Richard Seese (Registered; Nov 10, 2014; Searcy, Arkansas, United States; cPanel Access Level: Root Administrator)
A lot happened all at once, so I will simply state what happened in the hopes that someone might be able to explain what happened:

1. I attempted to log into my server using PuTTY and my password didn't work.
2. After that, WHM didn't work with root and my password (access denied).
3. Then, all of a sudden, the passwords for all FTP accounts and e-mail accounts were denied.
4. 45 minutes or so later my password finally worked, and the e-mail and FTP accounts worked.

I did discover through logs that brute force detection kicked on with someone trying to log into my server. They made thousands upon thousands of attempts to try to log into root.

Is it possible that my own server (CentOS) locked me out, and that WHM also participated in this locking out because someone was trying to brute force my server?

Some versions for you: CENTOS 6.6 x86_64 kvm – WHM 11.44.1 (build 19)
 

triantech (Well-Known Member; Jul 1, 2014; Kochi, India; cPanel Access Level: Root Administrator)
Hey Richard,

Yes, for the security of your server, cPanel's cPHulkd (brute-force detection software) locks out the account against which numerous login attempts have been made. It can be the same with the root account too. When multiple login failures occur, cPHulkd locks out the root account, which means neither WHM root login nor SSH would work.

I would suggest the following:

- Install csf/lfd and configure the firewall to block the offending IPs (unlike cPHulkd, which blocks the account) trying to brute force your server
- Change the SSH port to a custom one

I have found the above very useful in addition to disabling direct root login.
 

cPanelMichael (Administrator, Staff member; Apr 11, 2011)
Hello :)

If the lockout happens, you may need to obtain console access and disable cPhulk with commands such as:

Code:
for i in $(ps aux | grep -i "cphulkd - process" | awk '{print $2}'); do kill -9 "$i"; done
/usr/local/cpanel/bin/cphulk_pam_ctl --disable
Or, you could add the IP address (or range if it's dynamic) you are connecting from to the cPHulk white list. Note that some users disable cPHulk and utilize a third-party application (e.g. CSF/LFD) to handle brute force attacks. This may be an option for you to consider.

Thank you.
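The difference the two replies above turn on is where the counter lives: cPHulk counts failures per account, so a flood of bad root logins from one attacker locks root for everyone (including the legitimate admin on a different IP), while csf/lfd counts per source IP and blocks only the attacker, and a whitelisted admin IP is exempt from the lockout. The following is an added example, not cPanel's, csf's, or either poster's code: a simplified model of both policies run over constructed sshd-style log lines (documentation-range addresses, not real hosts). The threshold of 5, the regex, and the exact whitelist semantics are assumptions for illustration; real cPHulk and lfd have their own configurable thresholds and time windows.

```python
import re
from collections import defaultdict

# Constructed sample in the style of /var/log/secure (not a real capture).
# 203.0.113.5 is the attacker, 192.0.2.10 is the legitimate admin.
SAMPLE_LOG = """\
Nov 10 03:14:01 host sshd[2101]: Failed password for root from 203.0.113.5 port 40122 ssh2
Nov 10 03:14:02 host sshd[2102]: Failed password for root from 203.0.113.5 port 40123 ssh2
Nov 10 03:14:02 host sshd[2103]: Failed password for root from 203.0.113.5 port 40124 ssh2
Nov 10 03:14:03 host sshd[2104]: Failed password for root from 203.0.113.5 port 40125 ssh2
Nov 10 03:14:04 host sshd[2105]: Failed password for root from 203.0.113.5 port 40126 ssh2
Nov 10 03:14:05 host sshd[2106]: Failed password for root from 198.51.100.44 port 50110 ssh2
Nov 10 03:14:09 host sshd[2108]: Failed password for invalid user admin from 203.0.113.5 port 40130 ssh2
Nov 10 03:15:00 host sshd[2110]: Accepted password for root from 192.0.2.10 port 53001 ssh2
"""

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user admin from ..." (assumed sshd wording).
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

THRESHOLD = 5  # assumed lockout/block threshold for this illustration


def parse_failures(log_text):
    """Return a list of (user, source_ip) for every failed-password line."""
    failures = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures.append((m.group("user"), m.group("ip")))
    return failures


def account_lockouts(failures, threshold=THRESHOLD):
    """cPHulk-style policy: count failures per *account*, ignoring the source.

    One attacker hammering root is enough to lock root for every caller."""
    per_account = defaultdict(int)
    for user, _ in failures:
        per_account[user] += 1
    return {u for u, n in per_account.items() if n >= threshold}


def ip_blocks(failures, threshold=THRESHOLD, whitelist=frozenset()):
    """csf/lfd-style policy: count failures per *source IP*; whitelisted IPs never block."""
    per_ip = defaultdict(int)
    for _, ip in failures:
        if ip not in whitelist:
            per_ip[ip] += 1
    return {ip for ip, n in per_ip.items() if n >= threshold}


def login_allowed(user, ip, locked_accounts, blocked_ips, whitelist=frozenset()):
    """Whitelisted IPs bypass both checks (modelled on the whitelist advice in the thread)."""
    if ip in whitelist:
        return True
    return user not in locked_accounts and ip not in blocked_ips


def compare_policies(log_text, admin_ip, whitelist=frozenset()):
    """Show whether the admin at admin_ip can still log in as root under each policy."""
    failures = parse_failures(log_text)
    locked = account_lockouts(failures)
    blocked = ip_blocks(failures, whitelist=whitelist)
    return {
        "locked_accounts": locked,
        "blocked_ips": blocked,
        "admin_ok_per_account": login_allowed("root", admin_ip, locked, set(), whitelist),
        "admin_ok_per_ip": login_allowed("root", admin_ip, set(), blocked, whitelist),
    }


if __name__ == "__main__":
    print(compare_policies(SAMPLE_LOG, "192.0.2.10"))
    print(compare_policies(SAMPLE_LOG, "192.0.2.10", whitelist={"192.0.2.10"}))
```

Without a whitelist, the per-account policy reports root locked and the admin refused, which is the 45-minute outage described in the first post; the per-IP policy blocks only 203.0.113.5 and leaves the admin's login working. Adding the admin's own address to the whitelist makes the admin's login succeed under either policy, which is the point of the whitelist suggestion in the last reply.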