5

Does anyone know how to define a range of IPs to blacklist in the cPHulk Brute Force attack settings?

I am getting bombarded from IPs 103.26.193.* and 103.26.194.*

I Googled it and cannot find specific instructions or settings on IP ranges.

Step 1 - Entering a range with asterisk (*): [screenshot of the cPHulk "Blocked IPs" box]

Step 2 - Updated the Blacklist (unsuccessfully): [screenshot of the blacklist after saving]

Follow @rholmes's answer below and use these settings to block Foreign Hackers:

1.0.0.0/8
10.0.0.0/8
103.0.0.0/8
105.0.0.0/8
108.0.0.0/8
109.0.0.0/8
11.0.0.0/8
111.0.0.0/8
112.0.0.0/8
113.0.0.0/8
114.0.0.0/8
115.0.0.0/8
116.0.0.0/8
117.0.0.0/8
118.0.0.0/8
119.0.0.0/8
12.0.0.0/8
120.0.0.0/8
121.0.0.0/8
122.0.0.0/8
123.0.0.0/8
124.0.0.0/8
125.0.0.0/8
13.0.0.0/8
132.0.0.0/8
14.0.0.0/8
141.0.0.0/8
147.0.0.0/8
15.0.0.0/8
16.0.0.0/8
17.0.0.0/8
173.0.0.0/8
175.0.0.0/8
176.0.0.0/8
177.0.0.0/8
178.0.0.0/8
18.0.0.0/8
180.0.0.0/8
181.0.0.0/8
182.0.0.0/8
183.0.0.0/8
186.0.0.0/8
187.0.0.0/8
188.0.0.0/8
189.0.0.0/8
19.0.0.0/8
190.0.0.0/8
193.0.0.0/8
194.0.0.0/8
195.0.0.0/8
196.0.0.0/8
197.0.0.0/8
2.0.0.0/8
20.0.0.0/8
200.0.0.0/8
201.0.0.0/8
202.0.0.0/8
203.0.0.0/8
206.0.0.0/8
209.0.0.0/8
21.0.0.0/8
210.0.0.0/8
211.0.0.0/8
212.0.0.0/8
213.0.0.0/8
217.0.0.0/8
218.0.0.0/8
219.0.0.0/8
22.0.0.0/8
220.0.0.0/8
221.0.0.0/8
222.0.0.0/8
223.0.0.0/8
23.0.0.0/8
24.0.0.0/8
25.0.0.0/8
26.0.0.0/8
27.0.0.0/8
28.0.0.0/8
29.0.0.0/8
3.0.0.0/8
30.0.0.0/8
31.0.0.0/8
32.0.0.0/8
33.0.0.0/8
34.0.0.0/8
35.0.0.0/8
36.0.0.0/8
37.0.0.0/8
38.0.0.0/8
39.0.0.0/8
4.0.0.0/8
40.0.0.0/8
41.0.0.0/8
42.0.0.0/8
43.0.0.0/8
44.0.0.0/8
45.0.0.0/8
46.0.0.0/8
47.0.0.0/8
48.0.0.0/8
49.0.0.0/8
5.0.0.0/8
50.0.0.0/8
51.0.0.0/8
52.0.0.0/8
53.0.0.0/8
54.0.0.0/8
55.0.0.0/8
56.0.0.0/8
57.0.0.0/8
58.0.0.0/8
59.0.0.0/8
6.0.0.0/8
60.0.0.0/8
61.0.0.0/8
62.0.0.0/8
63.0.0.0/8
64.0.0.0/8
65.0.0.0/8
66.0.0.0/8
67.0.0.0/8
68.0.0.0/8
69.0.0.0/8
7.0.0.0/8
70.0.0.0/8
71.0.0.0/8
72.0.0.0/8
73.0.0.0/8
74.0.0.0/8
75.0.0.0/8
76.0.0.0/8
77.0.0.0/8
78.0.0.0/8
79.0.0.0/8
8.0.0.0/8
80.0.0.0/8
81.0.0.0/8
82.0.0.0/8
83.0.0.0/8
84.0.0.0/8
85.0.0.0/8
86.0.0.0/8
87.0.0.0/8
88.0.0.0/8
89.0.0.0/8
9.0.0.0/8
90.0.0.0/8
91.0.0.0/8
92.0.0.0/8
93.0.0.0/8
94.0.0.0/8
95.0.0.0/8
96.0.0.0/8
97.0.0.0/8
98.0.0.0/8
99.0.0.0/8

To complete the loop on buttoning your server down, refer to my other question here --> Do cPHulk Brute Force Protection Settings Effect Hosts?

H. Ferrence
  • 523
  • 3
  • 10
  • 18
  • I just want to thank you, I got a new dedicated server and I wanted to kill them all before they started. I was getting maximum failed attempts by about 20 IPs per day in the only 1.5 days I have had cPanel running. So I thought, "why don't I just block ALL countries from accessing my cpanel, except my own IP"? So I googled and found your list. Should do the trick! THANK YOU! :) –  Oct 26 '14 at 17:39

1 Answer

6

In the interface for cPHulk, you can wild-card with the following IPv4 address ranges (in notation used by CIDR or Classless Inter-Domain Routing):

103.26.193.* should be specified in cPHulk as: 103.26.193.0/24
103.26.*.* should be specified in cPHulk as: 103.26.0.0/16
103.*.*.* should be specified in cPHulk as: 103.0.0.0/8

This can be done at the command line or via the WHM interface.

The notation for wild-carding the IP addresses derives from the fact that an IP address is often represented as a 32-bit unsigned integer. For better human readability, we divide this into four 8-bit bytes separated by dots (dot notation).

In the wild-card notation, the number following the slash indicates how many of the higher-order bits should be considered significant. The examples above show, in order, cases where the first 24 bits (three bytes), 16 bits (2 bytes), and 8 bits (1 byte) are considered significant.

Similar wild-carding / address block notation is specified for IPv6 as well.

If cPHulk is coded correctly, we should even be able to split one of the bytes at an arbitrary bit boundary (but I haven't tested this). The notation should support it.

For more information on the details, one can start with some of the following links:

Wikipedia: Classless Inter-Domain Routing

IPv4 Classes, Subnets, Netmasks, CIDR and NAT

Wikipedia: IP Address

rholmes
  • 246
  • 2
  • 10
  • Thanks @rholmes...see my amended OQ where I posted screen shots. Interface is cPanel/WHM itself. – H. Ferrence Feb 13 '14 at 17:48
  • 1
    This solution will work in your situation. Hope that helps! – rholmes Feb 16 '14 at 22:25
  • But it doesn't work, that's the reason for my posting the question. – H. Ferrence Feb 17 '14 at 02:03
  • 1
    Hmm… It appears to work for me… Which version of WHM are you using, and how many are you trying to block? I typically use the xxx.xxx.0.0/16 style (to avoid over-blocking) but I've taken to attempting larger ranges. How is it that you're determining it doesn't work -- you still get failure attempts from the blocked IPs? Updated answer for clarity... – rholmes Feb 17 '14 at 03:54
  • WHM 11.42.0 (build 8). The reason I don't believe it works is that when I enter an IP in the box shown above in my OQ and click the Save button, the IP shows. When I use wild cards the IP does not show. And the entry is not in the blacklist table in cphulkd in the MySQL db on the server – H. Ferrence Feb 17 '14 at 11:12
  • So, are you saying that you enter 103.26.0.0/16 in the box and after saving it shows as 103.26.nnn.nnn? If the text is changing out from under you I'd suspect perhaps a browser issue. WHM 11 seems like it's new enough. I've used this method for a while and don't have trouble - I'm kinda stumped... – rholmes Feb 18 '14 at 05:00
  • As shown in the screen shot above, I enter "103.26.193.*" in the Blocked IPs textarea box. Then I click the Save button. Then nothing reappears in the Blocked IPs textarea box based on what I entered (i.e., the use of the wildcard), and when I check the MySQL table there is no reference to the entry whatsoever. – H. Ferrence Feb 18 '14 at 12:39
  • 1
    You should enter "103.26.193.0/24" instead. That should wild-card the last digit of the IP. To wildcard the last two, "103.26.0.0/16". – rholmes Feb 18 '14 at 13:01
  • Thanks @rholmes. I'll give it a try later today and report back and accept your answer if it works. Greatly appreciated. (I think I get it now) – H. Ferrence Feb 18 '14 at 16:50
  • That worked @rholmes. It retained the entry based on your answer's examples. So what does "0/24", "0/16", and "0/8" represent? I was trying to use the asterisk as the wild card. – H. Ferrence Feb 18 '14 at 17:05
  • 1
    I just edited the answer to provide additional background without too much detail, I hope... – rholmes Feb 18 '14 at 21:39
  • I really want to thank you @rholmes for helping me with this. I am significantly reducing hack attempts as a result of your assistance with the proper way to enter _wild card_ IP Ranges. – H. Ferrence Feb 19 '14 at 14:33
  • Glad it helped! I use it all the time now... – rholmes Feb 19 '14 at 20:10
  • Hey @rholmes ... just had to take a moment to come back here and thank you so very much for helping me with these settings. I have gone from roughly 50 server attacks an hour (from mainly Pac Rim countries) to ZERO / NOTHING / ZIP / NADA / ZILCH at all. It is so refreshing to know that my server is just a bit more secured. Again, thanks! – H. Ferrence Feb 27 '14 at 13:39
  • I'm really glad it helped, @H. Ferrence! I'm curious, I've been blacklisting at the "103.26.0.0/16" form by default (since it's easier to click) and I don't want to blacklist my own IP (I use a very restricted form for US addresses, since I want to be able to admin at internet cafes, work, hotel, random ISP). I find I regularly get a spate of attacks from different countries, but I know that IP address ranges are not particularly deterministic (e.g., 138.x.x.x may have locations in both US and Thailand…). What's the default you're using now to reduce the attacks? – rholmes Feb 27 '14 at 14:20
  • What I have done is white-listed my IP's -- work office and home office. Those are really the only 2 I connect from. As per my hosts, I require my clients to submit their IP address to me and they understand they can only FTP into the server from that address. Then what I have done, since you helped me out with the wild card-ing technique, is I monitored the hack attempts to my server. When I saw them come in via the cPhulkd reports, I simply blocked the entire IP range. – H. Ferrence Feb 27 '14 at 14:35
  • That's the way I have used it and it works perfectly for me and the handful of clients I have that require FTP access to my server. – H. Ferrence Feb 27 '14 at 14:36
  • Take a look at my related S/F question whereby I really shut down an attempt relatively quickly -- maybe that will help you out in some fashion. (http://serverfault.com/questions/570416/do-cphulk-brute-force-protection-settings-effect-hosts) – H. Ferrence Feb 27 '14 at 14:37
  • Hey thanks for the info. Left a question on the other site. Was wondering if you're using the wildcards or just the settings mentioned in your previous post. – rholmes Mar 02 '14 at 02:58
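The following is an added worked example, not code from the question, from rholmes's answer, or from cPanel/cPHulk. It implements the translation the answer describes (each trailing `*` clears one 8-bit octet, so `103.26.193.*` becomes `103.26.193.0/24`), shows the "significant bits" picture from the answer's explanation, widens the two /24 blocks from the question into the smallest block covering both (the arbitrary-bit-boundary case the answer mentions but did not test), and checks a trusted-IP list against a blacklist so a broad entry like the /8 blocks in the question cannot lock out the administrator's own address, the over-blocking concern raised in the comments. Only Python's standard `ipaddress` module is used; the sample blacklist and trusted addresses at the bottom are constructed for the demo (198.51.100.7 is from a documentation range, and 138.0.0.0/8 is taken from the "138.x.x.x" remark in the comments).

```python
import ipaddress
from typing import Iterable, List, Tuple


def wildcard_to_cidr(pattern: str) -> ipaddress.IPv4Network:
    """Translate a dotted wildcard such as '103.26.193.*' into the CIDR block
    cPHulk accepts ('103.26.193.0/24').  Each trailing '*' clears one 8-bit
    octet, so the prefix length is 8 times the number of fixed octets."""
    octets = pattern.split(".")
    if len(octets) != 4:
        raise ValueError(f"expected four dotted octets: {pattern!r}")
    fixed: List[str] = []
    for octet in octets:
        if octet == "*":
            break
        fixed.append(octet)
    # Anything after the first '*' must also be '*': '103.*.193.*' is not a CIDR block.
    if any(o != "*" for o in octets[len(fixed):]):
        raise ValueError(f"wildcards must be trailing: {pattern!r}")
    base = ".".join(fixed + ["0"] * (4 - len(fixed)))
    # strict=True makes ip_network reject any host bit set inside the wildcarded part.
    return ipaddress.ip_network(f"{base}/{8 * len(fixed)}", strict=True)


def to_block(entry: str) -> ipaddress.IPv4Network:
    """Accept either wildcard or CIDR form; a plain address becomes a /32.
    strict=False masks off host bits in entries like '138.1.2.3/8'."""
    if "*" in entry:
        return wildcard_to_cidr(entry)
    return ipaddress.ip_network(entry, strict=False)


def significant_bits(net: ipaddress.IPv4Network) -> str:
    """The 32-bit network address in binary, with '|' after the bits the
    prefix length marks as significant (the answer's 'higher-order bits')."""
    bits = format(int(net.network_address), "032b")
    return bits[: net.prefixlen] + "|" + bits[net.prefixlen :]


def smallest_covering_block(entries: Iterable[str]) -> ipaddress.IPv4Network:
    """Smallest single CIDR block that contains every entry.  The prefix is
    shortened one bit at a time, so the result can land on a boundary inside
    a byte (e.g. two /24s merging into a /22)."""
    blocks = [to_block(e) for e in entries]
    cover = blocks[0]
    for block in blocks[1:]:
        while not block.subnet_of(cover):
            cover = cover.supernet()  # drop one significant bit; 0.0.0.0/0 returns itself
    return cover


def blacklist_conflicts(
    blacklist: Iterable[str], trusted_ips: Iterable[str]
) -> List[Tuple[str, str]]:
    """Return (trusted_ip, block) pairs where a trusted address would be caught
    by a blacklist entry.  Run this before saving broad /8 entries so the
    admin's own IPs (the ones you would whitelist) are never locked out."""
    blocks = [to_block(e) for e in blacklist]
    hits: List[Tuple[str, str]] = []
    for ip in trusted_ips:
        addr = ipaddress.ip_address(ip)
        for block in blocks:
            if addr in block:
                hits.append((ip, str(block)))
    return hits


if __name__ == "__main__":
    # Constructed sample data for the demo (not taken from a real server).
    blacklist = ["103.26.193.*", "103.26.194.*", "138.0.0.0/8"]
    trusted = ["198.51.100.7", "138.12.34.56"]  # 198.51.100.0/24 is a documentation range
    for entry in blacklist[:2]:
        block = wildcard_to_cidr(entry)
        print(f"{entry:>14} -> {block}  ({block.num_addresses} addresses)  {significant_bits(block)}")
    print("smallest block covering both:", smallest_covering_block(blacklist[:2]))
    print("trusted IPs caught by the blacklist:", blacklist_conflicts(blacklist, trusted))
```

Running the script shows the two /24 blocks from the question merging into 103.26.192.0/22 (which also covers 103.26.192.* and 103.26.195.*, so check that before using the wider block), and reports that the constructed trusted address 138.12.34.56 would be blocked by the 138.0.0.0/8 entry; an empty conflict list is the state to confirm before saving a large blacklist in WHM.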