Lorri Nevil

Registered
May 9, 2019
3
0
1
USA
cPanel Access Level
Root Administrator
I've spent a good deal of time, reached out to my server host, and was told I need to ask here.
I have roundcube and horde disabled from accounts as they are not used.
My logs are full of blocks for 127.0.0.1.
latest examples: (email removed - non existant email - all the same in this example)
I can't figure out what is happening, why "real" IP is not logged. I did search many different ways before asking. I saw some posts that I thought would address my issue, but the IP address was captured. thank you in advance.

[2019-05-10 00:10:54 -0400] info [cPhulkd] Login Blocked: Too many failures for this username for this authentication database. [Service]=[dovecot] [Local IP Address]=[127.0.0.1] [Remote IP Address]=[127.0.0.1] [Authentication Database]=[mail] [Username]=[email-removed] (10/10 failures) (blocked until [Fri May 10 04:20:54 2019 UTC/Fri May 10 00:20:54 2019 LOCAL])
[2019-05-10 00:11:09 -0400] info [cPhulkd] Login Blocked: Too many failures for this username for this authentication database. [Service]=[dovecot] [Local IP Address]=[127.0.0.1] [Remote IP Address]=[127.0.0.1] [Authentication Database]=[mail] [Username]=[email-removed] (10/10 failures) (blocked until [Fri May 10 04:21:09 2019 UTC/Fri May 10 00:21:09 2019 LOCAL])
[2019-05-10 00:11:09 -0400] info [cPhulkd] Login Blocked: Too many failures for this username for this authentication database. [Service]=[dovecot] [Local IP Address]=[127.0.0.1] [Remote IP Address]=[127.0.0.1] [Authentication Database]=[mail] [Username]=[email-removed] (11/10 failures) (blocked until [Fri May 10 04:21:09 2019 UTC/Fri May 10 00:21:09 2019 LOCAL])
[2019-05-10 00:11:25 -0400] info [cPhulkd] Login Blocked: Too many failures for this username for this authentication database. [Service]=[dovecot] [Local IP Address]=[127.0.0.1] [Remote IP Address]=[127.0.0.1] [Authentication Database]=[mail] [Username]=[email-removed] (11/10 failures) (blocked until [Fri May 10 04:21:25 2019 UTC/Fri May 10 00:21:25 2019 LOCAL])
[2019-05-10 00:11:25 -0400] info [cPhulkd] Login Blocked: Too many failures for this username for this authentication database. [Service]=[dovecot] [Local IP Address]=[127.0.0.1] [Remote IP Address]=[127.0.0.1] [Authentication Database]=[mail] [Username]=[email-removed] (12/10 failures) (blocked until [Fri May 10 04:21:25 2019 UTC/Fri May 10 00:21:25 2019 LOCAL])
[2019-05-10 00:11:41 -0400] info [cPhulkd] Login Blocked: Too many failures for this username for this authentication database. [Service]=[dovecot] [Local IP Address]=[127.0.0.1] [Remote IP Address]=[127.0.0.1] [Authentication Database]=[mail] [Username]=[email-removed] (12/10 failures) (blocked until [Fri May 10 04:21:41 2019 UTC/Fri May 10 00:21:41 2019 LOCAL])
 

cPanelMichael

Technical Support Community Manager
Staff member
Apr 11, 2011
47,911
2,234
363
cPanel Access Level
DataCenter Provider
Twitter
Hello @Lorri Nevil,

Let's say a cPanel user creates a PHP script like the one on this document and attempts to authenticate as another user to cPanel or WHM. cPhulk will track these login attempts and report the IP address as originating from the local server (e.g. localhost, 127.0.0.1).

You may want to search through your Apache domain access logs (/usr/local/apache/domlogs/) for the date/times in your cPHulk logs to see if you notice any corresponding activity.

Thank you.
 

Lorri Nevil

Registered
May 9, 2019
3
0
1
USA
cPanel Access Level
Root Administrator
@cPanelMichael
I just went to check current running processes (Home » System Health » Process Manager)
and it gives me A warning occurred while processing this directive.
lots of info starting with Entry for dovecot missing in /etc/shadow at /usr/local/cpanel/Cpanel/PwCache/Helpers.pm line 30 (plus other lines) - 6 boxes like this actually - exactly the same. I've searched for the first line to see if anyone else had the issue - only seeing a return of a few Entry for r00t missing in /etc/shadow - is this an unusual issue?
Thank you
 

Attachments