SOLVED CPHULKD not working not creating rules

mikeserv

Member
Aug 15, 2021
6
1
3
Ontario, Canada
cPanel Access Level
Root Administrator
Hello

I very recently got a new server with Centos 7.9 and WHM/Cpanel V98.0.4

I can't seem to get CPHulkD working. The end result is that there are no iptables rule chain or rules being created.

I do not have "firewalld" enabled.

It does not seem like cPhulkd - processor or cPhulkd - dbprocessor are doing anything. The service is starting and shows as enabled in WHM but they are never using any CPU time or anything. I do not have them "dormant" I unchecked that for cphulkd (for troubleshooting purposes). That should be quite active.

How can I even tell if I have a cphulkd database? It doesn't show up in the mysql interface (only site databases)

[[email protected] logs]# ps aux | grep -i cphulk
root 1869 0.0 0.0 189928 12732 ? Ss 17:16 0:00 cPhulkd - processor
root 2142 0.0 0.0 154000 12392 ? S 17:16 0:00 cPhulkd - dbprocessor

I have "block IP addresses at the firewall level" options enabled for both "brute force" and "one-day block" as I always had on previous servers.

I am not seeing anything interesting in cphulkd_errors.log

I need this to work, because I constantly get hammered with failed login attempts.
 

mikeserv

Member
Aug 15, 2021
6
1
3
Ontario, Canada
cPanel Access Level
Root Administrator
It seems to be only monitoring dovecot, but it's not adding its iptables rule chain or any entries for the failed login attempts.

It's also not logging any errors, and I turned on debug. cphulkd_errors.log is getting no entries, and cphulkd.log just seems to be logging whitelisted dovecot events. It's not doing anything for sshd or anything else.

So it doesn't seem that it's going for logs or PAM authentication failures. Could it have something to do with the logs? I do have rsyslogd and it's writing the usual log files to /var/log. If I tail -f /var/log/secure there are all kinds of failed sshd logins going on, pretty much constantly.

Systemd-journald is using Storage=auto and is also keeping system.journal in /run/log/journal/

Something wrong with those "keys" for accessing the data for those services perhaps? I should think there would be errors of some sort.
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
7,519
1,027
313
cPanel Access Level
Root Administrator
cPHulk can definitely interface with the firewall. There are various options, such as these two that would interact with the server's firewall, mentioned by @mikeserv

Code:
Block IP addresses at the firewall level if they trigger brute force protection —Whether you wish to automatically add IP addresses that trigger brute force protection to the firewall.

Block IP addresses at the firewall level if they trigger a one-day block — Whether you wish to automatically add IP addresses that trigger a one-day block to the firewall. This option writes a new iptables rule and requires iptables version 1.4 or higher. This checkbox defaults to selected.
cPHulk uses an SQLite database, so you would not see that with any MySQL commands. Details on that can be found here, as that behavior was changed in version 62:


If you're not seeing anything being written, are you sure there are failed logins triggering cPHulk? It might be best to have our team examine the server and check things out - if you decide to submit a ticket please post the number here so I can follow along and keep this thread updated.
 

mikeserv

Member
Aug 15, 2021
6
1
3
Ontario, Canada
cPanel Access Level
Root Administrator
Oh yes, I'm sure there are failed logins but they aren't triggering CPHulk. In the 6 hours I slept there are 800+ failed sshd logins for the root account alone, and right now there's a run going on from the same IP address (tail -f /var/log/secure) which should be triggering it.

I'll consider a support ticket if I can't figure this out very soon, though I was just hoping for a bit of advice.
 

mikeserv

Member
Aug 15, 2021
6
1
3
Ontario, Canada
cPanel Access Level
Root Administrator
I do very much appreciate your consideration and I did have every intention of following up with a solution if I found one.

However, it doesn't seem that I'm going to solve this by hunting and poking, I can see nothing wrong. So I submitted a support ticket as suggested.

Ticket ID #94354410
 

mikeserv

Member
Aug 15, 2021
6
1
3
Ontario, Canada
cPanel Access Level
Root Administrator
So the problem turned out to be missing PAM configuration for the pam_hulk.so module, "required pam_hulk.so" in /etc/pam.d/password-auth and system-auth

Had I known about it, a command to fix it would have been:

"/usr/local/cpanel/bin/cphulk_pam_ctl --enable"

Thanks, folks.