
CPANEL-43160 - cPHulk database issues leading to high cpu user for /usr/sbin/nft --json list ruleset

Comments

4 comments

  • James Row
    Response from Cpanel support ===
    I have confirmed access to your server and have reviewed the state of the firewall in regards to the cphulk rules. There appears to be an issue with cPHulk adding duplicate lines to the nftables chains in the process of adding blocks based on its configured policies. At last count there were around 24 thousand duplicate entries in the nftable for cPHulk:

    chain cphulk {
    ip saddr @cphulk-TempBan drop
    ip saddr @cphulk-TempBan drop
    ip saddr @cphulk-TempBan drop
    ip saddr @cphulk-TempBan drop
    ip saddr @cphulk-TempBan drop
    ip saddr @cphulk-TempBan drop
    ip saddr @cphulk-TempBan drop
    ip saddr @cphulk-TempBan drop

    cPs# nft list chain inet filter cphulk | wc -l
    24434

    This is an issue we have escalated to our development team in case ID CPANEL-43160. When cPHulk detects an IP that is brute forcing and has triggered the automatic blocking procedure, a duplicate tempban reference is placed in the chain along with it. There is no workaround to prevent this behaviour yet, but I have attached the details to this ticket to the case to help them examine and resolve it as quickly as possible.

    For now, you should be able to use the following commands to clear the cPHulk task queue, flush the duplicate rules, and add a single rule back to ensure that the tempban rules are read:

    mv -v /var/cpanel/taskqueue{,.bak}
    nft flush chain inet filter cphulk
    nft add rule inet filter cphulk ip saddr @cphulk-TempBan drop
    /scripts/restartsrv_queueprocd --hard

    Clearing this queue and flushing the duplicate rules should allow the nftables management to operate faster when cPHulk detects intrusions to your server.
    0
  • cPRex Jurassic Moderator
    Thanks for sharing that case number here! I'm watching this now and I'll be sure to post any updates I hear!
    0
  • Justin Welenofsky

    cPRex I also have an AlmaLinux 8 Server running cPanel that just experienced this issue. It brought my server to a crawl and I had to run these commands linked in another thread:

    mv -v /var/cpanel/taskqueue{,.bak}
    nft flush chain inet filter cphulk
    nft add rule inet filter cphulk ip saddr @cphulk-TempBan drop
    /scripts/restartsrv_queueprocd --hard

    https://applications.cpanel.net/threads/cpanel-43160-cphulk-database-issues-leading-to-high-cpu-user-for-usr-sbin-nft-json-list-ruleset.713457/

    I see this has been fixed and will focus on updating my install ASAP.

    0
  • cPRex Jurassic Moderator

    Justin Welenofsky - I would expect this issue to be resolved in any version of cPanel 116.

    0
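A read-only check for the duplicate-rule condition described in the support response above, added here as an example (it is not cPanel's code or part of the thread): it parses output in the shape of `nft --json list ruleset` and groups rules with identical expressions per chain. The sample ruleset is constructed, and the function names `duplicate_rules` and `redundant_count` are hypothetical.

```python
import json
import sys
from collections import defaultdict

def _rule(handle, chain="cphulk", setname="@cphulk-TempBan"):
    """Build one constructed 'ip saddr <set> drop' rule in nft JSON form."""
    return {"rule": {"family": "inet", "table": "filter", "chain": chain,
                     "handle": handle, "expr": [
                         {"match": {"op": "==", "left": {"payload": {
                             "protocol": "ip", "field": "saddr"}},
                             "right": setname}},
                         {"drop": None}]}}

# Constructed sample: the cphulk chain holds three identical TempBan rules.
SAMPLE = json.dumps({"nftables": [
    {"metainfo": {"json_schema_version": 1}},
    {"table": {"family": "inet", "name": "filter", "handle": 1}},
    {"chain": {"family": "inet", "table": "filter", "name": "cphulk", "handle": 2}},
    _rule(10), _rule(11), _rule(12),
    _rule(20, chain="other", setname="@allowlist"),  # hypothetical second chain
]})

def duplicate_rules(ruleset_json):
    """Map (family, table, chain) -> handle groups sharing one expression."""
    groups = defaultdict(list)
    for item in json.loads(ruleset_json).get("nftables", []):
        rule = item.get("rule")
        if rule is None:
            continue  # skip metainfo, table, chain and set objects
        # Canonical JSON of the expression so identical rules compare equal.
        key = json.dumps(rule.get("expr", []), sort_keys=True)
        groups[(rule["family"], rule["table"], rule["chain"], key)].append(rule["handle"])
    report = defaultdict(list)
    for (family, table, chain, _), handles in groups.items():
        if len(handles) > 1:
            report[(family, table, chain)].append(sorted(handles))
    return dict(report)

def redundant_count(ruleset_json, chain=("inet", "filter", "cphulk")):
    """Rules in the chain beyond the first copy of each expression."""
    return sum(len(h) - 1 for h in duplicate_rules(ruleset_json).get(chain, []))

if __name__ == "__main__":
    # Pipe real JSON output in on stdin; with no input the sample is used.
    raw = "" if sys.stdin.isatty() else sys.stdin.read()
    data = raw.strip() or SAMPLE
    for chain, dups in duplicate_rules(data).items():
        print(chain, "duplicate handle groups:", dups)
    print("redundant cphulk rules:", redundant_count(data))
```

A non-zero count for the `cphulk` chain that keeps growing between runs matches the behaviour support described.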
