IMAP/POP3 failed login IP block is not working

7 posts Page 1 of 1
sreenath_v
Junior Member
Posts: 1
Joined: 15 Mar 2018, 11:50


Hi,

I tried to configure failed IMAP and POP3 login IP blocks in CSF config, by setting the following directives.

LF_IMAPD = "10"
LF_IMAPD_PERM = "120"

LF_POP3D = "10"
LF_POP3D_PERM = "120"

But it doesn't work and the IP is not getting blocked in CSF when checked using csf -g <IP_Address>. I have verified that the IMAP/POP3 login attempts from the IP have exceeded the limit set(10), from the corresponding logs at '/var/log/maillog' .

It is working fine for SMTP when the below values are set,

LF_SMTPAUTH = "10"
LF_SMTPAUTH_PERM = "120"

With the above settings in place, the IP is getting blocked when it exceeds 10 SMTP failed logins and gets unblocked again in 2 minutes as per the 'LF_SMTPAUTH_PERM' value set.

But the same is not happening with both IMAP and POP3. The IP is not even getting blocked after 10 failed logins. Unlike SMTP, I noticed the above comments on top of both IMAP and POP3 sections,

# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
# this file about RESTRICT_SYSLOG before enabling this option:

The 'RESTRICT_SYSLOG' was enabled earlier and set to 3 in my csf.conf. I tried to to disable it by changing the value to both 0 and 2, but still the LF_IMAPD and LF_POP3D settings have no effect and the IPs are not getting blocked after failed logins.

I am trying to adjust the CSF settings to 10 login retries and 2 minutes temporary ban for IMAP, POP and SMTP protocols. SMTP is fine now and is there any further settings that need to be modified in order to get IMAP and POP3 working?

I tried to enable some other settings like LF_TRIGGER and LT_IMAPD, but the IPs are still not getting blocked.

Any help or suggestions would be appreciated.

Thanks!
iodisciple
Junior Member
Posts: 33
Joined: 09 Jan 2018, 12:52


What are the exact errors in the log? It might be that CSF/LFD are not able to pick it up and you need to configure a custom regex.
viewtopic.php?f=6&t=7517
Pedro
Junior Member
Posts: 4
Joined: 29 Mar 2018, 15:48


Hello,

I am having the same problem, our servers are working with centos7 with cPanel and the CSF blocking settings are not working, even putting limitation of failed attempts, IP is not blocked.


