cphulkd internal errors

Discussion in 'Security' started by Eric Wheeler, Apr 11, 2018.

  1. Eric Wheeler

    Eric Wheeler Registered

    Joined:
    Apr 11, 2018
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    USA
    cPanel Access Level:
    Root Administrator
    Hello all,

    We are getting the same error in this 2-year-old thread, so we are opening a new thread:



    This is our version: 11.58.0.52

    Apr 11 05:30:06 web1 dovecot: auth: Error: Cpanel::MailAuth: Brute force checking was skipped because cphulkd failed to process "info@example.com" from "IP '3.4.5.6'" for the "smtp" service.
    Apr 11 05:30:08 web1 dovecot: auth: Error: Cpanel::MailAuth: Brute force checking was skipped because cphulkd failed to process "shaaspd" from "IP '1.2.3.4'5'" for the "pop3" service.
    Apr 11 05:30:14 web1 dovecot: auth: Error: Cpanel::MailAuth: Brute force checking was skipped because cphulkd failed to process "postmaster@example.com" from "IP '1.2.3.4'" for the "imap" service.



    We have reset the cphulkd database and confirmed that we can log into cphulkd's database using the credentials in /var/cpanel/hulkd/password, so I am not sure what else to check.

    What do we do next?

    Thank you for your help!
     
  2. cPanelLauren

    cPanelLauren Forums Analyst II
    Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    3,116
    Likes Received:
    216
    Trophy Points:
    173
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    Hello @Eric Wheeler

    Looking back through our internal cases, CPANEL-1754 (which was noted in the other thread) was marked as something that we will not fix, as it is not actually an issue. This error was found to be occurring during a failed login attempt, making it a justified error.

    Are you experiencing adverse behavior you believe to be related to this error?

    Thank you,
     
  3. Eric Wheeler

    Maybe you can help me understand, because I thought failed logins were supposed to be reported to cphulkd---but the error appears to indicate that cphulkd cannot be notified.

    We are not having any adverse effects, but I want to make sure that cphulkd is correctly blocking password guessing attacks.
     
  4. cPanelLauren

    Hi,

    I agree that it does seem misleading and this was noted in the case as well. The best way to confirm this would be to go to WHM>>Security Center>>cPHulk Brute Force Protection -> History reports and attempt to compare these log entries with present blocks.

    Thank you,
     
  5. Eric Wheeler

    The cphulkd database shows this line:

    adam@example.com 222.120.247.207 mail pop3 2018-04-13 14:39:19 2018-04-13 20:39:19 198

    And our logs show entries like this:

    Apr 13 14:50:54 web1 dovecot: auth: Error: Cpanel::MailAuth: Brute force checking was skipped because cphulkd failed to process "anderson@example.com" from "IP '222.120.247.207'" for the "pop3" service.

    Note that anderson@example.com does not exist in the cphulkd database. I am guessing that this error is telling us that it was for some reason unable to insert the entry into the database for this IP.

    The question is, why?

    Can you confirm whether cphulkd will "fail to process" the entry because the IP is already blocked?
     
  6. cPanelLauren

    Hello,


    Can you confirm that the IP address is blocked? It's not actually skipping, per the internal case. From the internal case directly:

    Thank you,
     
  7. Eric Wheeler

    Yes, the IP is blocked, but as noted above in the previous post, the entry for "anderson@example.com" is missing from cPHulkd. Other users for that IP exist and are blocked, but not the one that the log references.

    Shouldn't the log reference all failed attempts, even if the IP is already blocked?
     
  8. cPanelLauren

    Hi @Eric Wheeler

    I agree with you that it should, but it does appear that it's skipping adding the username in the event that the IP address is already blocked, as you assumed previously. While the case does make note of the potential confusion the log entry makes, if you would like for us to take a closer look, I would encourage you to use the link in my signature to open a ticket.


    Thank you,
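
Added example (not part of the original thread, and not cPanel code): one way to script the comparison discussed above, checking each "Brute force checking was skipped" log line against the block windows recorded for its IP. The column meanings of the database row, the function names and the supplied year are assumptions.

```python
import ipaddress
import re
from datetime import datetime

# The Cpanel::MailAuth error line quoted in the thread.
SKIP_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) .*cphulkd failed to process '
    r'"(?P<user>[^"]*)" from "IP \'(?P<ip>[^"]*)\'" for the "(?P<svc>[^"]*)" service')
FMT = "%Y-%m-%d %H:%M:%S"

def parse_blocks(rows):
    """ASSUMED columns: user ip service auth-service start(date time) end(date time) n."""
    blocks = {}
    for f in (row.split() for row in rows):
        window = (datetime.strptime(f"{f[4]} {f[5]}", FMT),
                  datetime.strptime(f"{f[6]} {f[7]}", FMT))
        blocks.setdefault(f[1], []).append(window)
    return blocks

def classify(log_lines, blocks, year):
    """Return (status, user, ip) for every 'checking was skipped' line.
    Syslog omits the year, so the caller supplies it; log and database
    clocks are assumed to be in the same time zone."""
    out = []
    for line in log_lines:
        m = SKIP_RE.search(line)
        if not m:
            continue
        try:
            ip = str(ipaddress.ip_address(m["ip"]))
        except ValueError:  # e.g. the mangled address in the first post
            out.append(("unparsed-ip", m["user"], m["ip"]))
            continue
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        covered = any(start <= when <= end for start, end in blocks.get(ip, []))
        out.append(("ip-already-blocked" if covered else "no-active-block", m["user"], ip))
    return out

# Sample input: the database row and log lines as posted in the thread.
SAMPLE_BLOCKS = ["adam@example.com 222.120.247.207 mail pop3 2018-04-13 14:39:19 2018-04-13 20:39:19 198"]
SAMPLE_LOG = """\
Apr 13 14:50:54 web1 dovecot: auth: Error: Cpanel::MailAuth: Brute force checking was skipped because cphulkd failed to process "anderson@example.com" from "IP '222.120.247.207'" for the "pop3" service.
Apr 11 05:30:06 web1 dovecot: auth: Error: Cpanel::MailAuth: Brute force checking was skipped because cphulkd failed to process "info@example.com" from "IP '3.4.5.6'" for the "smtp" service.
Apr 11 05:30:08 web1 dovecot: auth: Error: Cpanel::MailAuth: Brute force checking was skipped because cphulkd failed to process "shaaspd" from "IP '1.2.3.4'5'" for the "pop3" service.
""".splitlines()

if __name__ == "__main__":
    for result in classify(SAMPLE_LOG, parse_blocks(SAMPLE_BLOCKS), 2018):
        print(*result)
```

Lines classified `no-active-block` are the ones worth following up, since the error then cannot be explained by the IP already being blocked.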
     