[SOLVED] cPHulkd not working, not creating rules

mikeserv (Member, Aug 15, 2021, Ontario, Canada; cPanel Access Level: Root Administrator)
Hello

I very recently got a new server with CentOS 7.9 and WHM/cPanel v98.0.4.

I can't seem to get cPHulkd working. The end result is that no iptables chain or rules are being created.

I do not have "firewalld" enabled.

It does not seem like "cPhulkd - processor" or "cPhulkd - dbprocessor" are doing anything. The service starts and shows as enabled in WHM, but they never use any CPU time or anything. I do not have them "dormant"; I unchecked that for cphulkd (for troubleshooting purposes). They should be quite active.

How can I even tell if I have a cphulkd database? It doesn't show up in the MySQL interface (only site databases).

Code:
# ps aux | grep -i cphulk
root 1869 0.0 0.0 189928 12732 ? Ss 17:16 0:00 cPhulkd - processor
root 2142 0.0 0.0 154000 12392 ? S 17:16 0:00 cPhulkd - dbprocessor

I have "block IP addresses at the firewall level" options enabled for both "brute force" and "one-day block" as I always had on previous servers.

I am not seeing anything interesting in cphulkd_errors.log

I need this to work, because I constantly get hammered with failed login attempts.
 

mikeserv
It seems to be only monitoring dovecot, but it's not adding its iptables rule chain or any entries for the failed login attempts.

It's also not logging any errors, and I turned on debug. cphulkd_errors.log is getting no entries, and cphulkd.log just seems to be logging whitelisted dovecot events. It's not doing anything for sshd or anything else.

So it doesn't seem that it's going for logs or PAM authentication failures. Could it have something to do with the logs? I do have rsyslogd and it's writing the usual log files to /var/log. If I tail -f /var/log/secure there are all kinds of failed sshd logins going on, pretty much constantly.

systemd-journald is using Storage=auto and is also keeping system.journal in /run/log/journal/.

Something wrong with those "keys" for accessing the data for those services perhaps? I should think there would be errors of some sort.
 

cPRex (Jurassic Moderator, Staff member, Oct 19, 2014; cPanel Access Level: Root Administrator)
cPHulk can definitely interface with the firewall. There are various options, such as these two that would interact with the server's firewall, mentioned by @mikeserv:

Code:
Block IP addresses at the firewall level if they trigger brute force protection — Whether you wish to automatically add IP addresses that trigger brute force protection to the firewall.

Block IP addresses at the firewall level if they trigger a one-day block — Whether you wish to automatically add IP addresses that trigger a one-day block to the firewall. This option writes a new iptables rule and requires iptables version 1.4 or higher. This checkbox defaults to selected.
cPHulk uses an SQLite database, so you would not see that with any MySQL commands. Details on that can be found here, as that behavior was changed in version 62:


If you're not seeing anything being written, are you sure there are failed logins triggering cPHulk? It might be best to have our team examine the server and check things out - if you decide to submit a ticket please post the number here so I can follow along and keep this thread updated.
 

mikeserv
Oh yes, I'm sure there are failed logins, but they aren't triggering cPHulk. In the 6 hours I slept there were 800+ failed sshd logins for the root account alone, and right now there's a run going on from the same IP address (tail -f /var/log/secure), which should be triggering it.

I'll consider a support ticket if I can't figure this out very soon, though I was just hoping for a bit of advice.
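The kind of evidence being described above (hundreds of failed root logins, a sustained run from one address) is easy to tally per source IP so you can say which addresses should already have tripped brute-force protection. The script below is an added example, not part of the thread or cPanel's tooling; the log lines are constructed to mimic CentOS 7 rsyslog output in /var/log/secure and use documentation-range addresses, and the threshold value is an arbitrary choice.

```shell
#!/bin/sh
# Added example: count sshd "Failed password" events per source IP from
# /var/log/secure-style lines. Sample lines are constructed, not captured.

SAMPLE_SECURE=$(cat <<'EOF'
Aug 15 03:12:01 host sshd[1234]: Failed password for root from 203.0.113.7 port 51234 ssh2
Aug 15 03:12:03 host sshd[1234]: Failed password for root from 203.0.113.7 port 51236 ssh2
Aug 15 03:12:05 host sshd[1240]: Failed password for invalid user admin from 198.51.100.9 port 40001 ssh2
Aug 15 03:12:07 host sshd[1241]: Failed password for root from 203.0.113.7 port 51240 ssh2
Aug 15 03:12:09 host sshd[1242]: Accepted publickey for deploy from 192.0.2.5 port 2222 ssh2
Aug 15 03:12:11 host sshd[1243]: Failed password for root from 198.51.100.9 port 40002 ssh2
EOF
)

# failed_logins_per_ip [THRESHOLD]
# Reads log lines on stdin and prints "count ip" for every source IP with at
# least THRESHOLD (default 1) failed sshd password attempts, highest first.
# Successful logins and non-sshd lines are ignored.
failed_logins_per_ip() {
    threshold=${1:-1}
    awk -v min="$threshold" '
        /sshd\[[0-9]+\]: Failed password for/ {
            # the source address is the field right after "from"
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
        }
        END { for (ip in n) if (n[ip] >= min) print n[ip], ip }
    ' | sort -rn
}

# failed_root_logins
# Reads log lines on stdin and prints how many failed attempts targeted root.
failed_root_logins() {
    grep -c 'sshd\[[0-9]*\]: Failed password for root from'
}

# Usage against the constructed sample. On a live server you would run e.g.
#   failed_logins_per_ip 5 < /var/log/secure
printf '%s\n' "$SAMPLE_SECURE" | failed_logins_per_ip 2
printf '%s\n' "$SAMPLE_SECURE" | failed_root_logins
```

Any address that shows up here with a count past the brute-force limit configured in WHM but is absent from the cPHulk chain in `iptables -nL` is direct evidence that cPHulk is not seeing the failures, which is the situation this thread is about.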
 

mikeserv
I do very much appreciate your consideration and I did have every intention of following up with a solution if I found one.

However, it doesn't seem that I'm going to solve this by hunting and poking; I can see nothing wrong. So I submitted a support ticket as suggested.

Ticket ID #94354410
 

mikeserv
So the problem turned out to be missing PAM configuration for the pam_hulk.so module: "required pam_hulk.so" in /etc/pam.d/password-auth and system-auth.

Had I known about it, a command to fix it would have been:

Code:
/usr/local/cpanel/bin/cphulk_pam_ctl --enable

Thanks, folks.
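Since the root cause was a missing PAM hook rather than anything in cPHulk's own logs, a quick check of the PAM stacks is the first thing to run when cPHulk is silent. The script below is an added example and not cPanel's tooling. It assumes pam_hulk.so is referenced from an `auth` line in /etc/pam.d/system-auth and /etc/pam.d/password-auth; the `required` control flag and the absence of module arguments in the sample files are assumptions, and the exact line cPanel writes may differ. The sample PAM files are constructed in a temp directory, not copied from a real server.

```shell
#!/bin/sh
# Added example: verify that pam_hulk.so is present in the PAM stacks cPHulk
# depends on. Sample PAM directories are constructed, not taken from a server.

# pam_hulk_status PAMDIR
# Prints "ok" when both system-auth and password-auth carry an active (not
# commented) auth line referencing pam_hulk.so, otherwise "missing: <files>".
# Returns 0 when ok, 1 otherwise.
pam_hulk_status() {
    dir=$1
    missing=""
    for f in system-auth password-auth; do
        if ! grep -Eq '^[[:space:]]*auth[[:space:]].*pam_hulk\.so' "$dir/$f" 2>/dev/null; then
            missing="$missing $f"
        fi
    done
    if [ -z "$missing" ]; then
        echo ok
        return 0
    fi
    echo "missing:$missing"
    return 1
}

# make_sample_pamdir WITH_HULK
# Builds a throwaway /etc/pam.d lookalike and prints its path.
# WITH_HULK=1 includes the pam_hulk.so line (assumed form); 0 omits it,
# reproducing the broken state described in this thread.
make_sample_pamdir() {
    d=$(mktemp -d)
    for f in system-auth password-auth; do
        {
            echo '#%PAM-1.0'
            [ "$1" = 1 ] && echo 'auth        required      pam_hulk.so'
            echo 'auth        required      pam_env.so'
            echo 'auth        sufficient    pam_unix.so nullok try_first_pass'
            echo 'account     required      pam_unix.so'
        } > "$d/$f"
    done
    echo "$d"
}

# Stand-alone usage: the broken state, then the state after the fix from the
# thread (/usr/local/cpanel/bin/cphulk_pam_ctl --enable, not run here).
broken=$(make_sample_pamdir 0)
fixed=$(make_sample_pamdir 1)
pam_hulk_status "$broken" || echo "fix: /usr/local/cpanel/bin/cphulk_pam_ctl --enable"
pam_hulk_status "$fixed"
rm -rf "$broken" "$fixed"

# On a real CentOS 7 / cPanel server:  pam_hulk_status /etc/pam.d
```

Because the check only greps for the module name on an uncommented `auth` line, it will not notice a line placed so late in the stack that an earlier `sufficient` module short-circuits it; after enabling, confirm the line sits before pam_unix.so, then watch for the cPHulk chain to appear in `iptables -nL` once the next run of failed logins hits.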