cpHulk suddenly blocking logged-in webmail account

Comments

4 comments

  • cPanelMichael
    Hello :) Could you review /var/log/maillog and /usr/local/cpanel/logs/cphulkd.log for the corresponding time when the account is locked to see what the log output shows? Thank you.
    0
  • ryodo
    Thank you for responding quickly! Yes, maillog shows several logged-out messages for my account, then a second later the block. I forgot to mention that we recently switched from courier to dovecot, but that was weeks before the new blocking issue. The logs show I started getting blocked on 3/24/2016.

    >>> maillog >>>
    I've deleted intervening spamd and pop3 notices:

    Apr 11 13:53:27 cp dovecot: imap(me@my.com): Logged out in=274, out=5449, bytes=274/5449
    ...
    Apr 11 13:53:33 cp dovecot: imap(me@my.com): Logged out in=146, out=2512, bytes=146/2512
    Apr 11 13:53:33 cp dovecot: imap(me@my.com): Logged out in=4068, out=8871, bytes=4068/8871
    Apr 11 13:53:33 cp dovecot: imap(me@my.com): Logged out in=724, out=3978, bytes=724/3978
    spamd and pop3 logins ......
    Apr 11 13:54:52 cp dovecot: auth: Error: Cpanel::MailAuth: cphulk blocked login for user 'me@my.com' to access service 'mail' from IP '::1'
    spamd ...
    Apr 11 13:54:54 cp dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=, method=PLAIN, rip=::1, lip=::1, secured, session=
    >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

    >>> cphulkd.log - several entries today >>>
    [2016-04-11 13:27:53 -0700] info [cphulkd] 16399 Login Blocked: Too many failures for this username for this authentication database. [Service]=[imap] [Local IP Address]=[0000:0000:0000:0000:0000:0000:0000:0001] [Remote IP Address]=[0000:0000:0000:0000:0000:0000:0000:0001] [Authentication Database]=[mail] [Username]=[me@my.com] (6/5 failures) (blocked until [Mon Apr 11 20:32:53 2016 UTC/Mon Apr 11 13:32:53 2016 LOCAL])
    [2016-04-11 13:54:52 -0700] info [cphulkd] 22565 Login Blocked: Too many failures for this username for this authentication database. [Service]=[imap] [Local IP Address]=[0000:0000:0000:0000:0000:0000:0000:0001] [Remote IP Address]=[0000:0000:0000:0000:0000:0000:0000:0001] [Authentication Database]=[mail] [Username]=[me@my.com] (5/5 failures) (blocked until [Mon Apr 11 20:59:52 2016 UTC/Mon Apr 11 13:59:52 2016 LOCAL])
    [2016-04-11 13:57:53 -0700] info [cphulkd] 22991 Login Blocked: Too many failures for this username for this authentication database. [Service]=[imap] [Local IP Address]=[0000:0000:0000:0000:0000:0000:0000:0001] [Remote IP Address]=[0000:0000:0000:0000:0000:0000:0000:0001] [Authentication Database]=[mail] [Username]=[me@my.com] (6/5 failures) (blocked until [Mon Apr 11 21:02:53 2016 UTC/Mon Apr 11 14:02:53 2016 LOCAL])
    [2016-04-11 14:30:52 -0700] info [cphulkd] 28062 Login Blocked: Too many failures for this username for this authentication database. [Service]=[imap] [Local IP Address]=[0000:0000:0000:0000:0000:0000:0000:0001] [Remote IP Address]=[0000:0000:0000:0000:0000:0000:0000:0001] [Authentication Database]=[mail] [Username]=[me@my.com] (21/5 failures) (blocked until [Mon Apr 11 21:35:52 2016 UTC/Mon Apr 11 14:35:52 2016 LOCAL])
    [2016-04-11 14:33:53 -0700] info [cphulkd] 28383 Login Blocked: Too many failures for this username for this authentication database. [Service]=[imap] [Local IP Address]=[0000:0000:0000:0000:0000:0000:0000:0001] [Remote IP Address]=[0000:0000:0000:0000:0000:0000:0000:0001] [Authentication Database]=[mail] [Username]=[me@my.com] (22/5 failures) (blocked until [Mon Apr 11 21:38:53 2016 UTC/Mon Apr 11 14:38:53 2016 LOCAL])
    0
  • cPanelMichael
    Hello :) Internal case CPANEL-5175 addresses an issue where cPHulk logs successful logins as failed logins when Two-Factor authentication is enabled on the system, and the IP from which the successful login takes place is whitelisted in cPHulk:

    Fixed case CPANEL-5175: CPHulk: Ensure successful logins are not improperly marked as failed.

    The resolution is included in cPanel version 56, which is currently available on the "Edge" and "Current" build tiers. The temporary workaround is to disable "Two-Factor Authentication" if you prefer to remain on version 54. Thank you.
    0
  • ryodo
    Thank you for letting me know!
    0
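
Added example (not part of the thread, and not cPanel code): a triage script for the cphulkd.log "Login Blocked" format quoted above. It separates lockouts whose remote address is loopback, as in ryodo's entries, from lockouts with any other source. The sample lines are constructed from the quoted format; `203.0.113.7`, `other@my.com` and the helper `_entry` are made up for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Field layout follows the cphulkd.log entries quoted in the thread.
BLOCK_RE = re.compile(
    r"\[(?P<ts>[^\]]+)\] info \[cphulkd\] \d+ Login Blocked: .*?"
    r"\[Remote IP Address\]=\[(?P<rip>[^\]]*)\] .*?"
    r"\[Username\]=\[(?P<user>[^\]]*)\] \((?P<fails>\d+)/\d+ failures\)"
)

def parse_blocks(lines):
    """Yield one dict per 'Login Blocked' entry; other lines are skipped."""
    for line in lines:
        m = BLOCK_RE.search(line)
        if not m:
            continue
        try:
            rip = ipaddress.ip_address(m["rip"])  # accepts the expanded ::1 form
        except ValueError:
            continue  # unparseable address field: leave for manual review
        yield {"ts": m["ts"], "user": m["user"], "remote_ip": rip,
               "fails": int(m["fails"])}

def triage(lines):
    """Count blocks per username by source: loopback vs. any other address."""
    out = defaultdict(lambda: {"local": 0, "remote": 0, "max_fails": 0})
    for b in parse_blocks(lines):
        bucket = out[b["user"]]
        bucket["local" if b["remote_ip"].is_loopback else "remote"] += 1
        bucket["max_fails"] = max(bucket["max_fails"], b["fails"])
    return dict(out)

def _entry(ts, rip, user, fails):
    """Build a constructed sample line in the quoted cphulkd.log format."""
    return (f"[{ts}] info [cphulkd] 16399 Login Blocked: Too many failures for "
            "this username for this authentication database. [Service]=[imap] "
            "[Local IP Address]=[0000:0000:0000:0000:0000:0000:0000:0001] "
            f"[Remote IP Address]=[{rip}] [Authentication Database]=[mail] "
            f"[Username]=[{user}] ({fails}/5 failures)")

LOOPBACK = "0000:0000:0000:0000:0000:0000:0000:0001"
SAMPLE = [  # constructed input; 203.0.113.7 and other@my.com are made up
    _entry("2016-04-11 13:27:53 -0700", LOOPBACK, "me@my.com", 6),
    _entry("2016-04-11 14:30:52 -0700", LOOPBACK, "me@my.com", 21),
    _entry("2016-04-11 15:02:10 -0700", "203.0.113.7", "other@my.com", 9),
    "Apr 11 13:53:33 cp dovecot: imap(me@my.com): Logged out in=146, out=2512",
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A username whose blocks are all "local" with a steadily rising failure count matches the pattern in the log excerpt above; blocks counted as "remote" have a source address outside the server.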
