SOLVED [CPANEL-27445] cPHulk Countries blacklist not working?

tommyxv

Looks like I am having the same issue. I upgraded from v78.x to v80.0.10 last night and it just seems cPHulk is not working at all now. I have not touched any of my cPHulk settings. I also have all countries blacklisted except US.

Getting hundreds of login failure notifications and the cPHulk History for one day blocks looks like this.

[Attached image: 2019-05-30_7-47-47.jpg]
 

tommyxv

I just did a little test. I blocked my mobile phone IP in cPHulk and tried to log in to WHM. It's giving me a credentials invalid failure. I have it set to 3 max attempts. I just kept hitting login about 20 times and just got the same. I checked cPHulk on my PC and there are no Failed Log Logins in the history, but 20 1 day blocks in the log and of course I got multiple "Excessive Number of Failed Login Attempts" emails for it.

cPHulk is not working like it used to before the upgrade. Hope you guys fix it soon.
 

Gadge

I also have this issue since upgrading to v80.0.9 a few days ago, and still following two more updates (now running v80.0.11) ...
 

ycki

I have 3 VPS with cPanel. Two of them started allowing login attempts to IPs from blacklist countries. This started to happen after the update from v78.x to v80.x. The third VPS failed to upgrade to v80.x.
It is all happening exactly as @tommyxv and @Gadge reported, with lots of notification emails bothering my routine.
I also hope that the cPanel team can identify what happens, because the symptoms indicate the update of cPanel as the source of the problem.
 

snowpoloi

I have the same problem on 2 servers with cPanel that I have... Thousands of mails!!! since I updated to version 80... Do you have any solution??? Do I have to open a ticket???
 

tommyxv

I updated to 80.0.12. Login attempt notifications from the blacklisted countries have stopped BUT NOW, I don't get notifications for attempts from non-blacklisted countries or IPs.

Just as I suspected, this was a band aid fix and now all notifications are disabled. :rolleyes:
Come on guys. 78.0.x worked just fine. Figure out what was changed and please fix it.
 

ycki

When I unlocked all countries, the lock report ran again, but the blacklist IPs continue with logged attempts, when they should not even be accepted.

All notification emails indicate that there was only ONE authentication failure.
Is it just the problem of unduly triggering notification for locks that occur before the actual connection attempt?
 

ycki

After much study, I am convinced - until proven otherwise - that the problem is in triggering notification even though there was a previous block before a first login attempt.
Either this login attempt was allowed and only then was a lock, which was supposed to take place before processing the user / password data.
That, for me, is a notification problem and not a security problem.
 

cPanelLauren

Product Owner
Staff member
Hello,

This should be fixed in v80.0.12 per our Changelogs which can be found here: 80 Change Log - Change Logs - cPanel Documentation

  • Fixed case CPANEL-27445: Don't send cPHulkd notifications for blacklisted IP/country blocks.
Is anyone that has updated to 80.0.12 still experiencing the issue?

Thanks!
 

tommyxv

I updated to 80.0.12. Login attempt notifications from the blacklisted countries have stopped BUT NOW, I don't get notifications for attempts from non-blacklisted countries or IPs.
I'm not getting any notifications at all now even for the IPs that are not blacklisted. Still not fixed IMO.
 
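The behaviour the posts above ask for, written as a small model that is an added example and not part of the thread or cPanel's code: the blacklist check runs before any credential processing and sends no notification (the CPANEL-27445 changelog entry), while failures from non-blacklisted sources still produce one notification per new block. The class, the country code `ZZ` and the IP addresses are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class LoginGate:
    """Simplified model of a brute-force gate; NOT cPHulk's implementation."""
    blocked_countries: set
    max_failures: int = 3  # "3 max attempts", as in the test described in the thread
    failures: dict = field(default_factory=dict)
    temp_blocked: set = field(default_factory=set)
    notifications: list = field(default_factory=list)
    password_checks: int = 0

    def attempt(self, ip, country, password_ok):
        # 1. Country blacklist first: no credential check, no failure
        #    counter, no temporary block entry and no notification.
        if country in self.blocked_countries:
            return "denied-blacklist"
        # 2. Source already temp-blocked: refuse without notifying again.
        if ip in self.temp_blocked:
            return "denied-blocked"
        # 3. Only now are the credentials processed.
        self.password_checks += 1
        if password_ok:
            self.failures.pop(ip, None)
            return "ok"
        self.failures[ip] = self.failures.get(ip, 0) + 1
        if self.failures[ip] >= self.max_failures:
            self.temp_blocked.add(ip)
            self.notifications.append(ip)  # exactly one per new block
            return "blocked"
        return "failed"


def replay(gate, events):
    """Feed (ip, country, password_ok) tuples through the gate in order."""
    return [gate.attempt(*event) for event in events]


# Constructed sample: 20 attempts from a blacklisted country, then 5 bad
# passwords from an allowed one (documentation-range IP addresses).
EVENTS = [("203.0.113.9", "ZZ", False)] * 20 + [("198.51.100.7", "US", False)] * 5

if __name__ == "__main__":
    gate = LoginGate(blocked_countries={"ZZ"})
    print(replay(gate, EVENTS)[-5:], gate.notifications)
```

Both regressions reported here show up as a wrong `notifications` list: one entry per blacklisted attempt for the v80.0.9 to v80.0.11 behaviour, and an empty list for the v80.0.12 behaviour.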

cPanelLauren

Product Owner
Staff member
Hi @tommyxv



Can you please open a ticket using the link in my signature? Once open please reply with the Ticket ID here so that we can update this thread with the resolution once the ticket is resolved.


Thanks!
 

blallard

I have been experiencing this same issue for the past week (only checked this forum today) ... multiple one day blocks being created (often for the same IP address) for countries that have been blacklisted. There are currently over 46,000 entries in the one day blocks list and I have received several thousand notification emails in the past 24 hours alone. I have version 80.0.13 right now.

Is there actually any fix for this issue?
 

compufixpro

I don't know if I have to open a new thread, but here I am in May of 2021 (CENTOS 7.9 kvm [platinum] v96.0.8). I have a website with a firewall plugin that shows access from many countries that I have blocked in cPanel. Unless I misunderstood the purpose of country blocking, how do these countries access this website? See attached. This shows the country IP that is trying to log in to the website. I'm concerned that the GEO-LOCATION is not correct, which means there are possible USA customers being blocked.
 


cPRex

Jurassic Moderator
Staff member
Hey there, @compufixpro ! The short answer is that no country-code system is perfect - there just aren't master lists of IPs and what country they originate from, so there is a little bit of guesswork involved from the GEO location tools. If you're seeing enough false positives or false negatives to cause concern, it might be better to disable that function.