cphulk

Discussion in 'General Discussion' started by offline, Mar 12, 2009.

  1. offline

    Can anyone tell me what cpanel hulk does? I understand what something like fail2ban does: it analyzes logs, then makes entries in iptables to block someone's IP address. How does hulk work and what does it protect?

    Thanks,

    Chris Edwards
     
  2. DaveUsedToWorkHere

    cPHulk looks for logins for PAM services. Based on your configuration, it will block an IP after a specified number of failed logins from a specific IP (or for a specific account) for a specific period of time.
     
  3. offline

    Hmm, interesting. What services/ports does it cover? When it bans an IP, I noticed that they can continue to try to log in, but they are blocked at the PAM level? Is there a file/log that is created that shows you which IPs are blocked?
     
  4. DaveUsedToWorkHere

    It covers: cPanel, WHM, FTP, SSH, and I may be forgetting some more which I'll track down.

    We intentionally allow continued login attempts so as not to notify the attacker that they should start changing their strategy.

    In WHM, you can see the log of blocked IPs. It's in the Security Center.
     
  5. elkram

    Here's an excerpt from my /usr/local/cpanel/logs/error_log. Is this anything to worry about?

    Code:
    2009-03-13 16:44:54 info [cphulkd] [31754] Waiting for lock on /var/cpanel/hulkdpass held by cPhulkd - processor - locking /var/cpanel/hulkdpass with pid 31753
    2009-03-13 16:44:55 info [cphulkd] [31754] Lock file /var/cpanel/hulkdpass.lock now gone, try to acquire
    2009-03-13 17:15:15 info [cphulkd] [7325] Waiting for lock on /var/cpanel/hulkdpass held by cPhulkd - processor - locking /var/cpanel/hulkdpass with pid 7324
    2009-03-13 17:15:16 info [cphulkd] [7325] Lock file /var/cpanel/hulkdpass.lock now gone, try to acquire
    2009-03-13 17:30:25 info [cphulkd] [9268] Waiting for lock on /root/.my.cnf held by cPhulkd - processor - locking /root/.my.cnf with pid 9267
    2009-03-13 17:30:25 info [cphulkd] [9280] Waiting for lock on /var/cpanel/hulkdpass held by cPhulkd - processor - locking /var/cpanel/hulkdpass with pid 9273
    2009-03-13 17:30:25 info [cphulkd] [9275] Waiting for lock on /var/cpanel/hulkdpass held by cPhulkd - processor - locking /var/cpanel/hulkdpass with pid 9273
    2009-03-13 17:30:26 info [cphulkd] [9268] Lock file /root/.my.cnf.lock now gone, try to acquire
    2009-03-13 17:30:26 info [cphulkd] [9280] Lock file /var/cpanel/hulkdpass.lock now gone, try to acquire
    2009-03-13 17:30:26 info [cphulkd] [9275] Lock file /var/cpanel/hulkdpass.lock now gone, try to acquire
    2009-03-13 17:45:31 info [cphulkd] [10160] Waiting on invalid lock /var/cpanel/hulkdpass.lock for 60 seconds
    2009-03-13 18:14:56 info [cphulkd] [16101] Waiting for lock on /root/.my.cnf held by cPhulkd - processor - locking /root/.my.cnf with pid 16099
    2009-03-13 18:14:57 info [cphulkd] [16101] Lock file /root/.my.cnf.lock now gone, try to acquire
    Plus, cPHulk never seems to add anything to its database.
    Thanks.
     
  6. DaveUsedToWorkHere

    Looks like some file locking issues which may or may not be related to a bad drive. Please send in a support request so we can take a look. Thanks!
     
  7. elkram

    Thanks, Dave. I think I need to go through my provider as I am not the cPanel licensee.
     
  8. DaveUsedToWorkHere

    Surely. If your provider is unable to track it down quickly, they can send it up to us.
     