The Community Forums


cpHulk suddenly blocking logged-in webmail account

Discussion in 'Security' started by ryodo, Apr 11, 2016.

  1. ryodo

    ryodo Member

    Joined:
    Oct 3, 2012
    Messages:
    10
    Likes Received:
    1
    Trophy Points:
    3
    cPanel Access Level:
    Website Owner
    Hi All -
    Two weeks ago cpHulk started blocking my RoundCube webmail account sporadically. I wasn't watching to see if a new version of WHM had been installed. The only recent security configuration change was to enable two-factor authentication on individual cPanel accounts. We're running WHM 54.0 (build 21), with both cpHulk and CSF, which have been running nicely together for years.

    Looking at the cpHulk history of failed logins, I see many entries for my address before the point I get locked out, even when I've been signed in for a couple of days. I also see multiple "failed" entries for others, who are using Mac Mail, but when I ask them they say they haven't had any login issues. The IP addresses listed in the "failed logins" history are the correct ones for the associated email addresses.

    At the point where I used to get the "invalid token" messages, first I get an "unable to load" message, then a database failure message, then invalid login, so it appears to be some kerfuffle resulting from the thrashing around the expired token. I then have to go into cpHulk and clear history and blocked logins to get my mail.

    Any ideas why this happens, and how to fix it?
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,854
    Likes Received:
    676
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    Could you review /var/log/maillog and /usr/local/cpanel/logs/cphulkd.log for the corresponding time when the account is locked to see what the log output shows?

    Thank you.
     
  3. ryodo

    ryodo Member

    Joined:
    Oct 3, 2012
    Messages:
    10
    Likes Received:
    1
    Trophy Points:
    3
    cPanel Access Level:
    Website Owner
    Thank you for responding quickly!

    Yes, maillog shows several logged-out messages for my account, then a second later the block. I forgot to mention that we recently switched from courier to dovecot, but that was weeks before the new blocking issue.

    The logs show I started getting blocked on 3/24/2016.

    >>> maillog >>>
    I've deleted intervening spamd and pop3 notices:
    Apr 11 13:53:27 cp dovecot: imap(me@my.com): Logged out in=274, out=5449, bytes=274/5449
    ...
    Apr 11 13:53:33 cp dovecot: imap(me@my.com): Logged out in=146, out=2512, bytes=146/2512
    Apr 11 13:53:33 cp dovecot: imap(me@my.com): Logged out in=4068, out=8871, bytes=4068/8871
    Apr 11 13:53:33 cp dovecot: imap(me@my.com): Logged out in=724, out=3978, bytes=724/3978

    spamd and pop3 logins ......

    Apr 11 13:54:52 cp dovecot: auth: Error: Cpanel::MailAuth: cphulk blocked login for user 'me@my.com' to access service 'mail' from IP '::1'

    spamd ...

    Apr 11 13:54:54 cp dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=, method=PLAIN, rip=::1, lip=::1, secured, session=

    >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

    >>> cphulkd.log - several entries today >>>
    [2016-04-11 13:27:53 -0700] info [cphulkd] 16399 Login Blocked: Too many failures for this username for this authentication database. [Service]=[imap] [Local IP Address]=[0000:0000:0000:0000:0000:0000:0000:0001] [Remote IP Address]=[0000:0000:0000:0000:0000:0000:0000:0001] [Authentication Database]=[mail] [Username]=[me@my.com] (6/5 failures) (blocked until [Mon Apr 11 20:32:53 2016 UTC/Mon Apr 11 13:32:53 2016 LOCAL])
    [2016-04-11 13:54:52 -0700] info [cphulkd] 22565 Login Blocked: Too many failures for this username for this authentication database. [Service]=[imap] [Local IP Address]=[0000:0000:0000:0000:0000:0000:0000:0001] [Remote IP Address]=[0000:0000:0000:0000:0000:0000:0000:0001] [Authentication Database]=[mail] [Username]=[me@my.com] (5/5 failures) (blocked until [Mon Apr 11 20:59:52 2016 UTC/Mon Apr 11 13:59:52 2016 LOCAL])
    [2016-04-11 13:57:53 -0700] info [cphulkd] 22991 Login Blocked: Too many failures for this username for this authentication database. [Service]=[imap] [Local IP Address]=[0000:0000:0000:0000:0000:0000:0000:0001] [Remote IP Address]=[0000:0000:0000:0000:0000:0000:0000:0001] [Authentication Database]=[mail] [Username]=[me@my.com] (6/5 failures) (blocked until [Mon Apr 11 21:02:53 2016 UTC/Mon Apr 11 14:02:53 2016 LOCAL])
    [2016-04-11 14:30:52 -0700] info [cphulkd] 28062 Login Blocked: Too many failures for this username for this authentication database. [Service]=[imap] [Local IP Address]=[0000:0000:0000:0000:0000:0000:0000:0001] [Remote IP Address]=[0000:0000:0000:0000:0000:0000:0000:0001] [Authentication Database]=[mail] [Username]=[me@my.com] (21/5 failures) (blocked until [Mon Apr 11 21:35:52 2016 UTC/Mon Apr 11 14:35:52 2016 LOCAL])
    [2016-04-11 14:33:53 -0700] info [cphulkd] 28383 Login Blocked: Too many failures for this username for this authentication database. [Service]=[imap] [Local IP Address]=[0000:0000:0000:0000:0000:0000:0000:0001] [Remote IP Address]=[0000:0000:0000:0000:0000:0000:0000:0001] [Authentication Database]=[mail] [Username]=[me@my.com] (22/5 failures) (blocked until [Mon Apr 11 21:38:53 2016 UTC/Mon Apr 11 14:38:53 2016 LOCAL])
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,854
    Likes Received:
    676
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    Internal case CPANEL-5175 addresses an issue where cPHulk logs successful logins as failed logins when Two-Factor authentication is enabled on the system, and the IP from which the successful login takes place is whitelisted in cPHulk:

    Fixed case CPANEL-5175: CPHulk: Ensure successful logins are not improperly marked as failed.

    The resolution is included in cPanel version 56, which is currently available on the "Edge" and "Current" build tiers. The temporary workaround is to disable "Two-Factor Authentication" if you prefer to remain on version 54.

    Thank you.
     
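As an added example (not code from the thread, cPanel, or the poster): a small correlation script that applies cPanelMichael's explanation to the kind of logs ryodo pasted. For every "Login Blocked" entry in cphulkd.log it looks back a few minutes in the maillog for the same user and counts clean "Logged out" sessions versus imap-login "auth failed" disconnects. A block raised from the loopback address (webmail talks to IMAP over ::1) after nothing but successful sessions is the CPANEL-5175 symptom; a block preceded by real auth failures from a client IP is a genuine lockout. The sample lines for me@my.com are modelled on the thread; the bob@my.com lines, the second cphulkd entry, the 2001:db8:: addresses, the 5-minute window and the assumed log year are all constructed for the example.

```python
"""Correlate cphulkd.log "Login Blocked" entries with maillog activity to
separate false-positive lockouts (only successful sessions beforehand, via the
loopback) from lockouts that follow real authentication failures."""
import re
from datetime import datetime, timedelta
from ipaddress import ip_address

LOG_YEAR = 2016                  # assumption: maillog lines carry no year
WINDOW = timedelta(minutes=5)    # assumption: how far back to look before a block

# Constructed sample input modelled on the thread; bob@my.com lines and the
# 2001:db8:: addresses are invented for contrast.
MAILLOG = """\
Apr 11 13:53:27 cp dovecot: imap(me@my.com): Logged out in=274, out=5449, bytes=274/5449
Apr 11 13:53:33 cp dovecot: imap(me@my.com): Logged out in=146, out=2512, bytes=146/2512
Apr 11 13:53:33 cp dovecot: imap(me@my.com): Logged out in=4068, out=8871, bytes=4068/8871
Apr 11 13:53:33 cp dovecot: imap(me@my.com): Logged out in=724, out=3978, bytes=724/3978
Apr 11 13:54:52 cp dovecot: auth: Error: Cpanel::MailAuth: cphulk blocked login for user 'me@my.com' to access service 'mail' from IP '::1'
Apr 11 13:54:54 cp dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=, method=PLAIN, rip=::1, lip=::1, secured, session=
Apr 11 15:10:02 cp dovecot: imap-login: Disconnected (auth failed, 3 attempts in 9 secs): user=<bob@my.com>, method=PLAIN, rip=2001:db8::9, lip=2001:db8::4, session=
Apr 11 15:10:05 cp dovecot: auth: Error: Cpanel::MailAuth: cphulk blocked login for user 'bob@my.com' to access service 'mail' from IP '2001:db8::9'
"""

CPHULKD_LOG = """\
[2016-04-11 13:54:52 -0700] info [cphulkd] 22565 Login Blocked: Too many failures for this username for this authentication database. [Service]=[imap] [Local IP Address]=[0000:0000:0000:0000:0000:0000:0000:0001] [Remote IP Address]=[0000:0000:0000:0000:0000:0000:0000:0001] [Authentication Database]=[mail] [Username]=[me@my.com] (5/5 failures) (blocked until [Mon Apr 11 20:59:52 2016 UTC/Mon Apr 11 13:59:52 2016 LOCAL])
[2016-04-11 15:10:05 -0700] info [cphulkd] 30001 Login Blocked: Too many failures for this username for this authentication database. [Service]=[imap] [Local IP Address]=[2001:0db8:0000:0000:0000:0000:0000:0004] [Remote IP Address]=[2001:0db8:0000:0000:0000:0000:0000:0009] [Authentication Database]=[mail] [Username]=[bob@my.com] (5/5 failures) (blocked until [Mon Apr 11 22:15:05 2016 UTC/Mon Apr 11 15:15:05 2016 LOCAL])
"""

BLOCK_RE = re.compile(
    r"^\[(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) [-+]\d{4}\] \w+ \[cphulkd\] \d+ "
    r"Login Blocked: .*?\[Service\]=\[(?P<service>[^\]]+)\]"
    r".*?\[Remote IP Address\]=\[(?P<rip>[^\]]+)\]"
    r".*?\[Username\]=\[(?P<user>[^\]]+)\] \((?P<n>\d+)/(?P<limit>\d+) failures\)"
)
MAIL_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ dovecot: (?P<msg>.*)$")
LOGOUT_RE = re.compile(r"^imap\((?P<user>[^)]+)\): Logged out")
AUTHFAIL_RE = re.compile(
    r"^imap-login: Disconnected \(auth failed, (?P<n>\d+) attempts in \d+ secs\): "
    r"user=<?(?P<user>[^>,]*)>?,"
)


def parse_blocks(text):
    """Extract the fields we need from each cphulkd 'Login Blocked' line."""
    blocks = []
    for line in text.splitlines():
        m = BLOCK_RE.match(line)
        if m:
            blocks.append({
                "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                "service": m["service"],
                "rip": ip_address(m["rip"]),   # handles the zero-padded IPv6 form
                "user": m["user"],
                "failures": int(m["n"]),
                "limit": int(m["limit"]),
            })
    return blocks


def parse_maillog(text, year=LOG_YEAR):
    """Turn dovecot maillog lines into success / auth-failure events per user."""
    events = []
    for line in text.splitlines():
        m = MAIL_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {re.sub(r' +', ' ', m['ts'])}", "%Y %b %d %H:%M:%S")
        lo = LOGOUT_RE.match(m["msg"])
        if lo:  # a clean 'Logged out' means the session authenticated fine
            events.append({"ts": ts, "user": lo["user"], "kind": "success", "n": 1})
            continue
        af = AUTHFAIL_RE.match(m["msg"])
        if af:  # imap-login reports how many PLAIN attempts failed before disconnect
            events.append({"ts": ts, "user": af["user"], "kind": "authfail", "n": int(af["n"])})
    return events


def classify_blocks(cphulkd_text, maillog_text, window=WINDOW):
    """Label each block: loopback + only successes beforehand = suspect false positive."""
    events = parse_maillog(maillog_text)
    results = []
    for b in parse_blocks(cphulkd_text):
        start = b["ts"] - window
        recent = [e for e in events if e["user"] == b["user"] and start <= e["ts"] < b["ts"]]
        successes = sum(e["n"] for e in recent if e["kind"] == "success")
        authfails = sum(e["n"] for e in recent if e["kind"] == "authfail")
        if b["rip"].is_loopback and successes and not authfails:
            verdict = "suspect-false-positive"
        elif authfails:
            verdict = "genuine-failures"
        else:
            verdict = "unexplained"
        results.append({**b, "rip": str(b["rip"]), "successes": successes,
                        "authfails": authfails, "verdict": verdict})
    return results


if __name__ == "__main__":
    for r in classify_blocks(CPHULKD_LOG, MAILLOG):
        print(f"{r['ts']} {r['user']:<12} rip={r['rip']:<10} "
              f"ok={r['successes']} fail={r['authfails']} -> {r['verdict']}")
```

On the thread's data the me@my.com block is flagged suspect: the remote address is ::1 and the preceding minutes hold only "Logged out" sessions, which is exactly what cPanelMichael describes (successful logins counted as failures). The constructed bob@my.com block comes after three failed PLAIN attempts from the client address and is labelled genuine, so clearing cpHulk history for it would be the wrong response. Any block that lands in "unexplained" (no maillog activity in the window) deserves a manual look at both logs rather than a blanket whitelist.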
  5. ryodo

    ryodo Member

    Joined:
    Oct 3, 2012
    Messages:
    10
    Likes Received:
    1
    Trophy Points:
    3
    cPanel Access Level:
    Website Owner
    Thank you for letting me know!
     