SOLVED [CPANEL-27445] cPHulk Countries blacklist not working?

[tommyxv]

Looks like I am having the same issue. I upgraded from v78.x to v80.0.10 last night and it just seems cPHulk is not working at all now. I have not touched any of my cPHulk settings. I also have all countries blacklisted except US.

Getting hundreds of login failure notifications and the cPHulk History for one day blocks looks like this.

 

[tommyxv]

I just did a little test. I blocked my mobile phone IP in cPHulk and tried to login to WHM. Its giving me credentials invalid failure. I have it set to 3 max attempts. I just kept hitting login about 20 times and just got the same. I check cPHulk on my PC and there are no Failed Log Logins in the history, but 20 1 day blocks in the log and of course I got multiple "Excessive Number of Failed Login Attempts" emails for it.

cPHulk is not working like it used to before the upgrade. Hope you guys fix it soon.

 

[Gadge]

I also have this issue since upgrading to v80.0.9 a few days ago, and still following two more updates (now running v80.0.11) ...

 

[ycki]

I have 3 VPS with cPanel. Two of them started allowing login attempts to IPs from blacklist countries. This started to happen after the update from v78.x to v80.x. The third VPS failed to upgrade to v80.x.
It all happening exactly as @tommyxv and @Gadge reported, with lots of notification emails bothering my routine.
I also hope that the cPanel team can identify what happens, because the symptoms indicate the update of cPanel as the source of the problem.

 

[snowpoloi]

I have the same problem at 2 server whith cpanel that i have....Thousand of mails!!!since i update to 80 version....Do you have any solution???...do i have to open a ticket???

 

[tommyxv]

I updated to 80.0.12. Login attempt notifications from the blacklisted countries have stop BUT NOW, I don't get notifications for attempts from non-blacklisted countries or IPs.

Just as I suspected, this was a band aid fix and now all notifications are disabled.
Come on guys. 78.0.x worked just fine. Figured out what was changed and please fix it.

 

[ycki]

When I unlocked all countries, the lock report ran again, but the blacklist IPs continue with logged attempts, when they should not even be accepted.

All notification emails indicate that there was only ONE authentication failure.
Is it just the problem of unduly triggering notification for locks that occur before the actual connection attempt?

 

[edp stbc]

Dear CPanel team,

Our VPS also experience same issue after doing update. Waiting for next proper update.

 

[ycki]

After much study, I am convinced - until proven otherwise - that the problem is in triggering notification even though there was a previous block before a first login attempt.
Either this login attempt was allowed and only then was a lock, which was supposed to take place before processing the user / password data.
That, for me it is a notification problem and not a security problem.

 

[cPanelLauren]

Hello,

This should be fixed in v80.0.12 per our Changelogs which can be found here: 80 Change Log - Change Logs - cPanel Documentation

• Fixed case CPANEL-27445: Don't send cPHulkd notifications for blacklisted IP/country blocks.

Is anyone that has updated to 80.0.12 still experiencing the issue?

Thanks!

 

[tommyxv]

Hello,

This should be fixed in v80.0.12 per our Changelogs which can be found here: 80 Change Log - Change Logs - cPanel Documentation

• Fixed case CPANEL-27445: Don't send cPHulkd notifications for blacklisted IP/country blocks.

Is anyone that has updated to 80.0.12 still experiencing the issue?

Thanks!

I updated to 80.0.12. Login attempt notifications from the blacklisted countries have stop BUT NOW, I don't get notifications for attempts from non-blacklisted countries or IPs.

I'm not getting any notifications at all now even for the IPs that are not black listed. Still not fixed IMO.

 

[cPanelLauren]

Hi @tommyxv



Can you please open a ticket using the link in my signature? Once open please reply with the Ticket ID here so that we can update this thread with the resolution once the ticket is resolved.


Thanks!

 

[ycki]

Update made, error apparently fixed.
Thank you staff!

 

[blallard]

I have been experiencing this same issue for the past week (only checked this forum today) ... multiple one day blocks being created (often for the same IP address) for countries that have been blacklisted. There are currently over 46,000 entries in the one day blocks list and I have received several thousand notification emails in the past 24 hours alone. I have version 80.0.13 right now.

Is there actually any fix for this issue?

 

[cPanelLauren]

Hello @blallard

This should have been resolved in v80.0.12 if it is still occurring I'd suggest opening a ticket so we can look into the issue further.

 

[DallasClarke]

Blocking countries and domains is a useless feature in cpanel, I dont understand why it is still there. It doesn't do what it says.

 

[cPRex]

@DallasClarke - can you let me know what specific issues you're seeing that tool so I can do some testing?

 

[compufixpro]

I don't know if I have to open a new thread, but here I am in May of 2021 ((CENTOS 7.9 kvm [platinum] v96.0.8) I have a website with a firewall plugin that shows access from many countries that I have blocked in cPanel. Unless I misunderstood the purpose of country blocking, how do these countries access this website? See Attached. This shows country IP That is trying to login to website. I'm concerned that the GEO-LOCATION is not correct, which means there are possible USA Customers being blocked.

 

[cPRex]

Hey there, @compufixpro ! The short answer is that no country-code system is perfect - there just aren't master lists of IPs and what country they originate from, so there is a little bit of guesswork involved from the GEO location tools. If you're seeing enough false positives or false negatives to cause concern, it might be better to disable that function.