SOLVED [CPANEL-27445] Excessive cPHulk notifications for blacklisted IPs and Countries

tommyxv

Member
Jun 15, 2006
15
4
153
Updated to v80.0.10 tonight. After the updated, I started getting brute force attempts from countries that I already had blacklisted. I did not change any of my cPHulk BFP setting.

Any ideas?
 

tommyxv

Member
Jun 15, 2006
15
4
153
The failed logins are not even showing in History Reports either. Only when I filter to one day blocks they show.
 

Smartypants

Member
May 1, 2015
23
1
3
cPanel Access Level
Root Administrator
Early this morning, I made the apparent mistake of updating all of the CPanel servers I manage to 80.0.10... and immediately after the update installed, ALL FOUR servers started bombarding me with "Excessive Number of Failed Login Attempts." And by "bombarding," I mean on the order of 30,000+ EMail messages in less than 8 hours... and there possibly would have been more, but it actually managed to push my EMail account over quota, so who knows how many were rejected (along with whatever legitimate EMails this caused me to miss).

Aside from the serious disruption this glitch is causing, almost every other aspect of the notifications themselves are ALSO completely broken. First of all, I can find no actual indication of the brute force attempts it's supposedly alerting me to - I've randomly searched for a few dozen of the IPs that the supposed brute force attempts came from, and not a SINGLE one of them is listed in the "History Reports" section under "cPHulk Brute Force Protection". And it's also sending me notifications for supposed failed login attempts from individual IPs that are already blacklisted, from /24 ranges that are already blacklisted, AND from Countries that are already blacklisted.

Unless it's COMPLETELY broken, the only explanation seems to be that it's re-sending notifications for EVERY SINGLE brute-force attempt that those servers ever received? Given that some of those servers have been in operation since 2014, that's gonna be quite a few. And suffice it to say, this does NOT inspire confidence in your QA process (if there even is one): when you're pushing out software as RELEASE/STABLE when it contains such serious, easily detectable flaws, then someone clearly didn't do their job properly.

This needs to be corrected ASAP. When can we expect that you will be releasing a fix for this issue?
 
Last edited by a moderator:
  • Like
Reactions: tommyxv

cPanelMichael

Technical Support Community Manager
Staff member
Apr 11, 2011
47,911
2,233
363
cPanel Access Level
DataCenter Provider
Twitter
Hello @Smartypants,

Internal case CPANEL-27445 will address an issue where a change in version 80 lead to the initiation of cPHulk notifications for every login attempt from blacklisted IP addresses or blacklisted countries. I'll update this thread with more information as soon as the case is published.

In the meantime, you can browse to WHM >> Contact Manager to temporarily disable cPHulk notifications until the case is published.

Thank you.
 
Last edited:

cPanelMichael

Technical Support Community Manager
Staff member
Apr 11, 2011
47,911
2,233
363
cPanel Access Level
DataCenter Provider
Twitter
Hello,

cPanel & WHM version 80.0.12 is now published to the CURRENT and EDGE release tiers with the following fix:

Fixed case CPANEL-27445: Don't send cPHulkd notifications for blacklisted IP/country blocks.

I'll update this thread again once version 80.0.12 enters the RELEASE tier.

Let us know if you have any questions.

Thank you.
 
  • Like
Reactions: tommyxv

tommyxv

Member
Jun 15, 2006
15
4
153
Hi @cPanelMichael

Are the cPHulk config setting working, (ex: # of logins and length of blocks), and will show failed logins in the history logs, or are you just disabling the notifications but they can still bot attempt logins after max # was reached and IP is blocked?

That seemed to be an issue in addition to the notifications.
 
Last edited:
  • Like
Reactions: edp stbc

cPanelMichael

Technical Support Community Manager
Staff member
Apr 11, 2011
47,911
2,233
363
cPanel Access Level
DataCenter Provider
Twitter
Hello @tommyxv,

Are the cPHulk config setting working, (ex: # of logins and length of blocks), and will show failed logins in the history logs
The change in CPANEL-27445 relates exclusively to notifications. Notifications are no longer sent every time a login attempt fails because the user's IP address is blacklisted, or the user's IP address is part of a blacklisted country's IP space. There's no change to how failed logins are blocked or reported under WHM >> cPHulk Brute Force Protection >> History Reports.

Let me know if you notice any additional issues.

Thanks!
 

Shahbaz Ahmed

Registered
Jan 22, 2018
4
0
1
Pakistan
cPanel Access Level
Root Administrator
My Server is continuous under attack. Black list IPs, Black list countries nothing works. Server load reaches to 100+ every 5 minutes. The current version of cpanel is 80.0.11 . What should I do now ?
 

cPanelMichael

Technical Support Community Manager
Staff member
Apr 11, 2011
47,911
2,233
363
cPanel Access Level
DataCenter Provider
Twitter
cPanel & WHM version 80.0.12 is now published to the CURRENT and EDGE release tiers with the following fix:

Fixed case CPANEL-27445: Don't send cPHulkd notifications for blacklisted IP/country blocks.

I'll update this thread again once version 80.0.12 enters the RELEASE tier.
Hello Everyone,

cPanel & WHM version 80.0.12 is now published to the RELEASE build tier.

Thank you.