Locked out of WHM and SSH password root login

BianchiDude

This morning I had a few servers today where I was locked out of WHM and SSH password root login. Luckily I had an SSH key. I tried resetting the password, no luck; non-root users could SSH in OK.

I ran upcp and then was able to log in.

Did anyone else have this problem?
 

cPanelMichael

Administrator
Staff member
Hello :)

I suggest checking the brute force history via:

"WHM >> Security Center >> cPHulk Brute Force Protection"

It's possible the "root" user was locked out by cPHulk, thus you were unable to log in. You can also search for your IP address in:

# /usr/local/cpanel/logs/cphulkd.log

Thank you.
 

texo

No, this happened to me today as well. Not using cPHulk.
Luckily I too had SSH key access (from another server which backs up to the server I was locked out of).
I changed root password via SSH from the second server, but that didn't make any difference.

I then thought to check sshd config file and saw that allow root login was commented out (disallowing root access via SSH).

Don't know how this happened, I am the only person with access to this server.
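
An added example, not part of any post in this thread: a small check for the sshd setting discussed above, which reports the global `PermitRootLogin` value in an sshd_config-style file and what that value means for root password and key logins. The function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). sshd keeps the first value it reads for a
# keyword, and lines starting with '#' are comments, so a commented-out
# directive leaves the keyword unset.

root_login_setting() {   # $1 = path to an sshd_config file
    awk '
        { sub(/^[ \t]+/, "") }                  # drop leading whitespace
        /^#/ || /^$/ { next }                   # skip comments and blank lines
        { n = split($0, f, "[ \t=]+"); key = tolower(f[1]) }
        key == "match" { exit }                 # Match blocks are conditional: stop here
        key == "permitrootlogin" && n >= 2 { print tolower(f[2]); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

describe_root_login() {  # $1 = path to an sshd_config file
    case "$(root_login_setting "$1")" in
        yes)                  echo "password and key logins allowed for root" ;;
        no)                   echo "all root logins over SSH refused" ;;
        prohibit-password|without-password)
                              echo "root key login allowed, root password refused" ;;
        forced-commands-only) echo "root key login allowed only for forced commands" ;;
        unset)                echo "not set; sshd uses its built-in default (see: sshd -T)" ;;
        *)                    echo "unrecognised value" ;;
    esac
}

# Constructed sample config, for demonstration only.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 22
#PermitRootLogin yes
PermitRootLogin without-password
PasswordAuthentication yes
EOF
echo "PermitRootLogin: $(root_login_setting "$sample") -> $(describe_root_login "$sample")"
rm -f "$sample"
```

On a live server, `sshd -T` run as root prints the configuration sshd actually applies, including built-in defaults and included files that this file-only check does not follow.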
 

tmyrdal

I am also experiencing this. I'm totally locked out now. I can log in to my server with SSH, but when I write passwd and then write in my new password, it seems to work, as I don't get any error message. But I still cannot log in to root WHM in the web browser.
 

cPanelMichael

Administrator
Staff member
> I am also experiencing this. I'm totally locked out now. I can log in to my server with SSH, but when I write passwd and then write in my new password, it seems to work, as I don't get any error message. But I still cannot log in to root WHM in the web browser.

Could you let us know if you checked to see if cPHulkd was the culprit?

Thank you.
 

tomxml

I am having the same problem. I am unable to log in with root to WHM or to SSH. I am able to log in with other users, though, from the same IP.
On some servers I had a reseller account with all permissions, so I was able to whitelist my IP after logging in.
Then I was able to log in as root again.

It does not seem like a normal brute force, because usually it blocks an IP, not a user.
Can it be that a user (root) has been blocked?
What can I do if the root user is blocked and I cannot access WHM nor SSH?
Is there any way to solve this issue?

Thanks
 

cPanelMichael

Administrator
Staff member
Yes, it's possible for cPHulk to prevent users from authenticating. There is a setting for this in "WHM Home » Security Center » cPHulk Brute Force Protection":

"Maximum Failures By Account"

You can wait for the lockout time period to end, or consult with your data center/hosting provider to have them disable cPHulk with console access via the following commands:
Code:
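# Kill any running cPHulk daemon processes ([c] keeps grep from matching itself)
for i in $(ps aux | grep -i "[c]phulkd - process" | awk '{print $2}'); do kill -9 "$i"; done
# Disable cPHulk so it stops rejecting logins
/usr/local/cpanel/bin/cphulk_pam_ctl --disable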
Thank you.
 

mjdj1999

I am having an issue. I am locked out of my WHM and cannot access it by SSH. I have been getting several emails stating failed login attempts (10-15 a day) from China mostly. I'm not sure if I have been hacked or not. I don't know if it was cPHulk or not. I have recently disabled CSF (2 days ago) and have been in WHM several times since. What are my options? I have many clients hosting on this system and I don't have any backups because I was recently moving to another backup option from my datacenter.

Please help. Only God knows what is happening to my system at this moment.

Thank you in advance.
DJ
I am using the latest version of WHM and CentOS 6.

I am using a dedicated server with OVH and I am in recovery mode at the moment. I can see CentOS files but nothing else. I cannot run any cPanel commands in SSH but can run other basic commands. Any help would be greatly appreciated.

- - - Updated - - -

> Yes, it's possible for cPHulk to prevent users from authenticating. There is a setting for this in "WHM Home » Security Center » cPHulk Brute Force Protection":
>
> "Maximum Failures By Account"
>
> You can wait for the lockout time period to end, or consult with your data center/hosting provider to have them disable cPHulk with console access via the following commands:
> Code:
> # Kill any running cPHulk daemon processes ([c] keeps grep from matching itself)
> for i in $(ps aux | grep -i "[c]phulkd - process" | awk '{print $2}'); do kill -9 "$i"; done
> # Disable cPHulk so it stops rejecting logins
> /usr/local/cpanel/bin/cphulk_pam_ctl --disable
> Thank you.

I am on the phone with them again. The first go around with them wasn't very productive. They don't seem to want to do this.

I have fixed the problem so now I am going to post what I did to help others. I worked on it for nearly 10 hours.

I use OVH for my server and although they have good products, they provide zero (0) support for it.

Here is some documentation that helped me (if you use OVH):
(You must follow this word for word and don't skip a step)

When you are done, your command will look like this:
When it does, run this (taken from Michael's post above):
/usr/local/cpanel/bin/cphulk_pam_ctl --disable
Change your password:
Put your "Netboot" back to "Hard Drive" then restart.

This was all from me setting cPHulk to be too aggressive and clearing my browser cache. I hope that this will help someone else in the future.
 

manie20

I wish to comment on this issue.
I have the same with my DNSOnly cluster.

Is there a way to know when the account lock will be released again?
(I assume cPHulk blocked out my root account as well.)

Sadly my hosting provider does not offer a rescue image for my VPS, so I need to figure out how to get back on.
(Currently I can only log in as a normal user, but switching to root is impossible.)

Thanks for any insights.

Regards,
Armand
 

cPanelMichael

Administrator
Staff member
> Is there a way to know when the account lock will be released again?

You can ask your VPS provider to enter your VPS from the hardware node and run the following commands to disable cPHulk:

Code:
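# Kill any running cPHulk daemon processes ([c] keeps grep from matching itself)
for i in $(ps aux | grep -i "[c]phulkd - process" | awk '{print $2}'); do kill -9 "$i"; done
# Disable cPHulk so it stops rejecting logins
/usr/local/cpanel/bin/cphulk_pam_ctl --disable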
Thank you.