cphulk and host access control stopped working after upgrade?

[kjg]

Getting thousands of emails saying "Large Number of Failed Login Attempts from IP 64.185.237.173" since an hour back

The IP is added to brutes and blocked with expiration 2009-01-01, but after a while it starts all over again.

Also tried to stop the IP via host acces control (all deny) but it seems not to work either.

I don't understand this. A guess is that the db is flushed all the time making it possible for the attacker to continue.

We have the problem on the 3 servers that are upgraded to 11.24.4

cPanel 11.24.4-R32470 - WHM 11.24.2 - X 3.9
CENTOS 5.2

Any help would be very much appreciated.

[cPanelBrandonM]

Hello,
Would it be possible to get you to submit a support ticket so that we may take a look at this server? Thanks in advance.

[hlooman]

Hello, I have the exact same problem, 11K+ emails with login attempts in 2 days since the update.

Tried reconfiguring CPHulk to no avail.

Keep me informed on any progress on this.

Thanks, Hans.

[Zazoos1]

Yes, I am experiencing this SAME problem since the upgrade. Thousands upon thousands of emails... opened support ticket yesterday but so far no reply.

[cpanelnick]

Yes, I am experiencing this SAME problem since the upgrade. Thousands upon thousands of emails... opened support ticket yesterday but so far no reply.

Please post the ticket # so we can look into this.

Thanks

[headout]

We have the same problem, after the update.
cPanel 11.24.4-R32603 - WHM 11.24.2 - X 3.9
FREEBSD 6.2 i386 on standard

Users don't get blocked. The expiration time just gets renewed.

[kjg]

Update:
We posted a ticket to support and they solved it after a while.
According to them, there will be a fix in the next release.

Seems that the protection works ok, but the system keeps sending emails also after the ip is blocked.

[jack01]

The bugzilla is here:

http://bugzilla.cpanel.net/show_bug.cgi?id=8457

everyone affected please vote if you can.

[kjg]

As I said in the post above, the cpanel tech people solved it and told me:

"The issue (multiple E-Mails for a brute force attack) has been patched and will be available in revision 32707+."

I got that answer dec 30 and some 14 hours later I got the following:
"The fix is being tested and should be out in all 11.24 Builds soon."

So I guess it is on its way