Thursday 16 July 2009

Brute Force Protection

While trying to browse the site, if you get this
--------------------------------------------------------------------------------------------
The requested URL /suspended.page/ was not found on this server. Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.
------------------------------------------------------------------------------------------
It could be due to due to Brute force attempt was detected.

Brute Force Protection
This account is currently locked out because a brute force attempt was detected.
Please wait 10 minutes and try again. Attempting to login again will only increase this delay.
If you frequently experience this problem, we recommend having your username changed to something less generic.

Solution / Fix

Account Locks Out Due to Brute Force Protection in cPanel WebHost Manager (WHM)


Occasionally, when user or website administrator attempts to login to cPanel’s WebHost Manager (WHM), or remote or local log in via Telnet or SSH to Linux console to the web server, the login is denied and not allowed. The following error message may appear.

This account is currently locked out because a brute force attempt was detected. Please wait 10 minutes and try again. Attempting to login again will only increase this delay. If you frequently experience this problem, we recommend having your username changed to something less generic.


The brute force protection on cPanel-powerd web host is provided by cPHulk, which prevents malicious forces from trying to access the server’s services by guessing the login password for that service. When an account on the system has experienced too many failed login attempts, the particular account will automatically been “protected” by forbidding further login attempts, including all-important root account. cPHulk Brute Force Protection will also block out an IP address which has been detected to send too many unauthorized logon attempts.

As a result, server’s owner are potentially been locked out of the server if the cPHulkd is enabled, even the wild-guessing brute force hacking is done by hackers in another corner of the world.

When WHM locks out an user account, especially “root”, the best way is to wait for 10 minutes to see if the account will be unlocked. If the locks persists, webmaster and administrator who still can remote login via SSH to the server as root can manually remove the lockouts via following steps:

  1. Type mysql at console to access MySQL client.
  2. At MySQL client prompt, enter the following commands (preceding with mysql>)one after one, pressing Enter each time:

    mysql> use cphulkd;

    Expected result: Database changed.

    mysql> BACKUP TABLE `brutes` TO ‘/path/to/backup/directory’;
    mysql> BACKUP TABLE `logins` TO ‘/path/to/backup/directory’;

    Above command will backup the brutes table, the main table used by cPHulk to record locked accounts and denied IP addresses.

    mysql> DELETE FROM `brutes`;
    mysql> DELETE FROM `logins`;

    Above commands will remove all blocked IP addresses and locked accounts from the system, enabling full access again. If you’re familiar with SQL statements, it’s possible to use WHERE clause to specify logins or IP address that you want to remove only.

    mysql> quit;

    Exit MySQL client.

If you can’t login to the server due to brute force protection, you probably have to contact web hosting service provider support to physically access the server to remove the Brute Force Protection. To avoid future blockage or lock out, it’s recommended to add own IP address as Trusted Hosts List whitelist in cPHulk Brute Force Protection. To do so, go to WHM -> Security -> Security Center -> cPHulk Brute Force Protection. Inside “Configure cPHulk”, click Trusted Hosts List link.