[Need Review and Compare] Auto Unblock IP Tool for WHMCS

UpReseller

I really want to save times for our customers, so I decide to buy a few whmcs addons. Now it's time to choose Auto unblock ip address for WHMCS.

Any suggest?

I found it: http://www.autounblock.com/FullFeatureslist.php, but I have never use it. Any recommend?

jarland

I just can't see spending $49 on something that easy to do on your own, and I don't know that I'd want clients being able to remove IPs from my block list. They shouldn't be in it anyway.

fly

when would you see a situation where you would want auto unblock ip address instead of manually reviewing each case?

HC_Ro

You want to use this to remove cphulk bans?

MrAndroid

Useless.

Randy

you are wasting money 49 is alot

MrAndroid

@Randy said: you are wasting money 49 is alot

Its a lot for a stupid plugin.

UpReseller

I think this is not bad idea. I already seen it before with PacificHost. It saves time for our customers, because they don't need to ask for support to unblock their ips when did wrong password.

MrAndroid

You already can set the ban length.

UpReseller

@MrLadoodle: This is a plugin which connects to server, not by WHMCS unblock tool. :)

NickM

Doesn't that completely defeat the purpose of having a limit on wrong passwords? If you can just unblock yourself, it's not going to stop a brute force attack...

Maounique

Actually, a brute force attack is likely to be automated, this means if the IP is blocked the robot wont go to unblock it because it doesnt even know the IP of the panel. The user needs to login to the panel to do that. M

jarland

So one client can try to brute force another client to their heart's content. I guess if you trust your clients, including the ones you don't have yet...

Maounique

Dont think so, they will have to have the credentials to login to the panel. M

jarland

It allows users to unblock an IP of their choice from csf via whmcs. So the client becomes immune to the firewall settings. Question is...do clients deserve this blanket privilege. If one client is trying to attack another client, they now have the freedom to brute force, with a minor inconvenience in the way. I guess if you give it out sparingly it could be a time saver, if you have a legit client who is bad at remembering passwords and doesn't use a static IP that you can just white list.

jclarke

UnBlockMe recently went free and open source, you can get it from here: http://code.google.com/p/franksworld/downloads/detail?name=unblockme-2.0.zip&can=2&q=

I took this version and completely rewrote it into a new free open source version, which you can get here: http://projects.serverping.net/projects/unblockip/wiki

In my version you can set how many times a user can perform an unblock in a given time period to help prevent someone from using the tool to get around the brute force protection.

Corey

I wouldn't use this simply because if a client gets locked out we have no issue with them opening a support ticket. They shouldn't be getting locked out though. This tool just creates a way for fraud people to try and brute things. Much like @Jarland said we can just white list clients that are bad at typing or remembering their passwords.

jclarke

With UnBlockIP, you can configure it only allow a client to issue one or two unblock requests every 24 hours for example, then it would be really difficult for someone to use this for a brute force attack but still be useful for a client who accidentally locked themselves out.

I know with our shared hosting this happens rather frequently. Now after we unblock the IP for the client, we give them instructions on how to check and remove the IP block if it happens again. If we don't have their IP information we can also just direct them to this feature in our portal since it will fill in their current ip address automatically.

Corey

@jclarke how would you not have their ip information? I still think whitelisting is a better option. Less hastle and worry.

jclarke

If they send an email to our helpdesk instead of submitting via our web interface Kayako doesn't always give us the IP address of the end user.

I would think whitelisting would be greater security risk, since that user could now brute force attack the server if they wanted to.

Corey

@jclarke yea but when they signup you have their IP right? :)

As far as a user brute forcing once whitelisted - sounds ludacris... but even then you should be able to stop them before they get anything useful.