
cPanel Brute Force Protection – regaining access

cPanel comes with a great feature called brute force protection.  The problem is, if you mistype your password 5x in a row, or if you have multiple people in the office, like we do, trying to get into various services and they combine for 5 missed passwords in a row (ssh, mail, and WHM logins all qualify), then you will lock yourself out of your system.   Here are some tips & tricks that will help you regain access.

Gaining Initial Access

The easiest and quite possibly ONLY way to get back into your system is by logging in from a different IP address.  Sometimes you can do this by re-initializing your modem/router if you are on a DHCP-assigned address from your ISP.  This is usually the case for residential service from DSL companies like AT&T (no other choices, huh?  we feel sorry for you), Comcast, or Roadrunner.   If you are on a business class line and have static IP addresses assigned, then your public-facing IP won’t change.   You can try to do a One-To-One NAT to give yourself a different static IP, but that assumes you have more than one and that one of them is not being used.   You can try tethering your phone, assuming you have a smart phone.  You can also try to hop on a neighbor’s open wifi network if you have wireless.   You can also drag your laptop to the local Starbucks and try from there.  If you are wired you have far fewer choices: either call your IPP (hosting company) and ask them to reset brute force protection, OR call your ISP and have them assign you a new static IP (if you have only one, chances are you don’t have servers mapped to it).

To summarize: get on a different network!

  • Try resetting your modem/router if you are on a DHCP address from your ISP.
  • Assign your PC a different static IP if you have a static IP group.
  • Tether your phone.
  • Jump on the neighbor’s network. (ask first)
  • Bring your laptop to a public WiFi hot spot.
  • Call your ISP for a new IP.
  • Call your IPP and ask them to reset cPanel brute force.

Cleaning Out Specific Blocked Entries

If you can gain SSH access, you can clean out the errant entries in the cphulkd database that drives brute force protection.  Put your IP address in the WHERE clause to find and remove your blocked IP:

# mysql
mysql> use cphulkd;
mysql> select * from brutes where ip LIKE '%<your-ip-or-start-of-ip-address>%';
(check the returned list to make sure the IP you think is blocked is actually on it)
mysql> delete from brutes where ip LIKE '%<your-ip-or-start-of-ip-address>%';
mysql> quit

Restarting cpHulkd

After making any changes make sure you restart cpHulkd:

# /usr/local/cpanel/etc/init/stopcphulkd
# /usr/local/cpanel/etc/init/startcphulkd

Cleaning Out ALL Blocked Entries

This will reset the “good guys” and the “bad guys” alike, but if you need a quick fix, don’t want to disable brute force protection, and aren’t comfortable with the MySQL command line, then go to the brute force protection interface in cPanel and click the “flush db” button.

Make Sure You Don’t Get Blocked Again

Log in to cPanel and go to the brute force protection interface.  Look for the trusted IP list link.  Add your IPs to that list.

Also Running APF?

You will need to stop the apf process from running:

# service apf stop

Then add your good IPs to the whitelist:

# vi /etc/apf/allow_hosts.rules

IP Based Firewall with cPanel

CPanel/WHM Based Systems

If you are using a web server from a web hosting company, chances are CPanel/WHM is the system admin interface you use to manage your server.

The current revision of CPanel/WHM (Mar 5th, 2008) appears to rely on the host access file as its method of preventing access to the system. Access to iptables or ipchains rules is not readily apparent; however, it is possible that we have overlooked these options.

Blocking An IP Range

The steps below will help you research who is connecting to your box and how to block them from gaining access to your system through software based IP blocking.

Real World Example

This implementation is based on our experiences after turning on the Logwatch utility on our web server. The logwatch report for PAM shows sshd authentication failures. From our most recent report:

--------------------- pam_unix Begin ------------------------
sshd:
  Authentication Failures:
     unknown (210.205.231.78): 45 Time(s)
     root (210.205.231.78): 10 Time(s)
     unknown (202.118.6.126): 9 Time(s)
     ftp (202.118.6.126): 4 Time(s)
     mail (202.118.6.126): 4 Time(s)
     root (c-68-58-191-51.hsd1.sc.comcast.net): 2 Time(s)
     apache (210.205.231.78): 1 Time(s)
     ftp (210.205.231.78): 1 Time(s)
     mysql (210.205.231.78): 1 Time(s)
     named (210.205.231.78): 1 Time(s)
     postgres (210.205.231.78): 1 Time(s)
  Invalid Users:
     Unknown Account: 54 Time(s)
---------------------- pam_unix End -------------------------

The first entry concerns us, since there were 45 attempts to access our system that failed. We check the IP range by doing a whois lookup (we use DNS Stuff to do our homework) to determine whether or not a general IP block makes sense. We then use CPanel/WHM utilities to shut down access from the offending IP.
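The decision above is easier to make when the report is tallied per source rather than per username, because one attacker spreads attempts over many accounts. This is an added example, not code from the original post; it parses the Logwatch pam_unix section format shown above (the sample is a constructed subset of the report, so totals differ) and ranks sources by total failures.

```python
import re
from collections import defaultdict

# Constructed sample in the Logwatch pam_unix format shown above (a subset
# of the page's lines, so the totals differ from the full report).
SAMPLE_REPORT = """\
--------------------- pam_unix Begin ------------------------
sshd:
  Authentication Failures:
     unknown (210.205.231.78): 45 Time(s)
     root (210.205.231.78): 10 Time(s)
     unknown (202.118.6.126): 9 Time(s)
     ftp (202.118.6.126): 4 Time(s)
     mail (202.118.6.126): 4 Time(s)
     root (c-68-58-191-51.hsd1.sc.comcast.net): 2 Time(s)
     apache (210.205.231.78): 1 Time(s)
  Invalid Users:
     Unknown Account: 54 Time(s)
---------------------- pam_unix End -------------------------
"""

FAILURE_LINE = re.compile(r"^\s+(\S+) \((\S+)\): (\d+) Time\(s\)$")
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

def parse_auth_failures(report):
    """Sum sshd authentication failures per source across all usernames.
    Returns {source: {"total": n, "users": {user: n}}}."""
    per_source = defaultdict(lambda: {"total": 0, "users": {}})
    in_block = False
    for line in report.splitlines():
        if line.strip() == "Authentication Failures:":
            in_block = True
            continue
        if not line.startswith("     "):   # entries are indented 5 spaces;
            in_block = False               # anything shallower ends the block
        m = FAILURE_LINE.match(line) if in_block else None
        if m:
            user, source, count = m.group(1), m.group(2), int(m.group(3))
            per_source[source]["total"] += count
            per_source[source]["users"][user] = count
    return dict(per_source)

def block_candidates(report, threshold=10):
    """Sources at or above the threshold, busiest first, as (source, total,
    distinct usernames, is_ipv4); hostnames must be resolved before blocking."""
    stats = parse_auth_failures(report)
    ranked = sorted(stats.items(), key=lambda kv: kv[1]["total"], reverse=True)
    return [(src, st["total"], len(st["users"]), bool(IPV4.match(src)))
            for src, st in ranked if st["total"] >= threshold]
```

Note that 202.118.6.126 looks minor line by line (9, 4, 4) but reaches 17 failures once summed, which is the kind of source the per-username view hides.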

Note: This procedure can prevent ANYONE from accessing your server, including yourself, if not done correctly. If you are not confident in your abilities do not even attempt this. Or as the boys like to say “Don’t attempt anything we’re about to do at home. EVER!”

WHM Host Access Control (screenshot)

  1. Run a DNSStuff whois lookup:
  2. Connect to our CPanel/WHM service via the web connection that our hosting company gave us (http://host.<domain>.com:2086).
  3. Click on the security icon
  4. Click on security center
  5. Click on host access control
  6. In the four entry boxes that are presented, type:
    • daemon : ALL (do not let them connect to ANYTHING on this box, even the web ports)
    • access list: 210.205.231.78/255.255.255.0 (block anyone connecting from 210.205.231.*)
      • Based on our whois lookup we know that all IP addresses under the 210.205.231.* range are from a specific ISP in Korea. While all the users under that range may not be bad guys, we know from experience that the hackers may get a different IP next week as they tend to be assigned their IP address dynamically. We prefer to block a few of the good guys to shut down the one nuisance user. Your beliefs in the goodness of humanity may dictate a different strategy.
    • action: deny (versus allow which would always let them in regardless of other rules)
    • comment: Korea (you can enter whatever you’d like)
  7. Click Save Host Access List on the bottom of the screen

Go back into security center and click Host Access List. Verify your latest entry appears and that the data is correct. If it is entered incorrectly you may block legitimate users from accessing your system.
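The verification step matters because the access list uses hosts_access(5) syntax, and a net/mask pattern matches only when (address AND mask) equals the left-hand side, so the left-hand side has to be the zeroed network address. This is an added example, not cPanel code: it models the client-pattern forms the WHM screen accepts (ALL, an exact address, a trailing-dot prefix, net/mask) and first-match-wins rule ordering, so you can test an entry against the address it was built from before clicking Save.

```python
import ipaddress

def client_matches(pattern, addr):
    """Does one hosts_access(5) client pattern match an IPv4 address?
    Covers the forms WHM Host Access Control writes to /etc/hosts.allow:
    ALL, an exact address, a trailing-dot prefix, and a net/mask pair."""
    ip = int(ipaddress.IPv4Address(addr))
    if pattern == "ALL":
        return True
    if pattern.endswith("."):                  # "210.205.231." matches 210.205.231.*
        return addr.startswith(pattern)
    if "/" in pattern:                         # n.n.n.n/m.m.m.m
        net, mask = pattern.split("/", 1)
        net_i = int(ipaddress.IPv4Address(net))
        mask_i = int(ipaddress.IPv4Address(mask))
        # hosts_access matches iff (addr & mask) == net, so the left side must
        # be the zeroed network address, not a host inside it.
        return (ip & mask_i) == net_i
    return ip == int(ipaddress.IPv4Address(pattern))

def daemon_listed(daemon_list, daemon):
    """Daemon field is a comma-separated list; ALL covers every service."""
    names = [d.strip() for d in daemon_list.split(",")]
    return "ALL" in names or daemon in names

def decide(rules, daemon, addr):
    """Apply ordered (daemon list, access list, action) entries, first match
    wins; no match falls through to allow (the tcp_wrappers default)."""
    for daemons, client, action in rules:
        if daemon_listed(daemons, daemon) and client_matches(client, addr):
            return action
    return "allow"

def entry_blocks(daemons, client, addr, daemon="sshd"):
    """Pre-save check: would this single deny entry actually reject addr
    when it connects to the given daemon?"""
    return decide([(daemons, client, "deny")], daemon, addr) == "deny"
```

Because an allow entry higher in the list wins over a later deny, keep your own trusted addresses as allow entries above any range denies rather than relying on order by accident.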

Turning On Logwatch

Logwatch notifications may not be enabled on your CPanel/WHM system. Logwatch tends to be running in the background but the notifications go to Never-Never Land by default. You will need to look in system notifications and enter an email address to actually see your messages.

Concepts

Software Based IP Blocking

Software based IP blocking is a method for preventing access to your system by using a program running on the target computer (the computer people are trying to hack) that intercepts the connection by hooking into the TCP/IP process flow.

Software based IP blocking will consume CPU resources and memory on the target box. It can also be susceptible to hacking, although this is unusual, because it is nothing more than another program that runs on the server. For these reasons, many people consider a separate hardware firewall appliance as the better solution.

However, many web hosting services do not offer external firewall appliances. Those that do may charge more than you are willing to spend on security. In these cases you can still protect yourself via a software based IP blocking program. The most common options on Linux boxes are to use a software based firewall (ipchains or iptables) or to prevent connections via host access directives.

Implementation of these concepts is discussed elsewhere on this page.