Regaining Server Access After a Brute Force Attack

Any server that is reachable from the outside world is exposed to malicious access attempts of various kinds. A brute force attack (or brute force cracking) is a trial-and-error method in which a program tries to recover a secret such as a password by exhaustively guessing candidates rather than by any cleverer strategy.

cPanel, or more precisely WHM (Web Host Manager), has its own built-in brute force protection system called cPHulk. If an attack continues, cPHulk blocks the IP address it originates from for a set amount of time, denying that address access to the server. This time window increases with each recurring attack, and cPHulk will ultimately block root access to the server altogether.

This document will show you how to regain access to your Tagadab Server if you are not able to access WHM or SSH due to a brute force attack.

Whitelisting Your IP Address

When first configuring WHM on your server, it is best to use a static IP address at your home or office that you can whitelist in cPHulk. This will allow you to always access WHM and clear a block in the event cPHulk locks down the root account.

  1. Log into WHM and go to Security Center / cPHulk Brute Force Protection. Click on Whitelist Management (see Screen 1).

    Screen 1 (screenshot): Log in

Regaining Access to the Server

If you cannot access WHM using the root credentials, it is likely that you also cannot SSH to the server. The root account will be released once cPHulk realises the attacks have ceased.

If you can access your server via SSH:

Run the following command if you have access to a PC or device on a different IP address:
/usr/local/cpanel/etc/init/stopcphulkd stop

If you cannot access your server via SSH:

You will need to take the server offline into rescue mode so that the root password can be reset. If your sites are working fine, you may want to do this at a time when it will cause the least disruption.

  1. Log into your Tagadab Customer Portal and put the server into rescue mode:

    Standard VPS/Dedicated Server users should go to:
    https://control-panel.tagadab.com/login

    Cloud users should go to:
    https://cloud.tagadab.com

  2. Click on the server name in the blue box as shown in Example 1. If you're on Cloud, click Services first and then select the server in question (see Example 2).

    Example 1 (screenshot): Server Name

    Example 2 (screenshot): Cloud Server

  3. Next, click on the Tools option in the overview page of the server (see Example 3):

    Example 3 (screenshot): Tools Option

  4. On the Tools page (for Standard VPS/Dedicated Servers), click Reboot into Rescue Mode. On the Tools drop-down in Cloud, click on Rescue. You should receive a pop-up message asking you to confirm that you want to boot the server into rescue mode.
  5. The server will now reboot from the Tagadab network. Write down the root password that is displayed in your Tagadab Control Panel, as rescue mode will use this as the password for the following steps.
  6. Once the status has changed to "Rescued", you can access the server using PuTTY/SSH, the main server IP address and the root credentials shown in your Tagadab Control Panel (see Screen 1).

    Screen 1 (screenshot): Access via PuTTY/SSH

  7. Mount your server disk in rescue mode by entering the following commands:

    fdisk -l

    The above command will list the available disks as shown below in Screen 2:

    Screen 2 (screenshot): fdisk -l

  8. Since the server's disk is /dev/xvda1 (as shown in Screen 2), start by creating a mount point for the disk and then mount it in the rescue Linux environment using the following commands:

    mkdir /mnt/xvda1
    mount /dev/xvda1 /mnt/xvda1

    Next, chroot to the mounted directory so you can change the root password using the command:

    chroot /mnt/xvda1 bash

    You should notice the prompt changing (see Screen 3):

    Screen 3 (screenshot): Server mount point

  9. Reset/change the root password by typing:

    passwd

    Enter the new password and confirm it by entering it again. NOTE: The prompt will not move or echo anything while you type the new password. The message highlighted in Screen 4 indicates that the change was successful:

    Screen 4 (screenshot): Change password

  10. Go back to the Tagadab Control Panel, and in the same place where you put the server into rescue mode, click Unrescue Server. This should reboot the server back into normal mode within a few minutes. You should now be able to access WHM and/or SSH using the new root password.
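Steps 7 to 9 above can be wrapped in a small script so that the device, the mount and the chroot are checked before the password is changed. This is an added example, not a Tagadab script: it assumes a Linux rescue environment with fdisk, mount and chroot, takes the device name (/dev/xvda1 in the guide) as an argument, bind-mounts /dev, /proc and /sys so that passwd and PAM behave normally inside the chroot, and runs passwd directly instead of starting an interactive bash.

```shell
#!/bin/sh
# Added example (not Tagadab's own script): reset the root password of a
# cPanel server from rescue mode, following the guide's steps 7 to 9.
set -eu

# Derive the mount point the guide uses (/mnt/<device name>) from a device path.
mount_point_for() {
    dev="$1"
    case "$dev" in
        /dev/*) ;;
        *) echo "not a device path: $dev (check 'fdisk -l')" >&2; return 1 ;;
    esac
    echo "/mnt/${dev#/dev/}"
}

# Mount the server disk, bind the pseudo-filesystems into it, change the
# root password inside the chroot, then unmount everything again.
reset_root_password() {
    dev="$1"
    mnt="$(mount_point_for "$dev")"
    [ -b "$dev" ] || { echo "$dev is not a block device; check 'fdisk -l'" >&2; return 1; }
    mkdir -p "$mnt"
    mount "$dev" "$mnt"
    # Refuse to continue if this does not look like the server's root filesystem.
    if [ ! -f "$mnt/etc/shadow" ]; then
        umount "$mnt"
        echo "no /etc/shadow under $mnt; wrong partition?" >&2
        return 1
    fi
    for fs in dev proc sys; do mount --bind "/$fs" "$mnt/$fs"; done
    chroot "$mnt" passwd root
    for fs in sys proc dev; do umount "$mnt/$fs"; done
    umount "$mnt"
}

# Only act when invoked explicitly, e.g.:  sh reset-root.sh --run /dev/xvda1
if [ "${1:-}" = "--run" ]; then
    reset_root_password "${2:-/dev/xvda1}"
fi
```

After the script finishes, unrescue the server from the Control Panel as in step 10; the unmounts at the end leave the disk clean for the reboot.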
