Unknown cPHulk Limitation

Discussion in 'Security' started by ArdeshirB, Mar 5, 2016.

  1. ArdeshirB

    Hello Everyone,

    We are a hosting provider company (so we have root access to SSH and the WHM interface).
    Our cPanel versions are 54, and the issue I'm going to talk about has been happening until when we have updated our cPanel servers to the 54 release version a few weeks ago. (The PHP versions are 5.4 to 5.6 and the Apache version is 2.4.)

    There are times when the IP of our customers is being blocked in the cPHulk database, and it occurs this way: at first they suffer from slow connections and web browsing speed on the said servers; after some time passes (or after some additional failed attempts at logging in to their services), their IP gets blocked.
    The weird/senseless phenomenon is that when we try to find out the cause and check the logs, we just realize that their IP address didn't get blocked in the server's firewall (CSF) or cPHulk's WHM blacklist. We initially enter the following command in SSH to check whether the IP is blocked in the server's firewall or not:
    # csf -g "IP address"

    The result is as the following:
    Code:
    Chain   num   pkts bytes target  prot opt in  out     source  destination
    No matches found for "IP address" in iptables
    
    ip6tables:
    Chain    num   pkts bytes target  prot opt in out     source   destination
    No matches found for "IP address" in ip6tables
    That shows the IP address hasn't been blocked in the server's firewall.
    Then we go to cPHulk in WHM via Home » Security Center » cPHulk Brute Force Protection and click on "History Reports"; no entries are found there for the searched IP.
    At the end we go to the database tables via Home » SQL Services » phpMyAdmin.
    Then we find the "cphulkd" database and go to the "login_track" or "known_netblocks" or "ip_lists" table. There are the IPs blocked by cPHulk and the reason they have been blocked. As you know, the IPs are written in IPv6 form, so I convert the blocked IPv4 of our customers to IPv6, then find the log (reason) the IP in question has been blocked. After ensuring that the IP is blocked and listed in the database, we enter the following command to remove it from the list and activate the IP:
    # /scripts/hulk-unban-ip "IP address"

    Here is the output:
    Code:
    The system unblocked the IP address “IP address” successfully.
    When the IP is activated, the customer can again access his/her website at high speed.
    The question is: why is it happening? (Having slow browsing speed and then getting blocked without any recorded logs in WHM's cPHulk.)
    Are there any solutions to access the logs instantly and have the IP removed from the list?

    Regards,
    Ardeshir Behbood.
     
    #1 ArdeshirB, Mar 5, 2016
    Last edited by a moderator: Mar 5, 2016
  2. syslint

    There is a chance that a range of IPs is blocked too. You may run the following command:
    Code:
    # iptables -L -n | grep xyz.

    where xyz is the first quad of the IP address.
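
The lookup described in the posts above (converting a customer's IPv4 address to the IPv6 form used in the cphulkd tables, and checking whether a whole range rather than a single address is listed), as an added example that is not part of the original thread or cPanel's own code. It assumes the IPv4-mapped form `::ffff:a.b.c.d`; the function names and the sample rows are constructed, and the real table columns are not shown on this page.

```python
import ipaddress

def mapped(addr):
    """Return addr as an IPv6Address; IPv4 becomes IPv4-mapped (::ffff:a.b.c.d)."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        # Assumption: the table stores IPv4 in IPv4-mapped IPv6 form.
        ip = ipaddress.IPv6Address(b"\x00" * 10 + b"\xff\xff" + ip.packed)
    return ip

def search_forms(addr):
    """Strings to search for: raw 16-byte hex and fully expanded text."""
    h = mapped(addr).packed.hex()
    groups = [h[i:i + 4] for i in range(0, 32, 4)]
    return {"hex": h, "expanded": ":".join(groups)}

def find_matches(addr, rows):
    """Return (kind, note) for each row whose start..end covers addr."""
    target = int(mapped(addr))
    hits = []
    for start, end, note in rows:
        lo, hi = int(mapped(start)), int(mapped(end))
        if lo <= target <= hi:
            hits.append(("exact" if lo == hi else "range", note))
    return hits

# Constructed sample rows (start, end, note); not real cphulkd data or columns.
ROWS = [
    ("::ffff:cb00:7100", "::ffff:cb00:71ff", "constructed: 203.0.113.0-255"),
    ("::ffff:c633:6407", "::ffff:c633:6407", "constructed: 198.51.100.7"),
    ("::ffff:cb00:712d", "::ffff:cb00:712d", "constructed: 203.0.113.45"),
]

if __name__ == "__main__":
    for ip in ("203.0.113.45", "203.0.113.200", "192.0.2.1"):
        print(ip, search_forms(ip)["expanded"], find_matches(ip, ROWS))
```

An address that only produces a "range" hit will not show up when the table is searched for the exact address, which is the case the range check is meant to catch.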
     
  3. cPanelMichael

    ArdeshirB likes this.
  4. ArdeshirB

    Dear Syslint, thanks for answering, but this is not the case.
    Also thank you, Michael. I've read the entire documentation.
    This issue happened again just now. One of our resellers declared that his IP address has been blocked. I checked the IP address and the username in /usr/local/cpanel/logs/cphulkd.log but there were no entries; then again I referred to phpMyAdmin > the login_track table and I found 3 results for that IP (he had unsuccessful login attempts with three different usernames), although he denied that he has done the said action.
    In the past there was no deceleration in the speeds when brute force attacks & ... happened, but now clients at first have their access speed reduced. Are you informed of that (have you applied that on purpose in the new version)?

    Warm Regards.
    A.B.
     
  5. cPanelMichael

    cPHulk will not shape the speed of the user accessing a service. It seems like there might be an external firewall that's causing that issue. Have you consulted with your data center to verify if that's the case?

    Thank you.
     
  6. ArdeshirB

    I talked to them; there wasn't any, but hopefully the issue has been solved automatically.

    Have a nice weekend,
    A.B.
     