[2018-03-28 14:33:15 -0300] info [webmaild] 187.82.244.164 - teste@domain.com.br "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN webmaild: user password incorrect
[2018-03-28 14:33:17 -0300] info [webmaild] 187.82.244.164 - teste@domain.com.br "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN webmaild: user password incorrect
[2018-03-28 14:33:17 -0300] info [webmaild] 187.82.244.164 - teste@domain.com.br "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN webmaild: user password incorrect
[2018-03-28 14:33:18 -0300] info [webmaild] 187.82.244.164 - teste@domain.com.br "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN webmaild: user password incorrect
[2018-03-28 14:33:18 -0300] info [webmaild] 187.82.244.164 - teste@domain.com.br "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN webmaild: user password incorrect
[2018-03-28 14:33:19 -0300] info [webmaild] 187.82.244.164 - teste@domain.com.br "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN webmaild: user password incorrect
[2018-03-28 14:33:19 -0300] info [webmaild] 187.82.244.164 - teste@domain.com.br "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN webmaild: user password incorrect
[2018-03-28 14:33:19 -0300] info [webmaild] 187.82.244.164 - teste@domain.com.br "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN webmaild: user password incorrect
[2018-03-28 14:33:19 -0300] info [webmaild] 187.82.244.164 - teste@domain.com.br "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN webmaild: user password incorrect
[2018-03-28 14:33:19 -0300] info [webmaild] 187.82.244.164 - teste@domain.com.br "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN webmaild: user password incorrect
[2018-03-28 14:33:19 -0300] info [webmaild] 187.82.244.164 - teste@domain.com.br "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN webmaild: user password incorrect
[2018-03-28 14:33:20 -0300] info [webmaild] 187.82.244.164 - teste@domain.com.br "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN webmaild: user password incorrect
[2018-03-28 14:33:20 -0300] info [webmaild] 187.82.244.164 - teste@domain.com.br "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN webmaild: user password incorrect
[2018-03-28 14:33:20 -0300] info [webmaild] 187.82.244.164 - teste@domain.com.br "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN webmaild: user password incorrect
[2018-03-28 14:33:21 -0300] info [webmaild] 187.82.244.164 - teste@domain.com.br "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN webmaild: user password incorrect
[2018-03-28 14:33:21 -0300] info [webmaild] 187.82.244.164 - teste@domain.com.br "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN webmaild: user password incorrect
[2018-03-28 14:33:22 -0300] info [webmaild] 187.82.244.164 - teste@domain.com.br "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN webmaild: user password incorrect
[2018-03-28 14:33:22 -0300] info [webmaild] 187.82.244.164 - teste@domain.com.br "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN webmaild: user password incorrect
[2018-03-28 14:33:22 -0300] info [webmaild] 187.82.244.164 - teste@domain.com.br "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN webmaild: user password incorrect
[2018-03-28 14:33:22 -0300] info [webmaild] 187.82.244.164 - teste@domain.com.br "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN webmaild: user password incorrect
[2018-03-28 14:33:22 -0300] info [webmaild] 187.82.244.164 - teste@domain.com.br "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN webmaild: user password incorrect
[2018-03-28 14:33:23 -0300] info [webmaild] 187.82.244.164 - teste@domain.com.br "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN webmaild: user password incorrect
[2018-03-28 14:33:23 -0300] info [webmaild] 187.82.244.164 - teste@domain.com.br "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN webmaild: user password incorrect
[2018-03-28 14:33:23 -0300] info [webmaild] 187.82.244.164 - teste@domain.com.br "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN webmaild: user password incorrect
[2018-03-28 14:33:24 -0300] info [webmaild] 187.82.244.164 - teste@domain.com.br "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN webmaild: user password incorrect
[2018-03-28 14:33:24 -0300] info [webmaild] 187.82.244.164 - teste@domain.com.br "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN webmaild: user password incorrect
[2018-03-28 14:33:24 -0300] info [webmaild] 187.82.244.164 - teste@domain.com.br "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN webmaild: user password incorrect
[2018-03-28 14:33:24 -0300] info [webmaild] 187.82.244.164 - teste@domain.com.br "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN webmaild: user password incorrect
[2018-03-28 14:33:25 -0300] info [webmaild] 187.82.244.164 - teste@domain.com.br "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN webmaild: user password incorrect
[2018-03-28 14:33:25 -0300] info [webmaild] 187.82.244.164 - teste@domain.com.br "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN webmaild: user password incorrect
[2018-03-28 14:33:25 -0300] info [webmaild] 187.82.244.164 - teste@domain.com.br "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN webmaild: user password incorrect
[2018-03-28 14:33:25 -0300] info [webmaild] 187.82.244.164 - teste@domain.com.br "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN webmaild: user password incorrect
[2018-03-28 14:33:26 -0300] info [webmaild] 187.82.244.164 - teste@domain.com.br "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN webmaild: user password incorrect
[2018-03-28 14:33:26 -0300] info [webmaild] 187.82.244.164 - teste@domain.com.br "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN webmaild: user password incorrect
[2018-03-28 14:33:26 -0300] info [webmaild] 187.82.244.164 - teste@domain.com.br "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN webmaild: user password incorrect
[2018-03-28 14:33:26 -0300] info [webmaild] 187.82.244.164 - teste@domain.com.br "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN webmaild: user password incorrect
[2018-03-28 14:33:27 -0300] info [webmaild] 187.82.244.164 - teste@domain.com.br "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN webmaild: user password incorrect
[2018-03-28 14:33:27 -0300] info [webmaild] 187.82.244.164 - teste@domain.com.br "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN webmaild: user password incorrect
[2018-03-28 14:33:28 -0300] info [webmaild] 187.82.244.164 - teste@domain.com.br "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN webmaild: user password incorrect
[2018-03-28 14:33:28 -0300] info [webmaild] 187.82.244.164 - teste@domain.com.br "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN webmaild: user password incorrect
[2018-03-28 14:33:28 -0300] info [webmaild] 187.82.244.164 - teste@domain.com.br "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN webmaild: user password incorrect
[2018-03-28 14:33:28 -0300] info [webmaild] 187.82.244.164 - teste@domain.com.br "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN webmaild: user password incorrect
[2018-03-28 14:33:28 -0300] info [webmaild] 187.82.244.164 - teste@domain.com.br "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN webmaild: user password incorrect
[2018-03-28 14:33:29 -0300] info [webmaild] 187.82.244.164 - teste@domain.com.br "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN webmaild: user password incorrect
[2018-03-28 14:33:29 -0300] info [webmaild] 187.82.244.164 - teste@domain.com.br "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN webmaild: user password incorrect
[2018-03-28 14:33:29 -0300] info [webmaild] 187.82.244.164 - teste@domain.com.br "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN webmaild: user password incorrect
[2018-03-28 14:33:29 -0300] info [webmaild] 187.82.244.164 - teste@domain.com.br "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN webmaild: user password incorrect
[2018-03-28 14:33:30 -0300] info [webmaild] 187.82.244.164 - teste@domain.com.br "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN webmaild: user password incorrect
[2018-03-28 14:33:30 -0300] info [webmaild] 187.82.244.164 - teste@domain.com.br "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN webmaild: user password incorrect
[2018-03-28 14:33:30 -0300] info [webmaild] 187.82.244.164 - teste@domain.com.br "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN webmaild: user password incorrect
[2018-03-28 14:33:30 -0300] info [webmaild] 187.82.244.164 - teste@domain.com.br "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN webmaild: user password incorrect
[2018-03-28 14:33:31 -0300] info [webmaild] 187.82.244.164 - teste@domain.com.br "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN webmaild: user password incorrect
[2018-03-28 14:33:31 -0300] info [webmaild] 187.82.244.164 - teste@domain.com.br "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN webmaild: user password incorrect
[2018-03-28 14:33:31 -0300] info [webmaild] 187.82.244.164 - teste@domain.com.br "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN webmaild: user password incorrect
[2018-03-28 14:33:31 -0300] info [webmaild] 187.82.244.164 - teste@domain.com.br "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN webmaild: user password incorrect
[2018-03-28 14:33:31 -0300] info [webmaild] 187.82.244.164 - teste@domain.com.br "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN webmaild: user password incorrect
ForumAdmin
Moderator
Posts: 1432
Joined: 01 Oct 2008, 09:24


