Account Locks Out Due to Brute Force Protection in cPanel WebHost Manager (WHM)

Occasionally, when user or website administrator attempts to login to cPanel’s WebHost Manager (WHM), or remote or local log in via Telnet or SSH to Linux console to the web server, the login is denied and not allowed. The following error message may appear.

This account is currently locked out because a brute force attempt was detected. Please wait 10 minutes and try again. Attempting to login again will only increase this delay. If you frequently experience this problem, we recommend having your username changed to something less generic.

The brute force protection on cPanel-powerd web host is provided by cPHulk, which prevents malicious forces from trying to access the server’s services by guessing the login password for that service. When an account on the system has experienced too many failed login attempts, the particular account will automatically been “protected” by forbidding further login attempts, including all-important root account. cPHulk Brute Force Protection will also block out an IP address which has been detected to send too many unauthorized logon attempts.

As a result, server’s owner are potentially been locked out of the server if the cPHulkd is enabled, even the wild-guessing brute force hacking is done by hackers in another corner of the world.

When WHM locks out an user account, especially “root”, the best way is to wait for 10 minutes to see if the account will be unlocked. If the locks persists, webmaster and administrator who still can remote login via SSH to the server as root can manually remove the lockouts via following steps:

1. Type mysql at console to access MySQL client.
2. At MySQL client prompt, enter the following commands (preceding with mysql>)one after one, pressing Enter each time:

   mysql> use cphulkd;

   Expected result: Database changed.

   mysql> BACKUP TABLE `brutes` TO ‘/path/to/backup/directory’;
   mysql> BACKUP TABLE `logins` TO ‘/path/to/backup/directory’;

   Above command will backup the brutes table, the main table used by cPHulk to record locked accounts and denied IP addresses.

   mysql> DELETE FROM `brutes`;
   mysql> DELETE FROM `logins`;

   Above commands will remove all blocked IP addresses and locked accounts from the system, enabling full access again. If you’re familiar with SQL statements, it’s possible to use WHERE clause to specify logins or IP address that you want to remove only.

   mysql> quit;

   Exit MySQL client.

If you can’t login to the server due to brute force protection, you probably have to contact web hosting service provider support to physically access the server to remove the Brute Force Protection. To avoid future blockage or lock out, it’s recommended to add own IP address as Trusted Hosts List whitelist in cPHulk Brute Force Protection. To do so, go to WHM -> Security -> Security Center -> cPHulk Brute Force Protection. Inside “Configure cPHulk”, click Trusted Hosts List link.

Related Articles

• cPanel Invalid License File After Changing Hostname Error
• Restore Full Backup or cpmove File in cPanel Web Host
• How to Add IP Addresses to Server with cPanel WebHost Manager (WHM)
• How to Restart (Stop or Start) cPanel Service (cpsrvd) via Telnet or SSH
• How to Change Hostname in cPanel Web Host
• Apache Status (whm-server-status) in cPanel WebHost Manager Returns Blank Page
• cPanel Update (upcp) Is Already Running Problem
• cPanel Unable or Cannot Start or Restart POP3 Mail Service
• cPanel WHM Failed to Receive Status Information From Apache Error
• cPanel Mail Main Account and Workaround to Disable

This entry was posted on Wednesday, July 1st, 2009 at 10:23 pm and is filed under Webmaster Resources. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.