  1. #1
    Member
    Join Date
    Jul 2008
    Posts
    23

    cphulk

    Can anyone tell me what cpanel hulk does? I understand what something like fail2ban does, it analyzes logs then makes entries into iptables to block someone's IP address. How does hulk work and what does it protect?

    Thanks,

    Chris Edwards
    Blue Dog Hosting

  2. #2
    Member
    Join Date
    Dec 2001
    Posts
    746

    cPHulk looks for logins for PAM services. Based on your configuration, it will block an IP after a specified number of failed logins from a specific IP (or for a specific account) for a specific period of time.

  3. #3
    Member
    Join Date
    Jul 2008
    Posts
    23

    Hmm, interesting. What services/ports does it cover? When it bans an IP I noticed that they can continue to try to log in but they are blocked at the PAM level? Is there a file/log that is created that shows you which IPs are blocked?
    Chris Edwards
    Blue Dog Hosting

  4. #4
    Member
    Join Date
    Dec 2001
    Posts
    746

    Originally posted by offline:
    Hmm, interesting. What services/ports does it cover? When it bans an IP I noticed that they can continue to try to log in but they are blocked at the PAM level? Is there a file/log that is created that shows you which IPs are blocked?

    It covers: cPanel, WHM, FTP, SSH, and I may be forgetting some more which I'll track down.

    We intentionally allow continued login attempts so as not to notify the attacker that they should start changing their strategy.

    In WHM, you can see the log of blocked IPs. It's in the Security Center.
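
Added example (not part of the thread, and not cPHulk's own code): a toy model of the behaviour described in posts #2 and #4, where failed logins are counted per IP and per account, a block lasts a fixed time, and blocked clients still get an ordinary failure reply. The class name, thresholds and reply strings are assumptions.

```python
from collections import defaultdict, deque


class LoginThrottle:
    """Toy model of the behaviour described above (not cPHulk's code)."""

    def __init__(self, max_failures=5, window=300, block_for=900):
        self.max_failures = max_failures    # failed logins tolerated per window
        self.window = window                # seconds a failure is remembered
        self.block_for = block_for          # seconds a block lasts
        self.failures = defaultdict(deque)  # ("ip"|"account", value) -> failure times
        self.blocked_until = {}             # same key -> time the block expires
        self.blocked_log = []               # operator-side record of blocked attempts

    def _blocked(self, key, now):
        return self.blocked_until.get(key, 0) > now

    def _fail(self, key, now):
        times = self.failures[key]
        times.append(now)
        while times and times[0] <= now - self.window:  # drop failures outside the window
            times.popleft()
        if len(times) >= self.max_failures:
            self.blocked_until[key] = now + self.block_for
            times.clear()

    def attempt(self, ip, account, password_ok, now):
        keys = [("ip", ip), ("account", account)]
        if any(self._blocked(k, now) for k in keys):
            # Still answer, with the same message a bad password gets, so the
            # client sees no change; only the operator's log shows the block.
            self.blocked_log.append((now, ip, account))
            return "Login failed"
        if password_ok:
            return "Login ok"
        for key in keys:
            self._fail(key, now)
        return "Login failed"


if __name__ == "__main__":
    t = LoginThrottle(max_failures=3, window=60, block_for=600)
    for second in range(3):  # three bad passwords in a row
        t.attempt("203.0.113.7", "alice", False, now=second)
    print(t.attempt("203.0.113.7", "alice", True, now=10))  # correct password, still refused
    print(t.blocked_log)
```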

  5. #5
    Member
    Join Date
    Nov 2004
    Posts
    30

    Here's an excerpt from my /usr/local/cpanel/logs/error_log. Is this anything to worry about?

    Code:
    2009-03-13 16:44:54 info [cphulkd] [31754] Waiting for lock on /var/cpanel/hulkdpass held by cPhulkd - processor - locking /var/cpanel/hulkdpass with pid 31753
    2009-03-13 16:44:55 info [cphulkd] [31754] Lock file /var/cpanel/hulkdpass.lock now gone, try to acquire
    2009-03-13 17:15:15 info [cphulkd] [7325] Waiting for lock on /var/cpanel/hulkdpass held by cPhulkd - processor - locking /var/cpanel/hulkdpass with pid 7324
    2009-03-13 17:15:16 info [cphulkd] [7325] Lock file /var/cpanel/hulkdpass.lock now gone, try to acquire
    2009-03-13 17:30:25 info [cphulkd] [9268] Waiting for lock on /root/.my.cnf held by cPhulkd - processor - locking /root/.my.cnf with pid 9267
    2009-03-13 17:30:25 info [cphulkd] [9280] Waiting for lock on /var/cpanel/hulkdpass held by cPhulkd - processor - locking /var/cpanel/hulkdpass with pid 9273
    2009-03-13 17:30:25 info [cphulkd] [9275] Waiting for lock on /var/cpanel/hulkdpass held by cPhulkd - processor - locking /var/cpanel/hulkdpass with pid 9273
    2009-03-13 17:30:26 info [cphulkd] [9268] Lock file /root/.my.cnf.lock now gone, try to acquire
    2009-03-13 17:30:26 info [cphulkd] [9280] Lock file /var/cpanel/hulkdpass.lock now gone, try to acquire
    2009-03-13 17:30:26 info [cphulkd] [9275] Lock file /var/cpanel/hulkdpass.lock now gone, try to acquire
    2009-03-13 17:45:31 info [cphulkd] [10160] Waiting on invalid lock /var/cpanel/hulkdpass.lock for 60 seconds
    2009-03-13 18:14:56 info [cphulkd] [16101] Waiting for lock on /root/.my.cnf held by cPhulkd - processor - locking /root/.my.cnf with pid 16099
    2009-03-13 18:14:57 info [cphulkd] [16101] Lock file /root/.my.cnf.lock now gone, try to acquire
    Plus, cPHulk never seems to add anything to its database.
    Thanks.
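
Added example (not part of the thread, and not a cPanel tool): one way to summarise the cphulkd lock messages in an error_log like the excerpt in post #5, counting waits per lock file, listing "invalid lock" waits, and reporting waits with no matching "now gone" line. The regexes assume the line shapes shown in the excerpt; the last sample line is constructed.

```python
import re
from collections import Counter

# Line shapes copied from the excerpt above.
LINE = re.compile(r"^(\S+ \S+) \w+ \[cphulkd\] \[(\d+)\] (.*)$")
WAIT = re.compile(r"^Waiting for lock on (\S+) held by .* with pid (\d+)$")
GONE = re.compile(r"^Lock file (\S+)\.lock now gone, try to acquire$")
INVALID = re.compile(r"^Waiting on invalid lock (\S+)\.lock for (\d+) seconds$")

P = "info [cphulkd]"
HELD = "held by cPhulkd - processor - locking"
HULK = "/var/cpanel/hulkdpass"
SAMPLE = [  # first five lines are from the excerpt; the last one is constructed
    f"2009-03-13 17:30:25 {P} [9268] Waiting for lock on /root/.my.cnf {HELD} /root/.my.cnf with pid 9267",
    f"2009-03-13 17:30:25 {P} [9280] Waiting for lock on {HULK} {HELD} {HULK} with pid 9273",
    f"2009-03-13 17:30:26 {P} [9268] Lock file /root/.my.cnf.lock now gone, try to acquire",
    f"2009-03-13 17:30:26 {P} [9280] Lock file {HULK}.lock now gone, try to acquire",
    f"2009-03-13 17:45:31 {P} [10160] Waiting on invalid lock {HULK}.lock for 60 seconds",
    f"2009-03-13 19:00:00 {P} [20001] Waiting for lock on {HULK} {HELD} {HULK} with pid 20000",
]


def summarize(lines):
    """Return wait counts per file, invalid-lock waits, and unreleased waits."""
    waits = Counter()
    invalid = []
    pending = {}  # (waiting pid, path) -> timestamp; removed on "now gone"
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a cphulkd line in the expected shape
        ts, pid, msg = m.groups()
        if (w := WAIT.match(msg)):
            waits[w.group(1)] += 1
            pending[(pid, w.group(1))] = ts
        elif (g := GONE.match(msg)):
            pending.pop((pid, g.group(1)), None)
        elif (i := INVALID.match(msg)):
            invalid.append((ts, i.group(1), int(i.group(2))))
    return {"waits": dict(waits), "invalid": invalid, "unresolved": pending}


if __name__ == "__main__":
    for name, value in summarize(SAMPLE).items():
        print(name, value)
```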

  6. #6
    Member
    Join Date
    Dec 2001
    Posts
    746

    Looks like some file locking issues which may or may not be related to a bad drive. Please send in a support request so we can take a look. Thanks!

  7. #7
    Member
    Join Date
    Nov 2004
    Posts
    30

    Thanks, Dave. I think I need to go through my provider as I am not the cPanel licensee.

  8. #8
    Member
    Join Date
    Dec 2001
    Posts
    746

    Surely. If your provider is unable to track it down quickly, they can send it up to us.
