cphulk

**offline** · 03-12-2009 10:49 AM

Can anyone tell me what cpanel hulk does? I understand what something like fail2ban does, it analayzes logs then makes entries into iptables for block someone's IP address. How do hulk work and what does it protect?

Thanks,

Chris Edwards

**daveformerlyof** · 03-12-2009 11:36 AM

cPHulk looks for logins for PAM services. Based on your configuration, it will block an IP after a specified number of failed logins from a specific IP (or for a specific account) for a specific period of time.

**offline** · 03-13-2009 09:29 AM

Hmm interesting, What services/ports does it cover? When it bans an IP I noticed that they can continue to try to login but they are blocked at the PAM level? Is there a file/log that is created that shows you which IP's are blocked?

**daveformerlyof** · 03-13-2009 10:41 AM

Originally Posted by offline

Hmm interesting, What services/ports does it cover? When it bans an IP I noticed that they can continue to try to login but they are blocked at the PAM level? Is there a file/log that is created that shows you which IP's are blocked?

It covers: cPanel, WHM, FTP, SSH, and I may be forgetting some more which I'll track down.

We intentionally allow continued login attempts as to not notify the attacker that they should start changing their strategy.

In WHM, you can see the log of blocked IPs. It's in the Security Center.

**elkram** · 03-13-2009 02:36 PM

Here's an excerpt from my /usr/local/cpanel/logs/error_log. Is this anything to worry about?

Code:

2009-03-13 16:44:54 info [cphulkd] [31754] Waiting for lock on /var/cpanel/hulkdpass held by cPhulkd - processor - locking /var/cpanel/hulkdpass with pid 31753
2009-03-13 16:44:55 info [cphulkd] [31754] Lock file /var/cpanel/hulkdpass.lock now gone, try to acquire
2009-03-13 17:15:15 info [cphulkd] [7325] Waiting for lock on /var/cpanel/hulkdpass held by cPhulkd - processor - locking /var/cpanel/hulkdpass with pid 7324
2009-03-13 17:15:16 info [cphulkd] [7325] Lock file /var/cpanel/hulkdpass.lock now gone, try to acquire
2009-03-13 17:30:25 info [cphulkd] [9268] Waiting for lock on /root/.my.cnf held by cPhulkd - processor - locking /root/.my.cnf with pid 9267
2009-03-13 17:30:25 info [cphulkd] [9280] Waiting for lock on /var/cpanel/hulkdpass held by cPhulkd - processor - locking /var/cpanel/hulkdpass with pid 9273
2009-03-13 17:30:25 info [cphulkd] [9275] Waiting for lock on /var/cpanel/hulkdpass held by cPhulkd - processor - locking /var/cpanel/hulkdpass with pid 9273
2009-03-13 17:30:26 info [cphulkd] [9268] Lock file /root/.my.cnf.lock now gone, try to acquire
2009-03-13 17:30:26 info [cphulkd] [9280] Lock file /var/cpanel/hulkdpass.lock now gone, try to acquire
2009-03-13 17:30:26 info [cphulkd] [9275] Lock file /var/cpanel/hulkdpass.lock now gone, try to acquire
2009-03-13 17:45:31 info [cphulkd] [10160] Waiting on invalid lock /var/cpanel/hulkdpass.lock for 60 seconds
2009-03-13 18:14:56 info [cphulkd] [16101] Waiting for lock on /root/.my.cnf held by cPhulkd - processor - locking /root/.my.cnf with pid 16099
2009-03-13 18:14:57 info [cphulkd] [16101] Lock file /root/.my.cnf.lock now gone, try to acquire

Plus, cPHulk never seems to add anything to its database.
Thanks.

**daveformerlyof** · 03-13-2009 02:37 PM

Looks like some file locking issues which may or not be related to a bad drive. Please send in a support request so we can take a look. Thanks!

**elkram** · 03-13-2009 02:40 PM

Thanks, Dave. I think I need to go through my provider as I am not the cPanel licensee.

**daveformerlyof** · 03-13-2009 02:52 PM

Surely. If your provider is unable to track it down quickly, they can send it up to us.

LinkBack

Thread Tools

cphulk

cPHulk and botnet

Cphulk.

cphulk and apf

cphulk configuration

cphulk protection