cpHulk errors - 26,000+ bruteforce attacks but IP not blocked

phez

Member
May 16, 2012
cPanel Access Level
Root Administrator
Folks,

I seem to have a problem with cpHulk not blocking bruteforce attempts. Yesterday it was 4,500+ and today it's 26,000+ which have originated from 2 IPs. I have cpHulk enabled with the following settings:

IP Based Brute Force Protection Period in minutes: 30
Brute Force Protection Period in minutes: 30
Maximum Failures By Account: 10
Maximum Failures Per IP: 5
Maximum Failures Per IP before IP is blocked for two week period: 30
Send a notification upon successful root login when the IP is not whitelisted: Yes
Extend account lockout time upon additional authentication failures: Yes
Send notification when brute force user is detected: Yes


Below is the log extract of cphulkd_errors.log:

Code:
-bash-3.2# tail -50 /usr/local/cpanel/logs/cphulkd_errors.log
Auth failed for service: whostmgrd at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 93.
Auth failed for service: whostmgrd at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 93.
Auth failed for service: whostmgrd at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 93.
Auth failed for service: whostmgrd at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 93.
Auth failed for service: whostmgrd at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 93.
Auth failed for service: whostmgrd at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 93.
Auth failed for service: whostmgrd at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 93.
Auth failed for service: whostmgrd at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 93.
Auth failed for service: whostmgrd at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 93.
Auth failed for service: whostmgrd at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 93.
Auth failed for service: whostmgrd at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 93.
Auth failed for service: whostmgrd at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 93.
Auth failed for service: whostmgrd at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 93.
Auth failed for service: whostmgrd at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 93.
Auth failed for service: whostmgrd at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 93.
Auth failed for service: whostmgrd at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 93.
Auth failed for service: whostmgrd at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 93.
Auth failed for service: whostmgrd at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 93.
Auth failed for service: whostmgrd at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 93.
Auth failed for service: whostmgrd at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 93.
Auth failed for service: whostmgrd at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 93.
Auth failed for service: whostmgrd at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 93.
Auth failed for service: whostmgrd at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 93.
Auth failed for service: whostmgrd at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 93.
Auth failed for service: whostmgrd at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 93.
Auth failed for service: whostmgrd at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 93.
Auth failed for service: whostmgrd at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 93.
Auth failed for service: whostmgrd at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 93.
Auth failed for service: whostmgrd at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 93.
Auth failed for service: dovecot at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 93.
Auth failed for service: pam at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 93.
Auth failed for service: pam at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 93.
Auth failed for service: dovecot at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 93.
Auth failed for service: whostmgrd at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 93.
Auth failed for service: whostmgrd at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 93.
Auth failed for service: whostmgrd at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 93.
Auth failed for service: whostmgrd at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 93.
Auth failed for service: whostmgrd at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 93.
Auth failed for service: whostmgrd at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 93.
Auth failed for service: whostmgrd at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 93.
Auth failed for service: whostmgrd at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 93.
Auth failed for service: whostmgrd at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 93.
Auth failed for service: whostmgrd at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 93.
Auth failed for service: whostmgrd at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 93.
Auth failed for service: whostmgrd at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 93.
Auth failed for service: whostmgrd at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 93.
Auth failed for service: whostmgrd at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 93.
Auth failed for service: whostmgrd at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 93.
Auth failed for service: whostmgrd at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 93.
Auth failed for service: whostmgrd at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 93.

From today's daily logwatch email I see:

--------------------- Dovecot Begin ------------------------

 Dovecot disconnects:
   Inactivity: 21 Time(s)
   Logged out bytes=11/313: 64 Time(s)
   Logged out bytes=11/318: 1 Time(s)
   Logged out bytes=11/338: 1 Time(s)
   Logged out bytes=11/340: 221 Time(s)
   Logged out bytes=110/592: 1 Time(s)

 **Unmatched Entries**
   dovecot: auth(default): : 26189 Time(s)
   dovecot: auth(default): Failed to getpwnam for user 00089: 1 Time(s)
   dovecot: auth(default): Failed to getpwnam for user 1: 1 Time(s)
   dovecot: auth(default): Failed to getpwnam for user 123: 2 Time(s)
   dovecot: auth(default): Failed to getpwnam for user 12345678: 2 Time(s)
   dovecot: auth(default): Failed to getpwnam for user 3comcso: 1 Time(s)
   dovecot: auth(default): Failed to getpwnam for user a: 7 Time(s)
   dovecot: auth(default): Failed to getpwnam for user aa: 2 Time(s)

--- cut ---

  dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<zuzu>, method=PLAIN, rip=186.5.109.66, lip=<mycpanelip>: 1 Time(s)
   dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<zwo>, method=PLAIN, rip=186.5.109.66, lip=<mycpanelip>: 1 Time(s)
   dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<zxvf>, method=PLAIN, rip=124.160.32.172, lip=<mycpanelip>: 1 Time(s)
   dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<zxvf>, method=PLAIN, rip=186.5.109.66, lip=<mycpanelip>: 6 Time(s)
   dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<zyaire>, method=PLAIN, rip=186.5.109.66, lip=<mycpanelip>: 1 Time(s)
   dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<zygmund>, method=PLAIN, rip=186.5.109.66, lip=<mycpanelip>: 1 Time(s)

 ---------------------- Dovecot End -------------------------

I have read another thread which said to force an update of scripts and ensure that cpHulk is running. I have done the following:

/scripts/upcp --force

I can confirm that cpHulk is running with:

-bash-3.2# /scripts/restartsrv_cphulkd --status
cphulkd (cPhulkd - processor) running as root with PID 22946 (pidfile check method)

What else do I need to do to make sure that I block these IPs from a bruteforce attack?
Thanks
phez
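An independent cross-check for the situation described in the post above, added here as an example and not part of the original post or of cPanel's code: it tallies Dovecot login failures per source IP inside a sliding 30-minute window and compares the peak against the two per-IP limits quoted in the settings. The raw syslog line shape, the hostname `host`, the `lip` value, the address 203.0.113.7, the year, and the "limit is reached at N failures" comparison are assumptions; this does not reproduce cpHulk's own counting.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Raw dovecot login-failure line as written to the mail log (assumed shape).
FAIL_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ dovecot: \S+-login: .*?"
    r"\(auth failed, (\d+) attempts\).*?rip=([0-9A-Fa-f.:]+)")

def sample_log():
    """Constructed sample: one heavy source, one moderate, one occasional."""
    base = datetime(2012, 6, 13, 10, 0, 0)
    rows = [(i * 20, "186.5.109.66") for i in range(40)]           # 40 in ~13 min
    rows += [(i * 60, "203.0.113.7") for i in range(6)]            # 6 in 5 min
    rows += [(0, "124.160.32.172"), (45 * 60, "124.160.32.172")]   # 45 min apart
    rows.sort()
    return [f"{(base + timedelta(seconds=s)):%b %d %H:%M:%S} host dovecot: "
            f"pop3-login: Disconnected (auth failed, 1 attempts): user=<x>, "
            f"method=PLAIN, rip={ip}, lip=192.0.2.10" for s, ip in rows]

def peak_failures(lines, window_minutes=30, year=2012):
    """Return {ip: highest failure count seen in any window}; lines must be in time order."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)      # ip -> (timestamp, attempts) still inside the window
    running = defaultdict(int)
    peak = defaultdict(int)
    for line in lines:
        m = FAIL_RE.match(line)
        if not m:
            continue                 # successful logins, other services, noise
        # Syslog timestamps carry no year, so one is supplied (assumption).
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ip, attempts = m.group(3), int(m.group(2))
        recent[ip].append((ts, attempts))
        running[ip] += attempts
        while ts - recent[ip][0][0] > window:   # expire entries older than the window
            running[ip] -= recent[ip].popleft()[1]
        peak[ip] = max(peak[ip], running[ip])
    return dict(peak)

def over_threshold(peaks, per_ip=5, long_block=30):
    """Label IPs whose peak reaches the per-IP limit (5) or the two-week limit (30)."""
    return {ip: "two-week limit reached" if n >= long_block else "per-IP limit reached"
            for ip, n in peaks.items() if n >= per_ip}

if __name__ == "__main__":
    for ip, label in over_threshold(peak_failures(sample_log())).items():
        print(ip, label)
```

Any address this reports that is absent from cpHulk's block list points at cpHulk not recording failures at all, rather than at thresholds set too high.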
 

mun

Registered
Jun 14, 2012
cPanel Access Level
Root Administrator
I can confirm - I have the very same problem - WHM 11.32.3 (build 19) on CENTOS 5.8 x86_64 standard, default CPHulk settings (enabled), cphulkd.log empty, cphulkd_errors.log full of these lines:

Code:
Auth failed for service: dovecot at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 93, <$__ANONIO__> line 1.
Auth failed for service: pure-ftpd at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 93, <$__ANONIO__> line 1.
Auth failed for service: dovecot at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 93, <$__ANONIO__> line 1.
Auth failed for service: whostmgrd at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 93, <$__ANONIO__> line 1.
Auth failed for service: whostmgrd at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 93, <$__ANONIO__> line 1.
Auth failed for service: whostmgrd at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 93, <$__ANONIO__> line 1.
Auth failed for service: whostmgrd at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 93, <$__ANONIO__> line 1.
Auth failed for service: whostmgrd at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 93, <$__ANONIO__> line 1.
Auth failed for service: whostmgrd at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 93, <$__ANONIO__> line 1.
Auth failed for service: whostmgrd at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 93, <$__ANONIO__> line 1.
Auth failed for service: whostmgrd at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 93, <$__ANONIO__> line 1.
Auth failed for service: whostmgrd at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 93, <$__ANONIO__> line 1.
Auth failed for service: whostmgrd at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 93, <$__ANONIO__> line 1.
Auth failed for service: pure-ftpd at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 93, <$__ANONIO__> line 1.
Auth failed for service: pure-ftpd at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 93, <$__ANONIO__> line 1.
Auth failed for service: pure-ftpd at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 93, <$__ANONIO__> line 1.
Auth failed for service: pure-ftpd at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 93, <$__ANONIO__> line 1.
Auth failed for service: pure-ftpd at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 93, <$__ANONIO__> line 1.
Auth failed for service: dovecot at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 93, <$__ANONIO__> line 1.
Auth failed for service: pam at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 93, <$__ANONIO__> line 1.
Auth failed for service: pam at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 93, <$__ANONIO__> line 1.

Eric, you said to issue a ticket; however, the support pages refer me to my datacentre.

Also to add, my two other CPanel servers are just fine (the same WHM build, CENTOS 5.8 i686 standard - 32bit), cphulkd.log sample line:
Thu Jun 14 18:55:17 2012 [info] Connection service=system ip=61.160.247.182 port=21 user=******** blocked by cphulkd (IP Address listed as brute)
 

cPanelTristan

Quality Assurance Analyst
Staff member
Oct 2, 2010
cPanel Access Level
Root Administrator
Hello,

You can always submit a ticket with us directly if you have root access to SSH and WHM on the machine along with a valid cPanel license.

Simply use the link in my signature and provide the necessary details for issuing a ticket to us. Please post the ticket number here after you've submitted one for tracking purposes.

Thanks!
 

mun

Registered
Jun 14, 2012
cPanel Access Level
Root Administrator
Ok, I've found that I can submit a ticket directly from WHM. I was a bit reluctant to give out root access, so I've found out what the problem is myself: even though the hostname was set up during the first-login WHM setup, it wasn't modified in the cphulkd MySQL table. The same problem with SSL certificates - had to manually change all hostnames.
 