cpHulk Not Blocking Authentication Attempts

Operating System & Version
CentOS release 6.10
cPanel & WHM Version
WHM: v84.0.21 cPanel: 84.0 (build 21)

SysProgrammer

Member
Feb 13, 2020
6
0
1
USA
cPanel Access Level
Root Administrator
I have extremely strict security settings in cpHulk--as strict as it will let me make them. Recently, I've noticed that it has stopped emailing me about blocks and it has appeared to stop blocking altogether. I was looking around on my server and I noticed that there have been very recent (last 24 hours) attempts to log in to services, based on /var/log/exim_rejectlog

I validated that cphulk is the first rule in the input chain in iptables. What could be causing this issue?
 

cPanelLauren

Product Owner II
Staff member
Nov 14, 2017
13,266
1,300
363
Houston
What, if anything, is logged in the cPhulk logs? You can find them here:

/usr/local/cpanel/logs/cphulkd_errors.log
/usr/local/cpanel/logs/cphulkd.log

You might also ensure the process is actually running as well

Bash:
[[email protected] ~]# ps faux |grep cPhul[k]
root      1862  0.0  0.1 152104  6952 ?        S    Feb13   0:05 cPhulkd - processor
root      3912  0.0  0.1 151188  5968 ?        S    Feb13   0:06  \_ cPhulkd - dbprocessor
 

SysProgrammer

The cphulkd_errors.log shows this repeating (log file has mtime of 2 days ago):

socket: Protocol not supported at /usr/local/cpanel/Cpanel/Linux/Netlink.pm line 302, <GEN3> line 4.
...caught at /usr/local/cpanel/Cpanel/Ident.pm line 49, <GEN3> line 4.
socket: Protocol not supported at /usr/local/cpanel/Cpanel/Linux/Netlink.pm line 302, <GEN3> line 6.
...caught at /usr/local/cpanel/Cpanel/Ident.pm line 49, <GEN3> line 6.

Here are the last 50 lines of cphulkd.log:

[2020-02-14 05:37:09 +0000] info [cPhulkd] processor startup with pid 1997
[2020-02-14 05:50:10 +0000] info [cPhulkd] DB processor shutdown via SIGTERM with pid 11589
[2020-02-14 07:43:41 +0000] info [cPhulkd] processor startup with pid 1997
[2020-02-14 07:43:41 +0000] info [cPhulkd] DB processor startup with pid 24113
[2020-02-14 07:53:47 +0000] info [cPhulkd] DB processor shutdown via SIGTERM with pid 24113
[2020-02-14 10:23:32 +0000] info [cPhulkd] processor startup with pid 1997
[2020-02-14 10:23:32 +0000] info [cPhulkd] DB processor startup with pid 7677
[2020-02-14 10:33:32 +0000] info [cPhulkd] DB processor shutdown via SIGTERM with pid 7677
[2020-02-14 13:28:35 +0000] info [cPhulkd] processor startup with pid 1997
[2020-02-14 13:28:35 +0000] info [cPhulkd] DB processor startup with pid 26553
[2020-02-14 13:39:35 +0000] info [cPhulkd] DB processor shutdown via SIGTERM with pid 26553
[2020-02-14 13:44:11 +0000] info [cPhulkd] processor startup with pid 1997
[2020-02-14 13:44:11 +0000] info [cPhulkd] DB processor startup with pid 27993
[2020-02-14 14:59:11 +0000] info [cPhulkd] DB processor shutdown via SIGTERM with pid 27993
[2020-02-14 15:56:17 +0000] info [cPhulkd] processor startup with pid 1997
[2020-02-14 15:56:17 +0000] info [cPhulkd] DB processor startup with pid 9253
[2020-02-14 16:15:27 +0000] info [cPhulkd] DB processor shutdown via SIGTERM with pid 9253
[2020-02-14 16:23:56 +0000] info [cPhulkd] processor startup with pid 1997
[2020-02-14 16:23:56 +0000] info [cPhulkd] DB processor startup with pid 12163
[2020-02-14 16:40:50 +0000] info [cPhulkd] DB processor shutdown via SIGTERM with pid 12163
[2020-02-14 17:27:04 +0000] info [cPhulkd] processor startup with pid 1997
[2020-02-14 17:27:04 +0000] info [cPhulkd] DB processor startup with pid 18463
[2020-02-14 17:27:04 +0000] info [cPhulkd] Login Blocked: IP reached maximum auth failures for a one day block [Service]=[cpaneld] [Local IP Address]=[****] [Local Port]=[2083] [Remote IP Address]=[51.38.245.44] [Remote Port]=[43641] [Authentication Database]=[system] [Username]=[****] (1/2 failures) (blocked until [Sat Feb 15 17:27:04 2020 UTC/Sat Feb 15 17:27:04 2020 LOCAL])
[2020-02-14 17:27:04 +0000] info [cPhulkd] Login Blocked: The country is blacklisted. [Service]=[cpaneld] [Local IP Address]=[****] [Local Port]=[2083] [Remote IP Address]=[51.38.245.44] [Remote Port]=[43641] [Authentication Database]=[system] [Username]=[****]
[2020-02-14 17:37:04 +0000] info [cPhulkd] DB processor shutdown via SIGTERM with pid 18463
[2020-02-14 18:19:44 +0000] info [cPhulkd] processor startup with pid 1997
[2020-02-14 18:19:44 +0000] info [cPhulkd] DB processor startup with pid 23558
[2020-02-14 18:43:21 +0000] info [cPhulkd] DB processor shutdown via SIGTERM with pid 23558
[2020-02-14 19:07:34 +0000] info [cPhulkd] processor startup with pid 1997
[2020-02-14 19:07:34 +0000] info [cPhulkd] DB processor startup with pid 29003
[2020-02-14 19:54:36 +0000] info [cPhulkd] DB processor shutdown via SIGTERM with pid 29003
Clearing errlog /usr/local/cpanel/logs/cphulkd_errors.log
[2020-02-15 01:03:50 +0000] info [cPhulkd] processor startup with pid 1997
[2020-02-15 01:03:50 +0000] info [cPhulkd] DB processor startup with pid 32495
[2020-02-15 01:03:51 +0000] info [cPhulkd] Login Blocked: IP reached maximum auth failures for a one day block [Service]=[cpaneld] [Local IP Address]=[****] [Local Port]=[2083] [Remote IP Address]=[163.44.197.47] [Remote Port]=[59564] [Authentication Database]=[system] [Username]=[****] (1/2 failures) (blocked until [Sun Feb 16 01:03:51 2020 UTC/Sun Feb 16 01:03:51 2020 LOCAL])
[2020-02-15 01:03:51 +0000] info [cPhulkd] Login Blocked: The country is blacklisted. [Service]=[cpaneld] [Local IP Address]=[****] [Local Port]=[2083] [Remote IP Address]=[163.44.197.47] [Remote Port]=[59564] [Authentication Database]=[system] [Username]=[****]
[2020-02-15 01:13:51 +0000] info [cPhulkd] DB processor shutdown via SIGTERM with pid 32495
[2020-02-15 02:41:35 +0000] info [cPhulkd] processor startup with pid 1997
[2020-02-15 02:41:35 +0000] info [cPhulkd] DB processor startup with pid 10266
[2020-02-15 02:41:35 +0000] info [cPhulkd] Login Blocked: IP reached maximum auth failures for a one day block [Service]=[cpaneld] [Local IP Address]=[****] [Local Port]=[2083] [Remote IP Address]=[91.221.70.80] [Remote Port]=[50844] [Authentication Database]=[system] [Username]=[****] (1/2 failures) (blocked until [Sun Feb 16 02:41:35 2020 UTC/Sun Feb 16 02:41:35 2020 LOCAL])
[2020-02-15 02:41:35 +0000] info [cPhulkd] Login Blocked: The country is blacklisted. [Service]=[cpaneld] [Local IP Address]=[****] [Local Port]=[2083] [Remote IP Address]=[91.221.70.80] [Remote Port]=[50844] [Authentication Database]=[system] [Username]=[****]
[2020-02-15 02:51:35 +0000] info [cPhulkd] DB processor shutdown via SIGTERM with pid 10266
[2020-02-15 05:36:57 +0000] info [cPhulkd] processor startup with pid 1997
[2020-02-15 05:36:57 +0000] info [cPhulkd] DB processor startup with pid 30005
[2020-02-15 05:46:57 +0000] info [cPhulkd] DB processor shutdown via SIGTERM with pid 30005
[2020-02-15 11:04:23 +0000] info [cPhulkd] processor startup with pid 1997
[2020-02-15 11:04:23 +0000] info [cPhulkd] DB processor startup with pid 31012
[2020-02-15 11:15:07 +0000] info [cPhulkd] DB processor shutdown via SIGTERM with pid 31012
[2020-02-15 13:35:29 +0000] info [cPhulkd] processor startup with pid 1997
[2020-02-15 13:35:29 +0000] info [cPhulkd] DB processor startup with pid 14774



Looks like the process is running.

root 1997 0.0 0.4 42896 9420 ? S Feb13 0:57 cPhulkd - processor
root 14774 0.0 0.6 50628 14384 ? S 07:35 0:00 \_ cPhulkd - dbprocessor
root 16300 0.2 0.4 46024 10384 ? S 07:51 0:00 \_ cPhulkd - processor - http socket
 

cPanelLauren

I do see blocks in this output:

Code:
[2020-02-15 02:41:35 +0000] info [cPhulkd] Login Blocked: The country is blacklisted. [Service]=[cpaneld] [Local IP Address]=[****] [Local Port]=[2083] [Remote IP Address]=[91.221.70.80] [Remote Port]=[50844] [Authentication Database]=[system] [Username]=[****]
[2020-02-15 02:41:35 +0000] info [cPhulkd] Login Blocked: IP reached maximum auth failures for a one day block [Service]=[cpaneld] [Local IP Address]=[****] [Local Port]=[2083] [Remote IP Address]=[91.221.70.80] [Remote Port]=[50844] [Authentication Database]=[system] [Username]=[****] (1/2 failures) (blocked until [Sun Feb 16 02:41:35 2020 UTC/Sun Feb 16 02:41:35 2020 LOCAL])
[2020-02-15 01:03:51 +0000] info [cPhulkd] Login Blocked: The country is blacklisted. [Service]=[cpaneld] [Local IP Address]=[****] [Local Port]=[2083] [Remote IP Address]=[163.44.197.47] [Remote Port]=[59564] [Authentication Database]=[system] [Username]=[****]
[2020-02-15 01:03:51 +0000] info [cPhulkd] Login Blocked: IP reached maximum auth failures for a one day block [Service]=[cpaneld] [Local IP Address]=[****] [Local Port]=[2083] [Remote IP Address]=[163.44.197.47] [Remote Port]=[59564] [Authentication Database]=[system] [Username]=[****] (1/2 failures) (blocked until [Sun Feb 16 01:03:51 2020 UTC/Sun Feb 16 01:03:51 2020 LOCAL])
[2020-02-14 17:27:04 +0000] info [cPhulkd] Login Blocked: IP reached maximum auth failures for a one day block [Service]=[cpaneld] [Local IP Address]=[****] [Local Port]=[2083] [Remote IP Address]=[51.38.245.44] [Remote Port]=[43641] [Authentication Database]=[system] [Username]=[****] (1/2 failures) (blocked until [Sat Feb 15 17:27:04 2020 UTC/Sat Feb 15 17:27:04 2020 LOCAL])
[2020-02-14 17:27:04 +0000] info [cPhulkd] Login Blocked: The country is blacklisted. [Service]=[cpaneld] [Local IP Address]=[****] [Local Port]=[2083] [Remote IP Address]=[51.38.245.44] [Remote Port]=[43641] [Authentication Database]=[system] [Username]=[****]
Are you aware if you received notifications for all of these blocks? Every time the system sends an email it should not only be logged in exim but the cPanel error logs should hold a record of it as well. We did make some changes recently to the CC Code blocking which is what I see being hit and I wonder if that's what you're encountering.
 

SysProgrammer

I'm not receiving emails. That's why I thought cphulk wasn't blocking any traffic. I have validated that all 3 checkboxes are checked under "Security Center-->cPHulk Brute Force Protection-->Configuration Settings Tab-->Notifications".
 

cPanelLauren

I'm not receiving emails. That's why I thought cphulk wasn't blocking any traffic.
Right, which is why I'm asking the following questions:

Are you aware if you received notifications for all of these blocks? Every time the system sends an email it should not only be logged in exim but the cPanel error logs should hold a record of it as well.
In an attempt to determine whether or not the email is being sent and not received or not being sent at all. The answer to these would be pretty important.

Then after that I noted the following:
We did make some changes recently to the CC Code blocking which is what I see being hit and I wonder if that's what you're encountering.
Because all of the blocks I see are CC code related and I do know there was at least one case on email notifications with CC blocks which is also why I asked for you to check if there were actually email notifications sent that corresponded to these blocks.

Thanks!
 

cPanelLauren

Every time the system sends an email it should not only be logged in exim but the cPanel error logs should hold a record of it as well.

Can you check the following locations for a record of these email notifications?

/var/log/exim_mainlog

/usr/local/cpanel/logs/error_log

Furthermore, if every block is a CC (COUNTRY CODE) related block you will not receive emails for these.
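
The check the reply above turns on (whether every block in cphulkd.log is country-code related) can be scripted. The following is an added example, not part of the original thread and not cPanel tooling: it parses "Login Blocked" lines in the format quoted earlier, groups the lines belonging to one connection, and separates country-related attempts from the rest. The function names and the sample log (documentation-range addresses, masked usernames) are constructed for illustration.

```python
import re
from collections import OrderedDict

# Reason text exactly as it appears in the cphulkd.log lines quoted in this thread.
COUNTRY_REASON = "The country is blacklisted."

# Constructed sample in the cphulkd.log format shown above (not real log data).
SAMPLE_LOG = """\
[2020-02-14 17:27:04 +0000] info [cPhulkd] DB processor startup with pid 18463
[2020-02-14 17:27:04 +0000] info [cPhulkd] Login Blocked: IP reached maximum auth failures for a one day block [Service]=[cpaneld] [Local IP Address]=[****] [Local Port]=[2083] [Remote IP Address]=[203.0.113.10] [Remote Port]=[43641] [Authentication Database]=[system] [Username]=[****] (1/2 failures) (blocked until [Sat Feb 15 17:27:04 2020 UTC/Sat Feb 15 17:27:04 2020 LOCAL])
[2020-02-14 17:27:04 +0000] info [cPhulkd] Login Blocked: The country is blacklisted. [Service]=[cpaneld] [Local IP Address]=[****] [Local Port]=[2083] [Remote IP Address]=[203.0.113.10] [Remote Port]=[43641] [Authentication Database]=[system] [Username]=[****]
[2020-02-14 17:37:04 +0000] info [cPhulkd] DB processor shutdown via SIGTERM with pid 18463
[2020-02-15 01:03:51 +0000] info [cPhulkd] Login Blocked: The country is blacklisted. [Service]=[cpaneld] [Local IP Address]=[****] [Local Port]=[2083] [Remote IP Address]=[198.51.100.7] [Remote Port]=[59564] [Authentication Database]=[system] [Username]=[****]
[2020-02-15 01:03:51 +0000] info [cPhulkd] Login Blocked: IP reached maximum auth failures for a one day block [Service]=[cpaneld] [Local IP Address]=[****] [Local Port]=[2083] [Remote IP Address]=[198.51.100.7] [Remote Port]=[59564] [Authentication Database]=[system] [Username]=[****] (1/2 failures) (blocked until [Sun Feb 16 01:03:51 2020 UTC/Sun Feb 16 01:03:51 2020 LOCAL])
[2020-02-15 03:10:12 +0000] info [cPhulkd] Login Blocked: IP reached maximum auth failures for a one day block [Service]=[cpaneld] [Local IP Address]=[****] [Local Port]=[2083] [Remote IP Address]=[192.0.2.55] [Remote Port]=[50844] [Authentication Database]=[system] [Username]=[****] (1/2 failures) (blocked until [Sun Feb 16 03:10:12 2020 UTC/Sun Feb 16 03:10:12 2020 LOCAL])
"""

# Timestamp and free-text reason; the reason ends where the [Service]=[...] field starts.
BLOCK_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] info \[cPhulkd\] Login Blocked: "
    r"(?P<reason>.+?) \[Service\]=\["
)
# Every "[Name]=[value]" pair on the line.
FIELD_RE = re.compile(r"\[([A-Za-z ]+)\]=\[([^\]]*)\]")


def parse_blocks(log_text):
    """Return one dict per 'Login Blocked' line; startup/shutdown lines are skipped."""
    events = []
    for line in log_text.splitlines():
        match = BLOCK_RE.match(line)
        if not match:
            continue
        fields = dict(FIELD_RE.findall(line))
        events.append({
            "ts": match.group("ts"),
            "reason": match.group("reason").strip(),
            "service": fields.get("Service", ""),
            "remote_ip": fields.get("Remote IP Address", ""),
            "remote_port": fields.get("Remote Port", ""),
        })
    return events


def group_attempts(events):
    """Merge lines describing the same connection (same time, remote IP and port).

    In the log quoted in the thread a single attempt produces two lines, one per
    block reason, so counting lines would double-count attempts.
    """
    attempts = OrderedDict()
    for ev in events:
        key = (ev["ts"], ev["remote_ip"], ev["remote_port"])
        entry = attempts.setdefault(key, {"service": ev["service"], "reasons": []})
        entry["reasons"].append(ev["reason"])
    return attempts


def split_by_country(attempts):
    """Return (country_related, other) lists of attempt keys.

    Per the staff reply, country-code blocks send no email, so only the
    'other' attempts are worth chasing in exim_mainlog for a notification.
    """
    country, other = [], []
    for key, entry in attempts.items():
        (country if COUNTRY_REASON in entry["reasons"] else other).append(key)
    return country, other


if __name__ == "__main__":
    grouped = group_attempts(parse_blocks(SAMPLE_LOG))
    country_keys, other_keys = split_by_country(grouped)
    print(f"{len(grouped)} blocked attempts, {len(country_keys)} country-related")
    for ts, ip, port in other_keys:
        reasons = "; ".join(grouped[(ts, ip, port)]["reasons"])
        print(f"check for a notification: {ts} {ip}:{port} ({reasons})")
```

To run it against a real server, pass the contents of /usr/local/cpanel/logs/cphulkd.log to `parse_blocks` instead of `SAMPLE_LOG`.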
 

SysProgrammer

I observed that my site's contact form submissions are being logged in the exim_mainlog, and I am receiving those. Hopefully something in this output will be helpful.


From /var/log/exim_mainlog:
2020-02-17 08:48:13.474 [18515] H=ip60.ip-144-217-233.net (smtp-relay.gmail.com) [144.217.233.60]:46763 I=[****]:25 Warning: "Detected session with all messages failed"
2020-02-17 08:48:13.475 [18515] H=ip60.ip-144-217-233.net (smtp-relay.gmail.com) [144.217.233.60]:46763 I=[****]:25 Warning: "Increment slow_fail_block Ratelimit - ip60.ip-144-217-233.net (smtp-relay.gmail.com) [144.217.233.60]:46763 because of all messages failed"
2020-02-17 08:48:13.476 [18515] SMTP connection from ip60.ip-144-217-233.net (smtp-relay.gmail.com) [144.217.233.60]:46763 I=[****]:25 closed by QUIT
2020-02-17 08:50:03.859 [18604] cwd=/ 2 args: /usr/sbin/exim -bpu
2020-02-17 08:52:29.136 [18778] SMTP connection from [127.0.0.1]:35892 I=[127.0.0.1]:25 (TCP/IP connection count = 1)
2020-02-17 08:52:29.150 [19002] SMTP connection from (localhost) [127.0.0.1]:35892 I=[127.0.0.1]:25 closed by QUIT
2020-02-17 08:52:29.150 [19002] no MAIL in SMTP connection from (localhost) [127.0.0.1]:35892 I=[127.0.0.1]:25 D=0.012s A=dovecot_plain:__cpanel__service__auth__exim__baa6n9khf6o5h4vg C=EHLO,AUTH,QUIT
2020-02-17 08:55:03.363 [19099] cwd=/ 2 args: /usr/sbin/exim -bpu
2020-02-17 08:57:31.184 [18778] SMTP connection from [127.0.0.1]:48090 I=[127.0.0.1]:25 (TCP/IP connection count = 1)
2020-02-17 08:57:31.199 [19472] SMTP connection from (localhost) [127.0.0.1]:48090 I=[127.0.0.1]:25 closed by QUIT
2020-02-17 08:57:31.199 [19472] no MAIL in SMTP connection from (localhost) [127.0.0.1]:48090 I=[127.0.0.1]:25 D=0.013s A=dovecot_plain:__cpanel__service__auth__exim__baa6n9khf6o5h4vg C=EHLO,AUTH,QUIT
2020-02-17 09:00:04.678 [19577] cwd=/ 2 args: /usr/sbin/exim -bpu
2020-02-17 09:02:13.652 [18778] SMTP connection from [51.89.173.198]:52152 I=[****]:465 (TCP/IP connection count = 1)
2020-02-17 09:02:13.882 [19915] SMTP connection from ns3154890.ip-51-89-173.eu [51.89.173.198]:52152 I=[****]:465 lost D=0.228s
2020-02-17 09:02:13.882 [19915] no MAIL in SMTP connection from ns3154890.ip-51-89-173.eu [51.89.173.198]:52152 I=[****]:465 D=0.228s
2020-02-17 09:04:59.824 [18778] SMTP connection from [127.0.0.1]:39508 I=[127.0.0.1]:25 (TCP/IP connection count = 1)
2020-02-17 09:04:59.838 [19972] SMTP connection from (localhost) [127.0.0.1]:39508 I=[127.0.0.1]:25 closed by QUIT
2020-02-17 09:04:59.840 [19972] no MAIL in SMTP connection from (localhost) [127.0.0.1]:39508 I=[127.0.0.1]:25 D=0.013s A=dovecot_plain:__cpanel__service__auth__exim__baa6n9khf6o5h4vg C=EHLO,AUTH,QUIT
2020-02-17 09:05:04.174 [20054] cwd=/ 2 args: /usr/sbin/exim -bpu
2020-02-17 09:10:02.973 [18778] SMTP connection from [127.0.0.1]:51266 I=[127.0.0.1]:25 (TCP/IP connection count = 1)
2020-02-17 09:10:03.031 [20495] SMTP connection from (localhost) [127.0.0.1]:51266 I=[127.0.0.1]:25 closed by QUIT
2020-02-17 09:10:03.031 [20495] no MAIL in SMTP connection from (localhost) [127.0.0.1]:51266 I=[127.0.0.1]:25 D=0.037s A=dovecot_plain:__cpanel__service__auth__exim__baa6n9khf6o5h4vg C=EHLO,AUTH,QUIT
2020-02-17 09:10:04.462 [20531] cwd=/ 2 args: /usr/sbin/exim -bpu
2020-02-17 09:15:03.709 [20960] cwd=/ 2 args: /usr/sbin/exim -bpu
2020-02-17 09:15:05.624 [18778] SMTP connection from [127.0.0.1]:34266 I=[127.0.0.1]:25 (TCP/IP connection count = 1)
2020-02-17 09:15:05.642 [21071] SMTP connection from (localhost) [127.0.0.1]:34266 I=[127.0.0.1]:25 closed by QUIT
2020-02-17 09:15:05.642 [21071] no MAIL in SMTP connection from (localhost) [127.0.0.1]:34266 I=[127.0.0.1]:25 D=0.015s A=dovecot_plain:__cpanel__service__auth__exim__baa6n9khf6o5h4vg C=EHLO,AUTH,QUIT
2020-02-17 09:20:04.964 [21441] cwd=/ 2 args: /usr/sbin/exim -bpu
2020-02-17 09:20:08.296 [18778] SMTP connection from [127.0.0.1]:46008 I=[127.0.0.1]:25 (TCP/IP connection count = 1)
2020-02-17 09:20:08.326 [21576] SMTP connection from (localhost) [127.0.0.1]:46008 I=[127.0.0.1]:25 closed by QUIT
2020-02-17 09:20:08.328 [21576] no MAIL in SMTP connection from (localhost) [127.0.0.1]:46008 I=[127.0.0.1]:25 D=0.028s A=dovecot_plain:__cpanel__service__auth__exim__baa6n9khf6o5h4vg C=EHLO,AUTH,QUIT
2020-02-17 09:20:15.609 [22127] cwd=/var/spool/exim 2 args: /usr/sbin/exim -qG
2020-02-17 09:20:15.613 [22127] Start queue run: pid=22127
line 2034

From /usr/local/cpanel/logs/error_log:
[2019-12-17 06:17:13 -0600] info [autorepair] Successfully verified signature for cpanel (key types: release).
==> cpsrvd 11.84.0.17 started
==> cpsrvd: loading security policy....Done
==> cpsrvd: Setting up SSL support ... Done
==> cpsrvd: transferred port bindings: 10,11,12,3,4,5,6,7,8,9
==> cpsrvd: bound to ports
[2019-12-17 06:20:01 -0600] info [cpsrvd] version 11.84.0.17 online
Timed out (2 seconds) while reading from socket.
[2019-12-17 06:20:05 -0600] info [whostmgrd] Brute force checking was skipped because cphulkd failed to process “root” from “173.174.214.143” for the “system” service.
[2019-12-17 06:20:11 -0600] info [whostmgrd] Successfully verified signature for cpanel (key types: release).
[2019-12-17 06:21:11 -0600] info [cpaneld] Brute force checking was skipped because cphulkd failed to process “[email protected]” from “173.174.214.143” for the “system” service.
[2019-12-17 06:21:28 -0600] info [webmaild] Brute force checking was skipped because cphulkd failed to process “[email protected]” from “173.174.214.143” for the “mail” service.
[2019-12-17 06:21:51 -0600] info [webmaild] Brute force checking was skipped because cphulkd failed to process “[email protected]” from “173.174.214.143” for the “mail” service.
[2019-12-17 06:22:17 -0600] info [webmaild] Brute force checking was skipped because cphulkd failed to process “[email protected]” from “173.174.214.143” for the “mail” service.
[2019-12-17 06:22:24 -0600] info [webmaild] Brute force checking was skipped because cphulkd failed to process “[email protected]” from “173.174.214.143” for the “mail” service.
[2019-12-19 11:35:20 -0600] info [cpsrvd] version 11.84.0.17 online
Timed out (2 seconds) while reading from socket.
[2019-12-19 11:38:22 -0600] info [whostmgrd] Brute force checking was skipped because cphulkd failed to process “root” from “173.174.214.143” for the “system” service.
[2019-12-19 11:39:01 -0600] info [whostmgrd] Successfully verified signature for cpanel (key types: release).
[2019-12-19 11:39:24 -0600] info [cpaneld] Brute force checking was skipped because cphulkd failed to process “[email protected]” from “173.174.214.143” for the “system” service.
[2019-12-19 11:40:52 -0600] info [webmaild] Brute force checking was skipped because cphulkd failed to process “[email protected]” from “173.174.214.143” for the “mail” service.
[2019-12-19 11:41:18 -0600] info [webmaild] Brute force checking was skipped because cphulkd failed to process “[email protected]” from “173.174.214.143” for the “mail” service.
[2019-12-19 11:41:45 -0600] info [webmaild] Brute force checking was skipped because cphulkd failed to process “[email protected]” from “173.174.214.143” for the “mail” service.
[2019-12-19 11:42:01 -0600] info [webmaild] Brute force checking was skipped because cphulkd failed to process “[email protected]” from “173.174.214.143” for the “mail” service.
[2019-12-19 11:42:21 -0600] info [webmaild] Brute force checking was skipped because cphulkd failed to process “[email protected]” from “173.174.214.143” for the “mail” service.
[2019-12-19 11:43:01 -0600] info [webmaild] Brute force checking was skipped because cphulkd failed to process “[email protected]” from “173.174.214.143” for the “mail” service.
==> cpsrvd 11.84.0.17 started


[2019-12-20 03:01:44 -0600] info [cpsrvd] version 11.84.0.17 online
[2019-12-20 03:02:09 -0600] warn [cpsrvd] User file '/var/cpanel/users/webmaster' is empty or non-existent. at /usr/local/cpanel/Cpanel/Config/LoadCpUserFile.pm line 305, <GEN5> line 2.
Cpanel::Config::LoadCpUserFile::_load("webmaster", undef) called at /usr/local/cpanel/Cpanel/Config/LoadCpUserFile.pm line 204
Cpanel::Config::LoadCpUserFile::load("webmaster") called at /usr/local/cpanel/Cpanel/AcctUtils/Lookup/MailUser.pm line 131
Cpanel::AcctUtils::Lookup::MailUser::lookup_mail_user("webmaster", "") called at /usr/local/cpanel/Cpanel/Server/Dovecot.pm line 195
Cpanel::Server::Dovecot::_handle_dovecot_userdb(Cpanel::Server::Dovecot=HASH(0x310fe18), "shared", "dovecot_userdb", "webmaster") called at /usr/local/cpanel/Cpanel/Server/Dovecot.pm line 144
Cpanel::Server::Dovecot::_dovecot_request_handler(Cpanel::Server::Dovecot=HASH(0x310fe18), "Lshared/dovecot_userdb/webmaster") called at /usr/local/cpanel/Cpanel/Server/Dovecot.pm line 90
eval {...} called at /usr/local/cpanel/Cpanel/Server/Dovecot.pm line 75
Cpanel::Server::Dovecot::handle_cpdoveauthd_request(Cpanel::Server::Dovecot=HASH(0x310fe18)) called at /usr/local/cpanel/Cpanel/Server.pm line 2247
Cpanel::Server::handle_cpdoveauthd_connection(Cpanel::Server=HASH(0x2eb2f98)) called at cpsrvd.pl line 1771
cpanel::cpsrvd::_handle_unix_socket_connection("handle_cpdoveauthd_connection") called at cpsrvd.pl line 1085
cpanel::cpsrvd::script() called at cpsrvd.pl line 425
[2019-12-20 03:02:09 -0600] warn [cpsrvd] Failed to load cPanel user file for 'webmaster' at /usr/local/cpanel/Cpanel/Config/LoadCpUserFile.pm line 207, <GEN5> line 2.
Cpanel::Config::LoadCpUserFile::load("webmaster") called at /usr/local/cpanel/Cpanel/AcctUtils/Lookup/MailUser.pm line 131
Cpanel::AcctUtils::Lookup::MailUser::lookup_mail_user("webmaster", "") called at /usr/local/cpanel/Cpanel/Server/Dovecot.pm line 195
Cpanel::Server::Dovecot::_handle_dovecot_userdb(Cpanel::Server::Dovecot=HASH(0x310fe18), "shared", "dovecot_userdb", "webmaster") called at /usr/local/cpanel/Cpanel/Server/Dovecot.pm line 144
Cpanel::Server::Dovecot::_dovecot_request_handler(Cpanel::Server::Dovecot=HASH(0x310fe18), "Lshared/dovecot_userdb/webmaster") called at /usr/local/cpanel/Cpanel/Server/Dovecot.pm line 90
eval {...} called at /usr/local/cpanel/Cpanel/Server/Dovecot.pm line 75
Cpanel::Server::Dovecot::handle_cpdoveauthd_request(Cpanel::Server::Dovecot=HASH(0x310fe18)) called at /usr/local/cpanel/Cpanel/Server.pm line 2247
Cpanel::Server::handle_cpdoveauthd_connection(Cpanel::Server=HASH(0x2eb2f98)) called at cpsrvd.pl line 1771
cpanel::cpsrvd::_handle_unix_socket_connection("handle_cpdoveauthd_connection") called at cpsrvd.pl line 1085
cpanel::cpsrvd::script() called at cpsrvd.pl line 425
[2019-12-20 03:05:12 -0600] warn [cpsrvd] User file '/var/cpanel/users/webmaster' is empty or non-existent. at /usr/local/cpanel/Cpanel/Config/LoadCpUserFile.pm line 305, <GEN8> line 2.
Cpanel::Config::LoadCpUserFile::_load("webmaster", undef) called at /usr/local/cpanel/Cpanel/Config/LoadCpUserFile.pm line 204
Cpanel::Config::LoadCpUserFile::load("webmaster") called at /usr/local/cpanel/Cpanel/AcctUtils/Lookup/MailUser.pm line 131
Cpanel::AcctUtils::Lookup::MailUser::lookup_mail_user("webmaster", "") called at /usr/local/cpanel/Cpanel/Server/Dovecot.pm line 195
Cpanel::Server::Dovecot::_handle_dovecot_userdb(Cpanel::Server::Dovecot=HASH(0x310fe30), "shared", "dovecot_userdb", "webmaster") called at /usr/local/cpanel/Cpanel/Server/Dovecot.pm line 144
Cpanel::Server::Dovecot::_dovecot_request_handler(Cpanel::Server::Dovecot=HASH(0x310fe30), "Lshared/dovecot_userdb/webmaster") called at /usr/local/cpanel/Cpanel/Server/Dovecot.pm line 90
eval {...} called at /usr/local/cpanel/Cpanel/Server/Dovecot.pm line 75
Cpanel::Server::Dovecot::handle_cpdoveauthd_request(Cpanel::Server::Dovecot=HASH(0x310fe30)) called at /usr/local/cpanel/Cpanel/Server.pm line 2247
Cpanel::Server::handle_cpdoveauthd_connection(Cpanel::Server=HASH(0x2eb2f98)) called at cpsrvd.pl line 1771
cpanel::cpsrvd::_handle_unix_socket_connection("handle_cpdoveauthd_connection") called at cpsrvd.pl line 1085
cpanel::cpsrvd::script() called at cpsrvd.pl line 425
[2019-12-20 03:05:12 -0600] warn [cpsrvd] Failed to load cPanel user file for 'webmaster' at /usr/local/cpanel/Cpanel/Config/LoadCpUserFile.pm line 207, <GEN8> line 2.
Cpanel::Config::LoadCpUserFile::load("webmaster") called at /usr/local/cpanel/Cpanel/AcctUtils/Lookup/MailUser.pm line 131
Cpanel::AcctUtils::Lookup::MailUser::lookup_mail_user("webmaster", "") called at /usr/local/cpanel/Cpanel/Server/Dovecot.pm line 195
Cpanel::Server::Dovecot::_handle_dovecot_userdb(Cpanel::Server::Dovecot=HASH(0x310fe30), "shared", "dovecot_userdb", "webmaster") called at /usr/local/cpanel/Cpanel/Server/Dovecot.pm line 144
Cpanel::Server::Dovecot::_dovecot_request_handler(Cpanel::Server::Dovecot=HASH(0x310fe30), "Lshared/dovecot_userdb/webmaster") called at /usr/local/cpanel/Cpanel/Server/Dovecot.pm line 90
eval {...} called at /usr/local/cpanel/Cpanel/Server/Dovecot.pm line 75
Cpanel::Server::Dovecot::handle_cpdoveauthd_request(Cpanel::Server::Dovecot=HASH(0x310fe30)) called at /usr/local/cpanel/Cpanel/Server.pm line 2247
Cpanel::Server::handle_cpdoveauthd_connection(Cpanel::Server=HASH(0x2eb2f98)) called at cpsrvd.pl line 1771
cpanel::cpsrvd::_handle_unix_socket_connection("handle_cpdoveauthd_connection") called at cpsrvd.pl line 1085
cpanel::cpsrvd::script() called at cpsrvd.pl line 425


=> cpsrvd 11.84.0.19 started
==> cpsrvd: loading security policy....Done
==> cpsrvd: Setting up SSL support ... Done
==> cpsrvd: transferred port bindings: 10,11,12,3,4,5,6,7,8,9
==> cpsrvd: bound to ports
[2020-01-11 09:25:33 -0600] info [cpsrvd] version 11.84.0.19 online
Timed out (2 seconds) while reading from socket.
[2020-01-11 09:25:49 -0600] info [whostmgrd] Brute force checking was skipped because cphulkd failed to process “root” from “72.177.238.71” for the “system” service.
[2020-01-11 09:26:00 -0600] info [cpaneld] Brute force checking was skipped because cphulkd failed to process “[email protected]” from “72.177.238.71” for the “system” service.
[2020-01-11 09:26:06 -0600] info [whostmgrd] Successfully verified signature for cpanel (key types: release).
[2020-01-11 09:26:06 -0600] info [whostmgrd] Successfully verified signature for cpanel (key types: release).
[2020-01-11 09:26:32 -0600] info [webmaild] Brute force checking was skipped because cphulkd failed to process “[email protected]” from “72.177.238.71” for the “mail” service.
[2020-01-11 09:26:52 -0600] info [webmaild] Brute force checking was skipped because cphulkd failed to process “[email protected]” from “72.177.238.71” for the “mail” service.
[2020-01-11 09:27:11 -0600] info [webmaild] Brute force checking was skipped because cphulkd failed to process “[email protected]” from “72.177.238.71” for the “mail” service.
[2020-01-11 09:27:25 -0600] info [webmaild] Brute force checking was skipped because cphulkd failed to process “[email protected]” from “72.177.238.71” for the “mail” service.
==> cpsrvd 11.84.0.19 started


==> cpsrvd 11.84.0.19 started
==> cpsrvd: loading security policy....Done
==> cpsrvd: Setting up SSL support ... Done
==> cpsrvd: transferred port bindings: 10,11,12,3,4,5,6,7,8,9
==> cpsrvd: bound to ports
[2020-01-14 04:49:46 -0600] info [cpsrvd] version 11.84.0.19 online
Timed out (2 seconds) while reading from socket.
[2020-01-14 04:51:36 -0600] info [whostmgrd] Brute force checking was skipped because cphulkd failed to process “root” from “72.177.238.71” for the “system” service.
[2020-01-14 04:51:45 -0600] info [cpaneld] Brute force checking was skipped because cphulkd failed to process “[email protected]” from “72.177.238.71” for the “system” service.
[2020-01-14 04:51:47 -0600] info [whostmgrd] Successfully verified signature for cpanel (key types: release).
[2020-01-14 04:51:49 -0600] info [whostmgrd] Successfully verified signature for cpanel (key types: release).
[2020-01-14 04:52:08 -0600] info [webmaild] Brute force checking was skipped because cphulkd failed to process “[email protected]” from “72.177.238.71” for the “mail” service.
[2020-01-14 04:53:44 -0600] info [webmaild] Brute force checking was skipped because cphulkd failed to process “[email protected]” from “72.177.238.71” for the “mail” service.
[2020-01-14 04:53:54 -0600] info [webmaild] Brute force checking was skipped because cphulkd failed to process “[email protected]” from “72.177.238.71” for the “mail” service.
[2020-01-14 04:54:19 -0600] info [webmaild] Brute force checking was skipped because cphulkd failed to process “[email protected]” from “72.177.238.71” for the “mail” service.
==> cpsrvd 11.84.0.19 started
==> cpsrvd 11.84.0.21 started
==> cpsrvd: loading security policy....Done
==> cpsrvd: Setting up SSL support ... Done
==> cpsrvd: transferred port bindings: 10,11,12,3,4,5,6,7,8,9
==> cpsrvd: bound to ports
[2020-02-13 11:23:45 -0600] info [cpsrvd] version 11.84.0.21 online
[2020-02-13 11:35:53 -0600]: “/usr/local/cpanel/scripts/restartsrv_sshd --restart --hard --attempt 1” called by (3328 - tailwatchd - chkservd - sshd check)
[2020-02-13 11:35:55 -0600]: “/usr/local/cpanel/scripts/restartsrv_spamd --restart --hard --attempt 1” called by (3328 - tailwatchd - chkservd - spamd check)
[2020-02-13 11:35:58 -0600] info [queueprocd] chkservd::Notify Notification => [email protected]***** via EMAIL [eventimportance => High (1)]
[2020-02-13 11:35:58 -0600] warn [queueprocd] Cpanel::Exception::SMTP/(XID cdwvbw) The system failed to connect to an [output,abbr,SMTP,Simple Mail Transfer Protocol] server (127.0.0.1 Timeout 30) because of an error: Connection refused
at /usr/local/cpanel/Cpanel/SMTP.pm line 91.
Cpanel::SMTP::new("Cpanel::SMTP", "127.0.0.1", "Timeout", 30) called at /usr/local/cpanel/Cpanel/SMTP/Singleton.pm line 162
Cpanel::SMTP::Singleton::__ANON__() called at /usr/local/cpanel/3rdparty/perl/528/lib/perl5/cpanel_lib/Try/Tiny.pm line 97
eval {...} called at /usr/local/cpanel/3rdparty/perl/528/lib/perl5/cpanel_lib/Try/Tiny.pm line 88
Try::Tiny::try(CODE(0x39ca668), Try::Tiny::Catch=REF(0x39ca740)) called at /usr/local/cpanel/Cpanel/SMTP/Singleton.pm line 166
Cpanel::SMTP::Singleton::_ensure_smtp_connection("127.0.0.1") called at /usr/local/cpanel/Cpanel/SMTP/Singleton.pm line 100
Cpanel::SMTP::Singleton::localhost(__CPANEL_HIDDEN__, __CPANEL_HIDDEN__) called at /usr/local/cpanel/Cpanel/Email/Send.pm line 120
Cpanel::Email::Send::__ANON__(Cpanel::Exception::SMTP=HASH(0x39c7918)) called at /usr/local/cpanel/3rdparty/perl/528/lib/perl5/cpanel_lib/Try/Tiny.pm line 118
Try::Tiny::try(CODE(0x39bf2a0), Try::Tiny::Catch=REF(0x39bf258)) called at /usr/local/cpanel/Cpanel/Email/Send.pm line 122
Cpanel::Email::Send::_email_message_using_smtp(HASH(0x392b7f8), HASH(0x39639b0)) called at /usr/local/cpanel/Cpanel/Email/Send.pm line 86
Cpanel::Email::Send::__ANON__() called at /usr/local/cpanel/3rdparty/perl/528/lib/perl5/cpanel_lib/Try/Tiny.pm line 97
eval {...} called at /usr/local/cpanel/3rdparty/perl/528/lib/perl5/cpanel_lib/Try/Tiny.pm line 88
Try::Tiny::try(CODE(0x39ae9e8), Try::Tiny::Catch=REF(0x37748c0)) called at /usr/local/cpanel/Cpanel/Email/Send.pm line 101
Cpanel::Email::Send::email_message(HASH(0x392b7f8), HASH(0x39639b0)) called at /usr/local/cpanel/Cpanel/iContact/Provider.pm line 71
Cpanel::iContact::Provider::email_message(Cpanel::iContact::Provider::Email=HASH(0x392b648), "html_body", SCALAR(0x2ae9d20), "im_message", "The service \"sshd\" appears to be down.\x{a}\x{a}Server\x{a}\x{a}con.converjam"..., "im_subject", "[MASKED-HOSTNAME] FAILED ???: sshd (MASKED-IP)", "event_name", ...) called at /usr/local/cpanel/Cpanel/iContact/Provider/Email.pm line 32
Cpanel::iContact::Provider::Email::send(Cpanel::iContact::Provider::Email=HASH(0x392b648)) called at /usr/local/cpanel/Cpanel/iContact.pm line 569
Cpanel::iContact::__ANON__() called at /usr/local/cpanel/3rdparty/perl/528/lib/perl5/cpanel_lib/Try/Tiny.pm line 97
eval {...} called at /usr/local/cpanel/3rdparty/perl/528/lib/perl5/cpanel_lib/Try/Tiny.pm line 88
Try::Tiny::try(CODE(0x380de78), Try::Tiny::Catch=REF(0x3774cb0)) called at /usr/local/cpanel/Cpanel/iContact.pm line 577
Cpanel::iContact::_send_notifications(HASH(0x2adb658), HASH(0x2b08058), ARRAY(0x381c1b8)) called at /usr/local/cpanel/Cpanel/iContact.pm line 524
Cpanel::iContact::icontact("subject", "FAILED \x{e2}\x{9b}\x{94}: sshd (MASKED-IP)", "html_related", ARRAY(0x28eeeb0), "x_headers", HASH(0x3814048), "event_name", "Notify", ...) called at /usr/local/cpanel/Cpanel/iContact/Class.pm line 570
Cpanel::iContact::Class::_todo_inside_daemon(Cpanel::iContact::Class::chkservd::Notify=HASH(0x2875e50)) called at /usr/local/cpanel/Cpanel/iContact/Class.pm line 365
Cpanel::iContact::Class::__ANON__() called at /usr/local/cpanel/Cpanel/iContact/Class.pm line 71
Cpanel::iContact::Class::__ANON__() called at /usr/local/cpanel/3rdparty/perl/528/lib/perl5/cpanel_lib/Try/Tiny.pm line 97
eval {...} called at /usr/local/cpanel/3rdparty/perl/528/lib/perl5/cpanel_lib/Try/Tiny.pm line 88
Try::Tiny::try(CODE(0x2973288), Try::Tiny::Catch=REF(0x28473a8)) called at /usr/local/cpanel/Cpanel/iContact/Class.pm line 76
Cpanel::iContact::Class::_do_in_foreground(CODE(0x2876a68)) called at /usr/local/cpanel/Cpanel/iContact/Class.pm line 362
Cpanel::iContact::Class::send(Cpanel::iContact::Class::chkservd::Notify=HASH(0x2875e50)) called at /usr/local/cpanel/Cpanel/iContact/Class.pm line 353
Cpanel::iContact::Class::new("Cpanel::iContact::Class::chkservd::Notify", "restart_count", 1, "syslog_messages", "Feb 13 11:35:49 con sshd[2215]: pam_unix(sshd:session): sessi"..., "command_error", "(XID kuacwa) The \x{e2}\x{80}\x{9c}sshd\x{e2}\x{80}\x{9d} service is down.\x{a}\x{a}The subprocess "..., "port", ...) called at /usr/local/cpanel/Cpanel/Notify.pm line 77
Cpanel::Notify::__ANON__() called at /usr/local/cpanel/Cpanel/Notify.pm line 150
Cpanel::Notify::_notification_backend("chkservd::Notify", "failed", 1, CODE(0x2861150)) called at /usr/local/cpanel/Cpanel/Notify.pm line 79
Cpanel::Notify::notification_class("interval", 1, "status", "failed", "class", "chkservd::Notify", "application", "chkservd::Notify", ...) called at /usr/local/cpanel/Cpanel/TaskProcessors/NotificationTasks/Harvester.pm line 66
Cpanel::TaskProcessors::NotificationTasks::Harvester::__ANON__(__CPANEL_HIDDEN__, ARRAY(0x2860df0)) called at /usr/local/cpanel/Cpanel/TaskQueue/SubQueue/Harvester.pm line 123
Cpanel::TaskQueue::SubQueue::Harvester::__ANON__() called at /usr/local/cpanel/3rdparty/perl/528/lib/perl5/cpanel_lib/Try/Tiny.pm line 97
eval {...} called at /usr/local/cpanel/3rdparty/perl/528/lib/perl5/cpanel_lib/Try/Tiny.pm line 88
Try::Tiny::try(CODE(0x26e23e8), Try::Tiny::Catch=REF(0xb41908)) called at /usr/local/cpanel/Cpanel/TaskQueue/SubQueue/Harvester.pm line 135
Cpanel::TaskQueue::SubQueue::Harvester::harvest("Cpanel::TaskProcessors::NotificationTasks::Harvester", CODE(0x2823328)) called at /usr/local/cpanel/Cpanel/TaskProcessors/NotificationTasks/Harvester.pm line 68
Cpanel::TaskProcessors::NotificationTasks::Harvester::harvest("Cpanel::TaskProcessors::NotificationTasks::Harvester", CODE(0x27bd520)) called at /usr/local/cpanel/Cpanel/TaskProcessors/NotificationTasks.pm line 58
Cpanel::TaskProcessors::NotificationTasks::NotifyFromSubQueue::_do_child_task(Cpanel::TaskProcessors::NotificationTasks::NotifyFromSubQueue=HASH(0xb4e568), Cpanel::TaskQueue::Task=HASH(0x272bbc8), Cpanel::LoggerAdapter=HASH(0xb16960)) called at /usr/local/cpanel/Cpanel/TaskQueue/ChildProcessor.pm line 68
eval {...} called at /usr/local/cpanel/Cpanel/TaskQueue/ChildProcessor.pm line 71
Cpanel::TaskQueue::ChildProcessor::process_task(Cpanel::TaskProcessors::NotificationTasks::NotifyFromSubQueue=HASH(0xb4e568), Cpanel::TaskQueue::Task=HASH(0x272bbc8), Cpanel::LoggerAdapter=HASH(0xb16960), Cpanel::StateFile::Guard=HASH(0x26e22f8)) called at /usr/local/cpanel/Cpanel/TaskQueue/FastSpawn.pm line 24
Cpanel::TaskQueue::FastSpawn::process_task(Cpanel::TaskProcessors::NotificationTasks::NotifyFromSubQueue=HASH(0xb4e568), Cpanel::TaskQueue::Task=HASH(0x272bbc8), Cpanel::LoggerAdapter=HASH(0xb16960), Cpanel::StateFile::Guard=HASH(0x26e22f8)) called at /usr/local/cpanel/Cpanel/TaskQueue.pm line 619
eval {...} called at /usr/local/cpanel/Cpanel/TaskQueue.pm line 619
Cpanel::TaskQueue::process_next_task(Cpanel::TaskQueue=HASH(0x25db8d0)) called at /usr/local/cpanel/Cpanel/QueueProcd/Queueing.pm line 49
eval {...} called at /usr/local/cpanel/Cpanel/QueueProcd/Queueing.pm line 49
Cpanel::QueueProcd::Queueing::queue_process_next_task(Cpanel::TaskQueue=HASH(0x25db8d0), Cpanel::LoggerAdapter=HASH(0xb16960)) called at libexec/queueprocd.pl line 473
libexec::queueprocd::process_tasks(Cpanel::TaskQueue=HASH(0x25db8d0), Cpanel::TaskQueue::Scheduler=HASH(0x25e4910)) called at libexec/queueprocd.pl line 490
libexec::queueprocd::_process_tasks_until_no_more_are_ready(Cpanel::TaskQueue=HASH(0x25db8d0), Cpanel::TaskQueue::Scheduler=HASH(0x25e4910)) called at libexec/queueprocd.pl line 223
libexec::queueprocd::script("libexec::queueprocd", "--reexec") called at libexec/queueprocd.pl line 126
cpsrvd [2026] Shutting down due to SIGTERM
[2020-02-13 11:37:32 -0600]: “/usr/local/cpanel/scripts/restartsrv_spamd --no-verbose” called by (1197 - /bin/bash -c ulimit -S -c 0 >/dev/null 2>&1 ; /usr/local/cpanel/scripts/restartsrv_spamd --no-verbose)