If you or a client is getting the following error:
=============================================
Brute Force Protection
This account is currently locked out because a brute force attempt was detected. Please wait 10 minutes and try again. Attempting to login again will only increase this delay. If you frequently experience this problem, we recommend having your username changed to something less generic.
=============================================
but you have waited, tried to log in again later and are still receiving the message, then you may need to take some further action to resolve the issue.
cPHulk stores all of its information in a database called cphulkd. There are two tables of interest: logins and brutes. The logins table stores login authentication failures. The brutes table stores excessive authentication failures indicative of a brute force attack.
A way to see what is currently listed in those tables is through MySQL on the command line:
===================================================
mysql> connect cphulkd
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Connection id: id
Current database: cphulkd
mysql> select IP, BRUTETIME from brutes order by BRUTETIME;
Empty set (0.00 sec)
mysql> select IP, LOGINTIME FROM logins order by LOGINTIME;
+---------------------------------+---------------------+
| IP | LOGINTIME |
+---------------------------------+---------------------+
| 220.199.6.48 | 2009-10-14 11:23:10 |
| 220.199.6.48 | 2009-10-14 11:23:10 |
| 220.199.6.48 | 2009-10-14 11:23:10 |
| 118.212.186.59 | 2009-10-14 11:23:40 |
| 118.212.186.59 | 2009-10-14 11:23:40 |
| 118.212.186.59 | 2009-10-14 11:23:40 |
| djdeatheater.liquidweb.com | 2009-10-14 11:24:03 |
| 221.7.58.37 | 2009-10-14 11:24:07 |
| 221.7.58.37 | 2009-10-14 11:24:07 |
| 221.7.58.37 | 2009-10-14 11:24:07 |
| djdeatheater.liquidweb.com | 2009-10-14 11:24:09 |
| djdeatheater.liquidweb.com | 2009-10-14 11:24:15 |
| mail.ingener.com | 2009-10-14 11:24:53 |
| mail.ingener.com | 2009-10-14 11:24:57 |
| 123.147.144.45 | 2009-10-14 11:25:16 |
| 123.147.144.45 | 2009-10-14 11:25:16 |
| 123.147.144.45 | 2009-10-14 11:25:16 |
| 119.62.128.42 | 2009-10-14 11:25:41 |
| 119.62.128.42 | 2009-10-14 11:25:41 |
| 119.62.128.42 | 2009-10-14 11:25:41 |
| pomme.sai.msu.ru | 2009-10-14 11:26:13 |
| pomme.sai.msu.ru | 2009-10-14 11:26:13 |
| pomme.sai.msu.ru | 2009-10-14 11:26:13 |
| 84-74-21-119.dclient.hispeed.ch | 2009-10-14 11:26:48 |
| 84-74-21-119.dclient.hispeed.ch | 2009-10-14 11:26:48 |
| 84-74-21-119.dclient.hispeed.ch | 2009-10-14 11:26:48 |
| 114.143.242.51 | 2009-10-14 11:27:23 |
| 114.143.242.51 | 2009-10-14 11:27:23 |
| 114.143.242.51 | 2009-10-14 11:27:23 |
| 222.179.116.53 | 2009-10-14 11:27:47 |
| 222.179.116.53 | 2009-10-14 11:27:47 |
| 222.179.116.53 | 2009-10-14 11:27:47 |
+---------------------------------+---------------------+
32 rows in set (0.00 sec)
===================================================
This will give you a list of the IPs (or their reverse-DNS hostnames) and the LOGINTIME at which each failure was entered into the database.
The first way to reconnect would be to disable cPHulk to regain access, log into WHM, clear out the block by using the “Flush DB” option in the cPHulk settings page, and then re-enable cPHulk. A number of people recommended this method, but it is not secure for the server. What would happen if a huge wave of brute force authentication attempts hit the box in the time between disabling and re-enabling cPHulk? The answer is that the box wouldn't protest and would tell the attacking program whether each attempt was successful or not.
If you need to use this method, the two commands you will want to use are:
/usr/local/cpanel/bin/cphulk_pam_ctl --disable and
/usr/local/cpanel/bin/cphulk_pam_ctl --enable.
These two commands will disable and enable cPHulk, respectively.
Here is a better method. This method does not require disabling cPHulk, and thus, does not require reducing protection to regain access. Essentially, clear the tables manually, so that you can log in once again.
While still connected to the database through the MySQL monitor, run a couple more queries.
mysql> delete from brutes;
Query OK, 0 rows affected (0.00 sec)
mysql> delete from logins;
Query OK, 32 rows affected (0.00 sec)
Now, log back into the account.
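Emptying both tables also releases every attacker that cPHulk has blocked. As an added example (not from the original post), the queries below remove only the rows for your own address and first show which sources are actually generating the failures. They assume the IP, BRUTETIME and LOGINTIME columns shown above; 203.0.113.7 and admin-host.example.net are placeholders for your address and its reverse-DNS name, since cPHulk records a hostname instead of an IP for some rows.

```sql
-- Run inside the cphulkd database (mysql> use cphulkd;).
-- Placeholders: replace with your own address and its reverse-DNS hostname.
SET @me_ip   = '203.0.113.7';
SET @me_host = 'admin-host.example.net';

-- 1. Before deleting anything, see which sources are failing, worst first.
--    Real brute-force sources show many failures in a short window.
SELECT IP,
       COUNT(*)       AS failures,
       MIN(LOGINTIME) AS first_seen,
       MAX(LOGINTIME) AS last_seen
FROM logins
GROUP BY IP
ORDER BY failures DESC, last_seen DESC;

-- 2. Confirm that the lockout actually involves your address.
SELECT IP, BRUTETIME FROM brutes WHERE IP IN (@me_ip, @me_host);
SELECT IP, LOGINTIME FROM logins WHERE IP IN (@me_ip, @me_host);

-- 3. Remove only those rows; blocks on every other source stay in place.
DELETE FROM brutes WHERE IP IN (@me_ip, @me_host);
DELETE FROM logins WHERE IP IN (@me_ip, @me_host);
```

The row counts reported by the two DELETE statements should match the rows listed in step 2; if they are zero, the lockout was recorded under a different IP or hostname than the one you supplied.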
If you’re not comfortable doing this on the command line or do not have SSH access at all, you can log in to WebHost Manager (WHM) and flush the brutes database from there.
Don’t forget to add your IP address or network address to your whitelist.
A whitelisted IP address or network address will still be allowed access when other addresses are locked out after a brute force attempt is detected.