cphulk keeps preventing me from accessing the server

hanoii (Member, Oct 15, 2010)
I can't get this right. I am on an ADSL line with an IP that changes frequently, and every time it does I keep getting banned from cPanel. However, it's not because of any misuse or brute force: my IP is not blacklisted anywhere and it's not reported on the cPHulk interface. This is not only happening to me but to other admins as well.

The only way I have to log in to the server is access through ssh (pubkey) and run

/scripts/cphulkdwhitelist IP

And then I am OK. However, this is very annoying; how can I prevent this, and why is this happening?

cPanelMichael (Administrator, Staff member, Apr 11, 2011)
Hello :)

Are you sure your IP address is not getting blocked by cPhulk brute force detection? If whitelisting the IP address with cPHulk resolves the issue, then it would make sense that it locked you out. Review /usr/local/cpanel/logs/login_log the next time this happens to see if you can get a better idea of why you were locked out.

Thank you.

hanoii (Member, Oct 15, 2010)
This is what I have in the log from yesterday:

w.x.y.z - root [08/05/2014:20:46:56 -0000] "POST /login/?login_only=1 HTTP/1.1" DEFERRED LOGIN whostmgrd: brute force attempt (user root) has locked out IP w.x.y.z
w.x.y.z - root [08/05/2014:20:57:24 -0000] "GET / HTTP/1.1" DEFERRED LOGIN whostmgrd: security token missing

Which says that I was actually locked out (although there's no report of this whatsoever in cPHulkd on WHM; why is that?).

Anyway, that's not the most important question, but why exactly was I locked out after one single login attempt, and with the right password? That's the only entry in the log at all, and it dates back to Jan 27, so pretty far off in time.

I am using LastPass with its AutoLogin feature, so as soon as the form loads it fills the form and submits it; can that be it? Is there a time detection that triggers the brute force detection? Anyway, it shouldn't lock an IP after one single attempt, even more so if the pw is fine, which it is, even if the form is sent immediately.
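An added example, not from the thread or from cPanel: a small Python parser for the login_log line format pasted above. It answers the question a reader would want to settle at this point, namely whether the failed attempts that tripped the counter for an account came from the admin's own address or from elsewhere. The two DEFERRED LOGIN lines are copied from the post; the other sample lines are constructed, and the "FAILED LOGIN" status token used in them is an assumption about the log's wording, not something the thread shows.

```python
import re
from collections import defaultdict

# Line format of /usr/local/cpanel/logs/login_log as pasted in the thread:
#   <ip> - <user> [<timestamp>] "<request>" <STATUS> <service>: <message>
LOGIN_LOG_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>[A-Z]+ LOGIN) (?P<service>\w+): (?P<message>.*)$'
)
# Message cPHulk writes when it locks out a client, as shown in the thread.
LOCKOUT_RE = re.compile(
    r'brute force attempt \(user (?P<user>\S+)\) has locked out IP (?P<ip>\S+)'
)

# Constructed sample: the two lines from the thread plus three failed attempts from
# other addresses. The "FAILED LOGIN" token is an assumption, not taken from the thread.
SAMPLE_LOG = """\
203.0.113.5 - root [08/05/2014:20:40:01 -0000] "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN whostmgrd: bad password
203.0.113.5 - root [08/05/2014:20:40:07 -0000] "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN whostmgrd: bad password
198.51.100.9 - root [08/05/2014:20:41:13 -0000] "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN whostmgrd: bad password
w.x.y.z - root [08/05/2014:20:46:56 -0000] "POST /login/?login_only=1 HTTP/1.1" DEFERRED LOGIN whostmgrd: brute force attempt (user root) has locked out IP w.x.y.z
w.x.y.z - root [08/05/2014:20:57:24 -0000] "GET / HTTP/1.1" DEFERRED LOGIN whostmgrd: security token missing
"""


def parse_login_log(lines):
    """Parse login_log lines into dicts; lines that do not match the format are skipped."""
    entries = []
    for line in lines:
        m = LOGIN_LOG_RE.match(line.strip())
        if not m:
            continue
        entry = m.groupdict()
        # A DEFERRED LOGIN line is only a lockout if the message says so;
        # "security token missing" is also DEFERRED but is not a lockout.
        entry["locked_out"] = LOCKOUT_RE.search(entry["message"]) is not None
        entries.append(entry)
    return entries


def summarize(entries):
    """Per account: IPs with failed attempts, IPs that were locked out, and the failure count."""
    summary = defaultdict(lambda: {"failed_ips": set(), "locked_out_ips": set(), "failures": 0})
    for e in entries:
        s = summary[e["user"]]
        if e["locked_out"]:
            s["locked_out_ips"].add(e["ip"])
        elif e["status"] == "FAILED LOGIN":  # assumed status token, see above
            s["failed_ips"].add(e["ip"])
            s["failures"] += 1
    return dict(summary)


def other_sources(entries, user):
    """IPs whose failed attempts for `user` came from somewhere other than the locked-out IPs.
    A non-empty result means the account-level counter, not the admin's own address, tripped."""
    s = summarize(entries).get(user)
    if s is None:
        return set()
    return s["failed_ips"] - s["locked_out_ips"]


if __name__ == "__main__":
    entries = parse_login_log(SAMPLE_LOG.splitlines())
    for user, s in summarize(entries).items():
        print(user, "failures:", s["failures"], "from", sorted(s["failed_ips"]),
              "locked out:", sorted(s["locked_out_ips"]))
    print("other sources for root:", sorted(other_sources(entries, "root")))
```

On a real box, replace `SAMPLE_LOG.splitlines()` with the lines of /usr/local/cpanel/logs/login_log; if `other_sources(entries, "root")` is non-empty, the lockout was driven by attempts from other addresses against the same account.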

cPanelMichael (Administrator, Staff member, Apr 11, 2011)
It's possible the entire "root" user was locked out, and thus authentication failed because of that. Are you sure there were no other entries for "root" in the cPHulk brute history from other IP addresses?

Thank you.

hanoii (Member, Oct 15, 2010)
I have quite a few root access entries for different services in the cPHulk "Login/Brute Force history report", but still, that shouldn't be an issue; we have that a lot, and the whole purpose of cPHulk is to filter out IPs, not users, as far as I can tell. Even more, I never whitelisted a user, but rather an IP, so blocking the "entire root user" is not something that seems possible, is it?

cPanelMichael (Administrator, Staff member, Apr 11, 2011)
> we have that a lot and the whole purpose of cphulk is to filter out IPs, not users, as far as I can tell.
Accounts can be locked out by cPhulk, not just the individual IP addresses. You may want to consider using a third-party tool such as LFD/CSF if you prefer to block IP addresses completely if attacks are locking you out of your system when cPHulk is enabled.

Thank you.

cPanelMichael (Administrator, Staff member, Apr 11, 2011)
You will see the account listed under "Brutes" in the "Login/Brute History Report" tab in "WHM Home » Security Center » cPHulk Brute Force Protection". You can click on the "Flush DB" option to clear the entries.

Thank you.

hanoii (Member, Oct 15, 2010)
I just saw "Maximum Failures By Account:" in the cPHulk configuration. Is there a value I can put there to prevent locking accounts and only lock IPs, like 0 or -1, or will only a very big number do it?

cPanelMichael (Administrator, Staff member, Apr 11, 2011)
You could use a really high value for that option, but note that if it's an actual brute force attempt it may reach that number rather quickly.

Thank you.

Dave717 (Member, PartnerNOC, Mar 29, 2013; cPanel Access Level: Root Administrator)
This is a maddening problem. Since cPHulk can lock out an account, attackers love it because it's a built-in way to DoS the server. They just keep hammering away at the root account, which constantly re-locks it. As stated by the cPanel staff above, you can set that value to some arbitrarily high number, but odds are it will be reached quickly anyway.

Since this also prevents wheel accounts from su'ing into root and prevents root logins from the console, it's an extremely effective way to kill a server. The only way back in is to reboot into single user mode and rip cPHulk out by its roots (a VERY satisfying experience). Unfortunately that's not always possible (Xen VPS, for example). The end result is that with a handful of IPs, a bored script kiddie can turn cPanel's built-in security against it and lock out the root account indefinitely.

Insane.

EdwardMillen (Registered, May 25, 2006)
ARGH! This is getting absolutely ridiculous now! I haven't been able to get any work done all day because I can't get into my own server!

How hard can it be to add an option to just disable blocking by username?! I actually tried setting that value to 0 when I finally got back in after having this issue a couple of weeks ago (I couldn't find it documented anywhere what this would do, so all I could do was try it)... but instead of disabling it as I'd hoped, it instantly locked me out completely! I only managed to get back in and change the setting back by remotely accessing a computer somewhere else which did have a static IP which I had previously whitelisted, but unfortunately this is no longer available.

Or allow attempts from certain countries to be blocked immediately without counting against limits... it already shows the country on all the emails I'm getting every couple of minutes (and none of the attempts are ever from here), so surely that can't be difficult to implement when it already fetches that information each time?

Or allow the root username to be changed so that they can't just go straight for it.

Or... and I know this might seem like a crazy idea if you can't even do any of the above, but how about allowing a dynamic DNS hostname to be entered in the whitelist, which is resolved to its actual IP address every so often? Even if it's a separate field with only a single entry rather than being able to enter these directly into the whitelist, it would still be a huge help.

But no... none of these things are actually possible in this control panel which I'm paying £19 every month for, even though people have been having this issue for years! Not everyone has a static IP, it's really about time you guys realised that and implemented SOME sort of solution for this!
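An added example, not part of the post above and not cPanel's code: the dynamic-DNS whitelist idea implemented as a small Python script, meant to run from root's cron on the server. It resolves a hostname, and when the address differs from the one it whitelisted last time it calls the same /scripts/cphulkdwhitelist command the thread uses. The hostname admin-home.example.net and the state file path are hypothetical; the script assumes the admin's DDNS client keeps the hostname current and that cron runs it often enough for the window between an IP change and the next run to be acceptable. The resolver and the command runner are injectable so the logic can be exercised without DNS or a cPanel box.

```python
import json
import os
import socket
import subprocess

# Command named in the thread for adding an address to the cPHulk whitelist.
WHITELIST_SCRIPT = "/scripts/cphulkdwhitelist"
# Assumed location for remembering the last address seen per hostname.
STATE_PATH = "/var/lib/cphulk-ddns-state.json"


def load_state(path=STATE_PATH):
    """Return the saved hostname -> IP map, or an empty map if none exists yet."""
    if not os.path.exists(path):
        return {}
    with open(path) as fh:
        return json.load(fh)


def save_state(state, path=STATE_PATH):
    """Persist the hostname -> IP map so the next run can detect a change."""
    with open(path, "w") as fh:
        json.dump(state, fh)


def sync_whitelist(hostname, state, resolve=socket.gethostbyname, run=subprocess.run):
    """Resolve `hostname`; if the address differs from what was whitelisted last time,
    whitelist the new one. Returns (changed, ip). `state` is updated in place."""
    ip = resolve(hostname)
    if state.get(hostname) == ip:
        return False, ip
    # cphulkdwhitelist only adds: earlier addresses stay on the whitelist until
    # removed by hand, so prune stale entries periodically.
    run([WHITELIST_SCRIPT, ip], check=True)
    state[hostname] = ip
    return True, ip


if __name__ == "__main__":
    import sys
    # Hypothetical DDNS hostname; pass the real one as the first argument.
    host = sys.argv[1] if len(sys.argv) > 1 else "admin-home.example.net"
    state = load_state()
    changed, ip = sync_whitelist(host, state)
    if changed:
        save_state(state)
    print(f"{host} -> {ip} ({'whitelisted' if changed else 'unchanged'})")
```

A cron entry such as `*/5 * * * * /usr/bin/python3 /root/cphulk_ddns.py admin-home.example.net` (assumed path) keeps the whitelist following the hostname; the design trade-off is that anyone who can control that DNS name can whitelist an address of their choosing, so the hostname must be one only the admin can update.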

cPanelMichael (Administrator, Staff member, Apr 11, 2011)

quizknows (Well-Known Member, Oct 20, 2009; cPanel Access Level: DataCenter Provider)
It's nice to see IP blocking in the changes.

Is there an option to never block on username alone, or to never lock out root? The number one problem for years with cPHulk is locking out legitimate administrators. I see numerous tickets for this on a daily basis; many times people assume they've been hacked and their root PW changed.

cPanelMichael (Administrator, Staff member, Apr 11, 2011)
> Is there an option to never block on username alone, or to never lock out root? The number one problem for years with cPhulk is locking out legitimate administrators. I see numerous tickets for this on a daily basis, many times people assume they've been hacked and their root PW changed.
That's not possible at this time and it's not planned for cPanel version 11.48. However, we do have a feature request open for this at:

Ability to exempt certain user accounts, like root, from cphulkd's account based lockouts | cPanel Feature Requests

cPanelBrianO has made some points regarding the security of such a feature and has asked for feedback.

Thank you.

quizknows (Well-Known Member, Oct 20, 2009; cPanel Access Level: DataCenter Provider)
> we just disable cphulk and use LFD/CSF it basically does the same thing without locking accounts
> cphulk is annoying

We do the same every chance we get. Sometimes, however, customers enable it, and within a day their server is "hacked" because root can't log in.

Thanks for the link to the feature request.