.0.0.0/8
    61.0.0.0/8
    62.0.0.0/8
    63.0.0.0/8
    64.0.0.0/8
    65.0.0.0/8
    66.0.0.0/8
    67.0.0.0/8
    68.0.0.0/8
    69.0.0.0/8
    7.0.0.0/8
    70.0.0.0/8
    71.0.0.0/8
    72.0.0.0/8
    73.0.0.0/8
    74.0.0.0/8
    75.0.0.0/8
    76.0.0.0/8
    77.0.0.0/8
    78.0.0.0/8
    79.0.0.0/8
    8.0.0.0/8
    80.0.0.0/8
    81.0.0.0/8
    82.0.0.0/8
    83.0.0.0/8
    84.0.0.0/8
    85.0.0.0/8
    86.0.0.0/8
    87.0.0.0/8
    88.0.0.0/8
    89.0.0.0/8
    9.0.0.0/8
    90.0.0.0/8
    91.0.0.0/8
    92.0.0.0/8
    93.0.0.0/8
    94.0.0.0/8
    95.0.0.0/8
    96.0.0.0/8
    97.0.0.0/8
    98.0.0.0/8
    99.0.0.0/8
    

    To complete the loop on buttoning your server down, refer to my other question here --> Do cPHulk Brute Force Protection Settings Effect Hosts?

    • Admin
      Admin over 9 years
      I just want to thank you, I got a new dedicated server and I wanted to kill them all before they started. I was getting maximum failed attempts by about 20 IPs per day in the only 1.5 days I have had cPanel running. So I thought, "why don't I just block ALL countries from accessing my cpanel, except my own IP"? So I googled and found your list. Should do the trick! THANK YOU! :)
  • rholmes
    rholmes over 10 years
    This solution will work in your situation. Hope that helps!
  • H. Ferrence
    H. Ferrence over 10 years
    But it doesn't work, that's the reason for my posting the question.
  • rholmes
    rholmes over 10 years
    Hmm… It appears to work for me… Which version of WHM are you using, and how many are you trying to block? I typically use the xxx.xxx.0.0/16 style (to avoid over-blocking) but I've taken to attempting larger ranges. How is it that you're determining it doesn't work -- you still get failure attempts from the blocked IPs? Updated answer for clarity...
  • H. Ferrence
    H. Ferrence over 10 years
    WHM 11.42.0 (build 8). The reason I don't believe it works is that when I enter an IP in the box shown above in my OQ and click the Save button, the IP shows. When I use wild cards the IP does not show. And the entry is not in the blacklist table in cphulkd in the mysql db on the server
  • rholmes
    rholmes over 10 years
    So, are you saying that you enter 103.26.0.0/16 in the box and after saving it shows as 103.26.nnn.nnn? If the text is changing out from under you I'd suspect perhaps a browser issue. WHM 11 seems like it's new enough. I've used this method for a while and don't have trouble - I'm kinda stumped...
  • H. Ferrence
    H. Ferrence over 10 years
    As shown in the screen shot above, I enter "103.26.193.*" in the Blocked IP's textarea box. Then I click the Save button. Then nothing reappears in the Blocked IP's textarea box based on what I entered (ie, the use of the wildcard) and when I check the MySQL table there is no reference to the entry whatsoever.
  • rholmes
    rholmes over 10 years
    You should enter "103.26.193.0/24" instead. That should wild-card the last digit of the IP. To wildcard the last two, "103.26.0.0/16".
  • H. Ferrence
    H. Ferrence over 10 years
    Thanks @rholmes. I'll give it a try later today and report back and accept your answer if it works. Greatly appreciated. (I think I get it now)
  • H. Ferrence
    H. Ferrence over 10 years
    That worked @rholmes. It retained the entry based on your answer's examples. So what does "0/24", "0/16", and "0/8" represent? I was trying to use the asterisk as the wild card.
  • rholmes
    rholmes over 10 years
    I just edited the answer to provide additional background without too much detail, I hope...
  • H. Ferrence
    H. Ferrence over 10 years
    I really want to thank you @rholmes for helping me with this. I am significantly reducing hack attempts as a result of your assistance with the proper way to enter wild card IP Ranges.
  • rholmes
    rholmes over 10 years
    Glad it helped! I use it all the time now...
  • H. Ferrence
    H. Ferrence over 10 years
    Hey @rholmes ... just had to take a moment to come back here and thank you so very much for helping me with these settings. I have gone from roughly 50 server attacks an hour (from mainly Pac Rim Countries) to ZERO / NOTHING / ZIP / NADA / ZILCH at all. It is so refreshing to know that my server is just a bit more secured. Again, thanks!
  • rholmes
    rholmes over 10 years
    I'm really glad it helped, @H. Ferrence! I'm curious, I've been blacklisting at the "103.26.0.0/16" form by default (since it's easier to click) and I don't want to blacklist my own IP (I use a very restricted form for US addresses, since I want to be able to admin at internet cafes, work, hotel, random ISP). I find I regularly get a spate of attacks from different countries, but I know that IP address ranges are not particularly deterministic (e.g., 138.x.x.x may have locations in both US and Thailand…). What's the default you're using now to reduce the attacks?
  • H. Ferrence
    H. Ferrence over 10 years
    What I have done is white-listed my IP's -- work office and home office. Those are really the only 2 I connect from. As per my hosts, I require my clients to submit their IP address to me and they understand they can only FTP into the server from that address. Then what I have done, since you helped me out with the wild card-ing technique, is I monitored the hack attempts to my server. When I saw them come in via the cPhulkd reports, I simply blocked the entire IP range.
  • H. Ferrence
    H. Ferrence over 10 years
    That's the way I have used it and it works perfectly for me and the handful of clients I have that require FTP access to my server.
  • H. Ferrence
    H. Ferrence over 10 years
    Take a look at my related S/F question whereby I really shut down an attempt relatively quickly -- maybe that will help you out in some fashion. (serverfault.com/questions/570416/…)
  • rholmes
    rholmes over 10 years
    Hey thanks for the info. Left a question on the other site. Was wondering if you're using the wildcards or just the settings mentioned in your previous post.