SOLVED [CPANEL-27445] Excessive cPHulk notifications for blacklisted IPs and Countries

Discussion in 'Security' started by tommyxv, May 29, 2019.

  1. tommyxv

    tommyxv Member

    Joined:
    Jun 15, 2006
    Messages:
    15
    Likes Received:
    4
    Trophy Points:
    153
    Updated to v80.0.10 tonight. After the update, I started getting brute force attempts from countries that I already had blacklisted. I did not change any of my cPHulk BFP settings.

    Any ideas?
     
  2. tommyxv

    tommyxv Member

    The failed logins are not even showing in History Reports either. Only when I filter to one day blocks they show.
     
  3. Smartypants

    Smartypants Member

    Joined:
    May 1, 2015
    Messages:
    16
    Likes Received:
    1
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Early this morning, I made the apparent mistake of updating all of the cPanel servers I manage to 80.0.10... and immediately after the update installed, ALL FOUR servers started bombarding me with "Excessive Number of Failed Login Attempts." And by "bombarding," I mean on the order of 30,000+ EMail messages in less than 8 hours... and there possibly would have been more, but it actually managed to push my EMail account over quota, so who knows how many were rejected (along with whatever legitimate EMails this caused me to miss).

    Aside from the serious disruption this glitch is causing, almost every other aspect of the notifications themselves is ALSO completely broken. First of all, I can find no actual indication of the brute force attempts it's supposedly alerting me to - I've randomly searched for a few dozen of the IPs that the supposed brute force attempts came from, and not a SINGLE one of them is listed in the "History Reports" section under "cPHulk Brute Force Protection". And it's also sending me notifications for supposed failed login attempts from individual IPs that are already blacklisted, from /24 ranges that are already blacklisted, AND from Countries that are already blacklisted.

    Unless it's COMPLETELY broken, the only explanation seems to be that it's re-sending notifications for EVERY SINGLE brute-force attempt that those servers ever received? Given that some of those servers have been in operation since 2014, that's gonna be quite a few. And suffice it to say, this does NOT inspire confidence in your QA process (if there even is one): when you're pushing out software as RELEASE/STABLE when it contains such serious, easily detectable flaws, then someone clearly didn't do their job properly.

    This needs to be corrected ASAP. When can we expect that you will be releasing a fix for this issue?
     
    #3 Smartypants, May 30, 2019
    Last edited by a moderator: May 31, 2019
    tommyxv likes this.
  4. cPanelMichael

    cPanelMichael Technical Support Community Manager Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    47,555
    Likes Received:
    2,182
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello @Smartypants,

    Internal case CPANEL-27445 will address an issue where a change in version 80 led to the initiation of cPHulk notifications for every login attempt from blacklisted IP addresses or blacklisted countries. I'll update this thread with more information as soon as the case is published.

    In the meantime, you can browse to WHM >> Contact Manager to temporarily disable cPHulk notifications until the case is published.

    Thank you.
     
    #4 cPanelMichael, May 30, 2019
    Last edited: May 31, 2019
  5. tommyxv

    tommyxv Member

    #5 tommyxv, May 30, 2019
    Last edited by a moderator: May 31, 2019
  6. cPanelMichael

    cPanelMichael Technical Support Community Manager Staff Member

    Hello,

    cPanel & WHM version 80.0.12 is now published to the CURRENT and EDGE release tiers with the following fix:

    Fixed case CPANEL-27445: Don't send cPHulkd notifications for blacklisted IP/country blocks.

    I'll update this thread again once version 80.0.12 enters the RELEASE tier.

    Let us know if you have any questions.

    Thank you.
     
    tommyxv likes this.
  7. tommyxv

    tommyxv Member

    Hi @cPanelMichael

    Are the cPHulk config settings working (ex: # of logins and length of blocks), and will they show failed logins in the history logs, or are you just disabling the notifications but they can still bot attempt logins after max # was reached and IP is blocked?

    That seemed to be an issue in addition to the notifications.
     
    #7 tommyxv, May 30, 2019
    Last edited: May 31, 2019
    edp stbc likes this.
  8. cPanelMichael

    cPanelMichael Technical Support Community Manager Staff Member

    Hello @tommyxv,

    The change in CPANEL-27445 relates exclusively to notifications. Notifications are no longer sent every time a login attempt fails because the user's IP address is blacklisted, or the user's IP address is part of a blacklisted country's IP space. There's no change to how failed logins are blocked or reported under WHM >> cPHulk Brute Force Protection >> History Reports.

    Let me know if you notice any additional issues.

    Thanks!
     
  9. Shahbaz Ahmed

    Shahbaz Ahmed Registered

    Joined:
    Jan 22, 2018
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Pakistan
    cPanel Access Level:
    Root Administrator
    My server is continuously under attack. Blacklist IPs, blacklist countries, nothing works. Server load reaches 100+ every 5 minutes. The current version of cPanel is 80.0.11. What should I do now?
     
  10. Shahbaz Ahmed

    Shahbaz Ahmed Registered

    Ok, I have manually updated to 80.0.12 and it fixed the issue.
     
  11. cPanelMichael

    cPanelMichael Technical Support Community Manager Staff Member

    Hello Everyone,

    cPanel & WHM version 80.0.12 is now published to the RELEASE build tier.

    Thank you.
     