We use cpHulkd to help protect against brute-force attacks. But once an IP is blocked (whether for the short 5min duration or a longer 2week duration), I (as root) have to go in and clear it, if the clearing needs to be done "now" (as it usually is).

Is there a way to allow Resellers to clear a cpHulkd lockout?

It appears as if pam_hulk is (vaguely) similar to pam_tally(2) in that it keeps track of failed logins and then, depending on that failed count, just returns a "password incorrect" pam-result to the overall pam mechanism during login.

Thank you,
PH

PS I do this in conjunction w/ some manual additions using the -m recent module in iptables on RHEL. I haven't fully evaluated the rather popular CSF 3rd-party add-on mentioned here a lot yet, but I figure CSF does something similar as well.