Regaining Server Access After a Brute Force Attack
Any server accessible from the outside world is exposed to malicious access attempts of various kinds. A brute force attack (or brute force cracking) is a trial-and-error method in which a program tries to recover protected data such as passwords by exhaustively guessing candidates rather than by any cleverer strategy.
cPanel, or more precisely WHM (Web Host Manager), has its own built-in brute force protection system called cPHulk. If an attack continues, cPHulk blocks the IP address from which the attack originates for a set amount of time, denying it access to the server. This time window increases with each recurring attack, and cPHulk ultimately blocks root access to the server altogether.
This document will show you how to regain access to your Tagadab Server if you are not able to access WHM or SSH due to a brute force attack.
Whitelisting Your IP Address
When first configuring WHM on your server, it is best to use a static IP address at your home or office that you can whitelist in cPHulk. This will allow you to always access WHM and clear a block in the event cPHulk locks down the root account.
- Log into WHM and go to Security Center / cPHulk Brute Force Protection. Click on Whitelist Management (see Screen 1).
Regaining Access to the Server
If you cannot access WHM using the root credentials, it is likely that you also cannot SSH to the server. The root account will be released once cPHulk realises the attacks have ceased.
If you can access your server via SSH:
Run the following command if you have access to a PC or device on a different IP address:
If you cannot access your server via SSH:
You will need to take the server offline into rescue mode, so the root password can be reset. If your sites are working fine, you may want to do this when there will be the least amount of disruption.
- Log into your Tagadab Customer Portal and put the server into rescue mode:
Standard VPS/Dedicated Server users should go to:
Cloud users should go to:
- Click on the server name in the blue box as shown in Example 1. If you're on Cloud, click Services first and then select the server in question (see Example 2).
- Next, click on the Tools option in the overview page of the server (see Example 3):
- On the Tools page (for Standard VPS/Dedicated Servers), click Reboot in to Rescue Mode. On the Tools drop down in Cloud, click on Rescue. You should receive a pop-up message confirming that you want to boot the server in rescue mode.
- The server will now reboot from the Tagadab network. Write down the root password that is displayed in your Tagadab Control Panel as rescue mode will use this as the new password for future steps.
- Once the status has changed to “Rescued,” you can access the server using PuTTY/SSH, the main server IP address and the root credentials shown in your Tagadab Control Panel (see Screen 1).
- Mount your server disk in rescue mode by entering the following commands:
The above command will list the available disks as shown below in Screen 2:
- Since the server's disk is /dev/xvda1 (as shown in Screen 2), start by creating a mount point for the disk and then mount it in the Linux environment by using the following commands:
mkdir -p /mnt/xvda1
mount /dev/xvda1 /mnt/xvda1
Next, chroot to the mounted directory so you can change the root password using the command:
chroot /mnt/xvda1 bash
You should notice the prompt changing (see Screen 3):
- Reset/change the root password by typing:
passwd
Enter the new password and confirm it by entering it again. NOTE: The cursor will not move while you type the new password; nothing is echoed. The message highlighted in Screen 4 indicates the change was successful:
- Go back to the Tagadab Control Panel, and in the same place where you put the server into rescue mode, click Unrescue Server. This should reboot the server back into normal mode within a few minutes. You should now be able to access WHM and/or SSH using the new root password.
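The rescue-shell steps above (create the mount point, mount the disk, chroot into it, run passwd) gathered into one POSIX shell script with the sanity checks a practitioner would want before touching the disk. This is an added example, not a Tagadab script: it assumes the server's disk is /dev/xvda1 and the mount point /mnt/xvda1 as on this page, that it runs as root inside the rescue environment, and the check functions (`check_rescue_args`, `looks_like_root_fs`) are this example's own.

```shell
#!/bin/sh
# Added example (not Tagadab's tooling): reset the root password of a cPanel
# server from rescue mode. Assumes it runs as root in the rescue environment and
# that the server's disk is /dev/xvda1, mounted under /mnt/xvda1, as in the guide.
set -eu

# Refuse obviously wrong arguments before touching anything.
# Returns 0 when the device is a /dev/ path and the mount point is under /mnt.
check_rescue_args() {
  dev=$1
  mnt=$2
  case $dev in
    /dev/?*) ;;
    *) echo "device '$dev' must be a /dev/ path" >&2; return 1 ;;
  esac
  case $mnt in
    /mnt/?*) ;;
    *) echo "mount point '$mnt' must be under /mnt" >&2; return 1 ;;
  esac
  return 0
}

# Returns 0 when the directory holds a complete Linux root filesystem, i.e. the
# partition that actually contains /etc/shadow. A chroot into a data or boot
# partition would otherwise fail, or change the wrong password file.
looks_like_root_fs() {
  root=$1
  for d in etc bin usr; do
    [ -d "$root/$d" ] || return 1
  done
  [ -f "$root/etc/shadow" ] || return 1
  return 0
}

# Mount the server's disk, verify it, and run passwd for root inside it.
reset_root_password() {
  dev=${1:-/dev/xvda1}
  mnt=${2:-/mnt/xvda1}
  check_rescue_args "$dev" "$mnt"
  [ -b "$dev" ] || { echo "$dev is not a block device" >&2; return 1; }
  mkdir -p "$mnt"
  # Skip the mount if an earlier attempt already mounted this path.
  grep -qs " $mnt " /proc/mounts || mount "$dev" "$mnt"
  looks_like_root_fs "$mnt" || { echo "$mnt does not look like a root filesystem" >&2; return 1; }
  # passwd prompts twice; the cursor does not move while the password is typed.
  chroot "$mnt" passwd root
  umount "$mnt"
  echo "root password on $dev updated; unrescue the server from the Tagadab Control Panel"
}

# Run the reset only when executed under this name, so the file can also be
# sourced for its functions. Hypothetical script name used as the guard.
case ${0##*/} in
  rescue-reset-root.sh) reset_root_password "$@" ;;
esac
```

Save it as rescue-reset-root.sh and run `sh rescue-reset-root.sh /dev/xvda1 /mnt/xvda1` from the rescue shell; the script stops before mounting or chrooting if the device is not a block device or the mounted tree does not contain /etc/shadow, which is the failure mode when the wrong partition (for example a /boot partition) is picked from the disk listing.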