LFD block email address instead of complete IP on many wrong logins

matalqah
Junior Member
Posts: 4
Joined: 09 Dec 2018, 13:33


Post by matalqah »

Hi all,

I suggest, if possible, adding an option to CSF to block only the targeted email address on many wrong SMTP/IMAP/POP3 logins instead of blocking the whole IP, in both DirectAdmin and cPanel. It could be an email address suspension with a notification email.

Currently, blocking the whole IP causes all other company employees behind the same IP to be blocked too, and it takes them time to realise that and contact us to unblock it.

And we don't want to just whitelist the IP, since it's a non-static IP that changes over time.


Thanks
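To make the proposal concrete, here is an added example (Python, not CSF's or LFD's own code) that counts dovecot-style IMAP/POP3 authentication failures two ways over a sliding window: per source IP, which is the shape of what LFD does with its LF_IMAPD/LF_POP3D limits and LF_INTERVAL, and per account, as this post suggests. The log lines are constructed for the example, and the addresses, account names and the 10-failures-in-3600-seconds threshold are assumptions. One mailbox with a stale password behind a shared office NAT trips the per-IP rule and takes the whole office with it, while counting per account isolates that one mailbox. The example also shows the caveat a practitioner should keep in mind: a source that tries one password against many accounts never reaches the per-account limit, so an account-level suspension complements the per-IP block rather than replacing it.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta


# Constructed dovecot-style "auth failed" lines as they appear in /var/log/maillog.
# These are sample data for the example, not real server logs.
def _fail_line(ts: str, user: str, ip: str, svc: str = "imap") -> str:
    return (f"Dec  9 {ts} mail dovecot: {svc}-login: Disconnected (auth failed, 1 attempts "
            f"in 2 secs): user=<{user}>, method=PLAIN, rip={ip}, lip=198.51.100.5, TLS")


OFFICE_IP = "203.0.113.10"   # assumed: shared NAT address of a client's office
SPRAY_IP = "198.51.100.77"   # assumed: one source trying many accounts

SAMPLE_LOG = "\n".join(
    # bob's phone has a stale password and retries every 30 seconds
    [_fail_line(f"09:{i // 2:02d}:{(i % 2) * 30:02d}", "bob@example.com", OFFICE_IP)
     for i in range(12)]
    # two colleagues behind the same office IP each mistype once
    + [_fail_line("09:01:15", "alice@example.com", OFFICE_IP, "pop3"),
       _fail_line("09:04:40", "carol@example.com", OFFICE_IP)]
    # a password spray: one attempt each against twelve accounts from one IP
    + [_fail_line(f"09:10:{i * 4:02d}", f"user{i}@example.com", SPRAY_IP)
       for i in range(12)]
)

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ dovecot: (?:imap|pop3)-login: "
    r"Disconnected \(auth failed[^)]*\): user=<(?P<user>[^>]*)>.*?\brip=(?P<ip>[\d.]+)"
)


def parse_failures(log_text: str, year: int = 2018):
    """Return (timestamp, account, source_ip) for every dovecot auth failure line."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # syslog pads the day with a space ("Dec  9"); normalise before parsing
        stamp = " ".join(m["ts"].split())
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["user"].lower(), m["ip"]))
    return events


def trip_counts(events, key, limit=10, interval=3600):
    """Sliding-window failure counter.

    `limit` failures within any `interval` seconds reports the key, mirroring the
    shape of LFD's LF_IMAPD / LF_POP3D / LF_SMTPAUTH limits with LF_INTERVAL.
    `key` decides what is counted: the source IP (what LFD does today) or the
    account (what this thread proposes). Returns {key: failures in the window}.
    """
    window = timedelta(seconds=interval)
    recent = defaultdict(deque)
    tripped = {}
    for ts, account, ip in sorted(events):
        k = key(account, ip)
        q = recent[k]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= limit:
            tripped[k] = len(q)
    return tripped


def by_ip(account, ip):
    return ip


def by_account(account, ip):
    return account


def compare(log_text: str = SAMPLE_LOG, limit: int = 10, interval: int = 3600):
    """Side by side: who gets hit under per-IP blocking versus per-account suspension."""
    events = parse_failures(log_text)
    return {
        "blocked_ips": trip_counts(events, by_ip, limit, interval),
        "suspended_accounts": trip_counts(events, by_account, limit, interval),
    }


if __name__ == "__main__":
    for mode, hits in compare().items():
        print(mode, hits)
```

With the constructed input, `compare()` reports both the office NAT address and the spraying address under per-IP counting (14 and 12 failures), but only bob's mailbox under per-account counting; the spray's twelve accounts sit at one failure each and are invisible to an account-level rule.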
Firewalls4Life
Junior Member
Posts: 73
Joined: 21 Nov 2011, 18:43


Post by Firewalls4Life »

Do you mean disable the specific email account, or disable the main cPanel account itself, or do you mean block the IP address attempting to connect in with SMTP/IMAP/POP3?
matalqah
Junior Member
Posts: 4
Joined: 09 Dec 2018, 13:33


Post by matalqah »

Hi

Thanks Firewalls4Life for your comment.

What I meant is disabling only the targeted email account and sending an email notification to the cPanel account admin. This way the other email accounts under the same cPanel account are not affected, and the targeted account's issue can be noticed and resolved, since in most cases it is an employee using a wrong password, not an attack.

Thanks
Firewalls4Life
Junior Member
Posts: 73
Joined: 21 Nov 2011, 18:43


Post by Firewalls4Life »

Hello. Since the users all come from a single IP address at their office, and these users are trusted by you, what you can do is simply tell LFD to ignore taking action on failed logins from their IP address. Your firewall rules will still apply and secure your server, but the firewall will now no longer explicitly block their IP address.

Edit the file at:
/etc/csf/csf.ignore

And place their IP address inside, then save and restart CSF.


127.199.198.7

You can even put notes next to the LFD ignore entry, so that you can identify the rule next time you go to edit the file, like this:


127.199.198.7 # Corner Grocery Store, primary shared office IP address

Everything to the right of the # symbol is ignored, as long as you put it on the same line.
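A small parser for the csf.ignore entry format described above, added here as an example (Python, not CSF's own code). The sample file contents are constructed: the first entry is the one from the post, while the CIDR range, the IPv6 prefix and the malformed line are assumptions for illustration; only the plain one-entry-per-line form shown above is handled. It drops everything after `#`, accepts address and CIDR entries, reports lines that are not addresses, and answers whether a given client IP is covered. The last check also shows the trade-off with dynamic addresses: a neighbouring address the ISP hands out tomorrow is not covered unless a wider range is listed.

```python
import ipaddress

# Constructed contents in the layout of /etc/csf/csf.ignore (not a real file).
SAMPLE_IGNORE = """\
# Office NAT address for a client; failed logins from here are not acted on
127.199.198.7 # Corner Grocery Store, primary shared office IP address
192.0.2.0/24   # assumed: a branch office range, listed as CIDR
2001:db8::/32  # assumed: an IPv6 prefix

not-an-address  # assumed typo: reported as malformed rather than silently skipped
"""


def parse_ignore(text: str):
    """Return (networks, malformed) for csf.ignore-style text.

    Blank lines and everything to the right of '#' are ignored. Single addresses
    become /32 or /128 networks so one membership test covers both forms.
    """
    nets, malformed = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            malformed.append((lineno, entry))
    return nets, malformed


def is_ignored(ip: str, nets) -> bool:
    """True if `ip` falls inside any parsed csf.ignore entry."""
    addr = ipaddress.ip_address(ip)
    return any(addr.version == n.version and addr in n for n in nets)


if __name__ == "__main__":
    nets, bad = parse_ignore(SAMPLE_IGNORE)
    print("entries:", [str(n) for n in nets])
    print("malformed:", bad)
    for probe in ("127.199.198.7", "127.199.198.8", "192.0.2.77", "2001:db8::1"):
        print(probe, "ignored" if is_ignored(probe, nets) else "not ignored")
```

The version check in `is_ignored` avoids comparing an IPv4 address against an IPv6 network, which `ipaddress` treats as a plain "not contained" in current Python but is clearer to state explicitly.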
matalqah
Junior Member
Posts: 4
Joined: 09 Dec 2018, 13:33


Post by matalqah »

Thanks Firewalls4Life ,

This won't work, since most of my clients are using non-static IP address internet subscriptions, so their real IP changes from time to time, so ignoring their IP won't be helpful.

Also, ignoring the real IP that was at one time assigned to my client will become a threat once it's switched to another user of the internet provider; at that time the new customer will have full access to the server since the IP is in the firewall ignore list.

Regards
Firewalls4Life
Junior Member
Posts: 73
Joined: 21 Nov 2011, 18:43


Post by Firewalls4Life »

Hello matalqah,

The LFD ignore IP feature is different and separate logic from the CSF allow firewall rule.

LFD ignore means a user's failed logins do not cause their IP address to be blocked completely; however, firewall rules still remain in place. It is not the same thing as a CSF allow IP address entry.

Say you have ports 22, 25, 80, and 443 allowed by default from ANY IP address. A user fails login to SSH too many times... Normally that User would now become blocked completely and can no longer access any traffic -- blocked on 22, 25, 80, and 443. However, if you do LFD ignore, they will not become blocked on 22, 25, 80, and 443. It will still enforce all firewall rules to keep all ports closed except for ones you have open already... So the IP address of the client will NOT have full access to the server.

LFD Ignore is NOT the same as Firewall Allow All. LFD Ignore simply tells the firewall to never completely block an IP address due to failed login... but standard firewall rules will still apply.

---

Back to ideas about how to help your situation... I think maybe you could look at changing the thresholds in the LFD configuration. Raise the number of failed logins in a given time period that it takes to trigger the IP blocking. If it is 10 failed logins in 3600 seconds, change it to 100 failed logins in 3600 seconds.

I am just trying to come up with ideas to help.
matalqah
Junior Member
Posts: 4
Joined: 09 Dec 2018, 13:33


Post by matalqah »

Thanks Firewalls4Life,

LFD Ignore will help in case the client has a static IP, but I think it won't be very helpful with dynamic IPs.
About changing the threshold, it will help somehow, but the issue is that sometimes it's the wrong password in Outlook or on a mobile phone, which will keep trying and cause the block again.

I do appreciate your ideas and they're really helpful. I've posted this suggestion here to address an issue that we're facing daily with our clients, and it would be very helpful if it could be added to CSF.

Regards
aegis
Junior Member
Posts: 12
Joined: 31 Jan 2010, 00:13


Post by aegis »

I would second this suggestion.

I come across a couple of scenarios where this causes an issue semi regularly.

The main one is a client has their email misconfigured on their phone. They walk in to work where it connects to wifi, blocking the entire office. Their office broadband does not have a static IP so can't be whitelisted.

The second is where their phone has switched IP so you end up with multiple IPs in the same class C. CSF will then block that entire class C meaning multiple people on the same mobile network operator are blocked.

Blocking IP addresses or an entire class C for failed mail logins is a very blunt instrument.