cPanel User Blocked From API Calls

[CanadaGuy]

I've been implementing a small application that uses cPanel API 2. Apparently, in my learning to authenticate and make API calls, I triggered some kind of login ban. The following is an excerpt from /usr/local/cpanel/logs/login_log:

info [cpaneld] 1.2.3.4 - cpaneluser "GET *long URL* HTTP/1.1" FAILED LOGIN cpaneld: access denied for root, reseller, and user password

Can anyone tell me how to unblock "cpaneluser" so that they can authenticate for API calls? I've looked all around the WHM interface and can't find any way to unblock.

 

[rpvw]

I suspect that the IP was blocked by the cPHulk service.

The block will very likely only be for a few minutes if you are using the default configuration.

You can unblock it in WHM by going to Security Center > cPHulk Brute Force Protection > History Reports and checking the Reports (select a report) to find which block your user/IP is in, and clicking on the corresponding Remove Block link

You may also want to add YOUR IP to the whitelist management tab to prevent you getting blocked yourself, especially whilst testing

See cPHulk Brute Force Protection - Version 74 Documentation - cPanel Documentation for full details.

 

[CanadaGuy]

I suspect that the IP was blocked by the cPHulk service.

The block will very likely only be for a few minutes if you are using the default configuration.

You can unblock it in WHM by going to Security Center > cPHulk Brute Force Protection > History Reports and checking the Reports (select a report) to find which block your user/IP is in, and clicking on the corresponding Remove Block link

You may also want to add YOUR IP to the whitelist management tab to prevent you getting blocked yourself, especially whilst testing

See cPHulk Brute Force Protection - Version 74 Documentation - cPanel Documentation for full details.

Hmm, I'll try that documentation. I tried clearing blocks last night and this morning to no effect. Under the same IP and host configruatcon it works under a different cPanel user, so I don't think it is IP based.

 

[rpvw]

cPHulk also blocks by user (or IP, and can also set a one-day block on IPs if they repeat offend) - so make sure you check all the blocked lists when you are trying to unblock.

 

[CanadaGuy]

cPHulk also blocks by user (or IP, and can also set a one-day block on IPs if they repeat offend) - so make sure you check all the blocked lists when you are trying to unblock.

The user account does show up in the block history, and can see it when I try an API request with that user account. Clear the history, and try again and it shows up immediately. Disabling cPHulk doesn't seem to have an effect, it stays blocked. I can't see the account listed anywhere.

I'll try digging through the cPHulk documentation to see what else I can find...

Any other ideas?

 

[CanadaGuy]

Disabling cPHulk does not allow the user in either, so wouldn't that indicate that cPHulk is not doing the blocking?

After some more poking, I finally understood the "reports" to view. All lists are empty: Blocked Users, Blocked IP Addresses, and One Day Blocks except for Failed Logins...I can clear that, but the username is still blocked it appears.

 

[rpvw]

If you had clicked the blue "Remove Blocks and Clear Reports" button, and then disabled cPHulk, I would have expected the user to be able to log in again.

I don't know of any other native systems in cPanel that would block a user. I can only assume there is something about the API login you are using for that user, that has an issue.

Can the user log in normally ?
Have you installed any other security software like CSF/LFD ?

 

[CanadaGuy]

Can the user log in normally ?
Have you installed any other security software like CSF/LFD ?

Yes, the user can login to the regular cPanel interface no problem. And yes, my bad, I should have mentioned I have CSF/LFD installed and working. I see the request show up in CSF - Watch System Logs - /var/log/lfd.log:

Sep 30 13:54:18 servername lfd[1403]: Failed cPanel login from server.ip.was.here - ignored

The reason the server IP is there, is because the script is being called from the server itself. But again as I said, another user in the same configuration can login fine so it doesn't seem like an IP block...I'll keep digging.

 

[rpvw]

Have you had a look at this page: Guide to Testing Custom Code - API Authentication - Developer Documentation - cPanel Documentation

You might want to flush any firewall bans and disable CSF/LFD and test again - it should only take a few seconds and if it still doesn't work, at lease you will have eliminated something else.

 

[CanadaGuy]

Have you had a look at this page: Guide to Testing Custom Code - API Authentication - Developer Documentation - cPanel Documentation

I have looked at that, but I'll try browsing through it again. I may try deleting the cPanel account and recreating it to see what effect that has, but I'd like that to be a last resort.

 

[CanadaGuy]

Okay, well that's f'd up, but may relate to another thread I saw. I changed the password for the account, and the login was successful now. I'll dig into this a little more and see what I can find.

 

[CanadaGuy]

Okay, well that's f'd up, but may relate to another thread I saw. I changed the password for the account, and the login was successful now. I'll dig into this a little more and see what I can find.

Okay, I found the issue and it was a hasty PHP mistake on my part dealing with how PHP double quoted strings are parsed when they have a $ in it.

This explains everything, but thank you for taking the time to help...I learned a few things along the way.

 

[rpvw]

Happy to have tried to help, and delighted you found the solution

 

[cPanelLauren]

Hi @CanadaGuy

I'm really glad you found the solution to the issue you were experiencing and @rpvw thanks for helping out!!