
Invalid Login when attempting to tether caused by cPHulk

Discussion in 'General Discussion' started by davidpbj, Oct 16, 2014.

  1. davidpbj

    davidpbj Member

    Hi,

    Up until a few weeks ago, I'd never had any problems connecting to WHM/cPanel (with cPHulk enabled) when tethering my MacBook Air off of my iPad. A few weeks ago, I hardened my server by following many of the suggestions that CSF gives and I am now unable to connect via my tethered laptop. Each time I attempt to connect while tethered, I get an "Invalid Login" error. I am also unable to connect to the server via SSH and FTP but I have no issues connecting to sites via port 80. I have no issues connecting to WHM/cPanel/FTP from home, on the same computer when it's connected via wi-fi (with or without my IP whitelisted). cPHulk doesn't show anything in its brute force logs. The problem persists with CSF completely disabled. I disabled Cookie IP Validation in WHM as well. Login_log shows the following when I attempt to connect to WHM with root, while tethered:

    Code:
    166.171.123.61 - root [10/16/2014:09:47:26 -0000] "GET /cpsess8614179331/scripts/command?PFILE=main HTTP/1.1" DEFERRED LOGIN whostmgrd: brute force attempt (user root) has locked out IP 166.171.123.61
    166.171.123.61 - root [10/16/2014:09:47:39 -0000] "POST /login/?login_only=1 HTTP/1.1" DEFERRED LOGIN whostmgrd: brute force attempt (user root) has locked out IP 166.171.123.61
    
    But if I disable cPHulk, I have no issues and with Cookie IP Validation disabled, I can seamlessly transfer between wi-fi and tethering without having to re-authenticate. Obviously, I do not want to leave cPHulk disabled but I am unsure as to which change in settings that I made (at CSF's recommendation) is causing this issue.

    Any help with this matter would be appreciated. Thanks.
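
Added example, not part of any post in this thread: a small Python parser for the `login_log` lockout lines quoted in the first post, grouping them by locked-out IP, user and service so an administrator can see when an address was first deferred and which requests were affected. The sample lines are constructed (documentation-range IPs, placeholder session token), and the line shape is assumed from the two entries quoted above.

```python
import re
from collections import defaultdict
from datetime import datetime

# Line shape assumed from the two login_log entries quoted in the first post.
LINE_RE = re.compile(
    r'^\S+ - \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'DEFERRED LOGIN (?P<service>\w+): brute force attempt '
    r'\(user (?P<user>[^)]+)\) has locked out IP (?P<ip>\S+)\s*$'
)

# Constructed sample input (documentation-range IPs); the last line is truncated.
SAMPLE_LOG = """\
203.0.113.7 - root [10/16/2014:09:47:26 -0000] "GET /cpsess0000000000/scripts/command?PFILE=main HTTP/1.1" DEFERRED LOGIN whostmgrd: brute force attempt (user root) has locked out IP 203.0.113.7
203.0.113.7 - root [10/16/2014:09:47:39 -0000] "POST /login/?login_only=1 HTTP/1.1" DEFERRED LOGIN whostmgrd: brute force attempt (user root) has locked out IP 203.0.113.7
198.51.100.20 - alice [10/16/2014:10:02:11 -0000] "POST /login/?login_only=1 HTTP/1.1" DEFERRED LOGIN whostmgrd: brute force attempt (user alice) has locked out IP 198.51.100.20
203.0.113.7 - root [10/16/2014:09:48
"""


def summarize_lockouts(text):
    """Group lockout entries by (locked-out IP, user, service)."""
    groups = defaultdict(lambda: {"count": 0, "first": None, "last": None, "paths": []})
    skipped = 0
    for line in filter(str.strip, text.splitlines()):
        m = LINE_RE.match(line)
        try:
            ts = datetime.strptime(m["ts"], "%m/%d/%Y:%H:%M:%S %z") if m else None
        except ValueError:
            ts = None
        if ts is None:
            skipped += 1  # truncated, malformed, or not a lockout entry
            continue
        g = groups[(m["ip"], m["user"], m["service"])]
        g["count"] += 1
        g["first"] = ts if g["first"] is None else min(g["first"], ts)
        g["last"] = ts if g["last"] is None else max(g["last"], ts)
        # Drop the query string and collapse the per-session token so paths group.
        path = re.sub(r"^/cpsess\d+", "/cpsess<token>", m["path"].split("?", 1)[0])
        if path not in g["paths"]:
            g["paths"].append(path)
    return dict(groups), skipped


if __name__ == "__main__":
    groups, skipped = summarize_lockouts(SAMPLE_LOG)
    for (ip, user, service), g in groups.items():
        print(ip, user, service, g["count"], g["first"].isoformat(), g["paths"])
    print("skipped lines:", skipped)
```
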
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello :)

    Accounts can be locked out by cPHulk, not just the individual IP addresses. You may want to consider using CSF instead of cPHulk, as CSF will not lock you out of "root" during a brute force attack.

    Thank you.
     
  3. davidpbj

    davidpbj Member

    Thanks for the reply. I now disable cPHulk as required. Do you know what setting I messed with to cause cPHulk to become so sensitive? It's not like I'm trying to log in multiple times; the 1st time I attempt to log in I get the "Invalid Login" error. I'm not sure why the logs show a "brute force" attempt; cPHulk logs don't show any actual brute force attacks occurring against my server inside that time frame. Thanks.
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    cPHulk is configured via:

    "WHM Home » Security Center » cPHulk Brute Force Protection"

    It's likely one of the following options was triggered:

    Maximum Failures By Account
    Maximum Failures Per IP


    You can enable "Send notification when brute force user is detected" should you decide to utilize cPHulk in the future so an alert is sent when a brute force user is detected.

    Thank you.
     
  5. davidpbj

    davidpbj Member

    Thanks, but I am familiar with how to configure cPHulk. My original question remains: What ELSE would I have to change for cPHulk to suddenly begin demonstrating this behavior? No changes were made to cPHulk itself but I did follow the CSF recommendations to "harden" the server. Something that I did there is what caused cPHulk to behave this way. Before that point in time, I could log in fine via tethering. Plus, I get the "Invalid Login" immediately upon trying to log in while tethered - I'm not given a chance to even come close to the Maximum Failures By Account/Per IP thresholds. Also, I'm not getting any notification from the server when I get the "Invalid Login"; and I know that the function does work because I'll still occasionally get a notification about somebody (from a non-blocked country) attempting to brute force an account.
     
  6. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Not sure I understand this completely, but am wondering about this comment:

    You're changing IP addresses when you do this, correct?
     