The Community Forums


Unusual experience with WHM

Discussion in 'General Discussion' started by Richard Seese, Nov 10, 2014.

  1. Richard Seese

    Richard Seese Registered

    A lot happened all at once, so I will simply state what happened in the hopes that someone might be able to explain what happened:

    1. I attempted to log into my server using PuTTY and my password didn't work.
    2. After that, WHM didn't work with root and my password (access denied)
    3. Then all of a sudden the passwords for all FTP accounts and E-Mail accounts were denied
    4. 45 minutes or so later my password finally worked, and E-Mail and FTP accounts worked.

    I did discover through logs that brute force detection kicked on with someone trying to log into my server. They made thousands upon thousands of attempts to try to log into root.

    Is it possible that my own server (CentOS) locked me out, and that WHM also participated in this locking out because someone was trying to brute force my server?

    Some versions for you: CENTOS 6.6 x86_64 kvm – WHM 11.44.1 (build 19)
     
  2. triantech

    triantech Well-Known Member

    Hey Richard,

    Yes, for the security of your server, cPanel's cPHulkd (brute-force detection s/w) locks out the account to which numerous login attempts have been made. It can be the same with the root account too. When multiple login failures occur, cPHulkd locks out the root account, which would mean neither WHM root login nor SSH would work.

    I would suggest the following:

    - Install csf/lfd and configure the firewall to block the offending IPs (unlike cPHulkd blocking the account) trying to brute force your server
    - Change the SSH port to a custom one

    I have found the above very useful in addition to disabling direct root login.
     
  3. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello :)

    If the lockout happens, you may need to obtain console access and disable cPHulk with commands such as:

    Code:
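    # Kill any running cPHulkd processes; the [c] keeps grep from matching its own process
    for i in $(ps aux | grep -i "[c]phulkd - process" | awk '{print $2}'); do kill -9 "$i"; done
    # Turn off cPHulk's PAM control so logins are no longer checked against it
    /usr/local/cpanel/bin/cphulk_pam_ctl --disable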
    Or, you could add the IP address (or range if it's dynamic) you are connecting from to the cPHulk white list. Note that some users disable cPHulk and utilize a third-party application (e.g. CSF/LFD) to handle brute force attacks. This may be an option for you to consider.

    Thank you.
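
The replies above contrast locking the targeted account with blocking the offending source addresses. As an added example that is not part of any post in this thread, the shell function below counts failed root SSH logins per source IP from `/var/log/secure`-style lines; the sample log lines, addresses and threshold are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Tally failed SSH root logins per source IP.
# stdin:  sshd lines in the /var/log/secure format
# stdout: "<count> <ip>" for every IP with at least $1 failures, busiest first
failed_root_by_ip() {
    threshold="${1:-5}"   # assumed default; tune to your own tolerance
    awk -v min="$threshold" '
        # Only password failures against the real root account are counted;
        # "Failed password for invalid user ..." lines do not match.
        /sshd\[[0-9]+\]: Failed password for root from / {
            for (i = 1; i < NF; i++)
                if ($i == "from") { hits[$(i + 1)]++; break }
        }
        END {
            for (ip in hits)
                if (hits[ip] >= min) print hits[ip], ip
        }
    ' | sort -k1,1nr -k2,2
}

# Constructed sample input: documentation-range addresses, made-up host and PIDs.
# 192.0.2.10 plays the administrator who mistypes the password once.
sample_log() {
    cat <<'EOF'
Nov 10 03:14:01 host sshd[2101]: Failed password for root from 203.0.113.7 port 40112 ssh2
Nov 10 03:14:03 host sshd[2103]: Failed password for root from 203.0.113.7 port 40118 ssh2
Nov 10 03:14:04 host sshd[2104]: Failed password for invalid user admin from 203.0.113.7 port 40120 ssh2
Nov 10 03:14:06 host sshd[2106]: Failed password for root from 198.51.100.23 port 51200 ssh2
Nov 10 03:14:07 host sshd[2107]: Failed password for root from 203.0.113.7 port 40131 ssh2
Nov 10 03:14:09 host sshd[2109]: Failed password for root from 192.0.2.10 port 60022 ssh2
Nov 10 03:14:11 host sshd[2111]: Failed password for root from 198.51.100.23 port 51207 ssh2
Nov 10 03:14:12 host sshd[2112]: Failed password for root from 203.0.113.7 port 40140 ssh2
Nov 10 03:15:30 host sshd[2130]: Accepted password for root from 192.0.2.10 port 60030 ssh2
EOF
}

# Addresses at or above the threshold are the candidates for a firewall block.
sample_log | failed_root_by_ip 3
```

With a threshold of 3 only 203.0.113.7 is reported, while the administrator's address stays below it, so a per-IP block stops the guessing without denying the legitimate root login.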
     