The Community Forums


cphulk keeps preventing me from accessing the server

Discussion in 'Security' started by hanoii, Aug 5, 2014.

  1. hanoii

    hanoii Member

    Joined:
    Oct 15, 2010
    Messages:
    10
    Likes Received:
    0
    Trophy Points:
    1
    I can't get this right. I am on an ADSL line with an IP that changes frequently, and every time it does I keep getting banned from cPanel. However, it's not because of any misuse or brute force; my IP is not blacklisted anywhere and it's not reported on the cPHulk interface. This is not only happening to me but to other admins.

    The only way I have to log in to the server is access through ssh (pubkey) and run

    /scripts/cphulkdwhitelist IP

    And then I am OK, however, this is very annoying, how can I prevent this and why is this happening?
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    648
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    Are you sure your IP address is not getting blocked by cPhulk brute force detection? If whitelisting the IP address with cPHulk resolves the issue, then it would make sense that it locked you out. Review /usr/local/cpanel/logs/login_log the next time this happens to see if you can get a better idea of why you were locked out.

    Thank you.
     
  3. hanoii

    hanoii Member

    Joined:
    Oct 15, 2010
    Messages:
    10
    Likes Received:
    0
    Trophy Points:
    1
    This is what I have in the log from yesterday:

    w.x.y.z - root [08/05/2014:20:46:56 -0000] "POST /login/?login_only=1 HTTP/1.1" DEFERRED LOGIN whostmgrd: brute force attempt (user root) has locked out IP w.x.y.z
    w.x.y.z - root [08/05/2014:20:57:24 -0000] "GET / HTTP/1.1" DEFERRED LOGIN whostmgrd: security token missing

    Which says that I was actually locked out (although there's no report of this whatsoever in cphulkd on WHM; why is that?).

    Anyway, that's not the most important question, but why exactly was I locked out after one single login attempt, and with the right password? That's the only entry in the log at all, and it dates back to Jan 27, so pretty far off in time.

    I am using LastPass with its AutoLogin feature, so as soon as the form loads it fills the form and submits it. Can that be it? Is there a time detection that triggers the brute force detection? Anyway, it shouldn't lock an IP after one single attempt, even more so if the password is fine, which it is, even if the form is sent immediately.
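    As an added illustration (not code from the thread or from cPanel), the following parser reads /usr/local/cpanel/logs/login_log lines in the layout quoted above and separates real lockout events from other deferred logins such as "security token missing". It then counts lockouts per username and per source IP; when one username has been locked out from several distinct IPs, that is the account-level lockout pattern discussed later in this thread, which is worth checking before assuming your own IP is the problem. The sample log lines and the RFC 5737 addresses are constructed; the regex is an assumption based on the two quoted lines, not a cPanel API.

```python
import re
from collections import Counter, defaultdict

# Layout of the two login_log lines quoted in the thread (assumed, not a cPanel spec):
# IP - user [timestamp] "request" RESULT LOGIN service: message
LINE_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\w+) LOGIN (?P<service>\w+): (?P<msg>.*)$'
)
# The message cPHulk writes when it locks an IP after failed attempts for a user.
LOCKOUT_RE = re.compile(
    r'brute force attempt \(user (?P<user>\S+)\) has locked out IP (?P<ip>\S+)'
)

# Constructed sample: two unrelated IPs hammer "root", then the admin's own IP
# (192.0.2.10) is locked out on its first attempt, followed by a token error.
SAMPLE_LOG = """\
198.51.100.7 - root [08/05/2014:20:40:01 -0000] "POST /login/?login_only=1 HTTP/1.1" DEFERRED LOGIN whostmgrd: brute force attempt (user root) has locked out IP 198.51.100.7
198.51.100.9 - root [08/05/2014:20:41:13 -0000] "POST /login/?login_only=1 HTTP/1.1" DEFERRED LOGIN whostmgrd: brute force attempt (user root) has locked out IP 198.51.100.9
192.0.2.10 - root [08/05/2014:20:46:56 -0000] "POST /login/?login_only=1 HTTP/1.1" DEFERRED LOGIN whostmgrd: brute force attempt (user root) has locked out IP 192.0.2.10
192.0.2.10 - root [08/05/2014:20:57:24 -0000] "GET / HTTP/1.1" DEFERRED LOGIN whostmgrd: security token missing
"""

def parse_line(line):
    """Return the fields of one login_log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def summarize_lockouts(log_text):
    """Count lockout events per user and collect the IPs each user was locked out from.
    A user locked out from more than one IP is flagged as a likely account-level lockout."""
    per_user = Counter()
    ips_by_user = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        lock = LOCKOUT_RE.search(rec["msg"])
        if lock is None:
            continue  # e.g. "security token missing": a deferred login, not a lockout
        per_user[lock["user"]] += 1
        ips_by_user[lock["user"]].add(lock["ip"])
    return {
        "lockouts_per_user": dict(per_user),
        "ips_per_user": {u: sorted(ips) for u, ips in ips_by_user.items()},
        "account_lockout_suspects": sorted(u for u, ips in ips_by_user.items() if len(ips) > 1),
    }

if __name__ == "__main__":
    print(summarize_lockouts(SAMPLE_LOG))
```

Run it against the real file with `summarize_lockouts(open("/usr/local/cpanel/logs/login_log").read())`; if your own IP appears among several others for the same user, the account was locked, not just your address.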
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    648
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    It's possible the entire "root" user was locked out, and thus authentication failed because of that. Are you sure there were no other entries for "root" in the cPHulk brute history from other IP addresses?

    Thank you.
     
  5. hanoii

    hanoii Member

    Joined:
    Oct 15, 2010
    Messages:
    10
    Likes Received:
    0
    Trophy Points:
    1
    I have quite a few entries of root access to different services in the cPHulk "Login/Brute Force history report", but still, that shouldn't be an issue; we have that a lot, and the whole purpose of cPHulk is to filter out IPs, not users, as far as I can tell. Even more, I never whitelisted a user, but rather an IP, so blocking the "entire root user" is not something that seems possible, is it?
     
  6. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    648
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Accounts can be locked out by cPhulk, not just the individual IP addresses. You may want to consider using a third-party tool such as LFD/CSF if you prefer to block IP addresses completely if attacks are locking you out of your system when cPHulk is enabled.

    Thank you.
     
  7. hanoii

    hanoii Member

    Joined:
    Oct 15, 2010
    Messages:
    10
    Likes Received:
    0
    Trophy Points:
    1
    How can I know if cpHulk blocked an account and how can I unblock it then?
     
  8. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    648
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    You will see the account listed under "Brutes" in the "Login/Brute History Report" tab in "WHM Home » Security Center » cPHulk Brute Force Protection". You can click on the "Flush DB" option to clear the entries.

    Thank you.
     
  9. hanoii

    hanoii Member

    Joined:
    Oct 15, 2010
    Messages:
    10
    Likes Received:
    0
    Trophy Points:
    1
    I just saw "Maximum Failures By Account:" on the cphulk configuration, is there a value I can put there to prevent locking accounts, only IP? like 0 or -1, or only a very big number might do it?
     
  10. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    648
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    You could use a really high value for that option, but note that if it's an actual brute force attempt it may reach that number rather quickly.

    Thank you.
     
  11. Dave717

    Dave717 Member
    PartnerNOC

    Joined:
    Mar 29, 2013
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    This is a maddening problem. Since cPHulk can lock out an account, attackers love it because it's a built-in way to DoS the server. They just keep hammering away at the root account, which constantly re-locks it. As stated by the cPanel staff above, you can set that value to some arbitrarily high number, but odds are it will be reached quickly anyway.

    Since this also prevents wheel accounts from su'ing into root and prevents root logins from the console, it's an extremely effective way to kill a server. The only way back in is to reboot into single user mode, rip cphulk out by its roots (a VERY satisfying experience). Unfortunately that's not always possible (Xen VPS, for example). The end result is that with a handful of IPs, a bored script kiddy can turn cPanel's built-in security against it and lock out the root account indefinitely.

    Insane.
     
  12. EdwardMillen

    EdwardMillen Registered

    Joined:
    May 25, 2006
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    1
    ARGH! This is getting absolutely ridiculous now! I haven't been able to get any work done all day because I can't get into my own server!

    How hard can it be to add an option to just disable blocking by username?! I actually tried setting that value to 0 when I finally got back in after having this issue a couple of weeks ago (I couldn't find it documented anywhere what this would do, so all I could do was try it)... but instead of disabling it as I'd hoped, it instantly locked me out completely! I only managed to get back in and change the setting back by remotely accessing a computer somewhere else which did have a static IP which I had previously whitelisted, but unfortunately this is no longer available.

    Or allow attempts from certain countries to be blocked immediately without counting against limits... it already shows the country on all the emails I'm getting every couple of minutes (and none of the attempts are ever from here), so surely that can't be difficult to implement when it already fetches that information each time?

    Or allow the root username to be changed so that they can't just go straight for it.

    Or... and I know this might seem like a crazy idea if you can't even do any of the above, but how about allowing a dynamic DNS hostname to be entered in the whitelist, which is resolved to its actual IP address every so often? Even if it's a separate field with only a single entry rather than being able to enter these directly into the whitelist, it would still be a huge help.

    But no... none of these things are actually possible in this control panel which I'm paying £19 every month for, even though people have been having this issue for years! Not everyone has a static IP, it's really about time you guys realised that and implemented SOME sort of solution for this!
     
  13. dalem

    dalem Well-Known Member
    PartnerNOC

    Joined:
    Oct 24, 2003
    Messages:
    2,577
    Likes Received:
    40
    Trophy Points:
    48
    Location:
    SLC
    cPanel Access Level:
    DataCenter Provider
    We just disable cPHulk and use LFD/CSF; it basically does the same thing without locking accounts.
    cPHulk is annoying.
     
  14. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    648
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
  15. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    940
    Likes Received:
    55
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    It's nice to see IP blocking in the changes.

    Is there an option to never block on username alone, or to never lock out root? The number one problem for years with cPhulk is locking out legitimate administrators. I see numerous tickets for this on a daily basis, many times people assume they've been hacked and their root PW changed.
     
  16. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    648
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    That's not possible at this time and it's not planned for cPanel version 11.48. However, we do have a feature request open for this at:

    Ability to exempt certain user accounts, like root, from cphulkd's account based lockouts | cPanel Feature Requests

    cPanelBrianO has made some points regarding the security of such a feature and has asked for feedback.

    Thank you.
     
  17. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    940
    Likes Received:
    55
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    We do the same every chance we get. Sometimes however customers enable it, and within a day their server is "hacked" because root can't login.

    Thanks for the link to the feature request.
     