In this article Iโm going to show you how you can fix a cPHulk Brute Force Protection lock out that you might have accidentally triggered.
Itโs my server, why would cPHulk block me?
If youโve read my previous article on how to enable cPHulk Brute Force Protection, then you should already know that cPHulk blocks login access to core cPanel services for a set amount of time. In some cases you might have kept trying to type in your password incorrectly, and inadvertently got yourself blocked by cPHulk.
Of course you can add your own IP address to the cPHulk white list to prevent failed login attempts coming from your IP to trigger a cPHulk blocking. But if youโve already gotten yourself blocked, then youโd need to wait the amount of time youโve set for a block to expire.
In this article Iโm going to explain how to SSH directly to your server to reset the cPHulk data, so that you can regain access again.
Just like itโs required to enable cPHulk Brute Force Protection, you also need root access to your server in order to reset the cPHulk data.
Reset cPHulk data to regain access
- Login to your server via SSH as the root user.
- Run the following command to see login attempts that have happened:
mysql -e โselect * from cphulkd.logins;โ
In this case we can see that we had some login attempts to an email account user@example.com from the IP address 123.123.123.123:
+โโโโโโ+โโโโโ+โโโ+โโโ+โโโโโโโ+
| USER | IP | SERVICE | STATUS | LOGINTIME |
+โโโโโโ+โโโโโ+โโโ+โโโ+โโโโโโโ+
| user@example.com | 123.123.123.123 | mail | 0 | 2013-02-27 13:04:25 |
| user@example.com | 123.123.123.123 | mail | 0 | 2013-02-27 13:04:29 |
| user@example.com | 123.123.123.123 | mail | 0 | 2013-02-27 13:04:39 |
| user@example.com | 123.123.123.123 | mail | 0 | 2013-02-27 13:04:41 |
| user@example.com | 123.123.123.123 | mail | 0 | 2013-02-27 13:04:48 |
| user@example.com | 123.123.123.123 | mail | 0 | 2013-02-27 13:04:54 |
+โโโโโโ+โโโโโ+โโโ+โโโ+โโโโโโโ+ - Next run the following command to find detected bruce force attempts:
mysql -e โselect * from cphulkd.brutes;โ
Here we can see that those email account login attempts cause a brute force block on the IP:
+โโโโโ+โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ+โโโโโโโ+โโโโโโโ+
| IP | NOTES | BRUTETIME | EXPTIME |
+โโโโโ+โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ+โโโโโโโ+โโโโโโโ+
| 123.123.123.123 | 5 failed login attempts to account user@example.com (mail) โ Large number of attempts from this IP: 123.123.123.123 | 2013-02-27 13:04:54 | 2013-02-27 13:09:54 |
+โโโโโ+โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ+โโโโโโโ+โโโโโโโ+If you wanted to, you could simply wait until the EXPTIME which is the expiration time that the block will expire, and then youโll be able to login again.
- If you wanted to go ahead and clear out the block, and regain access right away, then you can run the following commands to re-allow access for the 123.123.123.123 IP address:
mysql -e โdelete from cphulkd.logins where IP=โ123.123.123.123โฒ;โ
mysql -e โdelete from cphulkd.brutes where IP=โ123.123.123.123โฒ;โ
You should now understand how you can reset your cPHulk data so that you can regain access to your core cPanel services in the event you accidentally got yourself locked out.
That seems to be the preferred method according to a cPanel thread. Did it work for you? If not, please give any error messages received.
this line of code did not work for me
Thanks for your recommendation and feedback. Your contribution to the community is appreciated!
Iโm sorry to see that command did not work for you. What was the output/error you received?
this happened to me today, I got locked out of WHM by Hulk, but what I found was a much easier way for me to get access is use a VPN โ I use TunnelBear โ simply just choose a different location and thats it you can SSH, FTP, login and then can reset and fix everything.
i cannot access to the given commands in GCE
Sorry to see that. What is the error you are receiving when you run the command?
It appears that MySQL is able to be implemented with their services. However, cpHulk may not be.
Does the command work in Google Cloud Server instances SSH?