[CPANEL-27445] cPHulk Countries blacklist not working?
Hi,
I have cPHulk Brute Force Protection On and an extensive list of blacklisted countries.
When I woke up this morning I had over 6000 "Excessive Number of Failed Login Attempts from 103.231.xxx.xxx (Iran, Islamic Republic of:IR)" warnings - not only from Iran, but also from several other countries included in the blacklist - most (if not all) from countries that have been on my blacklist for months.
Also over 27000 one-day blocks have been created by cPanel for the suspicious IPs.
Is there a known issue with cPHulk?
Thanks.
Alexandre
-
It seems IP range blocking is still working - but this is going back to "old" cPanel before country management :(
-
Hi @apaulo There is not a known issue with country management. If you go to WHM >> Security Center >> cPHulk Brute Force Detection -> Countries Management -> Filter: Blacklisted, are the ranges you previously selected still blacklisted, including Iran? Also, is anything listed in the cPHulkd error logs? You can find them here:
/usr/local/cpanel/logs/cphulkd_errors.log
/usr/local/cpanel/logs/cphulkd.log
-
Hi @apaulo There is not a known issue with country management. If you go to WHM >> Security Center >> cPHulk Brute Force Detection -> Countries Management -> Filter: Blacklisted, are the ranges you previously selected still blacklisted, including Iran?
Yes, all countries are blacklisted - as I explained, the warnings were not only from Iran, but also from several other countries included in the blacklist - most (if not all) from countries that have been on my blacklist for months. Iran was just an example - it was the most active (about 26000 hits in 8 hours).
Hi @apaulo Also, is anything listed in the cPHulkd error logs? You can find them here:
/usr/local/cpanel/logs/cphulkd_errors.log
/usr/local/cpanel/logs/cphulkd.log
On cphulkd_errors.log, this one is quite recurring:
[2019-05-14 11:20:44 +0100] die [cPhulkd] Timeout while waiting for response at /usr/local/cpanel/Cpanel/Hulkd.pm line 487.
    Cpanel::Hulkd::die(Cpanel::Hulkd=HASH(0x1382908), "Timeout while waiting for response") called at /usr/local/cpanel/Cpanel/Hulkd.pm line 417
    Cpanel::Hulkd::__ANON__(__CPANEL_HIDDEN__) called at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 289
    eval {...} called at /usr/local/cpanel/Cpanel/Hulkd/Processor.pm line 289
    Cpanel::Hulkd::Processor::run(Cpanel::Hulkd::Processor=HASH(0x1ca34c8), undef) called at /usr/local/cpanel/Cpanel/Hulkd.pm line 423
    Cpanel::Hulkd::__ANON__() called at /usr/local/cpanel/3rdparty/perl/528/lib/perl5/cpanel_lib/Try/Tiny.pm line 97
    eval {...} called at /usr/local/cpanel/3rdparty/perl/528/lib/perl5/cpanel_lib/Try/Tiny.pm line 88
    Try::Tiny::try(CODE(0x1761ce8), Try::Tiny::Catch=REF(0x176dfa8)) called at /usr/local/cpanel/Cpanel/Hulkd.pm line 427
    Cpanel::Hulkd::handle_one_connection(Cpanel::Hulkd=HASH(0x1382908), Cpanel::Socket::INET=GLOB(0x176dd50), undef) called at /usr/local/cpanel/Cpanel/Hulkd.pm line 594
    Cpanel::Hulkd::_handle_accepted_socket_and_reset_idleloops(Cpanel::Hulkd=HASH(0x1382908), Cpanel::Socket::INET=GLOB(0x176dd50)) called at /usr/local/cpanel/Cpanel/Hulkd.pm line 341
    Cpanel::Hulkd::main_loop(Cpanel::Hulkd=HASH(0x1382908), Cpanel::Socket::UNIX=GLOB(0x13c0450), Cpanel::Socket::INET=GLOB(0x13c06a8)) called at /usr/local/cpanel/Cpanel/Hulkd.pm line 244
    Cpanel::Hulkd::processor_run(Cpanel::Hulkd=HASH(0x1382908)) called at /usr/local/cpanel/Cpanel/Hulkd.pm line 159
    Cpanel::Hulkd::__ANON__(__CPANEL_HIDDEN__) called at /usr/local/cpanel/Cpanel/Hulkd.pm line 170
    Cpanel::Hulkd::launcher(Cpanel::Hulkd=HASH(0x1382908), 0) called at /usr/local/cpanel/Cpanel/Hulkd.pm line 139
    Cpanel::Hulkd::start_daemon(Cpanel::Hulkd=HASH(0x1382908), 0) called at /usr/local/cpanel/Cpanel/Hulkd.pm line 93
    Cpanel::Hulkd::run_daemon(Cpanel::Hulkd=HASH(0x1382908)) called at libexec/cphulkd.pl line 32
[2019-05-14 11:20:44 +0100] info [cPhulkd] The system encountered an error while processing a request: exit level [die] [pid=15597] (Timeout while waiting for response)
On cphulkd.log I just get loads and loads of entries like:
[2019-05-14 14:54:32 +0100] info [cPhulkd] Login Blocked: The IP address is blacklisted. [Service]=[dovecot] [Local IP Address]=[94.126.171.194] [Remote IP Address]=[103.231.139.176] [Authentication Database]=[mail] [Username]=[someusr@example.net]
Then at some point it seems it gets back to normal, because the above messages stop and I start getting:
[2019-05-16 16:21:44 +0100] info [cPhulkd] Login Blocked: The country is blacklisted. [Service]=[dovecot] [Local IP Address]=[94.126.171.213] [Local Port]=[143] [Remote IP Address]=[220.233.42.61] [Remote Port]=[49532] [Authentication Database]=[mail] [Username]=[someusr@example.com]
So, I am guessing that this was some automatic update that messed things up, and it got back to normal the following day, thanks to a new automatic update... According to the logs, it seems it is back to normal...
-
Meh... it is not solved... I just enabled "Send a notification when the system detects a brute force user" again and started being bombarded with emails "Excessive Number of Failed Login Attempts from 78.9.51.10 (Poland:PL)". Poland is blacklisted - double checked. For this specific message, in "cphulkd.log":
[2019-05-16 17:48:42 +0100] info [cPhulkd] Login Blocked: IP reached maximum auth failures for a one day block [Service]=[dovecot] [Local IP Address]=[94.126.171.213] [Local Port]=[143] [Remote IP Address]=[78.9.51.10] [Remote Port]=[53582] [Authentication Database]=[mail] [Username]=[justin_fields] (1/6 failures) (blocked until [Fri May 17 16:48:42 2019 UTC/Fri May 17 17:48:42 2019 LOCAL])
[2019-05-16 17:48:42 +0100] info [cPhulkd] Login Blocked: The country is blacklisted. [Service]=[dovecot] [Local IP Address]=[94.126.171.213] [Local Port]=[143] [Remote IP Address]=[78.9.51.10] [Remote Port]=[53582] [Authentication Database]=[mail] [Username]=[justin_fields]
That same IP is now also on the "One day block"... twice! In my view, the login should only be "Login Blocked: The country is blacklisted"... period. So cPHulk is not ignoring the country blacklist... but it is not checking it BEFORE allowing the user to try to login.
-
Iran was just an example - it was the most active (about 26000 hits in 8 hours).
I understood that, I was using it as an example of what to look for as well :)
According to the logs, it seems it is back to normal...
That's good news. If it does start to occur again and you see those same errors in the cPHulk error log, I'd suggest opening a ticket, which you can do using the link in my signature.
-
So cPHulk is not ignoring the country blacklist... but it is not checking it BEFORE allowing the user to try to login.
I don't believe its behavior is to check prior, but the login will always fail due to the country being blocked.
-
I don't believe its behavior is to check prior, but the login will always fail due to the country being blocked.
Ok, but... so why send me a message? ...so why send the IP to one-day blocks? The country is blocked - period. No need for one-day blocks. No need to populate the firewall with tens of thousands of IPs... that is the point of country management. I changed nothing in the cPanel configuration... it just started out of the blue. Now I cannot have notifications - and I need them (I did not block all countries). I must be able to be notified if someone is trying from a non-blacklisted country and take action.
-
Yea, I see the issue with the behavior you're experiencing. Can you please open a ticket using the link in my signature? I'd like to see if there's more to the issue and possibly if an update caused it to behave differently. Once open, please reply with the Ticket ID here so that we can update this thread with the resolution once the ticket is resolved. Thanks!
-
I'm not entirely sure Country Code blocking is working correctly either. I have China blacklisted, yet I can see an IP entry, clearly identified as CN, with an expiry date of the 23rd of May. Yet the same IP tried again two days later on the 10th.
1. How could CN even be given the opportunity to login to Dovecot when CN is blacklisted?
2. Why was it allowed a second opportunity two days later when it should still be under a cPHulk block?
Image attached.
-
I've been talking to some folks about this and doing some research, and it looks like the GeoIP database isn't 100% correct. For example, I took the IP listed in @apaulo's initial response and ran it through the geo-ip database here: The output was as follows:
IP 220.233.42.61
Numeric 3,706,268,221
Start 220.233.0.0
End 220.233.127.255
Hosts 32,768
CIDR 220.233.0.0/17
Reg apnic
Alloc Feb 08, 2004
CC AU
Host Click
Country Australia
Details Not Available
This is being reported by GeoIP as an Australian IP address. Then another one of the examples:
IP 78.9.51.10
Numeric 1,309,225,738
Start 78.8.0.0
End 78.11.255.255
Hosts 262,144
CIDR 78.8.0.0/14
Reg ripencc
Alloc Feb 25, 2007
CC PL
Host No Hostname
Country Poland
Details Not Available
Flag Poland Start 78.8.0.0 - 78.11.255.255 [Hosts 262,144]
GeoIP shows this as a Polish IP. @keat63 can you run your IP example through the GeoIP database and let me know if it's coming up as a blocked country? You may also want to have a look at the thread here as well:
-
@apaulo I'm seeing the exact same issue you are. I have a very extensive IP blacklist on countries, but suddenly sometime last week I started getting bombarded. Just found this post because I'm having the exact same issues, suddenly. I actually attempted to block all countries except 3 (US/GB/Canada) and still attempts are flowing in.
-
I can confirm that the country code database isn't 100% accurate, as I have a feature request open for a more accurate database. As for my example, it's coming back as China:
IP 58.216.13.23
Numeric 987,237,655
Start 58.208.0.0
End 58.223.255.255
Hosts 1,048,576
CIDR 58.208.0.0/12
Reg apnic
Alloc Jun 23, 2005
CC CN
Host No Hostname
Country China
-
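To make the behaviour argued about in this thread concrete, here is an added Python example (written for this page, not cPanel's own code) that parses cphulkd.log "Login Blocked" lines in the layout apaulo quoted and reports three things: IPs that were given a one-day block even though their country is blacklisted (the source of the notification noise apaulo describes), further attempts an IP makes while its one-day block is still active (the situation keat63 asks about, and what the support reply later in the thread explains), and IPs the log calls "country blacklisted" whose address allocation maps to a country that is not on the blacklist (the GeoIP discrepancy the staff lookups above show). The sample log lines, the three allocation ranges taken from the lookups above, and the blacklist {PL, CN, IR} are constructed for the example; AU is deliberately left off it, as in the Australian lookup. A real run would read the log file and consult a full GeoIP database instead of the small table.

```python
# Added example, not cPanel's code: analyse cphulkd.log "Login Blocked" lines.
import re
import ipaddress
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log, modelled on the entries quoted in the thread; the
# 2019-05-17 and 2019-05-18 lines are invented to show a retry during a block.
SAMPLE_LOG = """\
[2019-05-16 16:21:44 +0100] info [cPhulkd] Login Blocked: The country is blacklisted. [Service]=[dovecot] [Local IP Address]=[94.126.171.213] [Local Port]=[143] [Remote IP Address]=[220.233.42.61] [Remote Port]=[49532] [Authentication Database]=[mail] [Username]=[someusr@example.com]
[2019-05-16 17:48:42 +0100] info [cPhulkd] Login Blocked: IP reached maximum auth failures for a one day block [Service]=[dovecot] [Local IP Address]=[94.126.171.213] [Local Port]=[143] [Remote IP Address]=[78.9.51.10] [Remote Port]=[53582] [Authentication Database]=[mail] [Username]=[justin_fields] (1/6 failures) (blocked until [Fri May 17 16:48:42 2019 UTC/Fri May 17 17:48:42 2019 LOCAL])
[2019-05-16 17:48:42 +0100] info [cPhulkd] Login Blocked: The country is blacklisted. [Service]=[dovecot] [Local IP Address]=[94.126.171.213] [Local Port]=[143] [Remote IP Address]=[78.9.51.10] [Remote Port]=[53582] [Authentication Database]=[mail] [Username]=[justin_fields]
[2019-05-17 10:00:00 +0100] info [cPhulkd] Login Blocked: The country is blacklisted. [Service]=[dovecot] [Local IP Address]=[94.126.171.213] [Local Port]=[143] [Remote IP Address]=[78.9.51.10] [Remote Port]=[53590] [Authentication Database]=[mail] [Username]=[justin_fields]
[2019-05-18 09:00:00 +0100] info [cPhulkd] Login Blocked: The country is blacklisted. [Service]=[dovecot] [Local IP Address]=[94.126.171.213] [Local Port]=[143] [Remote IP Address]=[58.216.13.23] [Remote Port]=[40000] [Authentication Database]=[mail] [Username]=[someusr@example.com]
"""

# The reason text runs up to the first "[Service]" field; fields are [Key]=[Value].
ENTRY_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] info \[cPhulkd\] Login Blocked: "
                      r"(?P<reason>.*?) (?P<rest>\[Service\].*)$")
FIELD_RE = re.compile(r"\[([^\]]+)\]=\[([^\]]*)\]")
UNTIL_RE = re.compile(r"\(blocked until \[([^/]+) UTC/")

# Allocation ranges copied from the lookups in the thread; a real deployment
# would use a full GeoIP database. BLACKLIST is constructed (AU is not on it).
ALLOCATIONS = [
    (ipaddress.ip_network("220.233.0.0/17"), "AU"),
    (ipaddress.ip_network("78.8.0.0/14"), "PL"),
    (ipaddress.ip_network("58.208.0.0/12"), "CN"),
]
BLACKLIST = {"PL", "CN", "IR"}


def parse_log(text):
    """Turn 'Login Blocked' lines into dicts; any other line is skipped."""
    events = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        fields = dict(FIELD_RE.findall(m.group("rest")))
        until = UNTIL_RE.search(m.group("rest"))
        events.append({
            "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S %z"),
            "reason": m.group("reason").rstrip("."),
            "remote_ip": fields.get("Remote IP Address"),
            "service": fields.get("Service"),
            "username": fields.get("Username"),
            # only one-day-block lines carry an expiry; keep the UTC half
            "blocked_until": (datetime.strptime(until.group(1), "%a %b %d %H:%M:%S %Y")
                              .replace(tzinfo=timezone.utc) if until else None),
        })
    return events


def country_of(ip):
    """Country code for an address from the (constructed) allocation table."""
    addr = ipaddress.ip_address(ip)
    for net, cc in ALLOCATIONS:
        if addr in net:
            return cc
    return None


def summarize(events, blacklist):
    """Per remote IP: block reasons seen, one-day blocks issued, and two flags."""
    per_ip = defaultdict(lambda: {"reasons": set(), "one_day_blocks": 0})
    for e in events:
        s = per_ip[e["remote_ip"]]
        s["reasons"].add(e["reason"])
        if e["blocked_until"] is not None:
            s["one_day_blocks"] += 1
    for ip, s in per_ip.items():
        s["country"] = country_of(ip)
        s["country_blacklisted"] = s["country"] in blacklist
        # a one-day block for an IP the country list should already stop
        s["redundant_one_day_block"] = s["country_blacklisted"] and s["one_day_blocks"] > 0
        # log says "country blacklisted" but the allocation points elsewhere
        s["geoip_mismatch"] = ("The country is blacklisted" in s["reasons"]
                               and not s["country_blacklisted"])
    return dict(per_ip)


def attempts_during_block(events):
    """(ip, timestamp) for attempts logged after a one-day block was issued and before it expired."""
    active = {}  # ip -> (issued, expires)
    hits = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        ip = e["remote_ip"]
        if ip in active:
            issued, expires = active[ip]
            if issued < e["ts"] < expires:
                hits.append((ip, e["ts"].isoformat()))
        if e["blocked_until"] is not None:
            active[ip] = (e["ts"], e["blocked_until"])
    return hits


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ip, s in summarize(evs, BLACKLIST).items():
        print(ip, s["country"], sorted(s["reasons"]), "one-day blocks:", s["one_day_blocks"],
              "redundant:", s["redundant_one_day_block"], "geoip mismatch:", s["geoip_mismatch"])
    print("attempts during an active one-day block:", attempts_during_block(evs))
```

On the sample, 78.9.51.10 comes out with a redundant one-day block and one attempt logged inside the block window, which is consistent with the support statement later in the thread that a blocked IP can still attempt to log in and simply fails; 220.233.42.61 is flagged as a GeoIP mismatch because the allocation table places it in Australia while the log calls its country blacklisted.
-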
Hi @keat63 So far I haven't been able to reproduce this on a system where the GeoIP database is reporting a blocked country - since you can, would you be able to open a ticket? Thanks!
-
12357325 - CPHULK not blocking countries as expected
-
Thanks, @keat63 I've noted that ticket and I'm watching it. I'll update here with more information as it becomes available.
-
Apologies on my part, I wasn't paying attention. I recall that I had country code blocking disabled for a few weeks during March/April to try and figure out a user email login problem. These Chinese logins could well have been during this period. I got a reply back from cPanel support if it helps. "If an IP address is blocked by cPhulk, that IP can still attempt to login to the server. In this case, even if they type a correct password, it will fail. This is why you are seeing the IP addresses showing in the logs, even though they are blocked by cPhulk." I have only 3 country codes whitelisted in cPHulk. I don't see any attempted connections outside of these 3 countries since April 10th, so maybe it is working for me.
-
Hi @keat63 Nonetheless, I'm glad it's sorted now! Thanks for updating here.
-
On my side, all countries in cPHulk Brute Force Protection are blacklisted except Canada and the USA, but for a few weeks I have been receiving a ton of email notifications about Excessive Number of Failed Login Attempts from many countries (China, Brazil, France, Spain, etc). I have received 14000 email notifications since May 21. What's wrong?
-
We have a case open for this specific behavior @daflame - CPANEL-27445 - In 80, cPHulkd sends notifications for blocked logins from blacklisted IPs/Countries. This doesn't mean they are no longer blacklisted, just that the notifications are being sent now. This is an improvement case and I'll update here when/if any changes are made.
-
Looks like I am having the same issue. I upgraded from v78.x to v80.0.10 last night and it just seems cPHulk is not working at all now. I have not touched any of my cPHulk settings. I also have all countries blacklisted except the US. Getting hundreds of login failure notifications and the cPHulk History for one day blocks looks like this. 59051
-
I just did a little test. I blocked my mobile phone's IP in cPHulk and tried to login to WHM. It's giving me a credentials invalid failure. I have it set to 3 max attempts. I just kept hitting login about 20 times and just got the same. I checked cPHulk on my PC and there are no Failed Logins in the history, but 20 one-day blocks in the log, and of course I got multiple "Excessive Number of Failed Login Attempts" emails for it. cPHulk is not working like it used to before the upgrade. Hope you guys fix it soon.
-
I have also had this issue since upgrading to v80.0.9 a few days ago, and still after two more updates (now running v80.0.11) ...
-
I have 3 VPS with cPanel. Two of them started allowing login attempts from IPs in blacklisted countries. This started to happen after the update from v78.x to v80.x. The third VPS failed to upgrade to v80.x. It is all happening exactly as @tommyxv and @Gadge reported, with lots of notification emails bothering my routine. I also hope that the cPanel team can identify what is happening, because the symptoms indicate the cPanel update as the source of the problem.
-
I have the same problem on the 2 servers with cPanel that I have.... Thousands of mails!!! Since I updated to version 80.... Do you have any solution???... Do I have to open a ticket???
-
I updated to 80.0.12. Login attempt notifications from the blacklisted countries have stopped, BUT NOW I don't get notifications for attempts from non-blacklisted countries or IPs. Just as I suspected, this was a band-aid fix and now all notifications are disabled. :rolleyes: Come on guys. 78.0.x worked just fine. Figure out what was changed and please fix it.
-
When I unlocked all countries, the lock report ran again, but the blacklisted IPs continue with logged attempts, when they should not even be accepted. All notification emails indicate that there was only ONE authentication failure. Is it just a problem of unduly triggering a notification for locks that occur before the actual connection attempt?
-
Dear cPanel team, our VPS also experiences the same issue after doing the update. Waiting for the next proper update.
-
After much study, I am convinced - until proven otherwise - that the problem is in triggering a notification even though there was a previous block before a first login attempt. Either this login attempt was allowed and only then was a lock applied, which was supposed to take place before processing the user/password data. So, for me, it is a notification problem and not a security problem.
-
Hello, this should be fixed in v80.0.12 per our Changelogs, which can be found here: 80 Change Log - Change Logs - cPanel Documentation - Fixed case CPANEL-27445: Don't send cPHulkd notifications for blacklisted IP/country blocks.