#1 (permalink)  
Old 03-12-2009, 10:49 AM
Registered User
 
Join Date: Jul 2008
Posts: 23
offline is on a distinguished road
cphulk

Can anyone tell me what cpanel hulk does? I understand what something like fail2ban does: it analyzes logs, then makes entries into iptables to block someone's IP address. How does hulk work and what does it protect?

Thanks,

Chris Edwards
__________________
Chris Edwards
Blue Dog Hosting
  #2 (permalink)  
Old 03-12-2009, 11:36 AM
Staff Member
 
Join Date: Dec 2001
Posts: 746
cpaneldave is on a distinguished road
cPHulk looks for logins for PAM services. Based on your configuration, it will block an IP after a specified number of failed logins from a specific IP (or for a specific account) for a specific period of time.
__________________
-Dave
cPanel Inc.

Need support? Submit a request here. These forums are not an official support channel.

www.cpanel.net
  #3 (permalink)  
Old 03-13-2009, 09:29 AM
Registered User
 
Join Date: Jul 2008
Posts: 23
offline is on a distinguished road
Hmm, interesting. What services/ports does it cover? When it bans an IP, I noticed that they can continue to try to log in, but they are blocked at the PAM level? Is there a file/log that is created that shows you which IPs are blocked?
  #4 (permalink)  
Old 03-13-2009, 10:41 AM
Staff Member
 
Join Date: Dec 2001
Posts: 746
cpaneldave is on a distinguished road
Quote:
Originally Posted by offline
Hmm, interesting. What services/ports does it cover? When it bans an IP, I noticed that they can continue to try to log in, but they are blocked at the PAM level? Is there a file/log that is created that shows you which IPs are blocked?
It covers: cPanel, WHM, FTP, SSH, and I may be forgetting some more which I'll track down.

We intentionally allow continued login attempts so as not to notify the attacker that they should start changing their strategy.

In WHM, you can see the log of blocked IPs. It's in the Security Center.
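Added example, not part of any post in this thread and not cPHulk's code: a small Python model of the behaviour described in posts #2 and #4, where a set number of failed logins per IP or per account triggers a block for a set period, and a blocked source gets the same answer as a bad password. The class name, thresholds and sample addresses are assumptions chosen for illustration.

```python
from collections import defaultdict, deque

class LockoutModel:
    """Illustrative model only; thresholds and names are assumptions."""

    def __init__(self, max_ip_failures, max_account_failures, window_s, block_s):
        self.limits = {"ip": max_ip_failures, "account": max_account_failures}
        self.window_s = window_s             # how far back failures are counted
        self.block_s = block_s               # how long a block lasts
        self.failures = defaultdict(deque)   # (kind, value) -> failure times
        self.blocked_until = {}              # (kind, value) -> expiry time
        self.block_log = []                  # (time, kind, value), the admin's view

    def _blocked(self, key, now):
        return self.blocked_until.get(key, 0) > now

    def _fail(self, key, now):
        times = self.failures[key]
        times.append(now)
        while times and times[0] <= now - self.window_s:
            times.popleft()                  # forget failures outside the window
        if len(times) >= self.limits[key[0]]:
            self.blocked_until[key] = now + self.block_s
            self.block_log.append((now, *key))
            times.clear()

    def attempt(self, ip, account, password_ok, now):
        """Return True only for a correct password from an unblocked source."""
        keys = [("ip", ip), ("account", account)]
        if any(self._blocked(k, now) for k in keys):
            # No distinct "you are blocked" answer: the client sees an
            # ordinary failed login, even when the password is right.
            return False
        if password_ok:
            return True
        for k in keys:
            self._fail(k, now)
        return False
```

Because the rejection is indistinguishable from a wrong password, the only place the block shows up is `block_log`, which plays the role of the blocked-IP log an administrator would consult.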
  #5 (permalink)  
Old 03-13-2009, 02:36 PM
Registered User
 
Join Date: Nov 2004
Posts: 30
elkram is on a distinguished road
Here's an excerpt from my /usr/local/cpanel/logs/error_log. Is this anything to worry about?

Code:
2009-03-13 16:44:54 info [cphulkd] [31754] Waiting for lock on /var/cpanel/hulkdpass held by cPhulkd - processor - locking /var/cpanel/hulkdpass with pid 31753
2009-03-13 16:44:55 info [cphulkd] [31754] Lock file /var/cpanel/hulkdpass.lock now gone, try to acquire
2009-03-13 17:15:15 info [cphulkd] [7325] Waiting for lock on /var/cpanel/hulkdpass held by cPhulkd - processor - locking /var/cpanel/hulkdpass with pid 7324
2009-03-13 17:15:16 info [cphulkd] [7325] Lock file /var/cpanel/hulkdpass.lock now gone, try to acquire
2009-03-13 17:30:25 info [cphulkd] [9268] Waiting for lock on /root/.my.cnf held by cPhulkd - processor - locking /root/.my.cnf with pid 9267
2009-03-13 17:30:25 info [cphulkd] [9280] Waiting for lock on /var/cpanel/hulkdpass held by cPhulkd - processor - locking /var/cpanel/hulkdpass with pid 9273
2009-03-13 17:30:25 info [cphulkd] [9275] Waiting for lock on /var/cpanel/hulkdpass held by cPhulkd - processor - locking /var/cpanel/hulkdpass with pid 9273
2009-03-13 17:30:26 info [cphulkd] [9268] Lock file /root/.my.cnf.lock now gone, try to acquire
2009-03-13 17:30:26 info [cphulkd] [9280] Lock file /var/cpanel/hulkdpass.lock now gone, try to acquire
2009-03-13 17:30:26 info [cphulkd] [9275] Lock file /var/cpanel/hulkdpass.lock now gone, try to acquire
2009-03-13 17:45:31 info [cphulkd] [10160] Waiting on invalid lock /var/cpanel/hulkdpass.lock for 60 seconds
2009-03-13 18:14:56 info [cphulkd] [16101] Waiting for lock on /root/.my.cnf held by cPhulkd - processor - locking /root/.my.cnf with pid 16099
2009-03-13 18:14:57 info [cphulkd] [16101] Lock file /root/.my.cnf.lock now gone, try to acquire
Plus, cPHulk never seems to add anything to its database.
Thanks.
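Added example, not part of the original post and not a cPanel tool: a Python sketch that summarises cphulkd lock messages of the kind shown in the excerpt above, pairing each "Waiting for lock" line with the matching "now gone" line by PID and listing "invalid lock" waits separately. The regular expressions are derived only from the lines in that excerpt, and the function and key names are assumptions.

```python
import re
from datetime import datetime

LINE = re.compile(r"^(\S+ \S+) info \[cphulkd\] \[(\d+)\] (.*)$")
WAIT = re.compile(r"^Waiting for lock on (\S+) held by .* with pid (\d+)$")
GONE = re.compile(r"^Lock file (\S+)\.lock now gone, try to acquire$")
INVALID = re.compile(r"^Waiting on invalid lock (\S+)\.lock for (\d+) seconds$")

def summarize_lock_waits(lines):
    pending = {}  # (pid, path) -> time the wait began
    out = {"waits": {}, "max_wait_s": {}, "invalid": [], "unresolved": []}
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a cphulkd info line
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        pid, msg = int(m.group(2)), m.group(3)
        if (w := WAIT.match(msg)):
            path = w.group(1)
            pending[(pid, path)] = ts
            out["waits"][path] = out["waits"].get(path, 0) + 1
        elif (g := GONE.match(msg)):
            path = g.group(1)
            start = pending.pop((pid, path), None)
            if start is not None:
                waited = int((ts - start).total_seconds())
                out["max_wait_s"][path] = max(out["max_wait_s"].get(path, 0), waited)
        elif (i := INVALID.match(msg)):
            out["invalid"].append((m.group(1), i.group(1), int(i.group(2))))
    # Waits that never saw a "now gone" line are the ones to look at first.
    out["unresolved"] = sorted(pending)
    return out

# Five lines copied from the excerpt in post #5.
SAMPLE = """\
2009-03-13 16:44:54 info [cphulkd] [31754] Waiting for lock on /var/cpanel/hulkdpass held by cPhulkd - processor - locking /var/cpanel/hulkdpass with pid 31753
2009-03-13 16:44:55 info [cphulkd] [31754] Lock file /var/cpanel/hulkdpass.lock now gone, try to acquire
2009-03-13 17:30:25 info [cphulkd] [9268] Waiting for lock on /root/.my.cnf held by cPhulkd - processor - locking /root/.my.cnf with pid 9267
2009-03-13 17:30:26 info [cphulkd] [9268] Lock file /root/.my.cnf.lock now gone, try to acquire
2009-03-13 17:45:31 info [cphulkd] [10160] Waiting on invalid lock /var/cpanel/hulkdpass.lock for 60 seconds
""".splitlines()

if __name__ == "__main__":
    print(summarize_lock_waits(SAMPLE))
```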
  #6 (permalink)  
Old 03-13-2009, 02:37 PM
Staff Member
 
Join Date: Dec 2001
Posts: 746
cpaneldave is on a distinguished road
Looks like some file locking issues which may or may not be related to a bad drive. Please send in a support request so we can take a look. Thanks!
  #7 (permalink)  
Old 03-13-2009, 02:40 PM
Registered User
 
Join Date: Nov 2004
Posts: 30
elkram is on a distinguished road
Thanks, Dave. I think I need to go through my provider as I am not the cPanel licensee.
  #8 (permalink)  
Old 03-13-2009, 02:52 PM
Staff Member
 
Join Date: Dec 2001
Posts: 746
cpaneldave is on a distinguished road
Surely. If your provider is unable to track it down quickly, they can send it up to us.

All times are GMT -5.