Any way I can fix this cPHulk situation?

@Deb1703797

Posted in: #Cpanel #Linux #Performance #Server #Whm

I should probably sue the cPanel guys right about now.

The point is, I'm receiving all these strange messages in my logs about cPHulk (brute force detection system) not being able to do its job of blocking bots, and as a result of this, I'm finding my website is functioning a tad slower, just enough for Google to pay me [CO] again. Yes, I'm over by between 10ms and 40ms, and when I keep testing in webpagetest.org the numbers tend to change more wildly than before, so I'm pretty certain hackers are playing games.

Now onto the errors:

I check my maillog to see what is going on there and I see these kinds of lines:

Feb 4 04:43:19 server dovecot: auth: Error: Cpanel::MailAuth: Failed to getpwnam for user bar
Feb 4 05:31:06 server dovecot: auth: Error: Cpanel::MailAuth: Failed to getpwnam for user base
Feb 4 06:18:47 server dovecot: auth: Error: Cpanel::MailAuth: Failed to getpwnam for user besadmin
Feb 4 07:06:34 server dovecot: auth: Error: Cpanel::MailAuth: Failed to getpwnam for user billing
Feb 4 07:54:13 server dovecot: auth: Error: Cpanel::MailAuth: Failed to getpwnam for user bkupexec
Feb 4 08:41:58 server dovecot: auth: Error: Cpanel::MailAuth: Failed to getpwnam for user blog
Feb 4 10:17:17 server dovecot: auth: Error: Cpanel::MailAuth: Failed to getpwnam for user boffice
Feb 4 11:05:01 server dovecot: auth: Error: Cpanel::MailAuth: Failed to getpwnam for user book


and occasionally I receive lines like this:

server dovecot: auth: Error: Cpanel::MailAuth: Brute force checking was skipped because cphulkd failed to process "info@example.com" from IP "xxx.xxx.xxx.xxx" for the "smtp" service.


where xxx.xxx.xxx.xxx is the remote IP address.

I then check my FTP logs and see too many lines of the following:

Feb 4 00:59:58 server pure-ftpd: (?@202.153.39.52) [WARNING] Authentication failed for user [shell]
Feb 4 01:00:05 server pure-ftpd: (?@202.153.39.52) [WARNING] Authentication failed for user [shell]
Feb 4 01:00:16 server pure-ftpd: (?@202.153.39.52) [WARNING] Authentication failed for user [shell]
Feb 4 01:00:31 server pure-ftpd: (?@202.153.39.52) [WARNING] Authentication failed for user [shell]
Feb 4 01:00:48 server pure-ftpd: (?@202.153.39.52) [WARNING] Authentication failed for user [shell]
Feb 4 01:01:07 server pure-ftpd: (?@202.153.39.52) [ERROR] Too many authentication failures


I think there are at least several hundred of these FTP lines.

So I come to believe that cPHulk is not doing its job properly of blocking bad robots. I have talked to the cPanel people directly about this issue and they say they want root access to my server to proceed. I don't want to provide anyone else root access to my server.

What steps can I take to literally reset cPHulk so that it can do its job correctly?

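A way to triage log lines like the ones quoted in the question, as an added example that is not part of the original post or of cPanel's tooling: it counts failed FTP logins per source IP, collects mail logins for nonexistent accounts (flagging when they arrive in alphabetical order, as they do in the excerpt above), and lists the attempts cPHulk skipped. The sample lines, the IP addresses and the `triage` function name are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in the same format as the question's excerpts
# (documentation-range IPs, made-up usernames).
SAMPLE_LOG = """\
Feb 4 00:59:58 server pure-ftpd: (?@203.0.113.7) [WARNING] Authentication failed for user [shell]
Feb 4 01:00:05 server pure-ftpd: (?@203.0.113.7) [WARNING] Authentication failed for user [shell]
Feb 4 01:00:16 server pure-ftpd: (?@203.0.113.7) [WARNING] Authentication failed for user [admin]
Feb 4 01:01:07 server pure-ftpd: (?@203.0.113.7) [ERROR] Too many authentication failures
Feb 4 02:10:00 server pure-ftpd: (?@198.51.100.9) [WARNING] Authentication failed for user [bob]
Feb 4 04:43:19 server dovecot: auth: Error: Cpanel::MailAuth: Failed to getpwnam for user bar
Feb 4 05:31:06 server dovecot: auth: Error: Cpanel::MailAuth: Failed to getpwnam for user base
Feb 4 06:18:47 server dovecot: auth: Error: Cpanel::MailAuth: Failed to getpwnam for user besadmin
Feb 4 06:30:00 server dovecot: auth: Error: Cpanel::MailAuth: Brute force checking was skipped because cphulkd failed to process "info@example.com" from IP "203.0.113.7" for the "smtp" service.
"""

FTP_FAIL = re.compile(r'pure-ftpd: \(\S*?@([0-9a-fA-F:.]+)\) \[WARNING\] '
                      r'Authentication failed for user \[(.*?)\]')
NO_USER = re.compile(r'Cpanel::MailAuth: Failed to getpwnam for user (\S+)')
SKIPPED = re.compile(r'Brute force checking was skipped because cphulkd failed to '
                     r'process "([^"]*)" from IP "([^"]*)" for the "([^"]*)" service')

def triage(log_text, threshold=3):
    """Summarise brute-force indicators; threshold = failed FTP logins per IP."""
    ftp = defaultdict(list)   # source IP -> usernames tried
    unknown = []              # mail logins for accounts that do not exist, in arrival order
    skipped = []              # attempts cPHulk never evaluated
    for line in log_text.splitlines():
        if m := FTP_FAIL.search(line):
            ftp[m.group(1)].append(m.group(2))
        elif m := NO_USER.search(line):
            unknown.append(m.group(1))
        elif m := SKIPPED.search(line):
            skipped.append({"login": m.group(1), "ip": m.group(2), "service": m.group(3)})
    return {
        "ftp_offenders": {ip: len(u) for ip, u in ftp.items() if len(u) >= threshold},
        "unknown_mail_users": unknown,
        # Names arriving in sorted order suggest a wordlist being walked slowly.
        "wordlist_order": len(unknown) >= 3 and unknown == sorted(unknown),
        "cphulk_skipped": skipped,
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```
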

1 Comments


@Si4351233

Mike, I also faced the same problem one month ago. Some unwanted files (scripts), any plugin, or some malware scripts are running on your server (or hosting space). Those files are taking up your SMTP relay much more.

You should check your server's SMTP report, and check whether a brute-force attack is happening, that means the cphulkd-brutes list (IP addresses).

Another reason is that your hostname is the same as your domain, so change your hostname to something different, e.g. name.hostname.com

After that, update/force restart your server's cPanel via SSH.
Log in with PuTTY:
sudo su -
/scripts/upcp --force
