cphulk keeps preventing me from accessing the server

[hanoii]

I can't get this right. I am on an ADSL line with an IP that changes frequently and everytime it does I keep getting banned from cpanel, however, it's not because of any missuse or bruteforce, my ip is not blacklisted anywhere and it's not reported on the cphulk interface. This is not only happening to me but to other admins.

The only way I have to log in to the server is access through ssh (pubkey) and run

/scripts/cphulkdwhitelist IP

And then I am OK, however, this is very annoying, how can I prevent this and why is this happening?

 

[cPanelMichael]

Hello

Are you sure your IP address is not getting blocked by cPhulk brute force detection? If whitelisting the IP address with cPHulk resolves the issue, then it would make sense that it locked you out. Review /usr/local/cpanel/logs/login_log the next time this happens to see if you can get a better idea of why you were locked out.

Thank you.

 

[hanoii]

This is what I have in the log from yesterday:

w.x.y.z - root [08/05/2014:20:46:56 -0000] "POST /login/?login_only=1 HTTP/1.1" DEFERRED LOGIN whostmgrd: brute force attempt (user root) has locked out IP w.x.y.z
w.x.y.z - root [08/05/2014:20:57:24 -0000] "GET / HTTP/1.1" DEFERRED LOGIN whostmgrd: security token missing

Which says that I was actually locked out (although there's no report of this whatsoever in cphulkd on WHM, why is that?

Anyway, that's not the most important question, but why exactly I was locked out after one single login attempt, and with the right password? That's the only entry in the log at all, and it dates back to Jan 27 so pretty far off in time.

I am using LastPass with its AutoLogin feature, so as soon as the form loads it fills the form and submit it, can that be it? Is there a time detection that triggers the bruteforce detection? Anyway, it shouldn't lock an IP after one single attempt, evenmore if the pw is fine, which it is, even if the form is sent immediately.

 

[cPanelMichael]

It's possible the entire "root" user was locked out, and thus authenticated failed because of that. Are you sure there were no other entries for "root" in the cPHulk brute history from other IP addresses?

Thank you.

 

[hanoii]

I have quite a few numbers of root access to different services in cphulk "Login/Brute Force history report" but still, that shouldn't be an issue, we have that a lot and the whole purpose of cphulk is to filter out IPs, not users, as far as I can tell. Even more, I never whitelisted an user, but rather an IP, so blocking "entire root user" is not something that seems possible, is it?

 

[cPanelMichael]

we have that a lot and the whole purpose of cphulk is to filter out IPs, not users, as far as I can tell.

Accounts can be locked out by cPhulk, not just the individual IP addresses. You may want to consider using a third-party tool such as LFD/CSF if you prefer to block IP addresses completely if attacks are locking you out of your system when cPHulk is enabled.

Thank you.

 

[hanoii]

How can I know if cpHulk blocked an account and how can I unblock it then?

 

[cPanelMichael]

You will see the account listed under "Brutes" in the "Login/Brute History Report" tab in "WHM Home » Security Center » cPHulk Brute Force Protection". You can click on the "Flush DB" option to clear the entries.

Thank you.

 

[hanoii]

I just saw "Maximum Failures By Account:" on the cphulk configuration, is there a value I can put there to prevent locking accounts, only IP? like 0 or -1, or only a very big number might do it?

 

[cPanelMichael]

You could use a really high value for that option, but note that if it's an actual brute force attempt it may reach that number rather quickly.

Thank you.

 

[Dave717]

This is a maddening problem. Since cphulk can lock out an account, attackers love it because it's a built-in way to DOS the server. They just keep hammering away at the root account, which constantly re-locks it. As stated by the cPanel staff above, you can set that value to some arbitrarily high number, but odds are it will be reached quickly anyway.

Since this also prevents wheel accounts from su'ing into root and prevents root logins from the console, it's an extremely effective way to kill a server. The only way back in is to reboot into single user mode, rip cphulk out by its roots (a VERY satisfying experience). Unfortunately that's not always possible (Xen VPS, for example). The end result is that with a handful of IPs, a bored script kiddy can turn cPanel's built-in security against it and lock out the root account indefinitely.

Insane.

 

[EdwardMillen]

ARGH! This is getting absolutely ridiculous now! I haven't been able to get any work done all day because I can't get into my own server!

How hard can it be to add an option to just disable blocking by username?! I actually tried setting that value to 0 when I finally got back in after having this issue a couple of weeks ago (I couldn't find it documented anywhere what this would do, so all I could do was try it)... but instead of disabling it as I'd hoped, it instantly locked me out completely! I only managed to get back in and change the setting back by remotely accessing a computer somewhere else which did have a static IP which I had previously whitelisted, but unfortunately this is no longer available.

Or allow attempts from certain countries to be blocked immediately without counting against limits... it already shows the country on all the emails I'm getting every couple of minutes (and none of the attempts are ever from here), so surely that can't be difficult to implement when it already fetches that information each time?

Or allow the root username to be changed so that they can't just go straight for it.

Or... and I know this might seem like a crazy idea if you can't even do any of the above, but how about allowing a dynamic DNS hostname to be entered in the whitelist, which is resolved to its actual IP address every so often? Even if it's a separate field with only a single entry rather than being able to enter these directly into the whitelist, it would still be a huge help.

But no... none of these things are actually possible in this control panel which I'm paying £19 every month for, even though people have been having this issue for years! Not everyone has a static IP, it's really about time you guys realised that and implemented SOME sort of solution for this!

 

[dalem]

we just disable cphulk and use LFD/CSF it basically does the same thing without locking accounts
cphulk is annoying

 

[cPanelMichael]

Some changes to cPHulk are scheduled for cPanel version 11.48 as referenced here:

cPHulkd to better mitigate Brute Force Attacks | cPanel Feature Requests

However, it's important to submit a feature request for any additional features you would like to see implemented.

Thank you.

 

[quizknows]

It's nice to see IP blocking in the changes.

Is there an option to never block on username alone, or to never lock out root? The number one problem for years with cPhulk is locking out legitimate administrators. I see numerous tickets for this on a daily basis, many times people assume they've been hacked and their root PW changed.

 

[cPanelMichael]

Is there an option to never block on username alone, or to never lock out root? The number one problem for years with cPhulk is locking out legitimate administrators. I see numerous tickets for this on a daily basis, many times people assume they've been hacked and their root PW changed.

That's not possible at this time and it's not planned for cPanel version 11.48. However, we do have a feature request open for this at:

Ability to exempt certain user accounts, like root, from cphulkd's account based lockouts | cPanel Feature Requests

cPanelBrianO has made some points regarding the security of such a feature and has asked for feedback.

Thank you.

 

[quizknows]

we just disable cphulk and use LFD/CSF it basically does the same thing without locking accounts
cphulk is annoying

We do the same every chance we get. Sometimes however customers enable it, and within a day their server is "hacked" because root can't login.

Thanks for the link to the feature request.