Thread: Cannot login to webmail from specific IP's

  1. #1
    Registered User (joined Jul 2012, 1 post; cPanel/WHM access level: Root Administrator)

    Hello to all!

    Sorry if this question has already been asked, I did a lot of searching and googling, but couldn't solve this problem. Feel free to point me to any link. My WHM version is 11.32.3 (build 21), running on CentOS 6.3. Using Dovecot and Exim. In advance, sorry for the long post, I'm trying to give as much info as I can.

    Two weeks ago one of our clients' cPanel accounts was hacked, among other things spammers used it for emails and put us on blacklists. After resolving that issue, I spent some time hardening my server, changing security options in "Tweak Settings" and "Exim configuration". Among other things, I enabled RBL checks. Now, I'm facing another problem:

    Several clients have reported that they cannot log in to Webmail or email clients. They can reach our server and login form, but after entering the correct u/p they receive a "Login failed. Wrong user/password"-like error. Using the same credentials, I can log in with no problems (note: I'm logging in from a totally different IP range). These are the lines from the logs:

    maillog:
    -----------
    Jul 20 07:24:23 creator dovecot: imap-login: Disconnected (auth failed, 3 attempts): user=<office@xx.com>, method=PLAIN, rip=109.x.x.x, lip=88.x.x.x, TLS

    exim_mainlog shows that emails are successfully sent/delivered:
    ---------
    2012-07-20 12:32:21 1SsAVR-00024W-8p => office <office@xx.com> R=virtual_user T=virtual_userdelivery
    2012-07-20 12:32:21 1SsAVR-00024W-8p Completed

    exim_rejectlog:
    --------
    2012-07-20 08:53:08 dovecot_plain authenticator failed for ([127.0.0.1]) [109.x.x.x]:29120: 535 Incorrect authentication data (set_id=office@xx.com)

    And, yes - their IP 109.x.x.x is blacklisted in Barracuda and several others. So, as far as I see, RBLs are doing just fine.

    Anyway, in order to prevent clients from leaving us, I've decided to remove all the security measures I made, disabling RBL as well. Their IP is not listed in firewall/hosts.deny. But they still cannot log in to webmail, with the same Auth error and log entries.

    Can you give me some advice, what else and more to do? Did I miss some security options?

    Thank you in advance!
    Best regards!

  2. #2
    Registered User (joined Aug 2012, 1 post; cPanel/WHM access level: Website Owner)

    I have the same problem. How did you solve it? I talked to Barracuda Central to remove my IP from the blacklist. I'm waiting to see if I can now access the webmail. Obviously the username and password are correct. With a different IP, webmail is accessed normally. Is there any information about this anomaly? Thank you.

  3. #3
    cPanel Staff cPanelTristan (joined Oct 2010, 7,611 posts; location: somewhere over the rainbow; cPanel/WHM access level: Root Administrator)

    Hello,

    Do you happen to have CSF or cPHulk Brute Force Protection enabled? If you do, check /var/log/lfd.log to see if it is temporarily blocking the IP. For cPHulk, check the logs in WHM > cPHulk Brute Force Protection if it might be locking out the account during that time period.

    You can also check their IP in command line for cPHulk using:

    Code:
    mysql -e "select * from cphulkd.brutes" | grep IP#

    Please replace IP# with the client's IP number. You might also check the blacklist:

    Code:
    mysql -e "select * from cphulkd.blacklist" | grep IP#

    During troubleshooting, you may also wish to disable CSF and/or cPHulk Brute Force Protection to see the results for their login attempts.

    Thanks!
    -- Tristan, Technical Analyst III, Forums Specialist, cPanel Tech Support
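
Added example, not part of the thread and not cPanel tooling: a small Python parser for the two failure formats quoted in the first post (Dovecot `auth failed` lines in maillog and `authenticator failed` lines in exim_rejectlog) that totals failed logins per remote IP, giving the list of addresses worth looking up in /var/log/lfd.log and the cphulkd tables named in the reply above. The sample lines are constructed with documentation addresses, and the function names and the threshold of 5 are assumptions, not CSF or cPHulk defaults.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the log formats quoted in the first post;
# addresses and domains are documentation values, not data from the thread.
MAILLOG = """\
Jul 20 07:24:23 creator dovecot: imap-login: Disconnected (auth failed, 3 attempts): user=<office@example.com>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10, TLS
Jul 20 07:25:02 creator dovecot: imap-login: Login: user=<info@example.com>, method=PLAIN, rip=198.51.100.4, lip=192.0.2.10, TLS
Jul 20 07:31:40 creator dovecot: imap-login: Disconnected (auth failed, 2 attempts): user=<office@example.com>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10, TLS
"""
EXIM_REJECTLOG = """\
2012-07-20 08:53:08 dovecot_plain authenticator failed for ([127.0.0.1]) [203.0.113.7]:29120: 535 Incorrect authentication data (set_id=office@example.com)
2012-07-20 08:55:11 dovecot_plain authenticator failed for (pc) [198.51.100.9]:51144: 535 Incorrect authentication data (set_id=admin@example.com)
"""

# Dovecot reports several failed attempts in one disconnect line.
DOVECOT_RE = re.compile(
    r"dovecot: (?:imap|pop3)-login: .*\(auth failed, (?P<n>\d+) attempts[^)]*\)"
    r".*user=<(?P<user>[^>]*)>.*\brip=(?P<ip>[^,\s]+)")
# Exim logs one line per failed SMTP AUTH; the client IP is the last [..] before ": 535".
EXIM_RE = re.compile(
    r"\w+ authenticator failed for .*\[(?P<ip>[^\]]+)\](?::\d+)?: 535 "
    r".*\(set_id=(?P<user>[^)]*)\)")


def failed_auths(maillog, rejectlog):
    """Return {ip: {"mailbox": n, "smtp": n, "users": set}} of failed logins."""
    stats = defaultdict(lambda: {"mailbox": 0, "smtp": 0, "users": set()})
    for line in maillog.splitlines():
        m = DOVECOT_RE.search(line)
        if m:  # successful "Login:" lines do not match
            stats[m["ip"]]["mailbox"] += int(m["n"])
            stats[m["ip"]]["users"].add(m["user"])
    for line in rejectlog.splitlines():
        m = EXIM_RE.search(line)
        if m:
            stats[m["ip"]]["smtp"] += 1
            stats[m["ip"]]["users"].add(m["user"])
    return dict(stats)


def lockout_candidates(stats, threshold=5):
    """IPs whose combined failures reach `threshold` (assumed value, tune to your policy)."""
    return sorted(ip for ip, s in stats.items()
                  if s["mailbox"] + s["smtp"] >= threshold)


if __name__ == "__main__":
    for ip in lockout_candidates(failed_auths(MAILLOG, EXIM_REJECTLOG)):
        print("check lfd.log / cphulkd for", ip)
```

On a live server, pass the contents of the real maillog and exim_rejectlog instead of the embedded samples.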
