Issue WHMCS - Client Area login - Permission denied due to rate limit ?

[yabado]

Server operating system version

Centos 7.9

Plesk version and microupdate number

Plesk Obsidian 18.0.70 Update #1

I am using the plesk module in an older version of WHMCS and in the past couple days my login button stopped working.

Where the button should be reads the following...

Error code: 0. Error message: Unable to find appropriate manager for this version of Panel. Plesk should be at least 8.0 version.

and the Module log reads like this ...

<?xml version="1.0"?>
<packet version="1.0.0.0">
<system>
<status>error</status>
<errcode>1010</errcode>
<errtext>Permission denied due to rate limit</errtext>
</system> </packet>

Anyone have any ideas what could be going on? I have searched and cannot find any details of this in WHMCS or Plesk forums.

If there is a "rate limit" where can I go to increase it?

 

[yabado]

After much digging it looks like it is the new brute force "feature" added with Plesk Obsidian 18.0.70.

https://support.plesk.com/hc/en-us/articles/32709880422039-How-to-configure-rate-limiting-for-login-attempts-in-Plesk

I set it to false and so far the problem has gone away.

This "feature" looks like it still needs work and has bugs. This is happening on API logins that I know are 100% correct.

 

[Sebahat.hadzhi]

Hello, @yabado . Would you mind sharing the WHMCS version you are using so we can attempt to reproduce the issue on our end? Thank you in advance.

 

[yabado]

7.4.2

It's pretty old, but kept it before the subscription model started.

 

[Sebahat.hadzhi]

Thank you for the confirmation. Since it is EOL and is no longer supported or maintained, I believe that we are not going to allocate resources towards ensuring compatibility with it. Nevertheless, I am glad to hear the issue was sorted out after disabling the new feature.

 

[websavers]

We have reproduced the identical issue with WHMCS 8.13.1 (latest) and Plesk 18.0.70 Update #1

 

[websavers]

How do we get this fixed now that you know it's still occurring with the most recent version of WHMCS? In particular, if the passwords are correct, why does it seem to be rate limiting API access?

 

[Sebahat.hadzhi]

I will consult with our team about the issue so we can attempt to reproduce it and further investigate it. Just to make sure I understand correctly, you are also experiencing issue with the login button not functioning and you are getting blocked after successful login attempts? For the time being, please keep the bruteforceProtection.enabled option disabled to avoid any further issues.

 

[websavers]

Hey @Sebahat.hadzhi - thanks for the update. We're still working on determining the source of the issue as it's not occurring for all clients. It may be that a 3rd party extension that still uses standard password authentication is triggering this, possibly only when the saved password for Plesk (in WHMCS) is incorrect, which would be a legitimate reason for Plesk to block it. Will update when I know more.