Friday, December 19, 2014

Reset CPHulk data to regain access

Log in to your server via SSH as the root user.

Run the following command to list the login attempts cPHulk has recorded:

    mysql -e "select * from cphulkd.logins;"

In this case we can see failed login attempts against the email account user@example.com from the IP address 123.123.123.123 (a placeholder address used throughout this post):

    +------------------+-----------------+---------+--------+---------------------+
    | USER             | IP              | SERVICE | STATUS | LOGINTIME           |
    +------------------+-----------------+---------+--------+---------------------+
    | user@example.com | 123.123.123.123 | mail    | 0      | 2013-02-27 13:04:25 |
    | user@example.com | 123.123.123.123 | mail    | 0      | 2013-02-27 13:04:29 |
    | user@example.com | 123.123.123.123 | mail    | 0      | 2013-02-27 13:04:39 |
    +------------------+-----------------+---------+--------+---------------------+

Next, run the following command to list the brute force attempts cPHulk has detected:

    mysql -e "select * from cphulkd.brutes;"

Here we can see that those failed email login attempts caused a brute force block on the IP, with the block's start time (BRUTETIME) and expiry time (EXPTIME):

    +-----------------+-----------------------------------------------------------------------------------------------------------------------+---------------------+---------------------+
    | IP              | NOTES                                                                                                                 | BRUTETIME           | EXPTIME             |
    +-----------------+-----------------------------------------------------------------------------------------------------------------------+---------------------+---------------------+
    | 123.123.123.123 | 5 failed login attempts to account user@example.com (mail) -- Large number of attempts from this IP: 123.123.123.123 | 2013-02-27 13:04:54 | 2013-02-27 13:09:54 |
    +-----------------+-----------------------------------------------------------------------------------------------------------------------+---------------------+---------------------+

If you can afford to wait, do nothing: EXPTIME is the time at which the block expires (five minutes after BRUTETIME in this example), and after that you will be able to log in again.

If you need to clear the block and regain access right away, first confirm that the blocked IP really is yours (or that of a user you trust) rather than an attacker's, since removing the block also removes the protection it provides. Then run the following commands to re-allow access for the 123.123.123.123 IP address:

    mysql -e "delete from cphulkd.logins where IP='123.123.123.123';"
    mysql -e "delete from cphulkd.brutes where IP='123.123.123.123';"

The second command is the one that actually lifts the block. The first one discards the login history for that IP, which is the only record of what was attempted; if you may need that later (for example to show what happened to a user whose mailbox was being guessed), skip it or save the SELECT output first. To stop your own address being blocked again, add it to the cPHulk whitelist in WHM's cPHulk Brute Force Protection page. Note that later cPanel & WHM releases moved the cPHulk database from MySQL to SQLite (/var/cpanel/hulkd/cphulk.sqlite); on those systems the same SELECT and DELETE statements are run through sqlite3 instead of mysql.
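The procedure above splices an IP address straight into a SQL string inside a shell command. The script below, an added example and not part of the original post, wraps the same two statements so that the IP is validated before it reaches the query, both tables are archived for that IP before anything is deleted, and by default only the block row in cphulkd.brutes is removed, leaving the login history intact. It assumes cPHulk stores its data in the MySQL cphulkd database (as in this post) and that root can run mysql without a password; the archive directory and the script name in the usage comment are arbitrary choices.

```shell
#!/bin/sh
# Added example, not from the original post: a safer wrapper around the two
# DELETE statements for clearing a cPHulk block on one IP address.
# Assumptions: cPHulk data lives in MySQL (database cphulkd) and root can run
# `mysql` without a password. ARCHIVE_DIR is an arbitrary root-only location.

ARCHIVE_DIR=/root/cphulk-archive   # assumed location; any root-only directory works

# Accept only a dotted-quad IPv4 address with each octet in 0-255. Anything
# else is refused, so a crafted value such as  1.2.3.4' OR '1'='1  can never
# be spliced into the SQL below.
valid_ipv4() {
    ip=$1
    case $ip in
        *[!0-9.]*|''|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $ip
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Build the DELETE statement(s) for one IP. Default scope "brutes" lifts the
# block only; scope "all" also removes the login history, which is the full
# procedure from the post.
build_unblock_sql() {
    ip=$1; scope=${2:-brutes}
    valid_ipv4 "$ip" || { echo "refusing to build SQL for invalid IP: $ip" >&2; return 1; }
    sql="DELETE FROM cphulkd.brutes WHERE IP='$ip';"
    if [ "$scope" = all ]; then
        sql="$sql DELETE FROM cphulkd.logins WHERE IP='$ip';"
    fi
    printf '%s\n' "$sql"
}

# Archive what cPHulk recorded for the IP, show the block row, then delete.
cphulk_unblock() {
    ip=$1; scope=${2:-brutes}
    sql=$(build_unblock_sql "$ip" "$scope") || return 1
    mkdir -p "$ARCHIVE_DIR"
    stamp=$(date +%Y%m%d-%H%M%S)
    mysql -e "SELECT * FROM cphulkd.logins WHERE IP='$ip';" > "$ARCHIVE_DIR/logins-$ip-$stamp.txt"
    mysql -e "SELECT * FROM cphulkd.brutes WHERE IP='$ip';" > "$ARCHIVE_DIR/brutes-$ip-$stamp.txt"
    cat "$ARCHIVE_DIR/brutes-$ip-$stamp.txt"
    mysql -e "$sql"
    echo "unblocked $ip (scope: $scope); records archived under $ARCHIVE_DIR"
}

# Usage (script name assumed): sh cphulk-unblock.sh 123.123.123.123 [all]
if [ -n "${1:-}" ]; then
    cphulk_unblock "$1" "${2:-brutes}"
fi
```

Run it with the blocked address as the first argument; pass `all` as the second argument only when you deliberately want to drop the login history as well. Because the IP is checked against a strict dotted-quad pattern before being used, a typo or a hostile value fails closed instead of producing a malformed or overly broad DELETE.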
