cPHulkd blocking 127.0.0.1

Discussion in 'E-mail Discussion' started by Lorri Nevil, May 9, 2019.

  1. Lorri Nevil

    Lorri Nevil Registered

    Joined:
    May 9, 2019
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    USA
    cPanel Access Level:
    Root Administrator
    I've spent a good deal of time, reached out to my server host, and was told I need to ask here.
    I have roundcube and horde disabled from accounts as they are not used.
    My logs are full of blocks for 127.0.0.1.
    Latest examples: (email removed - nonexistent email - all the same in this example)
    I can't figure out what is happening, why "real" IP is not logged. I did search many different ways before asking. I saw some posts that I thought would address my issue, but the IP address was captured. Thank you in advance.

    [2019-05-10 00:10:54 -0400] info [cPhulkd] Login Blocked: Too many failures for this username for this authentication database. [Service]=[dovecot] [Local IP Address]=[127.0.0.1] [Remote IP Address]=[127.0.0.1] [Authentication Database]=[mail] [Username]=[email-removed] (10/10 failures) (blocked until [Fri May 10 04:20:54 2019 UTC/Fri May 10 00:20:54 2019 LOCAL])
    [2019-05-10 00:11:09 -0400] info [cPhulkd] Login Blocked: Too many failures for this username for this authentication database. [Service]=[dovecot] [Local IP Address]=[127.0.0.1] [Remote IP Address]=[127.0.0.1] [Authentication Database]=[mail] [Username]=[email-removed] (10/10 failures) (blocked until [Fri May 10 04:21:09 2019 UTC/Fri May 10 00:21:09 2019 LOCAL])
    [2019-05-10 00:11:09 -0400] info [cPhulkd] Login Blocked: Too many failures for this username for this authentication database. [Service]=[dovecot] [Local IP Address]=[127.0.0.1] [Remote IP Address]=[127.0.0.1] [Authentication Database]=[mail] [Username]=[email-removed] (11/10 failures) (blocked until [Fri May 10 04:21:09 2019 UTC/Fri May 10 00:21:09 2019 LOCAL])
    [2019-05-10 00:11:25 -0400] info [cPhulkd] Login Blocked: Too many failures for this username for this authentication database. [Service]=[dovecot] [Local IP Address]=[127.0.0.1] [Remote IP Address]=[127.0.0.1] [Authentication Database]=[mail] [Username]=[email-removed] (11/10 failures) (blocked until [Fri May 10 04:21:25 2019 UTC/Fri May 10 00:21:25 2019 LOCAL])
    [2019-05-10 00:11:25 -0400] info [cPhulkd] Login Blocked: Too many failures for this username for this authentication database. [Service]=[dovecot] [Local IP Address]=[127.0.0.1] [Remote IP Address]=[127.0.0.1] [Authentication Database]=[mail] [Username]=[email-removed] (12/10 failures) (blocked until [Fri May 10 04:21:25 2019 UTC/Fri May 10 00:21:25 2019 LOCAL])
    [2019-05-10 00:11:41 -0400] info [cPhulkd] Login Blocked: Too many failures for this username for this authentication database. [Service]=[dovecot] [Local IP Address]=[127.0.0.1] [Remote IP Address]=[127.0.0.1] [Authentication Database]=[mail] [Username]=[email-removed] (12/10 failures) (blocked until [Fri May 10 04:21:41 2019 UTC/Fri May 10 00:21:41 2019 LOCAL])
     
  2. cPanelMichael

    cPanelMichael Technical Support Community Manager Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    47,273
    Likes Received:
    2,154
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Twitter:
    Hello @Lorri Nevil,

    Let's say a cPanel user creates a PHP script like the one on this document and attempts to authenticate as another user to cPanel or WHM. cPhulk will track these login attempts and report the IP address as originating from the local server (e.g. localhost, 127.0.0.1).

    You may want to search through your Apache domain access logs (/usr/local/apache/domlogs/) for the date/times in your cPHulk logs to see if you notice any corresponding activity.

    Thank you.
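
The log correlation suggested in the reply above, as an added example that is not part of the original thread or cPanel's own tooling: it pulls the timestamps of cPHulk blocks whose remote address is the server itself and counts the web requests that arrived just before each one. It assumes the domain access logs use the Apache combined format and a 5-second window; the access-log lines and the non-loopback cPHulk line are constructed samples.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

PHULK_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] info \[cPhulkd\] Login Blocked:.*?"
    r"\[Service\]=\[(?P<service>[^\]]*)\].*?"
    r"\[Remote IP Address\]=\[(?P<rip>[^\]]*)\].*?"
    r"\[Username\]=\[(?P<user>[^\]]*)\]")
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)')

def loopback_blocks(lines):
    """Times of cPHulk blocks whose remote address is the server itself."""
    out = []
    for line in lines:
        m = PHULK_RE.match(line.strip())
        if m and m["rip"] in ("127.0.0.1", "::1"):
            out.append(datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S %z"))
    return out

def correlate(phulk_lines, access_lines, window_s=5):
    """Count web requests that landed within window_s seconds before a block."""
    blocks = loopback_blocks(phulk_lines)
    window = timedelta(seconds=window_s)
    hits = Counter()
    for line in access_lines:
        m = ACCESS_RE.match(line.strip())
        if not m:
            continue  # not a combined-format request line
        t = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if any(timedelta(0) <= b - t <= window for b in blocks):
            hits[(m["ip"], m["method"], m["path"])] += 1
    return hits.most_common()

# cPHulk lines in the format posted in this thread; the last one is constructed.
_TPL = ("[2019-05-10 {t} -0400] info [cPhulkd] Login Blocked: Too many failures for "
        "this username for this authentication database. [Service]=[dovecot] "
        "[Local IP Address]=[127.0.0.1] [Remote IP Address]=[{rip}] "
        "[Authentication Database]=[mail] [Username]=[email-removed] (10/10 failures)")
PHULK_SAMPLE = [_TPL.format(t="00:10:54", rip="127.0.0.1"),
                _TPL.format(t="00:11:09", rip="127.0.0.1"),
                _TPL.format(t="00:11:20", rip="192.0.2.50")]
# Constructed domlog lines (documentation IP ranges, hypothetical path).
ACCESS_SAMPLE = [
    '203.0.113.7 - - [10/May/2019:00:10:53 -0400] "POST /form.php HTTP/1.1" 200 312',
    '203.0.113.7 - - [10/May/2019:00:11:08 -0400] "POST /form.php HTTP/1.1" 200 312',
    '198.51.100.20 - - [10/May/2019:00:09:30 -0400] "GET /index.html HTTP/1.1" 200 1024']

if __name__ == "__main__":
    print(correlate(PHULK_SAMPLE, ACCESS_SAMPLE))
```

A client and path that repeatedly top this list across many blocks point to the local script relaying the logins; an empty result suggests the attempts are not coming through that domain's web requests.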
     
  3. Lorri Nevil

    Lorri Nevil Registered

    Thank you @cPanelMichael
    I will do that. My server is pretty much locked down - there *shouldn't* be anyone on that I don't know as it's not open to just create an account. I just tweaked a few more things but that hasn't subsided.
     
  4. Lorri Nevil

    Lorri Nevil Registered

    @cPanelMichael
    I just went to check current running processes (Home » System Health » Process Manager)
    and it gives me "A warning occurred while processing this directive."
    Lots of info starting with "Entry for dovecot missing in /etc/shadow at /usr/local/cpanel/Cpanel/PwCache/Helpers.pm line 30" (plus other lines) - 6 boxes like this actually - exactly the same. I've searched for the first line to see if anyone else had the issue - only seeing a return of a few "Entry for r00t missing in /etc/shadow" - is this an unusual issue?
    Thank you
     


  5. cPanelMichael

    cPanelMichael Technical Support Community Manager Staff Member

    Hello @Lorri Nevil,

    Can you open a support ticket so we can take a closer look to see why that error message is appearing? You can post the ticket number here and we'll link this thread to it.

    Thank you.
     