We're unable to replicate any such problem:
Code: Select all
# grep 187.82.244.164 /usr/local/cpanel/logs/login_log
[2018-03-28 14:33:31 -0300] info [webmaild] 187.82.244.164 - teste@domain.com.br "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN webmaild: user password incorrect
[2018-03-28 14:33:31 -0300] info [webmaild] 187.82.244.164 - teste@domain.com.br "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN webmaild: user password incorrect
[2018-03-28 14:33:31 -0300] info [webmaild] 187.82.244.164 - teste@domain.com.br "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN webmaild: user password incorrect
[2018-03-28 14:33:31 -0300] info [webmaild] 187.82.244.164 - teste@domain.com.br "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN webmaild: user password incorrect
[2018-03-28 14:33:31 -0300] info [webmaild] 187.82.244.164 - teste@domain.com.br "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN webmaild: user password incorrect
[2018-03-28 14:33:31 -0300] info [webmaild] 187.82.244.164 - teste@domain.com.br "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN webmaild: user password incorrect
Code: Select all
# grep 187.82.244.164 /var/log/lfd.log
Mar 30 09:29:15 homer lfd[3049]: (cpanel) Failed cPanel login from 187.82.244.164 (BR/Brazil/-/-/164.244.82.187.isp.timbrasil.com.br/[AS26615 Tim Celular S.A.]): 3 in the last 3600 secs - *Blocked in csf* [LF_CPANEL]
So the problem would appears to be with your configuration.
Pedro
Junior Member
Posts: 4
Joined: 29 Mar 2018, 15:48


Hello,
It turns out that it is set equal sreenath v, but still it is as if it was not active
Pedro
Junior Member
Posts: 4
Joined: 29 Mar 2018, 15:48


Hello sreenath_v,

I do not know if you also work with cPanel, but I have managed to solve my problem and maybe I can solve or help solve your problem.

I have identified that the following parameters are not configured in the csf.conf file.

LF_CPANEL = ""
LF_CPANEL_PERM = ""

And the directories regarding the LOGS that I believe the CSF make their consultations in order to effect the blockades.

in my case:

CPANEL_LOG = "/usr/local/cpanel/logs/login_log"
CPANEL_ACCESSLOG = "/usr/local/cpanel/logs/access_log"

The lack of these parameters is occurring in the version of csf for centos7

I hope it helps.
ForumAdmin
Moderator
Posts: 1432
Joined: 01 Oct 2008, 09:24


If you are missing those parameters in your csf.conf then you have not installed the cPanel version of csf but the generic version. If you edit /etc/csf/csf.conf and set GENERIC to "0" and then run "csf -uf" it should install the correct version of csf. This usually happens if you install csf before installing cPanel.
7 posts Page 1 of 1