In Progress Making a "known" network "unknown" for logins

Operating System & Version
CentOS 7.9 kvm
cPanel & WHM Version
92.0.9

Macs R We

Active Member
Mar 17, 2015
26
3
53
Arizona
cPanel Access Level
Root Administrator
I've received several emails from cpHulk about:
Successful Login as “(username)” from an Unknown Network...
A 'Known Network' is an IP address range or netblock that contains an IP address from which a user successfully logged in previously.
It appears that cPanel/WHM adds an address/netblock to the "known" list if someone successfully logs in.
I'd like to find where that table of "known" networks is maintained so I can delete the added addresses so I will be warned if someone logs in again from them.

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
7,491
1,008
313
cPanel Access Level
Root Administrator
Hey there! This setting is controlled in the cPanel >> Contact Information area for each individual user if you wanted to adjust that. I've attached a screenshot showing this option:

Screen Shot 2021-02-05 at 11.14.38 AM.png

There doesn't seem to be much information on where those IPs actually get stored on the server. I've reached out to our developers and I will post an update here as soon as I have more details.
 

Macs R We

I've seen that control, but I don't really want to get inundated with email messages every time one of my own people logs in from an address that belongs to us. I just want to be able to remove the IP addresses associated with remote logins that were approved by cPanel that I don't want to remain approved.

cPRex

Alrighty - I have some more detail on this :D

Here's a series of commands that will pull that info from the cPHulk database:

Code:
# sqlite3 /var/cpanel/hulkd/cphulk.sqlite
SQLite version 3.32.3 2020-06-18 14:00:33
Enter ".help" for usage hints.

sqlite> .tables
auths            ip_lists         login_track
config_track     known_netblocks

sqlite> select * from known_netblocks;
root|||2021-03-04 09:38:23

along with the confirmation it does use that table.

Let me know if that's what you were looking for!
 

Macs R We

For a table called known_netblocks, its contents are a discouraging letdown. When I did the select, all I got were user IDs that had logged into the server (even if only to read mail) and the date/time it happened. Zero information about the IP addresses involved. I dumped the definition of the table:

sqlite> .schema known_netblocks
CREATE TABLE `known_netblocks` (
`USER` CHAR(128) NOT NULL,
`STARTADDRESS` VARBINARY(16) NOT NULL DEFAULT '',
`ENDADDRESS` VARBINARY(16) NOT NULL DEFAULT '',
`LOGINTIME` DATETIME NOT NULL DEFAULT '0000-00-00 00:00:00',
UNIQUE (`USER`,`STARTADDRESS`,`ENDADDRESS`) ON CONFLICT REPLACE
);

Perhaps startaddress and endaddress are supposed to be IP addresses, but they're all blank. I'm not sure how the concepts of start and end factor into login IP addresses, so they may not be. Furthermore, the construct "not null default null" is highly suspect (I believe a recent update to MySQL outlawed this from occurring).

login_track looked interesting, but again the addresses were all blank, and the contents seem to be kept for only around 24 hours.

I found some interesting content in auths and did a little modification there, but no IP addresses.

This database sure does smell like the place that SHOULD contain the information I want, and has places to put it, but it's not being entered.
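
Added example (not part of the thread and not cPanel's own code): a way to audit the VARBINARY(16) columns of the schema above by reading them through SQLite's hex() and decoding them. It assumes the columns hold packed network-order addresses, with IPv4 right-aligned in 16 bytes; that layout, the helper names and the sample rows are constructed for illustration. A value that starts with NUL bytes prints as an empty field in any C-string style display, which is what as_shell_text models.

```python
import ipaddress
import sqlite3

# Table definition copied from the .schema output in the thread.
SCHEMA = """CREATE TABLE `known_netblocks` (
`USER` CHAR(128) NOT NULL,
`STARTADDRESS` VARBINARY(16) NOT NULL DEFAULT '',
`ENDADDRESS` VARBINARY(16) NOT NULL DEFAULT '',
`LOGINTIME` DATETIME NOT NULL DEFAULT '0000-00-00 00:00:00',
UNIQUE (`USER`,`STARTADDRESS`,`ENDADDRESS`) ON CONFLICT REPLACE
);"""

def pack16(addr):
    """Constructed helper: IPv4 right-aligned in 16 bytes (assumed layout)."""
    return ipaddress.ip_address(addr).packed.rjust(16, b"\x00")

def decode_addr(raw):
    """Turn a packed 4- or 16-byte value into a printable address."""
    if len(raw) == 4:
        return str(ipaddress.IPv4Address(raw))
    if len(raw) != 16:
        return "<%d bytes: %s>" % (len(raw), raw.hex())  # empty or unexpected
    if raw[:12] in (b"\x00" * 12, b"\x00" * 10 + b"\xff\xff"):
        return str(ipaddress.IPv4Address(raw[12:]))  # zero-padded or mapped IPv4
    return str(ipaddress.IPv6Address(raw))

def as_shell_text(raw):
    """What a C-string display shows: the bytes before the first NUL."""
    return raw.split(b"\x00", 1)[0].decode("latin-1")

def list_known_netblocks(conn):
    """Read the binary columns through hex() so no byte is lost in display."""
    sql = ("SELECT USER, hex(STARTADDRESS), hex(ENDADDRESS), LOGINTIME "
           "FROM known_netblocks ORDER BY USER, LOGINTIME")
    return [(u, decode_addr(bytes.fromhex(s)), decode_addr(bytes.fromhex(e)), t)
            for u, s, e, t in conn.execute(sql)]

def demo():
    """Build an in-memory table with constructed rows (not real cPHulk data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    rows = [("root", pack16("203.0.113.0"), pack16("203.0.113.255"), "2021-01-01 00:00:00"),
            ("alice", pack16("2001:db8::"), pack16("2001:db8::ffff"), "2021-01-02 00:00:00")]
    conn.executemany("INSERT INTO known_netblocks VALUES (?,?,?,?)", rows)
    return conn

if __name__ == "__main__":
    for row in list_known_netblocks(demo()):
        print(row)
```

The same hex() call can be typed at the sqlite> prompt to check whether a column that displays as blank actually holds bytes.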