The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

CPHulk Freezing up server

Discussion in 'Security' started by Shane3673, Apr 3, 2014.

  1. Shane3673

    Shane3673 Well-Known Member

    Joined:
    Dec 20, 2013
    Messages:
    96
    Likes Received:
    1
    Trophy Points:
    8
    cPanel Access Level:
    Root Administrator
    I have CPHulk enabled and sending me emails after 5 failed login attempts. I have whitelisted the main IPs associated with the businesses I host mail for to prevent them from being locked out. I use firewall rules on my Mikrotik router for all my blacklisting and firewall rules. I currently do not allow SSH for the outside network. I usually get about 50 brute force attempts daily and add those to my firewall as I get them. Once in a while, I will get hit with a brute force attempt and it will cause everyone trying to connect to get a password box for about 1 minute. It seems that my server cannot handle the amount of attempts for some brute force attacks. I only allow ports needed to the outside networks, no SSH or WHM. Almost all of the brute force attempts are from out of the country. I know this is normal and do not have a problem with them trying as it gives me notifications of IP addresses to block indefinitely before the traffic even reaches the server. My question is, Is there anything I can do to prevent the server from locking up when I get really bad brute force attempts?
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    653
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Is this happening on all services, or is it isolated to a service such as POP3?

    Thank you.
     
  3. Shane3673

    Shane3673 Well-Known Member

    Joined:
    Dec 20, 2013
    Messages:
    96
    Likes Received:
    1
    Trophy Points:
    8
    cPanel Access Level:
    Root Administrator
    Just POP3 will lock up as far as I know. I can always log into WHM and CPanel when it happens. Once in a great while IMAP or Clamav will fail and I have to reboot, but that is very rare. I actually just made the CPHulk lock a IP after 4 attempts for a 20 minute and 5 attempts for the 2 week lockout yesterday and the server hasn't locked up yet, but I haven't been getting as many fail login attempts either. This does not happen all the time. It seems that every once in a while for a couple days I will get massive brute force attempts and then I will get the normal amount that doesn't effect anything for a while. I think the last time this happened before the past week was Super Bowl weekend.

    I take that back. It just happened again. Sever locked up mail for about 1 minute. After I could send and receive again, I got 8 new IPs to block all brute forcing at the same time.
     
    #3 Shane3673, Apr 4, 2014
    Last edited: Apr 4, 2014
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    653
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    It seems like it's not cPhulk, but rather a mail server limit that's being reached. Check /var/log/maillog for the times when this happens to see if you notice in particular entries. Are you using Courier or Dovecot?

    Thank you.
     
  5. Shane3673

    Shane3673 Well-Known Member

    Joined:
    Dec 20, 2013
    Messages:
    96
    Likes Received:
    1
    Trophy Points:
    8
    cPanel Access Level:
    Root Administrator
    Okay, and honestly, I knew you were going to ask that, but I do not remember what I set it as when I was installing it. I set it for the one that said extremely reliable, but more of a performance hit.
     
  6. cPanelPeter

    cPanelPeter Technical Analyst III
    Staff Member

    Joined:
    Sep 23, 2013
    Messages:
    569
    Likes Received:
    15
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    Twitter:
    Hello,

    You can go to WHM => Service Configuration => Mailserver Selection and it will tell you which version you are currently running.
     
  7. Shane3673

    Shane3673 Well-Known Member

    Joined:
    Dec 20, 2013
    Messages:
    96
    Likes Received:
    1
    Trophy Points:
    8
    cPanel Access Level:
    Root Administrator
    I am using Courier.
     
  8. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    653
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Try using "grep" to see if there are any Input/Output error messages in /var/log/maillog. It's possible there is a lack of available authentication daemons available to accept a username/password. You can try increasing the "Number of Authentication Daemons" in "WHM Home » Service Configuration » Mailserver Configuration".

    Thank you.
     
  9. Shane3673

    Shane3673 Well-Known Member

    Joined:
    Dec 20, 2013
    Messages:
    96
    Likes Received:
    1
    Trophy Points:
    8
    cPanel Access Level:
    Root Administrator
    When it happens it looks like the log has tons of input/output errors and also has errors saying resource temporarily unavailable. I try ur suggestion. Thanks.
     
  10. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    653
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
  11. Shane3673

    Shane3673 Well-Known Member

    Joined:
    Dec 20, 2013
    Messages:
    96
    Likes Received:
    1
    Trophy Points:
    8
    cPanel Access Level:
    Root Administrator
    It seems to have helped so far. Thanks.
     
Loading...

Share This Page