csf/lfd not blocking failed attempts on cPanel webmaild logins

jcx
Junior Member
Posts: 7
Joined: 18 Oct 2019, 00:23

csf/lfd not blocking failed attempts on cPanel webmaild logins

Post by jcx »

Hi!

I'm having a bit of an issue with csf/lfd blocking cPanel webmaild logins. I just checked my log in /var/local/cpanel/log/login_log and there are hundreds if not thousands of attempts to log in to accounts on the server which haven't been picked up by LFD (and subsequently blocked by CSF).

I'm wondering how I would go about adding these entries to be scanned by LFD?

The entries look like this:

[2019-10-18 00:21:59 +0100] info [webmaild] 127.0.0.95 - user@example.com "GET / HTTP/1.1" FAILED LOGIN webmaild: user password hash is missing from system (user probably does not exist).

Is there a way to scan this file for IPs and add them to CSF (in a batch now) and then continue scanning it in the future?

Kind regards,
Jess
jcx
Junior Member
Posts: 7
Joined: 18 Oct 2019, 00:23

Re: csf/lfd not blocking failed attempts on cPanel webmaild logins

Post by jcx »

Alright, I think I figured this out... I had some help getting the data already in the file into the blocklist with awk, sort, grep and cut...

So I've added this to the regex.custom.pm file in /etc/csf

# Custom lfd match for failed webmaild logins: capture the client IP ($1)
# from any login_log line containing "FAILED LOGIN webmaild:".
# The "5" is the trigger count (failures before lfd acts).
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /^\[.*\] info \[webmaild\] (\d+\.\d+\.\d+\.\d+) - .* FAILED LOGIN webmaild: .*/)) {
    return ("Failed webmaild login from",$1,"webmaildfailure","5","1","1");
}
And added:

CUSTOM1_LOG = "/usr/local/cpanel/logs/login_log"

to csf.conf in /etc/csf.

I'll monitor it for a while and see if this works, though I'm not sure why CSF/LFD isn't detecting failed webmaild logins in the first place...

Regards,
Jess
jcx
Junior Member
Posts: 7
Joined: 18 Oct 2019, 00:23

Re: csf/lfd not blocking failed attempts on cPanel webmaild logins

Post by jcx »

After testing for a little while, it seems to work, however it's a little slow.

If I've got the number of block attempts set at say 5, it will actually allow about 8 through before the block becomes active.

I really think someone from ConfigServer needs to check to see if there's a problem with the latest version so that people don't find out the way I did... it panicked me to the point where I was shaking. One IP in particular made about 1700 attempts at brute forcing different accounts.

I would never have noticed were it not for getting information together to update the privacy policies for GDPR compliance and making sure that logs are only stored for the appropriate length of time. I suppose it's a coarse reminder that you need to make sure security products are actually working with testing, rather than just relying on a green box saying it's running... It might not be working as intended.

Kind regards,
Jess
ForumAdmin
Moderator
Posts: 1523
Joined: 01 Oct 2008, 09:24

Re: csf/lfd not blocking failed attempts on cPanel webmaild logins

Post by ForumAdmin »

We're unable to replicate this, apart from the fact that the IP you have listed in your logs is a localhost one, 127.0.0.95, which csf will not block. If that is changed to a public IP address the log file regex triggers as expected.

You are most likely seeing a local IP if you have WHM > Tweak Settings > Service subdomains enabled. This is a known security risk for this very reason and is why a warning is issued for it in the csf server report.
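The following is an added example, not code from the thread or from csf itself: it replays jcx's regex.custom.pm pattern over constructed login_log lines (the line format quoted in the first post), counts failures per source IP, drops loopback addresses the way ForumAdmin says csf does, and reports which IPs reach the trigger count. It is a way to check offline that a custom pattern and threshold behave as expected before relying on lfd; the sample addresses and the non-failure line are constructed.

```python
import re
import ipaddress
from collections import Counter

# The pattern jcx added to regex.custom.pm, transcribed into Python syntax.
WEBMAILD_FAIL = re.compile(
    r'^\[.*\] info \[webmaild\] (\d+\.\d+\.\d+\.\d+) - .* FAILED LOGIN webmaild: .*'
)

# Constructed sample lines in the login_log format quoted in the thread
# (the failure reason text is the one from the original post).
def _fail_line(ip, user, second):
    return (f'[2019-10-18 00:21:{second:02d} +0100] info [webmaild] {ip} - {user} '
            '"GET / HTTP/1.1" FAILED LOGIN webmaild: user password hash is missing '
            'from system (user probably does not exist).')

SAMPLE_LOG = (
    [_fail_line("127.0.0.95", f"u{i}@example.com", i) for i in range(6)]          # loopback, 6 failures
    + [_fail_line("203.0.113.7", f"u{i}@example.com", 10 + i) for i in range(6)]  # external, 6 failures
    + [_fail_line("198.51.100.4", "x@example.com", 20),
       _fail_line("198.51.100.4", "y@example.com", 21)]                           # external, 2 failures
    + ['[2019-10-18 00:21:30 +0100] info [webmaild] 203.0.113.7 - u0@example.com '
       '"GET / HTTP/1.1" constructed non-failure line']                           # must not match
)

def failed_login_ips(lines):
    """Yield the source IP of every line the custom regex matches."""
    for line in lines:
        m = WEBMAILD_FAIL.match(line)
        if m:
            yield m.group(1)

def count_blockable_failures(lines):
    """Count failures per IP, dropping loopback addresses, which csf never blocks
    (the reason ForumAdmin gives for the 127.0.0.95 line not triggering a block)."""
    counts = Counter()
    for ip in failed_login_ips(lines):
        if not ipaddress.ip_address(ip).is_loopback:
            counts[ip] += 1
    return counts

def ips_over_threshold(lines, threshold=5):
    """IPs whose failure count reaches the trigger count (the "5" in jcx's return tuple)."""
    return sorted(ip for ip, n in count_blockable_failures(lines).items() if n >= threshold)

if __name__ == "__main__":
    print(count_blockable_failures(SAMPLE_LOG))   # Counter({'203.0.113.7': 6, '198.51.100.4': 2})
    print(ips_over_threshold(SAMPLE_LOG))         # ['203.0.113.7']
```

Pointing the script at a real login_log (one line per list element) shows immediately whether a source that should have been blocked is loopback, below the threshold, or simply not matched by the pattern.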
jcx
Junior Member
Posts: 7
Joined: 18 Oct 2019, 00:23

Re: csf/lfd not blocking failed attempts on cPanel webmaild logins

Post by jcx »

Hiya,

I anonymised the IP, it's an external one in the actual log files... hmm. If you can't replicate it, I wonder what's going on with my configuration... everything else is working fine (cPanel login blocks, SSHD, mod_security)... just not webmaild until I added that custom regex to the custom file.

I don't have proxy domains enabled, the only things in the CSF "Check Server Security" thing that are highlighted are "Consider using OSM", "Change SSH Standard Port", "Check reset password for sub-accounts" and "Check name-servers".

I'm running CloudLinux 7.7 with kernel 3.10.0-962.3.2.lve1.5.26.4.el7.x86_64.

I've also got cxs enabled (via ModSecurity, and real time file watching), as well as the OWASP default rules and Comodo's WAF ruleset too...

Kind regards,
Jess