cpHulk suddenly blocking logged-in webmail account

ryodo

Member
cPanel Access Level
Website Owner
Hi All -
Two weeks ago cpHulk started blocking my RoundCube webmail account sporadically. I wasn't watching to see if a new version of WHM had been installed. The only recent security configuration change was to enable two-factor authentication on individual cPanel accounts. We're running WHM 54.0 (build 21), with both cpHulk and CSF, which have been running nicely together for years.

Looking at the cpHulk history of failed logins, I see many entries for my address before the point I get locked out, even when I've been signed in for a couple of days. I also see multiple "failed" entries for others, who are using Mac Mail, but when I ask them they say they haven't had any login issues. The IP addresses listed in the "failed logins" history are the correct ones for the associated email addresses.

At the point where I used to get the "invalid token" messages, first I get an "unable to load" message, then a database failure message, then invalid login, so it appears to be some kerfuffle resulting from the thrashing around the expired token. I then have to go into cpHulk and clear history and blocked logins to get my mail.

Any ideas why this happens, and how to fix it?
 

cPanelMichael

Administrator
Staff member
Hello :)

Could you review /var/log/maillog and /usr/local/cpanel/logs/cphulkd.log for the corresponding time when the account is locked to see what the log output shows?

Thank you.
 

ryodo

Member
cPanel Access Level
Website Owner
Hello :)

Could you review /var/log/maillog and /usr/local/cpanel/logs/cphulkd.log for the corresponding time when the account is locked to see what the log output shows?

Thank you.
Thank you for responding quickly!

Yes, maillog shows several logged-out messages for my account, then a second later the block. I forgot to mention that we recently switched from courier to dovecot, but that was weeks before the new blocking issue.

The logs show I started getting blocked on 3/24/2016.

>>> maillog >>>
I've deleted intervening spamd and pop3 notices:
Apr 11 13:53:27 cp dovecot: imap([email protected]): Logged out in=274, out=5449, bytes=274/5449
...
Apr 11 13:53:33 cp dovecot: imap([email protected]): Logged out in=146, out=2512, bytes=146/2512
Apr 11 13:53:33 cp dovecot: imap([email protected]): Logged out in=4068, out=8871, bytes=4068/8871
Apr 11 13:53:33 cp dovecot: imap([email protected]): Logged out in=724, out=3978, bytes=724/3978

spamd and pop3 logins ......

Apr 11 13:54:52 cp dovecot: auth: Error: Cpanel::MailAuth: cphulk blocked login for user '[email protected]' to access service 'mail' from IP '::1'

spamd ...

Apr 11 13:54:54 cp dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=, method=PLAIN, rip=::1, lip=::1, secured, session=

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

>>> cphulkd.log - several entries today >>>
[2016-04-11 13:27:53 -0700] info [cphulkd] 16399 Login Blocked: Too many failures for this username for this authentication database. [Service]=[imap] [Local IP Address]=[0000:0000:0000:0000:0000:0000:0000:0001] [Remote IP Address]=[0000:0000:0000:0000:0000:0000:0000:0001] [Authentication Database]=[mail] [Username]=[[email protected]] (6/5 failures) (blocked until [Mon Apr 11 20:32:53 2016 UTC/Mon Apr 11 13:32:53 2016 LOCAL])
[2016-04-11 13:54:52 -0700] info [cphulkd] 22565 Login Blocked: Too many failures for this username for this authentication database. [Service]=[imap] [Local IP Address]=[0000:0000:0000:0000:0000:0000:0000:0001] [Remote IP Address]=[0000:0000:0000:0000:0000:0000:0000:0001] [Authentication Database]=[mail] [Username]=[[email protected]] (5/5 failures) (blocked until [Mon Apr 11 20:59:52 2016 UTC/Mon Apr 11 13:59:52 2016 LOCAL])
[2016-04-11 13:57:53 -0700] info [cphulkd] 22991 Login Blocked: Too many failures for this username for this authentication database. [Service]=[imap] [Local IP Address]=[0000:0000:0000:0000:0000:0000:0000:0001] [Remote IP Address]=[0000:0000:0000:0000:0000:0000:0000:0001] [Authentication Database]=[mail] [Username]=[[email protected]] (6/5 failures) (blocked until [Mon Apr 11 21:02:53 2016 UTC/Mon Apr 11 14:02:53 2016 LOCAL])
[2016-04-11 14:30:52 -0700] info [cphulkd] 28062 Login Blocked: Too many failures for this username for this authentication database. [Service]=[imap] [Local IP Address]=[0000:0000:0000:0000:0000:0000:0000:0001] [Remote IP Address]=[0000:0000:0000:0000:0000:0000:0000:0001] [Authentication Database]=[mail] [Username]=[[email protected]] (21/5 failures) (blocked until [Mon Apr 11 21:35:52 2016 UTC/Mon Apr 11 14:35:52 2016 LOCAL])
[2016-04-11 14:33:53 -0700] info [cphulkd] 28383 Login Blocked: Too many failures for this username for this authentication database. [Service]=[imap] [Local IP Address]=[0000:0000:0000:0000:0000:0000:0000:0001] [Remote IP Address]=[0000:0000:0000:0000:0000:0000:0000:0001] [Authentication Database]=[mail] [Username]=[[email protected]] (22/5 failures) (blocked until [Mon Apr 11 21:38:53 2016 UTC/Mon Apr 11 14:38:53 2016 LOCAL])
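An added example, not from the thread or from cPanel: a Python script that correlates the two logs posted above. It parses Dovecot "Logged out" lines from maillog and "Login Blocked" lines from cphulkd.log, then flags a block as a likely false positive when the blocked "remote" address is loopback (webmail talking to Dovecot on the same box) and the same user had clean session logouts in the two minutes before the block. The sample lines are constructed to mirror the thread's pattern with invented addresses; the 120-second window and the year supplied for maillog (which carries none) are assumptions.

```python
import re, ipaddress
from datetime import datetime, timedelta

# Constructed sample lines modelled on the thread's logs; addresses are invented.
MAILLOG = """\
Apr 11 13:53:27 cp dovecot: imap(user@example.com): Logged out in=274, out=5449, bytes=274/5449
Apr 11 13:53:33 cp dovecot: imap(user@example.com): Logged out in=146, out=2512, bytes=146/2512
Apr 11 13:54:52 cp dovecot: auth: Error: Cpanel::MailAuth: cphulk blocked login for user 'user@example.com' to access service 'mail' from IP '::1'
"""
CPHULKD_LOG = """\
[2016-04-11 13:54:52 -0700] info [cphulkd] 22565 Login Blocked: Too many failures for this username for this authentication database. [Service]=[imap] [Local IP Address]=[0000:0000:0000:0000:0000:0000:0000:0001] [Remote IP Address]=[0000:0000:0000:0000:0000:0000:0000:0001] [Authentication Database]=[mail] [Username]=[user@example.com] (5/5 failures) (blocked until [Mon Apr 11 20:59:52 2016 UTC/Mon Apr 11 13:59:52 2016 LOCAL])
[2016-04-11 14:30:52 -0700] info [cphulkd] 28062 Login Blocked: Too many failures for this username for this authentication database. [Service]=[imap] [Local IP Address]=[0000:0000:0000:0000:0000:0000:0000:0001] [Remote IP Address]=[203.0.113.7] [Authentication Database]=[mail] [Username]=[other@example.com] (21/5 failures) (blocked until [Mon Apr 11 21:35:52 2016 UTC/Mon Apr 11 14:35:52 2016 LOCAL])
"""

LOGOUT_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ dovecot: (?:imap|pop3)\(([^)]+)\): Logged out")
BLOCK_RE = re.compile(r"^\[(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) [^\]]*\] info \[cphulkd\] \d+ Login Blocked:.*?"
                      r"\[Service\]=\[([^\]]+)\].*?\[Remote IP Address\]=\[([^\]]+)\].*?"
                      r"\[Username\]=\[([^\]]+)\] \((\d+)/(\d+) failures\)")

def parse_logouts(text, year):
    """Successful IMAP/POP3 session ends per user; maillog has no year, so one is supplied."""
    out = []
    for line in text.splitlines():
        m = LOGOUT_RE.match(line)
        if m:
            out.append((datetime.strptime(m.group(1), "%b %d %H:%M:%S").replace(year=year), m.group(2)))
    return out

def parse_blocks(text):
    """Each cphulkd 'Login Blocked' record, with the zero-padded IPv6 address normalised."""
    blocks = []
    for line in text.splitlines():
        m = BLOCK_RE.match(line)
        if m:
            ts, service, rip, user, n, limit = m.groups()
            blocks.append({"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "service": service,
                           "remote_ip": ipaddress.ip_address(rip), "user": user,
                           "failures": int(n), "limit": int(limit)})
    return blocks

def classify(blocks, logouts, window=timedelta(seconds=120)):
    """Flag a block as a likely false positive when it comes from the loopback address
    (webmail proxying to Dovecot) and the same user had clean logouts just before it."""
    for b in blocks:
        recent = [t for t, u in logouts if u == b["user"] and b["ts"] - window <= t <= b["ts"]]
        b["recent_logouts"] = len(recent)
        b["suspect_false_positive"] = b["remote_ip"].is_loopback and bool(recent)
    return blocks

if __name__ == "__main__":
    for b in classify(parse_blocks(CPHULKD_LOG), parse_logouts(MAILLOG, 2016)):
        tag = "LIKELY FALSE POSITIVE" if b["suspect_false_positive"] else "check normally"
        print(f"{b['ts']} {b['user']} from {b['remote_ip']} ({b['failures']}/{b['limit']}): {tag}")
```

Run against the real files with the year taken from the cphulkd.log timestamps; blocks from a non-loopback address with no preceding clean sessions are the ones worth treating as genuine brute-force attempts.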
 

cPanelMichael

Administrator
Staff member
Hello :)

Internal case CPANEL-5175 addresses an issue where cPHulk logs successful logins as failed logins when Two-Factor authentication is enabled on the system, and the IP from which the successful login takes place is whitelisted in cPHulk:

Fixed case CPANEL-5175: CPHulk: Ensure successful logins are not improperly marked as failed.

The resolution is included in cPanel version 56, which is currently available on the "Edge" and "Current" build tiers. The temporary workaround is to disable "Two-Factor Authentication" if you prefer to remain on version 54.

Thank you.