
How To Fix WHM - cPanel cPHulk Brute Force Lock Out Via SSH


Here are some quick tips for cPanel/WHM.

Note: These are not necessarily the best way, but they are what we found works best for us.


If you or a client is getting the following error:

 Brute Force Protection
 This account is currently locked out because a brute force attempt was detected. Please wait 10 minutes and try
 again. Attempting to login again will only increase this delay. If you frequently experience this problem, we
 recommend having your username changed to something less generic.

but have tried to log in again a while later and still receive the message, then you may need to take some further action to resolve the issue.

cPHulk stores all of its information in a database called cphulkd. There are two tables of interest: logins and brutes. The logins table stores individual login authentication failures. The brutes table stores addresses whose excessive authentication failures were judged to indicate a brute force attack, and it is the table that actually causes the lockout. Note that newer cPanel & WHM versions keep this data in an SQLite database at /var/cpanel/cphulk.sqlite instead of in MySQL; the brutes and logins tables exist there as well, so the same queries can be run through the sqlite3 client against that file.

A way to see what is currently listed in there is through MySQL on the command line. The cphulkd database is owned by the MySQL root user, so connect as root (cPanel keeps the root MySQL credentials in /root/.my.cnf):

   [root@server ~]# mysql -u root -p
   mysql> use cphulkd;
   mysql> select IP, BRUTETIME from brutes order by BRUTETIME;
   mysql> select IP, LOGINTIME from logins order by LOGINTIME;

This gives you a list of the IPs and the time (BRUTETIME or LOGINTIME) at which each one was entered into the respective table. Look for your own public IP address in the output; if it is in brutes, that row is what is locking you out.

The first way to regain access would be to disable cPHulk, log into WHM, clear out the block with the “Flush DB” option on the cPHulk settings page, and then re-enable cPHulk. A number of people recommend this method, but I didn't like it. I certainly don't want to disable a security measure that is successfully protecting the box just to be able to regain access. What would happen if a wave of brute force authentication attempts hit the box in the time between disabling and re-enabling cPHulk? The box wouldn't throttle or block them, and it would tell the attacking program whether each attempt succeeded or not, for every account on the server.

If you do need to use this method, the two commands you will want are /usr/local/cpanel/bin/cphulk_pam_ctl --disable and /usr/local/cpanel/bin/cphulk_pam_ctl --enable. These disable and enable cPHulk, respectively. Keep the window between them as short as possible.

Here is a better method. It does not require disabling cPHulk, and thus does not reduce protection while you regain access. Essentially, you clear the tables manually so that you can log in once again.

While still connected to the database through the MySQL monitor, run a couple more queries.

   mysql> delete from brutes;
   Query OK, 0 rows affected (0.00 sec)
   mysql> delete from logins;
   Query OK, 32 rows affected (0.00 sec)

Be aware that these two statements clear the block list for every address, not just yours, so any attacker currently held off by cPHulk gets a fresh start at the same moment you do. If your own IP is the only one you need to unblock, restrict the deletes with a WHERE clause on the IP column instead of emptying the tables.

Now, log back into the account.
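The following is an added example and not part of the original page: it carries out the targeted version of the procedure above, clearing the lockout for a single address rather than emptying both tables, so the rows for the attacking IPs stay in place. The address 203.0.113.10 is a placeholder for your own public IP, and the example assumes the IP column holds the dotted-quad address as text, which is how the page's own select statements display it.

```sql
-- Added example (not from the original page): clear the cPHulk lockout for
-- one address only.  Replace 203.0.113.10 with your own public IP address.
USE cphulkd;

-- 1. Confirm that the rows locking you out really belong to your address.
--    The brutes row is the one that triggers the "currently locked out" message.
SELECT IP, BRUTETIME FROM brutes WHERE IP = '203.0.113.10';
SELECT IP, LOGINTIME FROM logins WHERE IP = '203.0.113.10' ORDER BY LOGINTIME DESC;

-- 2. Remove only those rows.  Entries for every other address, including the
--    attackers that caused the lockout, are left untouched and stay blocked.
DELETE FROM brutes WHERE IP = '203.0.113.10';
DELETE FROM logins WHERE IP = '203.0.113.10';

-- 3. Verify: the first two counts should now be 0 for your address, while the
--    overall count shows the rest of the block list is still intact.
SELECT COUNT(*) FROM brutes WHERE IP = '203.0.113.10';
SELECT COUNT(*) FROM logins WHERE IP = '203.0.113.10';
SELECT COUNT(*) FROM brutes;
```

If the lockout is on the account rather than on your address (the error message says the account is locked), failed attempts against that username from other IPs also count toward it, which is why the page's wholesale delete from logins works where an IP-filtered delete may not. Filtering on the username column would be the narrower equivalent, but check the table layout with describe logins; first, since the page does not show those columns.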

To ensure that your office isn't blocked the next time a brute force attack happens, add its address to the cPHulk whitelist. The whitelist supports both IP addresses and hostnames, so if you have a dynamic IP you can use a DDNS (Dynamic DNS) service to get a hostname to whitelist instead. No-IP offers a free hostname for this; DynDNS did as well at the time this was written, though it has since discontinued its free hostnames. EveryDNS, now discontinued, was a free DNS provider that also let you create subdomains of your own domain pointing at dynamic IPs. Many current routers support DynDNS, No-IP, or both, so the router can update the hostname automatically. Some router firmwares, such as Tomato, support a much larger variety of DDNS services.

Another nice feature of whitelisting a DDNS hostname is that you can update that DNS pointer remotely. If you get locked out of WHM while away from the whitelisted location, you can update the IP on the DDNS system, wait a few minutes for the record to propagate, and then log into WHM through the whitelist. The flip side is that whoever controls that hostname controls a cPHulk bypass for your server: protect the DDNS account (strong unique password, two-factor authentication where the provider offers it), and keep the whitelist short, since a whitelisted address is exempt from brute force protection entirely.

https://www.westhost.com/knowledgebase/display/WES/How+To+Fix+WHM+-+cPanel+cPHulk+Brute+Force+Lock+Out+Via+SSH

whm_chulkbruteforcelockout.txt · Last modified: 2018/05/15 18:09 by 127.0.0.1