Unknown cPHulk Limitation
Hello Everyone,
We are a hosting provider company (so we have root access to SSH and the WHM interface).
Our cPanel version is 54, and the issue I'm going to talk about has been happening since we updated our cPanel servers to the 54 release a few weeks ago. (The PHP versions are 5.4 to 5.6 and the Apache version is 2.4.)
There are times when the IP of one of our customers gets blocked in the cPHulk database. It happens like this: at first they suffer from slow connections and slow web browsing on the said servers, and after some time (or after some additional failed attempts to log in to their services) their IP gets blocked.
The weird/senseless phenomenon is that when we try to find the cause and check the logs, we just realise that their IP address was not blocked in the server's firewall (CSF) or in cPHulk's WHM blacklist. We initially enter the following command over SSH to check whether the IP is blocked in the server's firewall or not:
# csf -g "IP address"
The result is as follows:
Chain num pkts bytes target prot opt in out source destination
No matches found for "IP address" in iptables
ip6tables:
Chain num pkts bytes target prot opt in out source destination
No matches found for "IP address" in ip6tables
That shows the IP address has not been blocked in the server's firewall. Then we go to cPHulk in WHM via Home » Security Center » cPHulk Brute Force Protection and click on "History Reports"; no entries are found there for the searched IP. Finally we go to the database tables via Home » SQL Services » phpMyAdmin, find the "cphulkd" database and open the "login_track", "known_netblocks" or "ip_lists" table. There are the IPs blocked by cPHulk and the reason they have been blocked. As you know, the IPs are written in IPv6 form, so I convert our customer's blocked IPv4 address to IPv6 and then find the log entry (reason) for which the considered IP has been blocked. After ensuring that the IP is blocked and listed in the database, we enter the following command to remove it from the list and thus reactivate the IP:
# /scripts/hulk-unban-ip "IP address"
Here is the output:
The system unblocked the IP address "IP address" successfully.
When the IP is reactivated, the customer can again access his/her website at full speed. The question is: why is this happening (slow browsing speed and then getting blocked without any recorded logs in WHM's cPHulk)? Are there any solutions to access the logs instantly and have the IP removed from the list? Regards, Ardeshir Behbood.
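The lookup step in the post above (the customer's IPv4 address is stored in IPv6 form in the cphulkd tables, so it has to be converted before it can be found, and it may also appear in plain form in a log file) is easy to get wrong by hand because an IPv4-mapped IPv6 address has several equivalent spellings. The script below is an added example, not code from the thread or from cPanel: it produces every spelling of an address, folds any spelling back to the plain IPv4 form, searches a set of rows for the address in any form, and builds a grep command for the cphulkd.log path mentioned later in the thread. The sample rows are constructed for illustration and do not reproduce the real cphulkd.log format or the login_track schema; the exact columns on a live server are an assumption the reader must check in phpMyAdmin.

```python
import ipaddress
import re
import shlex

# Constructed sample rows, standing in for lines from cphulkd.log or rows
# exported from the cphulkd database. The layout is illustrative only; it is
# NOT the real cphulkd.log format or the login_track table schema.
SAMPLE_ROWS = [
    "::ffff:c000:20a  reseller1  2016-03-05 08:10:02  Brute force",
    "::ffff:192.0.2.10  user2  2016-03-05 08:10:40  Brute force",
    "0000:0000:0000:0000:0000:ffff:c000:020a  user3  2016-03-05 08:11:05  Brute force",
    "::ffff:cb00:7133  other  2016-03-05 08:12:17  Brute force",
    "192.0.2.10  login failed for admin",
]


def address_forms(ip):
    """Every textual form in which `ip` may appear in cPHulk data.

    An IPv4 address is returned as itself plus its IPv4-mapped IPv6 forms
    (dotted-quad suffix, compressed hex, and fully expanded), which is the
    IPv6 notation the original poster had to convert to by hand.
    """
    addr = ipaddress.ip_address(ip)
    if addr.version == 6:
        return {str(addr), addr.exploded}
    b = addr.packed
    hi, lo = (b[0] << 8) | b[1], (b[2] << 8) | b[3]
    mapped = ipaddress.IPv6Address(f"::ffff:{hi:x}:{lo:x}")
    return {
        str(addr),                 # plain IPv4, e.g. 192.0.2.10
        f"::ffff:{addr}",          # IPv4-mapped, dotted-quad suffix
        f"::ffff:{hi:x}:{lo:x}",   # IPv4-mapped, compressed hex groups
        mapped.exploded,           # IPv4-mapped, all eight groups written out
    }


def canonical(ip):
    """Fold an IPv4-mapped IPv6 address back to plain IPv4; normalise anything else."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return str(addr.ipv4_mapped)
    return str(addr)


# Candidate address tokens: runs of hex digits, colons and dots.
_TOKEN = re.compile(r"[0-9A-Fa-f:.]+")


def find_records(ip, rows):
    """Return the rows that mention `ip` in any of its textual forms."""
    wanted = canonical(ip)
    hits = []
    for row in rows:
        for token in _TOKEN.findall(row):
            try:
                if canonical(token) == wanted:
                    hits.append(row)
                    break
            except ValueError:
                continue  # not an address (a timestamp, a fragment of a word, ...)
    return hits


def grep_command(ip, path="/usr/local/cpanel/logs/cphulkd.log"):
    """Shell command that greps a file for every spelling of `ip` at once."""
    patterns = " ".join(f"-e {shlex.quote(f)}" for f in sorted(address_forms(ip)))
    return f"grep -F {patterns} {shlex.quote(path)}"


def unban_command(ip):
    """The unban command used in the post, fed the plain (canonical) address."""
    return f"/scripts/hulk-unban-ip {shlex.quote(canonical(ip))}"


if __name__ == "__main__":
    customer_ip = "192.0.2.10"
    for row in find_records(customer_ip, SAMPLE_ROWS):
        print("match:", row)
    print(grep_command(customer_ip))
    print(unban_command(customer_ip))
```

Run it with the customer's IPv4 address; the four spellings it prints are the strings to search for in phpMyAdmin, and the grep line searches the log file for all of them in one pass.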
There is a chance that a range of IPs is blocked too. You may run the following command:
# iptables -L -b | grep xyz
where xyz is the first quad of the IP address.
Hello :) Have you tried searching for the affected IP address or username in the /usr/local/cpanel/logs/cphulkd.log file? It's possible the username itself is blocked, rather than the specific IP address. More information is available at: cPHulk Brute Force Protection - Documentation - cPanel Documentation. Thank you.
Dear Syslint, thanks for answering, but this is not the case. Also thank you, Micheal. I've read the entire documentation. This issue happened again just now. One of our resellers declared that his IP address had been blocked. I checked the IP address and the username in /usr/local/cpanel/logs/cphulkd.log but there were no entries; then again I went to phpMyAdmin > the login_track table and found 3 results for that IP (he had unsuccessful login attempts with three different usernames), although he denied having done so. In the past there was no slowdown when brute force attacks etc. happened, but now clients first have their access speed reduced. Are you aware of that (have you applied it on purpose in the new version)? Warm Regards. A.B.
In the past there was no slowdown when brute force attacks etc. happened, but now clients first have their access speed reduced. Are you aware of that (have you applied it on purpose in the new version)?
cPHulk will not shape the speed of a user accessing a service. It seems like there might be an external firewall that's causing that issue. Have you consulted with your data center to verify whether that's the case? Thank you.
I talked to them; there wasn't any, but hopefully the issue has been solved automatically. Have a nice weekend, A.B.
Feel free to let us know if you continue to experience this issue. Thank you.