CPANEL-43160 - cPHulk database issues leading to high cpu user for /usr/sbin/nft --json list ruleset
Almalinux 8.8.0 standard kvm
Cpanel 112.0.7
I see high cpu user for: /usr/sbin/nft --json list ruleset
cPHulk has lots of records for One-day Blocks
Narrowed it down to cPHulk database issues, hope someone can explain.
[root@buy ~]# /usr/local/cpanel/3rdparty/bin/sqlite3 /var/cpanel/hulkd/cphulk.sqlite
SQLite version 3.38.5 2022-05-06 15:25:27
Enter ".help" for usage hints.
sqlite> select count(*) from ip_lists;
391987
sqlite> .quit
If you want to see how senseless those records are, see this:
[root@buy ~]# /usr/local/cpanel/3rdparty/bin/sqlite3 /var/cpanel/hulkd/cphulk.sqlite
SQLite version 3.38.5 2022-05-06 15:25:27
Enter ".help" for usage hints.
sqlite> select * from ip_lists limit 50;
||4|AD
||4|AD
||4|AD
||4|AD
||4|AD
etc
Response from Cpanel support ===
I have confirmed access to your server and have reviewed the state of the firewall in regards to the cphulk rules. There appears to be an issue with cPHulk adding duplicate lines to the nftables chains in the process of adding blocks based on its configured policies. At last count there were around 24 thousand duplicate entries in the nftable for cPHulk:
chain cphulk {
    ip saddr @cphulk-TempBan drop
    ip saddr @cphulk-TempBan drop
    ip saddr @cphulk-TempBan drop
    ip saddr @cphulk-TempBan drop
    ip saddr @cphulk-TempBan drop
    ip saddr @cphulk-TempBan drop
    ip saddr @cphulk-TempBan drop
    ip saddr @cphulk-TempBan drop
cPs# nft list chain inet filter cphulk | wc -l
24434
This is an issue we have escalated to our development team in case ID CPANEL-43160. When cPHulk detects an IP that is brute forcing and has triggered the automatic blocking procedure, a duplicate tempban reference is placed in the chain along with it. There is no workaround to prevent this behaviour yet, but I have attached the details to this ticket to the case to help them examine and resolve it as quickly as possible.
For now, you should be able to use the following commands to clear the cPHulk task queue, flush the duplicate rules, and add a single rule back to ensure that the tempban rules are read:
mv -v /var/cpanel/taskqueue{,.bak}
nft flush chain inet filter cphulk
nft add rule inet filter cphulk ip saddr @cphulk-TempBan drop
/scripts/restartsrv_queueprocd --hard
Clearing this queue and flushing the duplicate rules should allow the nftables management to operate faster when cPHulk detects intrusions to your server.
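A check for the duplication described in the support response, written as an added example (not part of the thread and not cPanel's own tooling): it counts repeated rule lines in the text output of `nft list chain inet filter cphulk`. The function names and the sample listing, including the `192.0.2.10` rule, are constructed for illustration.

```shell
#!/bin/sh
# Added example: find repeated rules in an nftables chain listing.
# Live use (as root): nft list chain inet filter cphulk | surplus_rules

# Print "<count> <rule>" for each rule line that appears more than once.
# Reads the chain listing on stdin.
dup_rules() {
    awk '
        /^[ \t]*(table|chain)[ \t].*[{][ \t]*$/ { next }  # table/chain headers
        /^[ \t]*[}][ \t]*$/                     { next }  # closing braces
        /^[ \t]*type[ \t].*hook[ \t]/           { next }  # base-chain declaration
        /^[ \t]*$/                              { next }  # blank lines
        {
            # Normalise indentation so identical rules compare equal.
            sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "")
            seen[$0]++
        }
        END { for (r in seen) if (seen[r] > 1) printf "%d %s\n", seen[r], r }
    '
}

# Print how many copies are surplus (copies beyond the first of each rule).
surplus_rules() {
    dup_rules | awk '{ n += $1 - 1 } END { print n + 0 }'
}

# Constructed sample listing: the TempBan rule from the thread repeated
# three times, plus one unrelated rule that must not be reported.
sample_chain() {
    cat <<'EOF'
table inet filter {
    chain cphulk {
        ip saddr @cphulk-TempBan drop
        ip saddr @cphulk-TempBan drop
        ip saddr @cphulk-TempBan drop
        ip saddr 192.0.2.10 drop
    }
}
EOF
}
```

A result of 0 from `surplus_rules` means the chain holds no repeated rules; any larger number is the count of redundant lines the flush-and-re-add commands above would clear.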
Thanks for sharing that case number here! I'm watching this now and I'll be sure to post any updates I hear!
cPRex I also have an AlmaLinux 8 Server running cPanel that just experienced this issue. It brought my server to a crawl and I had to run these commands linked in another thread
mv -v /var/cpanel/taskqueue{,.bak}
nft flush chain inet filter cphulk
nft add rule inet filter cphulk ip saddr @cphulk-TempBan drop
/scripts/restartsrv_queueprocd --hard
I see this has been fixed and will focus on updating my install ASAP
Justin Welenofsky - I would expect this issue to be resolved in any version of cPanel 116.