All 1H Software use specific URLs. For this purpose you need to adjust the DNS settings for the server hostname accordingly. You need the specific sub-domain - 1h.$servername.
If the DNS zone for the server (i.e. serverdemo.com) is not managed by the server itself, but from an outside DNS server - You will need to create an A record for the 1h.$servername sub-domain name pointing to the primary IP address of the server.
serverdemo.com has IP address 10.101.10.101
You will need to create 1h.serverdemo.com which resolves to 10.101.10.101:
1h.serverdemo.com IN A 10.101.10.101
Hawk Local Interface
In the given example the local interface for Hawk will be accessible at:
The Hawk local interface by default is not password protected. However, if you would like to password-protect it, we have generated a sample .htaccess file for you. The default file is located under the following path:
If you would like to password protect your software, please use the following command:
mv /home/1h/public_html/htaccess.default /home/1h/public_html/.htaccess
You will be assigned login details for your local interface. The username is admin and you can recover the password we have assigned by using the following command:
grep access_pass /usr/local/1h/etc/web.conf | cut -d = -f 2
The Hawk local interface will provide you with detailed information regarding failed login attempts and bruteforce attacks to the server. Detailed information you can find in the Hawk Local Web Interface article.
Portal Centralized Interface
The 1H Portal interface provides you with general information for all your servers with 1H Software installed on them. The 1H Portal interface is available via the following URL:
The Portal interface is also password protected. The username for the login is always admin and the password can be withdrawn running the following command on the server:
grep access_pass /usr/local/1h/etc/web.conf
You will get:
NB: You should have received an email with the needed login details for the 1H Portal at the administrative email for WHM upon finalizing the portal installation. In any case you can use the procedure described above to reclaim the password.
IMPORTANT: In order to have a server included in the Portal Centralized interface it should be added to an existing Server Group in the 1H Admin Portal. Server Groups and Servers management are explained in details in the Server Groups section. Generally all you need to do is follow these steps:
- Login to the 1H Admin Portal interface and go to Server Groups
- Double click on an existing Server Group
- Click the "Add server" button in the lower right part of the page
- Enter the server name and IP address and click "Add Server"
NB: Note that it will take up to 24 hours for the data in the centralized interface to be updated after you have added a new server.
The Admin Portal Web Interface for Hawk will provide you with general statistics for all servers added under Server Groups. More detailed information you can find in the Hawk Admin Portal Web Interface article.
Configuration trough cPanel/WHM plugin
The Hawk configuration is accessible via WHM -> Plugins -> 1H Software -> Hawk configuration
Here are the options available for the Hawk configuration.
Brute Force Settings
- Failed attempts + Failed duration indicates the number of failed login attempts that should be attempted for the specified period of time in order for them to be counted as one Brute Force attempt.
- Brute Force attempts + Brute Force interval indicates the number of brute force attempts that should be made for the specified interval in order for an IP address to get blocked.
Note that the specified number of failed login attempts should be made from the same IP address to the same service in order to count towards a brute force attempt.
- Blocked expiration indicates the exact time interval for which an IP address will remain blocked.
- Block on - This option defines whether IP addresses will be blocked after brute force attempts or simply after a certain amount of failed login attempts
Note that if you choose Failed Attempts - this will disregard everything from Brute Force Settings
- Failed count indicates the number of failed attempts needed for an IP address to be blocked. This is only active in case you have chosen Failed attempts from the "Blocks on" settings.
Once ready adjusting the settings you can click the Save Settings button.
The Hawk configuration file is /home/1h/etc/hawk.conf. It is recommended not to make changes to it manually in case you do not know what exactly you are doing and use the WHM configuration instead.
The Hawk configuration file includes the following lines (we will explain in more details each line ):
The period in seconds for which 1 bruteforce attempt can be counted.
The number of failed login attempts that should be made for the specified period in order to be counted as 1 bruteforce attempt.
The interval in which an IP address will be blocked in case a certain number of bruteforce attempts are recorded (specified below).
The number of bruteforce attempts needed for one IP address to get blocked if made during a specified interval.
Denotes whether IP addresses should be blocked on bruteforce attempts or simply after a certain number of failed login attempts. The value can be 0 or 1 - respectively blocking on brute force attempts and blocking on failed attempts.
If you have selected to block IP address upon certain number failed login attempts - this option denotes the exact failed login attempts number after which the IP address will be blocked.
The period (in seconds) that should pass prior to an IP address being removed from the block list. This denotes the period from the last recorded bruteforce or failed login attempt.