cPHulk is a service that provides protection for your server against brute force attacks. A brute force attack is a hacking method that uses an automated system to guess the password to your web server or services.
When cPHulk blocks an IP address or account, it does not identify itself as the source of the block. Instead, the login page displays the same message as if you were trying to use incorrect access details: The login is invalid.
So if you were able to log in with the same login details before but now getting The login is invalid error, most likely you triggered cPHulk block.
cPhulk is monitoring login attempts to the following services:
POP3/IMAP/SMTP connections including email clients and webmail
SSH (cPHulk does not affect public key authentication)
cPHulk can automatically block:
IP addresses from which too many failed login attempts were noticed (to a single or several services at the same time)
accounts which are being actively abused by failed login attempts
3 types of block can be issued by cPHulk:
Temporary block - such block will expire after a specific amount of time set in the cPHulk configuration
One-day block - will occur specifically for 24 hours when a specific number of failed login attempts from a certain IP address was reached
Permanent block - will occur after triggering several temporary blocks. Can only be lifted manually.
cPHulk provides useful blocking logs for your convenience. There you can check which IP addresses/users were blocked and for which period:
A raw explanation of the entry log shown at the screenshot above can be the following:
There were too many failed login attempts via the SMTP protocol to the firstname.lastname@example.org email account from some device with an external IP address 188.8.131.52. It led to a 360-minute block (such period of time is specified in the Configuration tab). The block was issued at 05:04.22 and will expire in 345 minutes from now (or specifically at 11:04:22).
With these logs, you can troubleshoot the cause of the blocks and, for example, if suspicious log entries were found, blacklist the abuser’s IP address.
If you have Configure Server Firewall installed, it is also possible to enable automatic firewall IP blocks apart from cPHulk ones. The main difference between these blocks is that the firewall block will not allow server access at all. Make sure you whitelist your own IP address before enabling the automatic possibility of being locked out from your own server.
It is also possible to manage cPHulk from the command line interface via SSH. We suggest checking a corresponding cPanel manual as well.
Feel free to contact us if you require your IP address to be whitelisted in case of a false positive block.