Hawk Configuration

From Wiki

Jump to: navigation, search


Web Interfaces

DNS Settings

All 1H Software use specific URLs. For this purpose you need to adjust the DNS settings for the server hostname accordingly. You need the specific sub-domain - 1h.$servername.



If the DNS zone for the server (i.e. serverdemo.com) is not managed by the server itself, but from an outside DNS server - You will need to create an A record for the 1h.$servername sub-domain name pointing to the primary IP address of the server.


serverdemo.com has IP address

You will need to create 1h.serverdemo.com which resolves to

1h.serverdemo.com IN A

Hawk Local Interface

In the given example the local interface for Hawk will be accessible at:


The Hawk local interface by default is not password protected. However, if you would like to password-protect it, we have generated a sample .htaccess file for you. The default file is located under the following path:


If you would like to password protect your software, please use the following command:

mv /home/1h/public_html/htaccess.default /home/1h/public_html/.htaccess

You will be assigned login details for your local interface. The username is admin and you can recover the password we have assigned by using the following command:

grep access_pass /usr/local/1h/etc/web.conf | cut -d = -f 2

The Hawk local interface will provide you with detailed information regarding failed login attempts and bruteforce attacks to the server. Detailed information you can find in the Hawk Local Web Interface article.

Portal Centralized Interface

The 1H Portal interface provides you with general information for all your servers with 1H Software installed on them. The 1H Portal interface is available via the following URL:


The Portal interface is also password protected. The username for the login is always admin and the password can be withdrawn running the following command on the server:

grep access_pass /usr/local/1h/etc/web.conf

You will get:


NB: You should have received an email with the needed login details for the 1H Portal at the administrative email for WHM upon finalizing the portal installation. In any case you can use the procedure described above to reclaim the password.

IMPORTANT: In order to have a server included in the Portal Centralized interface it should be added to an existing Server Group in the 1H Admin Portal. Server Groups and Servers management are explained in details in the Server Groups section. Generally all you need to do is follow these steps:

NB: Note that it will take up to 24 hours for the data in the centralized interface to be updated after you have added a new server.

The Admin Portal Web Interface for Hawk will provide you with general statistics for all servers added under Server Groups. More detailed information you can find in the Hawk Admin Portal Web Interface article.

Hawk Configuration

Configuration trough cPanel/WHM plugin

The Hawk configuration is accessible via WHM -> Plugins -> 1H Software -> Hawk configuration

Here are the options available for the Hawk configuration.


Brute Force Settings

Note that the specified number of failed login attempts should be made from the same IP address to the same service in order to count towards a brute force attempt.

Block/Unblock Settings

Note that if you choose Failed Attempts - this will disregard everything from Brute Force Settings

Once ready adjusting the settings you can click the Save Settings button.

Manual Configuration

The Hawk configuration file is /home/1h/etc/hawk.conf. It is recommended not to make changes to it manually in case you do not know what exactly you are doing and use the WHM configuration instead.

The Hawk configuration file includes the following lines (we will explain in more details each line ):


The period in seconds for which 1 bruteforce attempt can be counted.


The number of failed login attempts that should be made for the specified period in order to be counted as 1 bruteforce attempt.


The interval in which an IP address will be blocked in case a certain number of bruteforce attempts are recorded (specified below).


The number of bruteforce attempts needed for one IP address to get blocked if made during a specified interval.


Denotes whether IP addresses should be blocked on bruteforce attempts or simply after a certain number of failed login attempts. The value can be 0 or 1 - respectively blocking on brute force attempts and blocking on failed attempts.


If you have selected to block IP address upon certain number failed login attempts - this option denotes the exact failed login attempts number after which the IP address will be blocked.


The period (in seconds) that should pass prior to an IP address being removed from the block list. This denotes the period from the last recorded bruteforce or failed login attempt.

Personal tools