Jan 20, 2010
 

Earlier, a client was locked out of one of his servers by cphulkd. When trying to access the server's WHM interface, we were getting the following message:

—————————————————————————————
This account is currently locked out because a brute force attempt was detected. Please wait 10 minutes and try again. Attempting to login again will only increase this delay. If you frequently experience this problem, we recommend having your username changed to something less generic.
—————————————————————————————

We were also unable to access the server via SSH. This is because of ‘cphulkd’, cPanel's Brute Force Protection service. This service monitors failed authentication attempts and locks out an account once the number of failed attempts reaches the configured threshold. To re-enable your account, log in via the console at the datacenter or NOC and disable cphulkd using the following commands:


/usr/local/cpanel/bin/cphulk_pam_ctl --disable
/usr/local/cpanel/etc/init/safekill cphulk

This will then allow you to log in to WHM and check your cphulk settings. You can view the IP addresses that have been blocked in the Brutes table of the WHM interface: WHM -> Security -> Security Center -> cPHulk Brute Force Protection. On that screen, you can also customize the brute force protection settings.

Flush DB will remove all blocked IPs:

WHM -> Security Center -> cPHulk Brute Force Protection -> Click on Flush DB
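
The lockout behaviour described by the message above, as a simplified model. This is an added example, not cPHulk's code or algorithm: the threshold, the counting window, the restart-on-retry policy, the user name and the IP addresses are all assumptions, and only the 10-minute wait comes from the message. It shows why a lock keyed on the account name also shuts out the legitimate admin, and why retrying during the lock keeps it in place.

```python
# Simplified model of account-based brute-force lockout (assumption: this is
# NOT cPHulk's real algorithm; threshold and extension policy are illustrative).
from dataclasses import dataclass, field

LOCKOUT_SECONDS = 10 * 60   # "Please wait 10 minutes" from the message above
MAX_FAILURES = 5            # assumed threshold; the real value is set in WHM
WINDOW_SECONDS = 5 * 60     # assumed window in which failures are counted

@dataclass
class AccountLockout:
    failures: dict = field(default_factory=dict)      # username -> [timestamps]
    locked_until: dict = field(default_factory=dict)  # username -> unlock time

    def attempt(self, username, source_ip, password_ok, now):
        """Return 'ok', 'failed' or 'locked' for one login attempt."""
        # The lock is keyed on the username only; source_ip is never consulted,
        # so failures from any address lock out the legitimate owner too.
        if now < self.locked_until.get(username, 0):
            # Assumed policy: retrying while locked restarts the wait.
            self.locked_until[username] = now + LOCKOUT_SECONDS
            return "locked"
        if password_ok:
            self.failures.pop(username, None)
            return "ok"
        recent = [t for t in self.failures.get(username, []) if now - t < WINDOW_SECONDS]
        recent.append(now)
        self.failures[username] = recent
        if len(recent) >= MAX_FAILURES:
            self.locked_until[username] = now + LOCKOUT_SECONDS
        return "failed"

def simulate():
    """Constructed timeline: bad guesses against 'root' lock out the admin."""
    guard = AccountLockout()
    results = []
    for second in range(5):   # five bad guesses from a documentation-range address
        results.append(guard.attempt("root", "203.0.113.9", False, now=second))
    # The admin, from another address and with the correct password, is refused.
    results.append(guard.attempt("root", "198.51.100.7", True, now=60))
    # Ten minutes after the first lock is not enough: the retry at t=60 moved it.
    results.append(guard.attempt("root", "198.51.100.7", True, now=4 + LOCKOUT_SECONDS + 1))
    # Ten quiet minutes after the last attempt, the login succeeds.
    results.append(guard.attempt("root", "198.51.100.7", True, now=2 * LOCKOUT_SECONDS + 10))
    return results

if __name__ == "__main__":
    print(simulate())
```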

 Posted by at 5:21 am
