cPanel Admin Tips & Hints

How to un-ban yourself when cPHulk thinks you’re an intruder

I am a little embarrassed to admit this, but the other day I tried to log in to WHM from an IP address I don’t normally use and attempted to use a password that didn’t go to the root account I was attempting to access.  Needless to say, since I use the built-in cPHulk as my first (but not only) method of brute-force attack protection (as should you), after a few incorrect attempts to log in, WHM banned my IP address completely and I could no longer log in.

Now, normally, I’d be logging in from a whitelisted IP address and I wouldn’t have to worry about this, but I needed to do something urgently on my server and was using a different machine than I normally would to try to get in to WHM.  Since this was urgent, I really needed to get in and couldn’t afford to wait 60 minutes for the ban to be released on the IP address I was connecting from.

What do you do if this happens?  How can you log in when your account is blocked, especially if it is the root account that’s been banned?

After a little searching, I found the answer, and I’m sharing it with you today in case this slightly embarrassing situation ever happens to you…

REQUIRES: Server root access
TIME REQUIRED: 5-10 minutes
DIFFICULTY: LOW
DANGER: LOW

INSTRUCTIONS
1. Log in to your server via SSH as root.  This should still be allowed because cPHulk blocks access to cPanel/WHM, not the server shell itself.  (If another product such as the awesome csf/lfd firewall product has blocked you, however, you may not be so lucky.)

2. Issue this command at the prompt:
/usr/local/cpanel/etc/init/stopcphulkd

3. Leave the SSH session open and go to your browser.  You should now be able to log in through WHM.  Log in to WHM as root.

4. From the main screen of WHM click “Security Center”, then click “cPHulk Brute Force Protection”, then click “Flush DB”.  This action will clear out all IP address bans currently in effect with cPHulk.  Alternatively, you could click on “White/Black List Management” and then “Edit Blacklist” to find and remove only your IP address, but the first method is the easiest unless you know you are actively under attack by a would-be intruder.

5. Log out of WHM and go back to your SSH session that you left open in step 3.  Issue this command at the prompt:
/usr/local/cpanel/etc/init/startcphulkd

6. Try to log in to WHM again.  You should be able to with no problem and your system is still secure against brute-force attacks from others.  If you’ll be using this IP address in the future to connect to WHM and the IP address is in a secure, non-public place, you might want to add the IP address to your cPHulk whitelist so this doesn’t happen again in the future.  To do this, go to Security Center -> cPHulk Brute Force Protection -> White/Black List Management -> Edit Whitelist.  You should be prompted near the top to add your current IP to the list.  Click where indicated and you should be all set!

What you did in the instructions above was to simply stop the cPHulk service from running.  With it disabled, you could safely log in to WHM again without being blocked.  You then removed the instructions that told cPHulk that your IP Address was an “intruder” by “flushing” the database.  Finally, you restarted the cPHulk service so it could begin protecting you from would-be intruders again, sans your IP address.  You were then able to log in again.

While it can be frustrating and a bit humbling to be banned from your own system, it is good to know that your system is doing its job properly and that you can easily fix your permission problem with a little easy command-line work.

Have you ever been banned from your own system by strict security rules before?  How did you cope with the computer-generated wrist-slap?  Let us know by commenting below!

 


4 Responses to How to un-ban yourself when cPHulk thinks you’re an intruder

  1. k says:

    Less legwork:

    Log in as root. Issue command
    # echo 'delete from brutes; delete from logins' | mysql cphulkd

  2. Terry says:

    Whenever cPHulk has blocked an IP on our servers, it also affects shell login, otherwise a hacker could just run shell attacks all day long.

    I have to check my banned IP address using say geobytes.com, then change my IP somehow, such as using mobile phone as wifi.

    Then log in to WHM and find the IP address that I was previously on and un-ban it.

    It’s a pain, but much better than allowing hackers potentially in, we are scanned several times a day from all over the world.

  3. Rudy says:

    These instructions totally solved my problem. Thanks

  4. Jim says:

    Thanks. It saved the day!
    Cheers
