In this article I’m going to show you how you can fix a cPHulk Brute Force Protection lock out that you might have accidentally triggered.
It’s my server, why would cPHulk block me?
If you’ve read my previous article on how to enable cPHulk Brute Force Protection, then you should already know that cPHulk blocks login access to core cPanel services for a set amount of time. In some cases you might have kept trying to type in your password incorrectly, and inadvertently got yourself blocked by cPHulk.
Of course you can add your own IP address to the cPHulk white list to prevent failed login attempts coming from your IP to trigger a cPHulk blocking. But if you’ve already gotten yourself blocked, then you’d need to wait the amount of time you’ve set for a block to expire.
In this article I’m going to explain how to SSH directly to your server to reset the cPHulk data, so that you can regain access again.
Just like it’s required to enable cPHulk Brute Force Protection, you also need root access to your server in order to reset the cPHulk data.
Reset cPHulk data to regain access
- Login to your server via SSH as the root user.
- Run the following command to see login attempts that have happened:
mysql -e “select * from cphulkd.logins;”
In this case we can see that we had some login attempts to an email account [email protected] from the IP address 126.96.36.199:
| USER | IP | SERVICE | STATUS | LOGINTIME |
| [email protected] | 188.8.131.52 | mail | 0 | 2013-02-27 13:04:25 |
| [email protected] | 184.108.40.206 | mail | 0 | 2013-02-27 13:04:29 |
| [email protected] | 220.127.116.11 | mail | 0 | 2013-02-27 13:04:39 |
| [email protected] | 18.104.22.168 | mail | 0 | 2013-02-27 13:04:41 |
| [email protected] | 22.214.171.124 | mail | 0 | 2013-02-27 13:04:48 |
| [email protected] | 126.96.36.199 | mail | 0 | 2013-02-27 13:04:54 |
- Next run the following command to find detected bruce force attempts:
mysql -e “select * from cphulkd.brutes;”
Here we can see that those email account login attempts cause a brute force block on the IP:
| IP | NOTES | BRUTETIME | EXPTIME |
| 188.8.131.52 | 5 failed login attempts to account [email protected] (mail) — Large number of attempts from this IP: 184.108.40.206 | 2013-02-27 13:04:54 | 2013-02-27 13:09:54 |
If you wanted to, you could simply wait until the EXPTIME which is the expiration time that the block will expire, and then you’ll be able to login again.
- If you wanted to go ahead and clear out the block, and regain access right away, then you can run the following commands to re-allow access for the 220.127.116.11 IP address:
mysql -e “delete from cphulkd.logins where IP=’18.104.22.168′;”
mysql -e “delete from cphulkd.brutes where IP=’22.214.171.124′;”
You should now understand how you can reset your cPHulk data so that you can regain access to your core cPanel services in the event you accidentally got yourself locked out.
Thoughts on “Fix cPHulk Brute Force Protection lock out”
this line of code did not work for me
Thanks for your recommendation and feedback. Your contribution to the community is appreciated!
I’m sorry to see that command did not work for you. What was the output/error you received?
this happened to me today, I got locked out of WHM by Hulk, but what I found was a much easier way for me to get access is use a VPN – I use TunnelBear – simply just choose a different location and thats it you can SSH, FTP, login and then can reset and fix everything.
i cannot access to the given commands in GCE
Sorry to see that. What is the error you are receiving when you run the command?
It appears that MySQL is able to be implemented with their services. However, cpHulk may not be.
Does the command work in Google Cloud Server instances SSH?