Getting blocked by cpHulk due to BF attacks

Discussion in 'cPanel Developers' started by douglatz, Jul 7, 2008.

  1. douglatz

    douglatz Member

    Hi,

    I've been locked out of my root account on my cPanel server several times now due to BF attacks against root. Is there any way I can configure a 'safe' IP address that will allow me to bypass the cpHulk block? (i.e. setting a static IP address that my computer is on to always be allowed access)

    Thanks!

    Douglas
     
  2. BenThomas

    BenThomas Well-Known Member

    Assuming you're not BF'ing yourself and getting your IP blocked, you could just create a reseller with root privileges and use the root password override login to the WHM as the reseller to flush the brutes database.

    It's not elegant, but would work. We'll likely add a more clean solution in future builds.
     
  3. cPanelDavidG

    cPanelDavidG Technical Product Specialist

    Just to add, while it sounds silly, a common thing I encountered when I was learning to use the XML-API is that the script wouldn't properly log in to my account (coder error). This in turn caused what appeared to be brute force attempts when I would test this script.

    Anyone using any sort of utilities that would use the APIs or for some reason would log in to WHM on your behalf should consider these possibilities when encountering a situation such as this.
     
  4. douglatz

    douglatz Member

    It would be kind of nice if there was a local console override for cpHulk. Because, yes, it even locks out access from the console.
     
  5. cPanelDavidG

    cPanelDavidG Technical Product Specialist

    The cpHulk database can be wiped via WHM, or manually using the command mentioned at:

    http://forums.cpanel.net/showthread.php?t=98297
     
  6. opt2bout

    opt2bout Well-Known Member

    127.0.0.1 is being blocked by cPhulk

    There appears to be something *different* going on here. The 127.0.0.1 address is being blocked by different hosting accounts failing to login to their webmail service.

    cPHulk is now recording mail service/localhost login failures...this isn't the same behavior as before.

    So when a user tries to log in to Webmail, instead of their public IP address getting listed in cphulk, it is blocking 127.0.0.1!!

    Nov 17 10:07:37 server22 cphulkd[20721]: Connection service=mail ip=127.0.0.1 port= user=xxxxx@yyyyy.com blocked by cphulkd (IP Address listed as brute numfailed=15 max=15)
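
A way to spot the situation described in the last post, as an added example that is not part of the original thread or cPanel's own tooling: it parses cphulkd "blocked" lines and counts those recorded against a loopback address. The field layout is assumed from the single log line quoted above; every sample line after the first is constructed.

```python
import ipaddress
import re
from collections import Counter

# Field layout taken from the cphulkd line quoted in the post above (assumed stable).
BLOCK_RE = re.compile(
    r"cphulkd\[\d+\]: Connection service=(?P<service>\S*) ip=(?P<ip>\S*) "
    r"port=(?P<port>\S*) user=(?P<user>\S*) blocked by cphulkd "
    r"\((?P<reason>.*) numfailed=(?P<numfailed>\d+) max=(?P<max>\d+)\)"
)

# First line is the one from the post; the rest are constructed samples.
SAMPLE = [
    "Nov 17 10:07:37 server22 cphulkd[20721]: Connection service=mail ip=127.0.0.1 port= user=xxxxx@yyyyy.com blocked by cphulkd (IP Address listed as brute numfailed=15 max=15)",
    "Nov 17 10:08:11 server22 cphulkd[20721]: Connection service=mail ip=127.0.0.1 port= user=aaaaa@bbbbb.com blocked by cphulkd (IP Address listed as brute numfailed=15 max=15)",
    "Nov 17 10:09:02 server22 cphulkd[20721]: Connection service=mail ip=203.0.113.7 port= user=ccccc@ddddd.com blocked by cphulkd (IP Address listed as brute numfailed=15 max=15)",
    "Nov 17 10:09:30 server22 sshd[3111]: unrelated line that must be ignored",
]


def parse_blocks(lines):
    """Yield one dict per cphulkd block line; all other lines are skipped."""
    for line in lines:
        m = BLOCK_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["numfailed"] = int(rec["numfailed"])
            rec["max"] = int(rec["max"])
            yield rec


def loopback_blocks(lines):
    """Count block events per (service, ip) where ip is a loopback address.

    Such entries mean failures were attributed to the server itself rather
    than to a remote client, as the post reports for webmail logins.
    """
    counts = Counter()
    for rec in parse_blocks(lines):
        try:
            addr = ipaddress.ip_address(rec["ip"])
        except ValueError:
            continue  # empty or malformed ip= field
        if addr.is_loopback:
            counts[(rec["service"], rec["ip"])] += 1
    return counts


if __name__ == "__main__":
    for (service, ip), n in loopback_blocks(SAMPLE).items():
        print(f"{n} block(s) recorded against {ip} for service={service}")
```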
     