cPanel User Blocked From API Calls

CanadaGuy

Active Member
Sep 24, 2018
39
8
8
Ottawa
cPanel Access Level
Root Administrator
I've been implementing a small application that uses cPanel API 2. Apparently, in my learning to authenticate and make API calls, I triggered some kind of login ban. The following is an excerpt from /usr/local/cpanel/logs/login_log:

info [cpaneld] 1.2.3.4 - cpaneluser "GET *long URL* HTTP/1.1" FAILED LOGIN cpaneld: access denied for root, reseller, and user password

Can anyone tell me how to unblock "cpaneluser" so that they can authenticate for API calls? I've looked all around the WHM interface and can't find any way to unblock.
 

rpvw

Well-Known Member
Jul 18, 2013
1,101
459
113
UK
cPanel Access Level
Root Administrator
I suspect that the IP was blocked by the cPHulk service.

The block will very likely only be for a few minutes if you are using the default configuration.

You can unblock it in WHM by going to Security Center > cPHulk Brute Force Protection > History Reports and checking the Reports (select a report) to find which block your user/IP is in, and clicking on the corresponding Remove Block link.

You may also want to add YOUR IP to the whitelist management tab to prevent you getting blocked yourself, especially whilst testing :)

See cPHulk Brute Force Protection - Version 74 Documentation - cPanel Documentation for full details.
 

CanadaGuy

Hmm, I'll try that documentation. I tried clearing blocks last night and this morning to no effect. Under the same IP and host configuration it works under a different cPanel user, so I don't think it is IP based.
 

rpvw

cPHulk also blocks by user (or IP, and can also set a one-day block on IPs if they repeat offend) - so make sure you check all the blocked lists when you are trying to unblock.
 

CanadaGuy

The user account does show up in the block history, and I can see it when I try an API request with that user account. Clear the history, and try again and it shows up immediately. Disabling cPHulk doesn't seem to have an effect, it stays blocked. I can't see the account listed anywhere.

I'll try digging through the cPHulk documentation to see what else I can find...

Any other ideas?
 

CanadaGuy

Disabling cPHulk does not allow the user in either, so wouldn't that indicate that cPHulk is not doing the blocking?

After some more poking, I finally understood the "reports" to view. All lists are empty: Blocked Users, Blocked IP Addresses, and One Day Blocks except for Failed Logins...I can clear that, but the username is still blocked it appears.
 

rpvw

If you had clicked the blue "Remove Blocks and Clear Reports" button, and then disabled cPHulk, I would have expected the user to be able to log in again.

I don't know of any other native systems in cPanel that would block a user. I can only assume there is something about the API login you are using for that user, that has an issue.

Can the user log in normally?
Have you installed any other security software like CSF/LFD?
 

CanadaGuy

Yes, the user can login to the regular cPanel interface no problem. And yes, my bad, I should have mentioned I have CSF/LFD installed and working. I see the request show up in CSF - Watch System Logs - /var/log/lfd.log:

Sep 30 13:54:18 servername lfd[1403]: Failed cPanel login from server.ip.was.here - ignored

The reason the server IP is there, is because the script is being called from the server itself. But again as I said, another user in the same configuration can login fine so it doesn't seem like an IP block...I'll keep digging.
 

rpvw


CanadaGuy

Okay, well that's f'd up, but may relate to another thread I saw. I changed the password for the account, and the login was successful now. I'll dig into this a little more and see what I can find.
 

CanadaGuy

Okay, I found the issue and it was a hasty PHP mistake on my part dealing with how PHP double quoted strings are parsed when they have a $ in them.

This explains everything, but thank you for taking the time to help...I learned a few things along the way.
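
Added example, not part of the original posts: how a `$` inside a double-quoted PHP literal changes the credential that is actually sent, plus a small `token_get_all()` check that flags such literals in source. The username, password, variable names and the `$source` snippet are constructed for illustration; the thread does not show the poster's script.

```php
<?php
// Added example. All credentials and the $source snippet are constructed.

function basicAuthHeader(string $user, string $pass): string
{
    return 'Authorization: Basic ' . base64_encode($user . ':' . $pass);
}

// Returns [line, variable] pairs for every variable that PHP would
// interpolate into a double-quoted literal in the given source.
function findInterpolatedVars(string $phpSource): array
{
    $hits = [];
    $inString = false;
    foreach (token_get_all($phpSource) as $tok) {
        if ($tok === '"') {            // a bare quote token opens or closes
            $inString = !$inString;    // an interpolating string literal
            continue;
        }
        if ($inString && is_array($tok) && $tok[0] === T_VARIABLE) {
            $hits[] = [$tok[2], $tok[1]];
        }
    }
    return $hits;
}

$source = <<<'PHP'
<?php
$user = "cpaneluser";
$pass = "Tr0ub4$dor&3";   // bug: $dor is parsed as a variable
$safe = 'Tr0ub4$dor&3';   // single quotes: sent exactly as written
PHP;

foreach (findInterpolatedVars($source) as [$line, $var]) {
    echo "line $line: $var is interpolated inside a double-quoted string\n";
}

// What goes over the wire in each case. An undefined $dor expands to an
// empty string and PHP only logs a warning, so the login simply fails.
$dor = null; // stands in for the undefined variable, without the warning
$sent     = "Tr0ub4$dor&3";
$intended = 'Tr0ub4$dor&3';
echo "sent:     $sent\n";
echo "intended: $intended\n";
var_dump(basicAuthHeader('cpaneluser', $sent) === basicAuthHeader('cpaneluser', $intended));
```

Each failed attempt with the mangled password is logged as a failed login for that user, which matches the per-user entries seen in the cPHulk history while the same IP works for other accounts.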
 

rpvw

Happy to have tried to help, and delighted you found the solution :-D