mattgadient.com

WHM locked out – getting un-locked-out

I’ve had this happen a number of times… wrong password gets entered a few times, and BAM – locked out of WHM and unable to connect. Whether I goofed manually entering a password too many times, or my FTP client had the wrong password and tried to connect through SSH a pile of times, inevitably at some point I can’t get in.

Whitelisting only goes so far – the fact that I change IP addresses a lot (and am trying to remember which of the dozens of different passwords I might have used) doesn’t help.

Incidentally, WiredTree (my current VPS host) has been rather gracious (and fast) in getting me un-banned. They’re a great host in so many ways.

Anyway, there are a few possible ways to get back in all on your own, and I’ll mention a couple of them here.

 

METHOD #1 – SSH and manual unblocking in CSF and CPHULKD

Warning: Before messing with this stuff, make sure you’ve got good backups – if you don’t, it might be worth simply asking your host to unblock you from their end. While I’ve tried to be accurate here, it’s possible that I’ve made a mistake (or that the writeup will be messed up the next time I do a theme change), that you will make a mistake, or that your system is configured differently and that something will still bork your machine regardless. Proceed at your own risk!

1) SSH in as root. If it lets you, great. If not, you may be able to do so through another server you have SSH access to (since it’ll appear you’re logging in through the other server’s IP address). To do this, SSH into server2 and from there SSH into server1.

Regardless of the route you go, once you’ve managed to SSH in, there are 2 common places where you may have been banned – csf and cphulkd.

WHITELISTING YOUR IP IN CSF

First, you’ll try to add your IP address to csf (the most common if you can’t even visit your websites on the server). It’s dead-simple. Type the following:

 csf -a xxx.xxx.xxx.xxx

(replace xxx.xxx.xxx.xxx with your current IP address)

If that’s where you were banned, you’ll see the following message:

Removing xxx.xxx.xxx.xxx from csf.deny and iptables DROP…
Adding xxx.xxx.xxx.xxx to csf.allow and iptables ACCEPT…

Now try accessing the server again. If it still doesn’t work, you’ll have to check cphulkd.

 

REMOVING YOURSELF FROM THE CPHULKD BLOCKLIST:

(note: credit for this solution comes from “thobarn” on the cpanel.net forums. Feel free to visit that page for the original, more detailed version which includes the command to back up the database).

To check cphulkd and remove yourself from the blacklist, type the following:

mysql

(prompt should change to “mysql>”)

use cphulkd;

(should say “Database changed”)
(in the next line, replace xxx.xxx.xxx.xxx with your IP address. Note that ` and ' are used in different places. ` is left of the 1 key on most keyboards and shares a key with the tilde (~). ' is the apostrophe you are probably accustomed to typing.)

SELECT * FROM `brutes` WHERE `IP`='xxx.xxx.xxx.xxx';

(note: you should see your IP come up now. If instead it says “Empty Set”, you were NOT banned through cphulkd and don’t need to do the next DELETE line. If you got an ERROR message about your SQL syntax, you probably messed up your typing and will need to try again, remembering to use the correct ` and ; )

DELETE FROM `brutes` WHERE `IP`='xxx.xxx.xxx.xxx';

(again, replace the xxx.xx parts with your IP address. Remember, only do the DELETE line if it spit out your IP address when you did the SELECT)

quit

Hopefully, you’re unblocked now. Try logging into WHM – if it’s still not working, you’ve been blocked via some other method and may want to consider contacting your web host provider for support.
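The Method #1 steps as one script, as an added example that is not part of the original post: it validates the address before it reaches csf or MySQL, deletes from `brutes` only when the SELECT returned a row, and dumps the table first. It assumes root, csf, and the MySQL cphulkd database described above; the function names and the /root dump path are assumptions.

```shell
#!/bin/sh
# Added example: the csf / cphulkd steps from this page with input checks.
# Assumes root, csf installed, and a MySQL `cphulkd` database with a `brutes`
# table as described above. Function names are hypothetical.

# Accept only a dotted-quad IPv4 address (four octets, each 0-255), so nothing
# else can reach the csf command line or the SQL statement.
valid_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    _old_ifs=$IFS; IFS=.
    set -- $1                      # split on dots into $1..$n
    IFS=$_old_ifs
    [ "$#" -eq 4 ] || return 1
    for _octet in "$@"; do
        [ "${#_octet}" -le 3 ] && [ "$_octet" -le 255 ] || return 1
    done
}

# Build the page's statements: backticks around identifiers, straight single
# quotes around the value. Usage: brutes_sql SELECT|DELETE ip
brutes_sql() {
    valid_ipv4 "$2" || return 1
    case $1 in
        SELECT) printf 'SELECT * FROM `brutes` WHERE `IP`='\''%s'\'';' "$2" ;;
        DELETE) printf 'DELETE FROM `brutes` WHERE `IP`='\''%s'\'';' "$2" ;;
        *) return 1 ;;
    esac
}

unblock_ip() {
    valid_ipv4 "$1" || { echo "not an IPv4 address: $1" >&2; return 1; }
    csf -a "$1"                                     # same command as the page
    _rows=$(mysql -N -B cphulkd -e "$(brutes_sql SELECT "$1")")
    if [ -n "$_rows" ]; then
        # Keep a copy of the table before deleting anything from it.
        mysqldump cphulkd brutes > "/root/brutes-$(date +%Y%m%d%H%M%S).sql"
        mysql cphulkd -e "$(brutes_sql DELETE "$1")"
    else
        echo "$1 is not in cphulkd.brutes; nothing to delete"
    fi
}

# Run only when an IP address is given on the command line.
if [ "$#" -ge 1 ]; then unblock_ip "$1"; fi
```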

METHOD #2 – switching your IP address

The easiest method (doesn’t involve SSH) is to simply switch your IP address, at least temporarily. Before doing so, TAKE NOTE of your current IP address because you’ll probably want to whitelist it.

  1. If you’re at home, many ISPs don’t give you a static IP and this is one case where that might actually work to your benefit. Reset your modem and you might end up with a new IP – try to get back in.
  2. Another option is to head to another location to log in. If you’re friendly with the neighbours or happen to be 5 minutes away from work, this could be an option.
  3. A slightly more dangerous option is to check the nearby wireless connections to see if there’s an unsecured wireless network around (a neighbour’s for example), and connect to it. Beyond the moral (and possibly legal) implications here, if somebody’s purposely left their connection unsecured for nefarious purposes, well… let’s just say it’s an option to be avoided. If you do go this route, be sure to disconnect from that network afterwards – if nothing else, your neighbour might be paying through the nose for data-transfer or having speed issues they can’t figure out, and leeching on to their internet access just plain isn’t nice.

Once you’ve connected via another IP, log into WHM and get to the cPHulk Brute Force Protection page (Main —> Security Center —> cPHulk Brute Force Protection).

From here, you can:

  • Whitelist yourself (Trusted IP List). Type in your IP address. If you’re only connected through another IP temporarily, make sure you enter the IP address you wrote down earlier! Once you’ve typed in the IP address, click the “Quick Add” button, and you should be good to go. If there are other IP addresses you regularly connect from, you may want to add them as well. If your ISP doesn’t give you a static IP address it’s possible to enter a range, but I won’t go into the details here.
  • Edit the Blacklist (lower right of the picture) – It’ll bring up a page showing blacklisted IP addresses – make sure yours isn’t on it and delete if so!
  • Clear failed logins (the “Flush DB” button). While I usually do this just to make sure I don’t have any problems, this will also flush all the naughty people from the database who’ve been trying to break in, meaning they’ll get a few more attempts at your server if they’re still trying. Use at your own discretion.

Get back on your regular connection/IP, and hopefully you should be able to log in.

Ideally, you’ll be in and good-to-go at this point.

Feel free to leave a comment below, particularly if:

  • Something above has worked for you.
  • Something above hasn’t worked for you.
  • You know of additional methods (perhaps better methods!) that may help others.
  • I was blocked by my server and am able to login through another IP address. I found out cPHulk was disabled, so that’s definitely not my issue. I am trying to find where the CSF settings are located (this is new to me).

  • Marcos

    Thank you so much, this post saved me! I was ready to format my server when I found this. So good!

  • Thanks! I had too many incorrect attempts to log into WHM – then I thought my server was down. Turns out I was on the blacklist.