Early this morning, I made the apparent mistake of updating all of the CPanel servers I manage to 80.0.10... and immediately after the update installed, ALL FOUR servers started bombarding me with "Excessive Number of Failed Login Attempts." And by "bombarding," I mean on the order of 30,000+ EMail messages in less than 8 hours... and there possibly would have been more, but it actually managed to push my EMail account over quota, so who knows how many were rejected (along with whatever legitimate EMails this caused me to miss).
Aside from the serious disruption this glitch is causing, almost every other aspect of the notifications themselves are ALSO completely broken. First of all, I can find no actual indication of the brute force attempts it's supposedly alerting me to - I've randomly searched for a few dozen of the IPs that the supposed brute force attempts came from, and not a SINGLE one of them is listed in the "History Reports" section under "cPHulk Brute Force Protection". And it's also sending me notifications for supposed failed login attempts from individual IPs that are already blacklisted, from /24 ranges that are already blacklisted, AND from Countries that are already blacklisted.
Unless it's COMPLETELY broken, the only explanation seems to be that it's re-sending notifications for EVERY SINGLE brute-force attempt that those servers ever received? Given that some of those servers have been in operation since 2014, that's gonna be quite a few. And suffice it to say, this does NOT inspire confidence in your QA process (if there even is one): when you're pushing out software as RELEASE/STABLE when it contains such serious, easily detectable flaws, then someone clearly didn't do their job properly.
This needs to be corrected ASAP. When can we expect that you will be releasing a fix for this issue?
Aside from the serious disruption this glitch is causing, almost every other aspect of the notifications themselves are ALSO completely broken. First of all, I can find no actual indication of the brute force attempts it's supposedly alerting me to - I've randomly searched for a few dozen of the IPs that the supposed brute force attempts came from, and not a SINGLE one of them is listed in the "History Reports" section under "cPHulk Brute Force Protection". And it's also sending me notifications for supposed failed login attempts from individual IPs that are already blacklisted, from /24 ranges that are already blacklisted, AND from Countries that are already blacklisted.
Unless it's COMPLETELY broken, the only explanation seems to be that it's re-sending notifications for EVERY SINGLE brute-force attempt that those servers ever received? Given that some of those servers have been in operation since 2014, that's gonna be quite a few. And suffice it to say, this does NOT inspire confidence in your QA process (if there even is one): when you're pushing out software as RELEASE/STABLE when it contains such serious, easily detectable flaws, then someone clearly didn't do their job properly.
This needs to be corrected ASAP. When can we expect that you will be releasing a fix for this issue?
Last edited by a moderator:
Hello @Smartypants,
Internal case CPANEL-27445 will address an issue where a change in version 80 lead to the initiation of cPHulk notifications for every login attempt from blacklisted IP addresses or blacklisted countries. I'll update this thread with more information as soon as the case is published.
In the meantime, you can browse to WHM >> Contact Manager to temporarily disable cPHulk notifications until the case is published.
Thank you.
Internal case CPANEL-27445 will address an issue where a change in version 80 lead to the initiation of cPHulk notifications for every login attempt from blacklisted IP addresses or blacklisted countries. I'll update this thread with more information as soon as the case is published.
In the meantime, you can browse to WHM >> Contact Manager to temporarily disable cPHulk notifications until the case is published.
Thank you.
Last edited:
Thanks, will keep an eye on this thread too.
Same here for me with 80.0.10. I posted here about it earlier.
In Progress - [CPANEL-27445] cPHulk Countries blacklist not working?
Same here for me with 80.0.10. I posted here about it earlier.
In Progress - [CPANEL-27445] cPHulk Countries blacklist not working?
Last edited by a moderator:
Hello,
cPanel & WHM version 80.0.12 is now published to the CURRENT and EDGE release tiers with the following fix:
Fixed case CPANEL-27445: Don't send cPHulkd notifications for blacklisted IP/country blocks.
I'll update this thread again once version 80.0.12 enters the RELEASE tier.
Let us know if you have any questions.
Thank you.
cPanel & WHM version 80.0.12 is now published to the CURRENT and EDGE release tiers with the following fix:
Fixed case CPANEL-27445: Don't send cPHulkd notifications for blacklisted IP/country blocks.
I'll update this thread again once version 80.0.12 enters the RELEASE tier.
Let us know if you have any questions.
Thank you.
Hi @cPanelMichael
Are the cPHulk config setting working, (ex: # of logins and length of blocks), and will show failed logins in the history logs, or are you just disabling the notifications but they can still bot attempt logins after max # was reached and IP is blocked?
That seemed to be an issue in addition to the notifications.
Are the cPHulk config setting working, (ex: # of logins and length of blocks), and will show failed logins in the history logs, or are you just disabling the notifications but they can still bot attempt logins after max # was reached and IP is blocked?
That seemed to be an issue in addition to the notifications.
Last edited:
Hello @tommyxv,
Let me know if you notice any additional issues.
Thanks!
The change in CPANEL-27445 relates exclusively to notifications. Notifications are no longer sent every time a login attempt fails because the user's IP address is blacklisted, or the user's IP address is part of a blacklisted country's IP space. There's no change to how failed logins are blocked or reported under WHM >> cPHulk Brute Force Protection >> History Reports.
Let me know if you notice any additional issues.
Thanks!
My Server is continuous under attack. Black list IPs, Black list countries nothing works. Server load reaches to 100+ every 5 minutes. The current version of cpanel is 80.0.11 . What should I do now ?
Hello Everyone,
cPanel & WHM version 80.0.12 is now published to the RELEASE build tier.
Thank you.