Failed imap logins not being blocked csf v14.19


Post by philh »

Since the upgrade to 14.19, repeated failed imapd logins in maillog are no longer getting blocked.
For example, the following (obfuscated) maillog entries did not result in a block, which they would have in earlier versions:

Jul 30 23:09:04 vps dovecot: imap-login: Disconnected: Aborted login by logging out (auth failed, 2 attempts in 8 secs): user=<someone@example.org>, method=PLAIN, rip=1.2.3.4, lip=5.6.7.8, TLS, session=<8TJlj7sBiPRRsvAT>
Jul 30 23:09:16 vps dovecot: imap-login: Disconnected: Aborted login by logging out (auth failed, 2 attempts in 12 secs): user=<someone@example.org>, method=PLAIN, rip=1.2.3.4, lip=5.6.7.8, TLS, session=<dMPbj7sBoPRRsvAT>
Jul 30 23:09:16 vps dovecot: imap-login: Disconnected: Aborted login by logging out (auth failed, 2 attempts in 12 secs): user=<someone@example.org>, method=PLAIN, rip=1.2.3.4, lip=5.6.7.8, TLS, session=<Ktjbj7sBofRRsvAT>
Jul 30 23:09:25 vps dovecot: imap-login: Disconnected: Aborted login by logging out (auth failed, 2 attempts in 4 secs): user=<someone@example.org>, method=PLAIN, rip=1.2.3.4, lip=5.6.7.8, TLS, session=<OQ7kkLsBqfRRsvAT>
Jul 30 23:09:29 vps dovecot: imap-login: Disconnected: Aborted login by logging out (auth failed, 2 attempts in 4 secs): user=<someone@example.org>, method=PLAIN, rip=1.2.3.4, lip=5.6.7.8, TLS, session=<IFAdkbsBq/RRsvAT>
Jul 30 23:09:29 vps dovecot: imap-login: Disconnected: Aborted login by logging out (auth failed, 2 attempts in 4 secs): user=<someone@example.org>, method=PLAIN, rip=1.2.3.4, lip=5.6.7.8, TLS, session=<5j8dkbsBqvRRsvAT>
Jul 30 23:09:36 vps dovecot: imap-login: Disconnected: Aborted login by logging out (auth failed, 2 attempts in 4 secs): user=<someone@example.org>, method=PLAIN, rip=1.2.3.4, lip=5.6.7.8, TLS, session=<vUCPkbsBwvRRsvAT>
Jul 30 23:09:40 vps dovecot: imap-login: Disconnected: Aborted login by logging out (auth failed, 2 attempts in 4 secs): user=<someone@example.org>, method=PLAIN, rip=1.2.3.4, lip=5.6.7.8, TLS, session=<LW3IkbsB8vRRsvAT>
Jul 30 23:09:44 vps dovecot: imap-login: Disconnected: Aborted login by logging out (auth failed, 2 attempts in 4 secs): user=<someone@example.org>, method=PLAIN, rip=1.2.3.4, lip=5.6.7.8, TLS, session=</pUFkrsB8/RRsvAT>
Jul 30 23:09:48 vps dovecot: imap-login: Disconnected: Aborted login by logging out (auth failed, 2 attempts in 4 secs): user=<someone@example.org>, method=PLAIN, rip=1.2.3.4, lip=5.6.7.8, TLS, session=<dBpCkrsB9PRRsvAT>
...
Not sure why this is, since the entries are picked up by the new amended dovecot regex.

We have not changed any settings in csf.conf since the upgrade. The relevant settings are:
LF_INTERVAL = "7200"
LF_IMAPD = "5"
LF_IMAPD_PERM = "1"

CentOS Linux release 7.9.2009
cPanel 110.0.8
dovecot 2.3.19.1

Post by philh »

I created a custom rule containing the regex copied as-is from RegexMain.pm and this successfully blocks offending IPs.

As far as we can see, all other types of blocking are working correctly.
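
An offline cross-check of a maillog against the thresholds quoted above, added here as an example; it is not part of the original thread and is not csf/lfd code. The regex is written for this example and is not the one in RegexMain.pm, counting one failure per matching line and the default year are assumptions, and the sample lines are constructed in the format shown in the first post.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

LF_IMAPD, LF_INTERVAL = 5, 7200  # failure limit and window (seconds) from the post

# Pattern written for this example; NOT the regex from RegexMain.pm.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\sdovecot(?:\[\d+\])?:\s"
    r"imap-login:\s(?:Disconnected|Aborted login).*?\(auth failed,\s"
    r"(?P<n>\d+)\sattempts?.*?\brip=(?P<rip>[0-9A-Fa-f:.]+),"
)

# Constructed sample lines (documentation IP ranges, made-up session ids).
_FMT = ("Jul 30 23:09:{s:02d} vps dovecot: imap-login: Disconnected: Aborted login "
        "by logging out (auth failed, 2 attempts in 4 secs): user=<someone@example.org>, "
        "method=PLAIN, rip={ip}, lip=198.51.100.5, TLS, session=<constructed{s}>")
SAMPLE = [_FMT.format(s=s, ip="192.0.2.10") for s in (4, 16, 25, 29, 36, 40)]
SAMPLE += [_FMT.format(s=s, ip="192.0.2.77") for s in (7, 50)]

def parse(line, year=2024):
    """Return (timestamp, remote_ip, attempts) for a failed IMAP login, else None.
    Syslog timestamps carry no year, so `year` is an assumed value."""
    m = FAIL_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["rip"], int(m["n"])

def first_trigger(lines, limit=LF_IMAPD, interval=LF_INTERVAL):
    """Map each remote IP to the time it first reached `limit` matching lines
    inside a sliding window of `interval` seconds."""
    window, hits = defaultdict(deque), {}
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, rip, _ = rec
        q = window[rip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > interval:
            q.popleft()  # drop failures that fell out of the window
        if len(q) >= limit and rip not in hits:
            hits[rip] = ts
    return hits

if __name__ == "__main__":
    for ip, ts in first_trigger(SAMPLE).items():
        print(f"{ip} reached {LF_IMAPD} failures at {ts:%b %d %H:%M:%S}")
```

Any IP this reports that is absent from the firewall's deny list at the reported time is a candidate for the behaviour described in the thread.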