Configuring cPHulk and unblocking your IP

Brute force is an attack (hacking) method that involves using an automated system to guess the password of your web server or services. cPHulk provides protection against such attacks.

WHM/cPanel has a service called “cPHulk Brute Force Protection” that protects you from Brute Force attacks. If someone repeatedly enters an incorrect password then cPHulk blocks such IP and sends message to the root contact of the server.

You can enable / disable cPhulk brute force protection via WHM :

1) Login to WHM
2) Access Home >> Security Center >> cPhulk Brute Force Protection
3) You can click “Enable” to enable cPhulk

If cPHulk locks you out, there are two ways to whitelist to your IP address in cPHulk :-

Via WHM :

1) Go to WHM Main, then to Security Center, and select cPHulk Brute Force Protection.
2) Go to “White/Black List Management” Tab.
3) Enter the IP in “White List (Trusted IP List)” and press “Quick Add”.

Via MysQL :

Remove cPHulk Brute Force blocked ip address via MySql prompt by following these steps.

1) Login to your server via SSH as the root user
2) Type ‘mysql’, and you will see a prompt as

-bash-4.1# mysql
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 216694
Server version: 5.1.70-cll MySQL Community Server (GPL)
Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
Type ‘help;’ or ‘\h’ for help. Type ‘\c’ to clear the current input statement.


3) cPHulk stores all of its information in a database called cphulkd. You have to type the following command to access cPhulk’s database :

mysql> use cphulkd

4) Following command shows you list of tables under cPhulk’s database :

mysql> show tables; 

5) There are two tables of interest: "logins" and "brutes"

* The logins table stores login authentication failures.
* The brutes table stores excessive authentication failures indicative of a brute force attack.  If you want to whitelist the IP address which are blocked. You need to check in tables “brutes and logins”

Command to check if your IP address is in brutes tables :

mysql> select * from brutes where IP = ‘X.X.X.X'; (Note : Replace “X.X.X.X” field with your IP address)

If your ip address found brutes tables, then use the following command to remove it.

mysql> delete from brutes where IP = ‘X.X.X.X';
Query OK, 1 rows affected (0.00 sec)

You can do the same for the logins table -

mysql> delete from logins where IP = ‘X.X.X.X';
Query OK, 1 rows affected (0.00 sec)

6) mysql> quit

7) You can now try to login your WHM or webmail or cPanel.


cPHulk reports can also be used as a monitoring tool for access to your server. You can check the logs to see if someone else had attempted to login to your WHM:

1) Go to WHM Main, then to Security Center, and choose cPHulk Brute Force Protection.
2) Go to “Login/Brute History Report” Tab. 

Look at the “User” and “IP” columns to know who all tried to connect. You should block any suspicious IP via “White/Black List Management” tab > “Black List (Rejected IP List)”.