CPHULKD not working not creating rules

Comments

9 comments

  • mikeserv
    It seems to be only monitoring dovecot, but it's not adding its iptables rule chain or any entries for the failed login attempts. It's also not logging any errors, and I turned on debug. cphulkd_errors.log is getting no entries, and cphulkd.log just seems to be logging whitelisted dovecot events. It's not doing anything for sshd or anything else, so it doesn't seem that it's going for logs or PAM authentication failures. Could it have something to do with the logs? I do have rsyslogd and it's writing the usual log files to /var/log. If I tail -f /var/log/secure there are all kinds of failed sshd logins going on, pretty much constantly. systemd-journald is using Storage=auto and is also keeping system.journal in /run/log/journal/. Something wrong with those "keys" for accessing the data for those services, perhaps? I should think there would be errors of some sort.
  • ankeshanand
    The cPHulk daemon is only for preventing brute-force attacks. For managing iptables and the firewall, you need to install CSF Firewall.
  • cPRex Jurassic Moderator
    cPHulk can definitely interface with the firewall. There are various options, such as these two that would interact with the server's firewall, mentioned by @mikeserv:

    "Block IP addresses at the firewall level if they trigger brute force protection: Whether you wish to automatically add IP addresses that trigger brute force protection to the firewall."

    "Block IP addresses at the firewall level if they trigger a one-day block: Whether you wish to automatically add IP addresses that trigger a one-day block to the firewall. This option writes a new iptables rule and requires iptables version 1.4 or higher. This checkbox defaults to selected."

    cPHulk uses an SQLite database, so you would not see that with any MySQL commands. Details on that can be found here, as that behavior was changed in version 62:
  • mikeserv
    Oh yes, I'm sure there are failed logins, but they aren't triggering cPHulk. In the 6 hours I slept there were 800+ failed sshd logins for the root account alone, and right now there's a run going on from the same IP address (tail -f /var/log/secure) which should be triggering it. I'll consider a support ticket if I can't figure this out very soon, though I was just hoping for a bit of advice.
  • cPRex Jurassic Moderator
    From what you said in the first post, you've already checked the common things, and even mentioned there weren't any logs being generated, so I don't have any other ideas on what the cause could be based on that.
  • mikeserv
    I do very much appreciate your consideration, and I did have every intention of following up with a solution if I found one. However, it doesn't seem that I'm going to solve this by hunting and poking; I can see nothing wrong. So I submitted a support ticket as suggested. Ticket ID #94354410
  • mikeserv
    So the problem turned out to be missing PAM configuration for the pam_hulk.so module: "required pam_hulk.so" in /etc/pam.d/password-auth and system-auth. Had I known about it, a command to fix it would have been: "/usr/local/cpanel/bin/cphulk_pam_ctl --enable". Thanks, folks.
  • cPRex Jurassic Moderator
    I'm glad our team was able to help out with that issue!
  • mikeserv
    I am necro-bumping my own thread here because this is still relevant (and something else that might help a confused soul wasting their time).

    Firstly, fast forward 3 years later, I ran into the same problem on a new server (I suspect provisioning scripts when installing the image on the server at this datacenter may disable this, but that's just an educated guess). The PAM module configuration was missing. I knew to look for that right away this time. The lines in /etc/pam.d/password-auth and system-auth were not present, so:

    "/usr/local/cpanel/bin/cphulk_pam_ctl --enable"

    However, cPHulkD was STILL not adding iptables rules. What the Hell... then it occurred to me that it would be using nftables now :-)

    # nft list table inet filter
    table inet filter {
        set cphulk-TempBan {
            type ipv4_addr
            timeout 59m59s
            elements = { 14.40.58.161 expires 44m30s870ms, 14.103.41.240 expires 2m30s167ms,
                     61.177.172.136 expires 19h31m55s187ms, 61.177.172.140 expires 15h41m18s700ms,
                     61.177.172.160 expires 11h59m49s909ms, 61.177.172.179 expires 12h53m28s577ms,
                     138.197.1.130 expires 7h14m6s308ms, 180.101.88.196 expires 11h12m54s787ms,
                     180.101.88.197 expires 15h55m50s898ms, 218.92.0.16 expires 17h48m9s626ms,
                     218.92.0.24 expires 14h12m27s747ms, 218.92.0.27 expires 14h25m43s130ms,
                     218.92.0.29 expires 12h54m23s602ms, 218.92.0.31 expires 11h36m19s96ms,
                     218.92.0.34 expires 13h26m9s558ms, 218.92.0.56 expires 11h24m58s216ms,
                     218.92.0.76 expires 12h9m49s436ms, 218.92.0.107 expires 15h26m36s924ms,
                     218.92.0.112 expires 13h12m51s969ms, 218.92.0.118 expires 13h52m10s525ms }
        }
    P.S. Sorry about formatting, I can't figure out how to post "code snippets" here (without destroying indentation etc.)
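The two failure modes in this thread (pam_hulk.so missing from the PAM stack, and bans living in an nftables set rather than an iptables chain) are easy to check for after provisioning. The script below is an added example, not cPanel's own tooling: it assumes the module name and file paths given in the thread (pam_hulk.so in /etc/pam.d/password-auth and /etc/pam.d/system-auth) and the set name shown in the nft output above (cphulk-TempBan in table inet filter). The sample nft listing used in the comments is a constructed excerpt.

```shell
#!/bin/sh
# Added diagnostic helper, not part of cPanel. Assumptions (from the thread):
# pam_hulk.so is loaded from /etc/pam.d/password-auth and /etc/pam.d/system-auth,
# and temporary bans sit in the nftables set "cphulk-TempBan" in table "inet filter".

PAM_FILES="${PAM_FILES:-/etc/pam.d/password-auth /etc/pam.d/system-auth}"

# pam_hulk_present FILE: succeeds when FILE has an active (uncommented) line
# that loads pam_hulk.so. A missing or unreadable file counts as "not present".
pam_hulk_present() {
    grep -qE '^[[:space:]]*[^#[:space:]].*pam_hulk\.so' "$1" 2>/dev/null
}

# tempban_entries: reads the output of `nft list set inet filter cphulk-TempBan`
# on stdin and prints one "ADDRESS EXPIRES" line per banned element, e.g.
# "14.40.58.161 44m30s870ms".
tempban_entries() {
    sed -n '/elements = {/,/}/p' |
        grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3} expires [0-9hms]+' |
        sed 's/ expires / /'
}

# tempban_count: number of banned addresses in the set (same stdin as above).
tempban_count() {
    tempban_entries | wc -l | tr -d ' '
}

main() {
    status=0
    for f in $PAM_FILES; do
        if pam_hulk_present "$f"; then
            echo "ok: pam_hulk.so active in $f"
        else
            echo "MISSING: pam_hulk.so not active in $f (fix from the thread: /usr/local/cpanel/bin/cphulk_pam_ctl --enable)"
            status=1
        fi
    done
    # Bans are in nftables on newer systems, so `iptables -L` shows nothing.
    if command -v nft >/dev/null 2>&1; then
        n=$(nft list set inet filter cphulk-TempBan 2>/dev/null | tempban_count)
        echo "nftables cphulk-TempBan entries: $n"
    else
        echo "nft not found; cannot inspect the cphulk-TempBan set"
    fi
    return $status
}

# Run the checks only when invoked as "sh cphulk_check.sh check"; sourcing the
# file just defines the functions.
if [ "${1:-}" = "check" ]; then
    main
fi
```

The PAM check deliberately ignores commented-out lines, since a `#` in front of the pam_hulk.so entry is functionally the same as the line being absent. The nft parsing only looks inside the `elements = { ... }` block, so the `timeout` line and the set header do not produce false entries.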