cPHulk reports no IP address!!!

sehh

Well-Known Member
Feb 11, 2006
579
6
168
Europe
cPHulk shows attacks that have no IP address on the authentication service "system".

Anyone knows what is this "system" service? and why there are no IPs reported? We get thousands of lines like the following:

Code:
 apache		system	2009-02-16 05:31:39
 user		system	2009-02-16 05:31:38
 admin		system	2009-02-16 05:31:38
 web		system	2009-02-16 05:31:36
 postfix	system	2009-02-16 05:31:32
 guest		system	2009-02-16 05:31:31
 linux		system	2009-02-16 05:31:31
 david		system	2009-02-16 05:31:30
 web		system	2009-02-16 05:31:29
 root		system	2009-02-16 05:31:25
 

sehh

Well-Known Member
Feb 11, 2006
579
6
168
Europe
I'm using the latest STABLE: cPanel 11.24.4-S33345 - WHM 11.24.2 - X 3.9
 

jeck

Member
Mar 23, 2006
6
0
151
Hello,
I have the same problem. I'm using WHM 11.25.0 - X 3.9.
For more than one day now someone is trying to login to one email account on my server.

cphulk shows:

User IP Authentication Service Login Time
[email protected] mail 2009-10-22 11:49:09
[email protected] mail 2009-10-22 11:47:02
[email protected] mail 2009-10-22 11:48:52
[email protected] mail 2009-10-22 11:48:53

Ip is empty ... So cphulk doesn't block the failed login attempts and they just keep trying ...

Have checked exim mainlog. Ip's are visible there.

The problem is cphulk not being able to block the ip's automatically.

What can I do?
 

cPanelDon

cPanel Quality Assurance Analyst
Staff member
Nov 5, 2008
2,545
12
268
Houston, Texas, U.S.A.
cPanel Access Level
DataCenter Provider
Twitter
There are two different problems that appear to be mentioned according to the output provided. If you are experiencing a specific issue with cPHulkd, please consider submitting a ticket so that we can take a thorough look at what may be happening in your unique situation.

If an IP address is not shown, it likely means that the IP address was not provided to cphulk for the method of access that was attempted. If cphulkd does not receive the IP, for example, from "courier-auth" (if using Courier for your POP3/IMAP server), then there will not be an IP available to display.