Regaining Server Access After a Brute Force Attack

Any server accessible to the outside world is susceptible to malicious access attempts via various methods. A brute force attack (or brute force cracking) is a trial-and-error method in which a program attempts to decode encrypted data, such as passwords, by exhaustively trying candidates rather than by any more intelligent strategy.

cPanel, or more precisely WHM (Web Host Manager), has its own built-in brute force protection system called cPHulk. If an attack continues, cPHulk blocks the IP address it originates from for a set amount of time, denying access to the server. This window grows with each recurring attack, and cPHulk will ultimately block root access to the server altogether.

This document will show you how to regain access to your Simply Cloud Server if you are not able to access WHM or SSH due to a brute force attack.

Whitelisting Your IP Address

When first configuring WHM on your server, it is best to use a static IP address at your home or office that you can whitelist in cPHulk. This will allow you to always access WHM and clear a block in the event cPHulk locks down the root account.

  1. Log into WHM and go to Security Center / cPHulk Brute Force Protection. Click on Whitelist Management (see Screen 1).
    (Screen 1)

Regaining Access to the Server

If you cannot access WHM using the root credentials, it is likely that you also cannot SSH to the server. The root account will be released once cPHulk realises the attacks have ceased.

If you can access your server via SSH:

From a PC or device on a different (unblocked) IP address, SSH in and run the following command to stop the cPHulk daemon:
/usr/local/cpanel/etc/init/stopcphulkd stop

If you cannot access your server via SSH:

You will need to take the server offline into rescue mode, so the root password can be reset. If your sites are working fine, you may want to do this when there will be the least amount of disruption.

  1. Log into your Simply Cloud Customer Portal and put the server into rescue mode:
    Standard VPS/Dedicated Server users should go to:
    https://admin.simplyhosting.cloud/login

    Cloud users should go to
    https://cloud.simplyhosting.cloud
  2. Click on the server name in the blue box as shown in Example 1. If you're on Cloud, click Services first and then select the server in question (see Example 2).
    (Example 1)
    (Example 2)
  3. Next, click on the Tools option in the overview page of the server (see Example 3):
    (Example 3)
  4. On the Tools page (for Standard VPS/Dedicated Servers), click Reboot in to Rescue Mode. On the Tools drop down in Cloud, click on Rescue. You should receive a pop-up message confirming that you want to boot the server in rescue mode.
  5. The server will now reboot from the Simply Cloud network. Write down the root password that is displayed in your Simply Cloud Control Panel as rescue mode will use this as the new password for future steps.
  6. Once the status has changed to “Rescued,” you can access the server using PuTTY/SSH, the main server IP address and the root credentials in your Simply Cloud Control Panel (see Screen 1).
    (Screen 1)
  7. Mount your server disk in rescue mode by entering the following commands:

    fdisk -l

    The above command will list the available disks as shown below in Screen 2:
    (Screen 2)
  8. Since the server's disk is /dev/xvda1 (as shown in Screen 2), start by creating a mount point for the disk and then mount it in the Linux environment by using the following commands:

    mkdir /mnt/xvda1
    mount /dev/xvda1 /mnt/xvda1

    Next, chroot to the mounted directory so you can change the root password using the command:

    chroot /mnt/xvda1 bash

    You should notice the prompt changing (see Screen 3):
    (Screen 3)
  9. Reset/change the root password by typing:

    passwd

    Enter the new password and confirm it by entering it again. NOTE: Nothing is echoed as you type the new password, so the cursor will not move. The message highlighted in Screen 4 indicates the change was successful:
    (Screen 4)
  10. Go back to the Simply Cloud Control Panel, and in the same place where you put the server into rescue mode, click Unrescue Server. This should reboot the server back into normal mode within a few minutes. You should now be able to access WHM and/or SSH using the new root password.
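As an added example that is not part of the original article, the following POSIX shell script carries steps 7 to 9 through as one procedure, and goes a little beyond the page in two ways: it picks the partition from the output of fdisk -l instead of reading it off a screenshot, and it refuses to chroot into a partition that has no /etc/shadow, which is the sign that you mounted a /boot or data partition rather than the operating system. The helper names, the sample fdisk output and the assumption that the OS lives on the first plain Linux partition are mine, not Simply Cloud's or cPanel's.

```shell
#!/bin/sh
# Added example, not from the Simply Cloud article: the rescue-mode root
# password reset (steps 7 to 9) with a partition check. Assumptions: the
# rescue system has fdisk, mount and chroot, and the installed OS sits on
# the first plain "Linux" partition fdisk lists (/dev/xvda1 in the article).

# Print the first plain Linux partition found in `fdisk -l` output (passed
# in as a string). Swap, LVM and extended partitions are skipped because
# chroot needs a mountable root filesystem, and they are not one.
select_root_partition() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^\/dev\// && /Linux/ && !/swap|LVM|[Ee]xtended/ { print $1; exit }
    '
}

# Constructed sample of fdisk -l output in the older util-linux layout
# (as on CentOS 6 era cPanel hosts); not a capture from a real server.
SAMPLE_FDISK_OLD='Disk /dev/xvda: 21.5 GB, 21474836480 bytes
255 heads, 63 sectors/track, 2610 cylinders

   Device Boot      Start         End      Blocks   Id  System
/dev/xvda1   *           1        2610    20964793+  83  Linux'

# Constructed sample in the newer layout, with a swap partition listed first.
SAMPLE_FDISK_NEW='Disk /dev/vda: 40 GiB, 42949672960 bytes, 83886080 sectors
Disklabel type: dos

Device     Boot   Start      End  Sectors Size Id Type
/dev/vda1          2048  4196351  4194304   2G 82 Linux swap / Solaris
/dev/vda2  *    4196352 83886079 79689728  38G 83 Linux'

# Mount the partition, confirm it really is the OS root (it must contain
# /etc/shadow, the file passwd rewrites), then run passwd inside a chroot.
# Returns non-zero without changing anything if any check fails.
reset_root_password_in_rescue() {
    dev="$1"
    mnt="/mnt/$(basename "$dev")"      # e.g. /mnt/xvda1, as in step 8
    [ -b "$dev" ] || { echo "not a block device: $dev" >&2; return 1; }
    mkdir -p "$mnt"
    mount "$dev" "$mnt" || return 1
    if [ ! -f "$mnt/etc/shadow" ]; then
        echo "$dev has no /etc/shadow: wrong partition (/boot or a data disk?)" >&2
        umount "$mnt"
        return 1
    fi
    # Step 9 (chroot, then passwd) without leaving an interactive shell
    # behind; passwd still prompts for the new password on the terminal.
    chroot "$mnt" passwd root
    rc=$?
    umount "$mnt"
    return $rc
}

# The real work runs only when explicitly asked for, because mount and
# chroot need root on the rescue system. Sourcing the file just defines
# the functions.
if [ "${1:-}" = "run" ]; then
    part=$(select_root_partition "$(fdisk -l 2>/dev/null)")
    [ -n "$part" ] || { echo "no Linux partition found in fdisk -l output" >&2; exit 1; }
    echo "using $part"
    reset_root_password_in_rescue "$part"
fi
```

Run it as `sh reset-root.sh run` from the rescue shell of step 6; the /etc/shadow check is what stops you from "changing" the root password on the wrong partition and then wondering why the new credentials do not work after unrescuing.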
