Invalid Login when attempting to tether caused by cPHulk

davidpbj

Member
Jul 14, 2006
8
0
151
Phoenix, AZ
cPanel Access Level
Root Administrator
Twitter
Hi,

Up until a few weeks ago, I'd never had any problems connecting to WHM/cPanel (with cPHulk enabled) when tethering my MacBook Air off of my iPad. A few weeks ago, I hardened my server by following many of the suggestions that CSF gives, and I am now unable to connect via my tethered laptop. Each time I attempt to connect while tethered, I get an "Invalid Login" error. I am also unable to connect to the server via SSH and FTP, but I have no issues connecting to sites via port 80. I have no issues connecting to WHM/cPanel/FTP from home, on the same computer when it's connected via wi-fi (with or without my IP whitelisted). cPHulk doesn't show anything in its brute force logs. The problem persists with CSF completely disabled. I disabled Cookie IP Validation in WHM as well. Login_log shows the following when I attempt to connect to WHM with root, while tethered:

Code:
166.171.123.61 - root [10/16/2014:09:47:26 -0000] "GET /cpsess8614179331/scripts/command?PFILE=main HTTP/1.1" DEFERRED LOGIN whostmgrd: brute force attempt (user root) has locked out IP 166.171.123.61
166.171.123.61 - root [10/16/2014:09:47:39 -0000] "POST /login/?login_only=1 HTTP/1.1" DEFERRED LOGIN whostmgrd: brute force attempt (user root) has locked out IP 166.171.123.61

But if I disable cPHulk, I have no issues, and with Cookie IP Validation disabled, I can seamlessly transfer between wi-fi and tethering without having to re-authenticate. Obviously, I do not want to leave cPHulk disabled, but I am unsure as to which change in settings that I made (at CSF's recommendation) is causing this issue.

Any help with this matter would be appreciated. Thanks.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,880
2,261
463
Hello :)

Accounts can be locked out by cPHulk, not just the individual IP addresses. You may want to consider using CSF instead of cPHulk, as CSF will not lock you out of "root" during a brute force attack.

Thank you.
 

davidpbj

Thanks for the reply. I now disable cPHulk as required. Do you know what setting I messed with to cause cPHulk to become so sensitive? It's not like I'm trying to log in multiple times; the 1st time I attempt to log in I get the "Invalid Login" error. I'm not sure why the logs show a "brute force" attempt; cPHulk logs don't show any actual brute force attacks occurring against my server inside that time frame. Thanks.
 

cPanelMichael

cPHulk is configured via:

"WHM Home » Security Center » cPHulk Brute Force Protection"

It's likely one of the following options was triggered:

Maximum Failures By Account
Maximum Failures Per IP


You can enable "Send notification when brute force user is detected" should you decide to utilize cPHulk in the future so an alert is sent when a brute force user is detected.

Thank you.
 

davidpbj

Thanks, but I am familiar with how to configure cPHulk. My original question remains: What ELSE would I have to change for cPHulk to suddenly begin demonstrating this behavior? No changes were made to cPHulk itself, but I did follow the CSF recommendations to "harden" the server. Something that I did there is what caused cPHulk to behave this way. Before that point in time, I could log in fine via tethering. Plus, I get the "Invalid Login" immediately upon trying to log in while tethered - I'm not given a chance to even come close to the Maximum Failures By Account/Per IP thresholds. Also, I'm not getting any notification from the server when I get the "Invalid Login", and I know that the function does work because I'll still occasionally get a notification about somebody (from a non-blocked country) attempting to brute force an account.
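
Added example (not part of any post in this thread and not cPanel code): a small parser for the login_log layout quoted in the first post, reporting for each locked-out IP how many earlier, non-deferred entries that IP has in the same log excerpt. The 203.0.113.7 lines, their "FAILED LOGIN" status text and message, and the function names are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Layout taken from the two login_log lines quoted in the first post.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>[A-Z ]+?) (?P<service>\w+): (?P<msg>.*)$'
)

# First two lines come from the thread. The 203.0.113.7 lines are constructed,
# and their "FAILED LOGIN" status and message text are assumptions.
SAMPLE = '''\
166.171.123.61 - root [10/16/2014:09:47:26 -0000] "GET /cpsess8614179331/scripts/command?PFILE=main HTTP/1.1" DEFERRED LOGIN whostmgrd: brute force attempt (user root) has locked out IP 166.171.123.61
166.171.123.61 - root [10/16/2014:09:47:39 -0000] "POST /login/?login_only=1 HTTP/1.1" DEFERRED LOGIN whostmgrd: brute force attempt (user root) has locked out IP 166.171.123.61
203.0.113.7 - root [10/16/2014:09:50:01 -0000] "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN whostmgrd: invalid password
203.0.113.7 - root [10/16/2014:09:50:05 -0000] "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN whostmgrd: invalid password
203.0.113.7 - root [10/16/2014:09:50:09 -0000] "POST /login/?login_only=1 HTTP/1.1" DEFERRED LOGIN whostmgrd: brute force attempt (user root) has locked out IP 203.0.113.7
'''

def parse(line):
    """Return a dict for one login_log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%m/%d/%Y:%H:%M:%S %z")
    return rec

def summarize_lockouts(lines):
    """Per (ip, user, service): number of DEFERRED LOGIN entries, time of the
    first one, and how many non-deferred entries that IP logged before it."""
    seen_before = defaultdict(int)  # ip -> non-deferred entries so far
    out = {}
    records = sorted(filter(None, map(parse, lines)), key=lambda r: r["ts"])
    for rec in records:
        if rec["status"] != "DEFERRED LOGIN":
            seen_before[rec["ip"]] += 1
            continue
        key = (rec["ip"], rec["user"], rec["service"])
        entry = out.setdefault(key, {"first": rec["ts"], "count": 0,
                                     "prior_entries": seen_before[rec["ip"]]})
        entry["count"] += 1
    return out

if __name__ == "__main__":
    for (ip, user, svc), e in summarize_lockouts(SAMPLE.splitlines()).items():
        print(ip, user, svc, e["count"], "lockout entries;",
              e["prior_entries"], "earlier entries from this IP")
```

A lockout entry with zero earlier entries from the same IP, as for 166.171.123.61 here, is the pattern the original poster describes: the very first request is already deferred.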