Locked out of WHM and SSH password root login

[BianchiDude]

This morning I had a few server today where I was locked out of WHM and SSH password root login. Luckily I had an SSH key, I tried resetting the password, no luck, non-root users could SSH in OK.

I ran upcp and then was able to log in.

Did anyone else have this problem?

 

[cPanelMichael]

Hello

I suggest checking the brute force history via:

"WHM >> Security Center >> cPHulk Brute Force Protection"

It's possible the "root" user was locked out by cPhulk, thus you were unable to login. You can also search for your IP address in:

# /usr/local/cpanel/logs/cphulkd.log

Thank you.

 

[texo]

No, this happened to me today as well. Not using cphulk.
Luckily I too had SSH key access (from another server which backs up to the server I was locked out of).
I changed root password via SSH from the second server, but that didn't make any difference.

I then thought to check sshd config file and saw that allow root login was commented out (disallowing root access via SSH).

Don't know how this happened, I am the only person with access to this server.

 

[tmyrdal]

Me also is experiance this Im totaly locked out now, I can log in to my server with SSH but when I write passwd and then write in my new password. Its seams to work as I dont get anny error message. But I cant still not log in to root WHM in webbrowser.

 

[cPanelMichael]

Me also is experiance this Im totaly locked out now, I can log in to my server with SSH but when I write passwd and then write in my new password. Its seams to work as I dont get anny error message. But I cant still not log in to root WHM in webbrowser.

Could you let us know if you checked to see if cPHulkd was the culprit?

Thank you.

 

[tomxml]

I am having the same problem. I am unable to log in with root to WHM nor to SSH. I am able to log in with other users though from the same IP.
On some servers I had a reseller account with all permissions, so I was able to white list my IP after loggin in.
Then I was able to log in as root again.

It does not seem like a normal brute force, because usually it blocks an IP, not a user.
Can it be that a user (root) has been blocked?
What can I do if the root user is blocked and I cannot access WHM nor SSH?
Is there any way to solve this issue?

Thanks

 

[cPanelMichael]

Yes, it's possible for cPHulk to prevent users from authenticating. There is setting for this in "WHM Home » Security Center » cPHulk Brute Force Protection":

"Maximum Failures By Account"

You can wait for the lockout time period to end, or consult with your data center/hosting provider to have them disable cPHulk with console access via the following commands:

for i in `ps aux | grep -i "cphulkd - process" | awk {'print $2'}` ;do kill -9 $i ;done
/usr/local/cpanel/bin/cphulk_pam_ctl --disable

Thank you.

 

[mjdj1999]

I am having an issue. I am locked out of my WHM and cannot access it by SSH. I have been getting several emails stating failed login attempts (10-15 a day) from China mostly. I'm not sure if I have been hacked or not. I dont know if it was cPHulk or not. I have recently disabled CSF (2 days ago) and have been in WHM several times since. What are my options? I have many clients hosting on this system and I dont have any backups because I was recently moving to another backup option from my datacenter.

Please help. Only God knows what is happening to my system at this moment.

Thank you in advance.
DJ

I am using the latest version of WHM and Centos 6.

I am using a dedicated server with OVH and I am in recovery mode at the moment. I can see Centos files but nothing else. I cannot run any cpanel commands in SSH but can run other basic commands. Any help would be greatly appreciated.

- - - Updated - - -

Yes, it's possible for cPHulk to prevent users from authenticating. There is setting for this in "WHM Home » Security Center » cPHulk Brute Force Protection":

"Maximum Failures By Account"

You can wait for the lockout time period to end, or consult with your data center/hosting provider to have them disable cPHulk with console access via the following commands:

for i in `ps aux | grep -i "cphulkd - process" | awk {'print $2'}` ;do kill -9 $i ;done
/usr/local/cpanel/bin/cphulk_pam_ctl --disable

Thank you.

I am on the phone with them again. The first go around with them wasn't very productive. They don't seem to want to do this.

I have fixed the problem so now I am going to post what I did to help others. I worked on it for nearly 10 hours.

I use OVH for my server and although they have good products, they provide zero (0) support for it.

Here is some documentation that helped me (If you use OVH):

http://help.ovh.ie/RescueMode

(You must follow this word for word and dont skip a step)

When you are done your command will look like this:

[email protected] [/]#

When it does, run this (Taken from Michaels post above):

/usr/local/cpanel/bin/cphulk_pam_ctl --disable

Change your password:

passwd

Put your "Netboot" back to "Hard Drive" then restart.

This was all from me setting cpHulk to be too aggressive and clearing my browser cache. I hope that this will help someone else in the future.

 

[manie20]

I wish to comment on this issue.
I have the same with my DNSOnly cluster.

Is there a way to know when the account lock will be released again?
(I assume cPhulk blocked out my root account as well. )

Sadly my hosting provider does not offer a rescure image for my VPS, so I need to figure out howto get back on.
( Currently I can only login as a normal user. but switching to root is impossible.)

Thanks for any insights.

Regards,
Armand

 

[cPanelMichael]

Is there a way to know when the account lock will be released again?

You can ask your VPS provider to enter your VPS from the hardware node and run the following commands to disable cPHulk:

for i in `ps aux | grep -i "cphulkd - process" | awk {'print $2'}` ;do kill -9 $i ;done
/usr/local/cpanel/bin/cphulk_pam_ctl --disable

Thank you.