cpHulk errors - 26,000+ bruteforce attacks but IP not blocked

Discussion in 'E-mail Discussions' started by phez, May 26, 2012.

  1. phez

    phez Member

    Folks,

    I seem to have a problem with cpHulk not blocking bruteforce attempts. Yesterday it was 4,500+ and today it's 26,000+, which have originated from 2 IPs. I have cpHulk enabled with the following settings:

    IP Based Brute Force Protection Period in minutes: 30
    Brute Force Protection Period in minutes: 30
    Maximum Failures By Account: 10
    Maximum Failures Per IP: 5
    Maximum Failures Per IP before IP is blocked for two week period: 30
    Send a notification upon successful root login when the IP is not whitelisted: Yes
    Extend account lockout time upon additional authentication failures: Yes
    Send notification when brute force user is detected: Yes


    Below is the log extract of cphulkd_errors.log:

    Code:
    -bash-3.2# tail -50 /usr/local/cpanel/logs/cphulkd_errors.log
    Auth failed for service: whostmgrd at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 93.
    Auth failed for service: whostmgrd at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 93.
    Auth failed for service: whostmgrd at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 93.
    Auth failed for service: whostmgrd at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 93.
    Auth failed for service: whostmgrd at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 93.
    Auth failed for service: whostmgrd at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 93.
    Auth failed for service: whostmgrd at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 93.
    Auth failed for service: whostmgrd at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 93.
    Auth failed for service: whostmgrd at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 93.
    Auth failed for service: whostmgrd at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 93.
    Auth failed for service: whostmgrd at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 93.
    Auth failed for service: whostmgrd at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 93.
    Auth failed for service: whostmgrd at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 93.
    Auth failed for service: whostmgrd at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 93.
    Auth failed for service: whostmgrd at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 93.
    Auth failed for service: whostmgrd at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 93.
    Auth failed for service: whostmgrd at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 93.
    Auth failed for service: whostmgrd at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 93.
    Auth failed for service: whostmgrd at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 93.
    Auth failed for service: whostmgrd at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 93.
    Auth failed for service: whostmgrd at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 93.
    Auth failed for service: whostmgrd at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 93.
    Auth failed for service: whostmgrd at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 93.
    Auth failed for service: whostmgrd at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 93.
    Auth failed for service: whostmgrd at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 93.
    Auth failed for service: whostmgrd at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 93.
    Auth failed for service: whostmgrd at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 93.
    Auth failed for service: whostmgrd at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 93.
    Auth failed for service: whostmgrd at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 93.
    Auth failed for service: dovecot at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 93.
    Auth failed for service: pam at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 93.
    Auth failed for service: pam at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 93.
    Auth failed for service: dovecot at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 93.
    Auth failed for service: whostmgrd at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 93.
    Auth failed for service: whostmgrd at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 93.
    Auth failed for service: whostmgrd at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 93.
    Auth failed for service: whostmgrd at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 93.
    Auth failed for service: whostmgrd at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 93.
    Auth failed for service: whostmgrd at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 93.
    Auth failed for service: whostmgrd at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 93.
    Auth failed for service: whostmgrd at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 93.
    Auth failed for service: whostmgrd at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 93.
    Auth failed for service: whostmgrd at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 93.
    Auth failed for service: whostmgrd at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 93.
    Auth failed for service: whostmgrd at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 93.
    Auth failed for service: whostmgrd at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 93.
    Auth failed for service: whostmgrd at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 93.
    Auth failed for service: whostmgrd at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 93.
    Auth failed for service: whostmgrd at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 93.
    Auth failed for service: whostmgrd at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 93.
    
    From today's daily logwatch email I see:
    
    --------------------- Dovecot Begin ------------------------
    
     Dovecot disconnects:
       Inactivity: 21 Time(s)
       Logged out bytes=11/313: 64 Time(s)
       Logged out bytes=11/318: 1 Time(s)
       Logged out bytes=11/338: 1 Time(s)
       Logged out bytes=11/340: 221 Time(s)
       Logged out bytes=110/592: 1 Time(s)
    
     **Unmatched Entries**
       dovecot: auth(default): : 26189 Time(s)
       dovecot: auth(default): Failed to getpwnam for user 00089: 1 Time(s)
       dovecot: auth(default): Failed to getpwnam for user 1: 1 Time(s)
       dovecot: auth(default): Failed to getpwnam for user 123: 2 Time(s)
       dovecot: auth(default): Failed to getpwnam for user 12345678: 2 Time(s)
       dovecot: auth(default): Failed to getpwnam for user 3comcso: 1 Time(s)
       dovecot: auth(default): Failed to getpwnam for user a: 7 Time(s)
       dovecot: auth(default): Failed to getpwnam for user aa: 2 Time(s)
    
    --- cut ---
    
      dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<zuzu>, method=PLAIN, rip=186.5.109.66, lip=<mycpanelip>: 1 Time(s)
       dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<zwo>, method=PLAIN, rip=186.5.109.66, lip=<mycpanelip>: 1 Time(s)
       dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<zxvf>, method=PLAIN, rip=124.160.32.172, lip=<mycpanelip>: 1 Time(s)
       dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<zxvf>, method=PLAIN, rip=186.5.109.66, lip=<mycpanelip>: 6 Time(s)
       dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<zyaire>, method=PLAIN, rip=186.5.109.66, lip=<mycpanelip>: 1 Time(s)
       dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<zygmund>, method=PLAIN, rip=186.5.109.66, lip=<mycpanelip>: 1 Time(s)
    
     ---------------------- Dovecot End -------------------------

    I have read another thread which said to force an update of scripts and ensure that cpHulk is running. I have done the following:

    /scripts/upcp --force

    I can confirm that cpHulk is running with:

    -bash-3.2# /scripts/restartsrv_cphulkd --status
    cphulkd (cPhulkd - processor) running as root with PID 22946 (pidfile check method)

    What else do I need to do to make sure that I block these IPs from a bruteforce attack?
    Thanks
    phez
     
    #1 phez, May 26, 2012
    Last edited: May 26, 2012
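
Added example, not part of the original post and not cPanel code: a shell function that tallies failed Dovecot logins per remote IP from the kind of lines shown above and lists the sources that a per-IP limit (such as the 5 and 30 in the posted settings) should already have caught. The names `over_threshold` and `sample_log`, the strict "greater than" comparison, and the sample lines (documentation-range addresses) are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: count Dovecot auth failures per remote IP and report the
# IPs whose total exceeds a per-IP limit, to cross-check cPHulk's blocking.

# over_threshold MAX < log  -> prints "failures ip", highest count first.
# Handles raw maillog lines (counted once) and logwatch summary lines that
# end in "N Time(s)" (counted N times); each is weighted by "N attempts".
over_threshold() {
  awk -v max="$1" '
    /dovecot: (pop3|imap)-login: .*auth failed/ {
      # rip= is the remote (client) address; skip lines without one
      if (!match($0, /rip=[0-9a-fA-F.:]+/)) next
      ip = substr($0, RSTART + 4, RLENGTH - 4)
      attempts = 1; times = 1
      if (match($0, /auth failed, [0-9]+ attempts/))
        attempts = substr($0, RSTART + 13, RLENGTH - 13) + 0
      if (match($0, /: [0-9]+ Time\(s\)[ \t]*$/))
        times = substr($0, RSTART + 2, RLENGTH - 2) + 0
      fails[ip] += attempts * times
    }
    END { for (ip in fails) if (fails[ip] > max) print fails[ip], ip }
  ' | sort -rn
}

# Constructed sample input: two raw log lines, two logwatch summary lines,
# and one successful login that must be ignored.
sample_log() {
  cat <<'EOF'
May 26 03:12:01 host dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<alice>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10
May 26 03:12:02 host dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<admin>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10
   dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<bob>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10: 6 Time(s)
   dovecot: pop3-login: Disconnected (auth failed, 2 attempts): user=<carol>, method=PLAIN, rip=198.51.100.9, lip=192.0.2.10: 2 Time(s)
May 26 03:15:00 host dovecot: pop3-login: Login: user=<dave>, method=PLAIN, rip=198.51.100.20, lip=192.0.2.10
EOF
}

# Compare against "Maximum Failures Per IP: 5" from the posted settings.
sample_log | over_threshold 5
```

Any address this lists that is absent from cPHulk's own block list points to failures that never reached the cphulkd counters, which is the symptom described in this thread.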
  2. texo

    texo Well-Known Member

  3. Eric

    Eric Administrator
    Staff Member

    Howdy,

    We would be happy to take a look at this; please issue a ticket.

    Thanks!
     
  4. mun

    mun Registered

    I can confirm - I have the very same problem - WHM 11.32.3 (build 19) on CENTOS 5.8 x86_64 standard, default CPHulk settings (enabled), cphulkd.log empty, cphulkd_errors.log full of these lines:

    Code:
    Auth failed for service: dovecot at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 93, <$__ANONIO__> line 1.
    Auth failed for service: pure-ftpd at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 93, <$__ANONIO__> line 1.
    Auth failed for service: dovecot at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 93, <$__ANONIO__> line 1.
    Auth failed for service: whostmgrd at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 93, <$__ANONIO__> line 1.
    Auth failed for service: whostmgrd at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 93, <$__ANONIO__> line 1.
    Auth failed for service: whostmgrd at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 93, <$__ANONIO__> line 1.
    Auth failed for service: whostmgrd at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 93, <$__ANONIO__> line 1.
    Auth failed for service: whostmgrd at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 93, <$__ANONIO__> line 1.
    Auth failed for service: whostmgrd at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 93, <$__ANONIO__> line 1.
    Auth failed for service: whostmgrd at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 93, <$__ANONIO__> line 1.
    Auth failed for service: whostmgrd at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 93, <$__ANONIO__> line 1.
    Auth failed for service: whostmgrd at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 93, <$__ANONIO__> line 1.
    Auth failed for service: whostmgrd at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 93, <$__ANONIO__> line 1.
    Auth failed for service: pure-ftpd at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 93, <$__ANONIO__> line 1.
    Auth failed for service: pure-ftpd at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 93, <$__ANONIO__> line 1.
    Auth failed for service: pure-ftpd at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 93, <$__ANONIO__> line 1.
    Auth failed for service: pure-ftpd at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 93, <$__ANONIO__> line 1.
    Auth failed for service: pure-ftpd at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 93, <$__ANONIO__> line 1.
    Auth failed for service: dovecot at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 93, <$__ANONIO__> line 1.
    Auth failed for service: pam at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 93, <$__ANONIO__> line 1.
    Auth failed for service: pam at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 93, <$__ANONIO__> line 1.
    
    Eric, you said to issue a ticket, however support pages refer me to my datacentre.

    Also to add, my two other CPanel servers are just fine (the same WHM build, CENTOS 5.8 i686 standard - 32bit), cphulkd.log sample line:
     
    #4 mun, Jun 14, 2012
    Last edited: Jun 15, 2012
  5. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Hello,

    You can always submit a ticket with us directly if you have root access to SSH and WHM on the machine along with a valid cPanel license.

    Simply use the link in my signature and provide the necessary details for issuing a ticket to us. Please post the ticket number here after you've submitted one for tracking purposes.

    Thanks!
     
  6. mun

    mun Registered

    Ok, I've found that I can submit a ticket directly from WHM. I was a bit reluctant to give out root access, so I've found out what the problem is myself: even though the hostname was set up during the first-login WHM setup, it wasn't modified in the cphulkd MySQL table. The same problem with SSL certificates - had to manually change all hostnames.
     