How to Configure cPHulk Brute Force Protection in WHM

Introduction

Security is the cornerstone of any reliable server environment, and WHM (Web Host Manager) offers robust tools to help safeguard your infrastructure. Among its most vital security features is cPHulk Brute Force Protection—an essential line of defense designed to protect your server from relentless brute force attacks. Brute force attacks are automated attempts to gain unauthorized access by repeatedly guessing login credentials across various services. cPHulk monitors critical services such as WHM, cPanel, FTP, SSH, and mail servers (IMAP, Exim), actively blocking malicious IPs to prevent these attacks.

When cPHulk blocks an IP, that address may still reach your services, but all login attempts from it will fail, even with the correct username and password, until the IP is manually unblocked. In this guide, we’ll walk you through accessing, configuring, and managing cPHulk to maximize your server’s protection.

Accessing cPHulk Brute Force Protection in WHM

To get started, log into your WHM dashboard on your Dedicated Server. If you’re unsure how to access WHM, please refer to our detailed How to Access WHM tutorial.

Once logged in:
  • Locate the search bar on the left side of the WHM interface.
  • Type “cPHulk Brute Force Protection” into the search box.
  • Click the resulting link to open the cPHulk management panel.

Configuring and Managing cPHulk

Upon entering the cPHulk dashboard, you will immediately see a large toggle switch that enables or disables the entire protection system. Toggle it ON to activate brute force defense or OFF to pause protection.

Below this toggle, five tabs organize the available settings:
  • Configuration Settings
  • Whitelist Management
  • Blacklist Management
  • Countries Management
  • History Reports

By default, the Configuration Settings tab is open, and we will start there.

The Configuration Settings Tab

Username-based Protection

At the top, you’ll find the Username-based Protection section with an enable/disable toggle. Activating this feature makes cPHulk monitor login attempts based on usernames. Disabling it stops new blocks but does not remove existing ones—you will need to clear those manually.

Here are the key options you’ll find:
  • Brute Force Protection Period (minutes):
    Define the timeframe in minutes during which failed login attempts are tracked. For example, if a user repeatedly fails to log in during this period, cPHulk counts those failures towards triggering a lockout.
  • Maximum Failures By Account:
    Set the threshold for failed login attempts per user before that account is locked. When locked, the user account is inaccessible from all IP addresses—not just the one responsible for triggering the block.
  • Apply Protection to Local Addresses Only:
    Limits protection to login attempts originating from the local server, preventing local users from brute forcing other accounts on the same server.
  • Apply Protection to Local and Remote Addresses:
    Extends username-based protection to all login requests, regardless of origin.
  • Allow Username Protection to Lock the Root User:
    Enabling this option allows the root user account to be locked out if it exceeds failed login attempts.

IP Address-based Protection

Scrolling down, you will find settings for tracking login failures by IP address:

  • Enable/Disable IP Address-based Protection:
    Turn this on or off with the toggle switch at the top-right of this section.
  • Brute Force Protection Period (minutes):
    Specifies the time window during which cPHulk monitors failed login attempts from a specific IP.
  • Maximum Failures Per IP Address:
    Determines how many failed attempts from a single IP are allowed before blocking that IP. Setting this to zero will block all login attempts, including root, so be sure to whitelist trusted IPs.
  • Command to Run When IP Is Blocked:
    Enter a custom script or command to execute automatically when an IP triggers brute force protection. Click the info icon for available variables.
  • Block IPs at the Firewall Level:
    If you have a firewall integrated, selecting this option will push blocked IPs directly to your firewall for immediate network-level blocking.
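
The difference between the username counter and the IP counter is easiest to see on sample data. The following is an added example, not cPanel's code and not part of the original guide: a simplified Python model in which a block triggers once the failures inside the protection period reach the configured maximum, with username protection applied to local and remote addresses. The thresholds, usernames and IP addresses are constructed for illustration.

```python
from collections import defaultdict, deque


def evaluate(events, period_min, max_by_account, max_per_ip):
    """Simplified model of the two counters described above.

    events: (minute, username, ip) tuples for FAILED logins, in time order.
    Returns (locked_accounts, blocked_ips). Assumption: a block triggers when
    the count inside the protection period reaches the configured maximum.
    """
    by_user = defaultdict(deque)   # username -> minutes of recent failures
    by_ip = defaultdict(deque)     # source IP -> minutes of recent failures
    locked, blocked = set(), set()
    for minute, user, ip in events:
        for recent in (by_user[user], by_ip[ip]):
            recent.append(minute)
            # Forget failures older than the Brute Force Protection Period.
            while recent and minute - recent[0] >= period_min:
                recent.popleft()
        if len(by_user[user]) >= max_by_account:
            locked.add(user)       # account refuses logins from every IP
        if len(by_ip[ip]) >= max_per_ip:
            blocked.add(ip)        # this IP fails logins for every account
    return locked, blocked


# Constructed failed-login events (documentation IP ranges, made-up usernames).
MANY_IPS_ONE_USER = [(m, "alice", f"198.51.100.{m + 1}") for m in range(4)]
ONE_IP_MANY_USERS = [(m, u, "203.0.113.9")
                     for m, u in enumerate(["bob", "carol", "dave"])]
OCCASIONAL_TYPOS = [(m, "erin", "192.0.2.10") for m in (0, 5, 10, 15)]

if __name__ == "__main__":
    # Assumed values for illustration only: 5-minute period, 4 per account, 3 per IP.
    for name, ev in [("many IPs, one user", MANY_IPS_ONE_USER),
                     ("one IP, many users", ONE_IP_MANY_USERS),
                     ("occasional typos", OCCASIONAL_TYPOS)]:
        print(name, evaluate(ev, period_min=5, max_by_account=4, max_per_ip=3))
```

In the first scenario only the account is locked, which also shuts out its legitimate owner; in the second only the source IP is blocked; in the third the failures are spaced a full period apart and never accumulate.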

One-Day Blocks

This section provides options to temporarily block IP addresses for a full 24 hours:

  • Maximum Failures Per IP Before One-Day Block:
    Similar to the previous IP failure limit, but triggers a 24-hour block.
  • Command to Run When One-Day Block Triggered:
    Enter any command you want to run upon a one-day block trigger.
  • Block IPs at Firewall Level for One-Day Block:
    Enables firewall-level blocking for IPs under one-day blocks.

Login History

Here, you can control how long failed login attempts are retained and displayed:

  • Duration for Retaining Failed Login Attempts (minutes):
    This controls the length of time the system remembers failed attempts and continues to display “The login is invalid” messages.

Notifications

Stay informed by enabling notifications for key security events:

  • Notify on Successful Root Login from Non-Whitelisted IP:
    Receive alerts when the root account logs in from an unknown IP.
  • Notify on Root Login from Known Netblock but Not Whitelisted IP:
    Get notified if root logs in from an IP within a known netblock but not explicitly whitelisted.
  • Notify on Brute Force Attack Detection:
    Receive alerts whenever cPHulk detects a brute force attack.

Saving Your Settings

Once you’ve customized all your preferences, don’t forget to click the Save button at the bottom of the page to apply your configurations.

The Whitelist Management Tab

To manage trusted IP addresses, navigate to the Whitelist Management tab located next to the Configuration Settings tab. On this page, you’ll see a clear warning highlighted in a blue bar: any IP address you add to the whitelist will have unrestricted login access across your entire server. Because of this elevated privilege, it’s crucial to whitelist only IPs you fully trust, as adding a malicious IP could compromise your server’s security.

Below the warning, you’ll find the New Whitelist Records section where you can enter the IP address you want to whitelist. Just beneath that, there is a Comments field—this is your opportunity to add a note or description for the IP. For example, if you are whitelisting your office IP, you might enter a comment like “Office IP Address” to keep track of its purpose. Once you’ve entered the IP and added a relevant comment, click the Add button at the bottom of the form to save it. The newly whitelisted IP and its comment will then appear in the list on the right side of the form.

From this list, you have the option to Edit or Delete entries:

  • Clicking Delete will remove the IP from the whitelist immediately.
  • Clicking Edit allows you to modify only the comment associated with the IP—IP addresses themselves cannot be changed here.

By carefully managing your whitelist, you help maintain strong security while allowing trusted sources seamless access to your server services.

The Blacklist Management Tab

To access this feature, simply click on the Blacklist Management tab, located immediately to the right of the Whitelist Management tab.

Upon arrival, you’ll notice a blue notification bar warning that any IP address you add to the blacklist will be completely blocked from logging into any part of your server. Because of this strict restriction, it’s essential to blacklist only those IPs you are certain should be denied access—accidentally blacklisting your own office or home IP could lock you out of your services entirely. Below this alert, you’ll find the New Blacklist Records section where you can input the IP address you wish to block. Directly underneath, there is a Comments field where you can add a brief description or reason for blacklisting the IP. For example, you might write “Repeated unauthorized login attempts” or “Suspected hacker” to keep track of why the IP was blacklisted.

If you’re unsure which IPs to blacklist, the History Reports section (which we will cover later in this guide) can help identify suspicious addresses based on login activity. Once you’ve entered the IP and a relevant comment, click the Add button at the bottom to save the entry. The IP and its note will then be listed on the right side of the form for easy reference.

From this list, you can manage entries with two options:

  • Click Delete to remove the IP from the blacklist and restore its access.
  • Click Edit to update only the comment associated with the IP; the IP address itself cannot be modified here.

Managing your blacklist thoughtfully helps ensure your server remains secure without inadvertently blocking legitimate users.

The Countries Management Tab

To access this feature, click on the Countries Management tab, located to the right of the Blacklist Management tab.

This section allows you to manage access by country—either whitelisting, blacklisting, or clearing countries from these lists. Whitelisting a country permits all login attempts originating from that country, while blacklisting completely blocks login attempts from it. Let’s take a closer look at the interface. At the top of the page, just below the Countries heading, you’ll find a search bar to quickly find any country. Beneath that is a filter that lets you display countries based on their current status: Whitelisted, Blacklisted, Not Specified, or All to view every country regardless of status.

Each country in the list has a checkbox on the far left. By selecting one or multiple countries, you can then use the cogwheel icon located in the top-right corner of the list to apply bulk actions—whitelist, blacklist, or set to not specified. The cogwheel also offers the convenience of selecting or deselecting all countries in the list. For changing the status of a single country, simply type the country name into the search bar. Once the country appears in the list, select the desired status using the radio buttons next to it. For example, if you search for “United States” and choose the Whitelisted option, the row will highlight green to indicate it’s whitelisted. Conversely, selecting Blacklisted will highlight the row in red.

This tab makes it easy to control login permissions on a geographic level, adding an extra layer of security to your server management. Up next, we’ll review the History Reports tab.

The History Reports Tab

You can access this tab by clicking on the History Reports link, located to the right of the Countries Management tab. This section provides detailed information about failed login attempts on your server, making it an essential tool for monitoring potential security threats.

The History Reports tab is particularly useful when deciding whether to blacklist an IP address, as it logs data related to brute-force attacks and their sources. At the top of the page, you’ll find the Select a Report label with a dropdown menu on its right. This menu lets you choose the type of report you want to view, which will be displayed in the table below.

Just beneath the dropdown, there’s a search bar that allows you to filter the results based on various report details. For example, typing “sshd” will filter the table to show brute-force blocks related to the SSH service, making it easier to pinpoint specific attack attempts.

Here’s a breakdown of the key columns displayed in the report table:
  • User: Shows the username the attacker attempted to use during the login.
  • IP Address: Displays the IP address from which the attack originated.
  • Country: Indicates the attacker’s country of origin.
  • Service: Lists the server service targeted in the attack—for instance, “system” covers attacks on cPanel, SSH, or WHM.
  • Authentication Service: Specifies which authentication service was targeted.
  • Login Time: Records the date and time when cPHulk blocked the IP address.
  • Expiration Time: Shows when the block will be lifted.
  • Minutes Remaining: Displays the remaining time (in minutes) until the IP address is unblocked.
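
When a report has many rows, grouping them by source address makes the blacklist decision easier and keeps your own networks off the list. The following is an added example, not part of the original guide or of cPanel: a Python sketch that works on rows using the User, IP Address and Service columns above. The rows, the trusted network and the `min_events` threshold are constructed assumptions.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed rows (documentation IP ranges); keys mirror the report columns.
ROWS = [
    {"user": "root",   "ip": "203.0.113.7",   "service": "sshd"},
    {"user": "admin",  "ip": "203.0.113.7",   "service": "sshd"},
    {"user": "root",   "ip": "203.0.113.7",   "service": "sshd"},
    {"user": "test",   "ip": "203.0.113.7",   "service": "sshd"},
    {"user": "office", "ip": "198.51.100.20", "service": "mail"},
    {"user": "office", "ip": "198.51.100.20", "service": "mail"},
    {"user": "office", "ip": "198.51.100.20", "service": "mail"},
    {"user": "carol",  "ip": "192.0.2.55",    "service": "ftp"},
]

# Assumption: the networks you administer the server from.
TRUSTED = ["198.51.100.0/24"]


def blacklist_candidates(rows, trusted, min_events=3):
    """Return (candidates, skipped_trusted).

    candidates: [(ip, events, usernames_tried)], most active first, limited to
    addresses outside the trusted networks with at least min_events rows.
    skipped_trusted: {ip: events} for trusted addresses that appear in the
    report; these need investigation (stale password, misconfigured client),
    not a blacklist entry that would lock you out.
    """
    nets = [ipaddress.ip_network(n) for n in trusted]
    counts, users, skipped = Counter(), defaultdict(set), Counter()
    for row in rows:
        addr = ipaddress.ip_address(row["ip"])
        if any(addr in net for net in nets):
            skipped[row["ip"]] += 1
            continue
        counts[row["ip"]] += 1
        users[row["ip"]].add(row["user"])
    candidates = [(ip, n, sorted(users[ip]))
                  for ip, n in counts.most_common() if n >= min_events]
    return candidates, dict(skipped)


if __name__ == "__main__":
    print(blacklist_candidates(ROWS, TRUSTED))
```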

This concludes our comprehensive guide on using the cPHulk Brute Force Protection feature within the WHM control panel. While it may seem complex at first, mastering these settings gives you powerful control over your server’s security.

If you have any questions or run into any issues, our dedicated Technical Support team is available 24/7 via the ticketing system in your Client Area. Don’t hesitate to reach out — we’re here to help!

Conclusion

The cPHulk Brute Force Protection feature in WHM is a vital security tool that helps safeguard your server against unauthorized access attempts and brute-force attacks. By effectively managing whitelists, blacklists, country restrictions, and monitoring attack history, you gain full control over who can access your services — enhancing your server’s overall security posture.

At ServerMO, we understand how important it is to keep your dedicated servers secure, which is why we recommend leveraging features like cPHulk to proactively protect your infrastructure. If you ever need assistance configuring or troubleshooting these settings, our expert support team is available around the clock to help you maintain a safe and reliable server environment.

Stay secure and let ServerMO power your hosting with confidence!
