Every now and then attackers try to brute-force their way into our servers, probing for user names and guessing the password of one of the accounts we maintain.
Sooner or later the number of failed attempts reaches the limit set under 'Maximum Failures By Account' in the cPHulk Brute Force Protection configuration area of WHM. When that happens the account is locked: you cannot log in as this user in the cPanel GUI, and since cPHulk also hooks into PAM, you may not even be able to enter the server via ssh while the cphulkd daemon is running (which it usually is).
By the way, if ssh access is still possible, you can check whether the daemon is running with
ps aux | grep -i "[c]phulkd - process"
(the brackets keep grep from matching its own command line, so an empty result really means the daemon is not running).
So the first task is to get ssh access back. The easiest solution I have come across so far is: wait. The 'Brute Force Protection Period in minutes' setting (10, 15, 60 minutes or whatever you chose) determines how long the lockout lasts. You simply have to wait and try again from time to time, hoping that the attackers have finally given up on your excellent password and that nobody tries again within that period. Boring? Yes.
A better approach is to set up key-based login for your main users (a good idea anyway; once the keys work, switch password authentication off in sshd so the guesses never reach PAM in the first place) or to create a spare user whose name is not as easy to guess as 'root' or 'admin'.
When you have finally reached your ssh console and see the familiar server prompt again, say a silent prayer and pick one of the following ways to (temporarily) solve the issue:
- Add your IP address to the cpHulk whitelist
Open your MySQL console, switch to the cphulkd database and insert your IP address, or a range containing it, into the whitelist table:
mysql -uadmin -p
mysql> use cphulkd
mysql> insert into whitelist values ('192.168.1.0/24',1);
Whitelist only the addresses you actually administer from. The private 192.168.1.0/24 above only makes sense if you reach the server from that LAN; a wide public range would punch a hole in the protection for everyone in it.
- Kill the cpHulk daemon or disable it
I prefer the whitelist, because your system is pretty naked once cpHulk is completely shut down, and cPanel's service monitoring may simply restart a killed daemon. Anyway, you can do it via
for i in $(ps aux | grep -i "[c]phulkd - process" | awk '{print $2}'); do kill -9 "$i"; done
If you want to get rid of this protection altogether – disable it:
/usr/local/cpanel/bin/cphulk_pam_ctl --disable
(see also: login-invalid-276062.html)
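Two things in the whitelist and kill recipes above deserve a bit of care: the `ps aux | grep` pattern matches the grep process itself, and the address you type ends up inside an SQL string literal. The following script is an added example, not code from the original post. It finds the cphulkd processes from a `ps aux` listing without matching the search command, and only builds the whitelist INSERT for a syntactically valid IPv4 address or CIDR range. The two-column whitelist(ip, flag) layout is assumed from the INSERT the post uses; the process name in the constructed sample listing is also an assumption.

```shell
#!/bin/sh
# Added example, not from the original post. Finds running cphulkd processes
# in a `ps aux` listing without the grep-matches-itself mistake, and builds
# the whitelist INSERT only for a validated IPv4 address or CIDR range, so a
# typo or a pasted string cannot turn into a broken (or injected) statement.
# The whitelist(ip, flag) column layout is assumed from the INSERT in the post.

# Print the PIDs of cphulkd processes from a `ps aux` listing read on stdin.
# Field 11 is the start of the command, so the grep/awk doing the search is skipped.
cphulkd_pids() {
    awk 'tolower($0) ~ /cphulkd - process/ && $11 !~ /grep|awk/ { print $2 }'
}

# Return 0 if $1 is a dotted-quad IPv4 address, optionally with a /0-32 prefix.
valid_ipv4_cidr() {
    case $1 in
        */*) addr=${1%%/*}; prefix=${1#*/} ;;
        *)   addr=$1;       prefix=32 ;;
    esac
    case $prefix in ''|*[!0-9]*) return 1 ;; esac
    [ ${#prefix} -le 2 ] && [ "$prefix" -le 32 ] || return 1
    case $addr in ''|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -f                      # no pathname expansion while splitting on dots
    set -- $addr
    set +f
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Emit the INSERT statement the post uses, but only for a validated address.
whitelist_sql() {
    valid_ipv4_cidr "$1" || return 1
    printf "insert into whitelist values ('%s',1);\n" "$1"
}

# Apply it on the server; mysql prompts for the cPanel MySQL admin password.
whitelist_ip() {
    whitelist_sql "$1" | mysql -uadmin -p cphulkd
}

# Constructed `ps aux` listing for a dry run (assumed process name, not captured
# from a real server); note the grep line at the end that must not be killed.
PS_SAMPLE='USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1234 0.0 0.1 10000 2000 ? S 10:00 0:00 cPhulkd - processor
root 1235 0.0 0.1 10000 2000 ? S 10:00 0:00 cPhulkd - processor
root 4321 0.0 0.0 5000 800 pts/0 S+ 10:05 0:00 grep -i cphulkd - process'

# Dry run: list the daemon PIDs found and the SQL that would be sent.
printf '%s\n' "$PS_SAMPLE" | cphulkd_pids
whitelist_sql 203.0.113.5/32
```

On a live box, `ps aux | cphulkd_pids | xargs kill -9` replaces the loop from the post, and `whitelist_ip 203.0.113.5` (your real admin address) replaces the interactive mysql session. The validation deliberately accepts only IPv4; if your admin address is IPv6, extend it rather than loosening it.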
As soon as this is done you can enter the cPanel GUI again. You will probably want to raise the 'Maximum Failures By Account' value a bit, keeping in mind that every extra allowed failure is one more free guess for the attacker; whitelisting your own admin addresses is the safer lever.