
[CPANEL-27445] Excessive cPHulk notifications for blacklisted IPs and Countries

Comments

10 comments

  • tommyxv
    The failed logins are not even showing in History Reports either. Only when I filter to one-day blocks do they show.
    0
  • Smartypants
    Early this morning, I made the apparent mistake of updating all of the cPanel servers I manage to 80.0.10... and immediately after the update installed, ALL FOUR servers started bombarding me with "Excessive Number of Failed Login Attempts." And by "bombarding," I mean on the order of 30,000+ EMail messages in less than 8 hours... and there possibly would have been more, but it actually managed to push my EMail account over quota, so who knows how many were rejected (along with whatever legitimate EMails this caused me to miss).

    Aside from the serious disruption this glitch is causing, almost every other aspect of the notifications themselves is ALSO completely broken. First of all, I can find no actual indication of the brute force attempts it's supposedly alerting me to - I've randomly searched for a few dozen of the IPs that the supposed brute force attempts came from, and not a SINGLE one of them is listed in the "History Reports" section under "cPHulk Brute Force Protection". And it's also sending me notifications for supposed failed login attempts from individual IPs that are already blacklisted, from /24 ranges that are already blacklisted, AND from Countries that are already blacklisted. Unless it's COMPLETELY broken, the only explanation seems to be that it's re-sending notifications for EVERY SINGLE brute-force attempt that those servers ever received? Given that some of those servers have been in operation since 2014, that's gonna be quite a few.

    And suffice it to say, this does NOT inspire confidence in your QA process (if there even is one): when you're pushing out software as RELEASE/STABLE when it contains such serious, easily detectable flaws, then someone clearly didn't do their job properly. This needs to be corrected ASAP. When can we expect that you will be releasing a fix for this issue?
    0
  • cPanelMichael
    Hello @Smartypants, Internal case CPANEL-27445 will address an issue where a change in version 80 led to the initiation of cPHulk notifications for every login attempt from blacklisted IP addresses or blacklisted countries. I'll update this thread with more information as soon as the case is published. In the meantime, you can browse to WHM >> Contact Manager to temporarily disable cPHulk notifications until the case is published. Thank you.
    0
  • tommyxv
    Thanks, will keep an eye on this thread too. Same here for me with 80.0.10. I posted here about it earlier.
    0
  • cPanelMichael
    Hello, cPanel & WHM version 80.0.12 is now published to the CURRENT and EDGE release tiers with the following fix: Fixed case CPANEL-27445: Don't send cPHulkd notifications for blacklisted IP/country blocks. I'll update this thread again once version 80.0.12 enters the RELEASE tier. Let us know if you have any questions. Thank you.
    0
  • tommyxv
    Hi @cPanelMichael, are the cPHulk config settings working (ex: # of logins and length of blocks), and will failed logins show in the history logs, or are you just disabling the notifications but bots can still attempt logins after the max # was reached and the IP is blocked? That seemed to be an issue in addition to the notifications.
    0
  • cPanelMichael
    Hello @tommyxv,

    "Are the cPHulk config settings working, (ex: # of logins and length of blocks), and will show failed logins in the history logs"

    The change in CPANEL-27445 relates exclusively to notifications. Notifications are no longer sent every time a login attempt fails because the user's IP address is blacklisted, or the user's IP address is part of a blacklisted country's IP space. There's no change to how failed logins are blocked or reported under WHM >> cPHulk Brute Force Protection >> History Reports. Let me know if you notice any additional issues. Thanks!
    0
  • Shahbaz Ahmed
    My server is continuously under attack. Blacklist IPs, blacklist countries, nothing works. Server load reaches 100+ every 5 minutes. The current version of cPanel is 80.0.11. What should I do now?
    0
  • Shahbaz Ahmed
    Ok, I have manually updated to 80.0.12 and it fixed the issue.
    0
  • cPanelMichael
    cPanel & WHM version 80.0.12 is now published to the CURRENT and EDGE release tiers with the following fix: Fixed case CPANEL-27445: Don't send cPHulkd notifications for blacklisted IP/country blocks. I'll update this thread again once version 80.0.12 enters the RELEASE tier.

    Hello Everyone, cPanel & WHM version 80.0.12 is now published to the RELEASE build tier. Thank you.
    0
