authenticator failed

popeye · Jul 5, 2013

Hi does anyone know why this keeps happening below ? one of my customers keeps getting blocked

Time: Fri Jul 5 20:20:46 2013 +0100
IP: 000.000.000.00 (GB/United Kingdom/-)
Failures: 5 (smtpauth)
Interval: 3600 seconds
Blocked: Permanent Block

Log entries:

2013-07-05 20:05:47 dovecot_plain authenticator failed for ([00.000.000.00]) [000.000.000.00]:44737: 535 Incorrect authentication data ([email protected],com)

cPanelMichael · Jul 5, 2013

Hello

Check to see if their email account is listed in the "Login/Brute History Report" within "WHM Home » Security Center » cPHulk Brute Force Protection". It's possible there have been brute force attempts on their email account or several failed login attempts that have resulted in it getting blocked by cPhulkd.

Thank you.

popeye · Jul 5, 2013

Hi when i look in cPHulk there is only one in login / brute force history report and when i look in Black List (Rejected IP List) its empty.

quietFinn · Jul 5, 2013

popeye said:
Hi does anyone know why this keeps happening below ? one of my customers keeps getting blocked

Time: Fri Jul 5 20:20:46 2013 +0100
IP: 000.000.000.00 (GB/United Kingdom/-)
Failures: 5 (smtpauth)
Interval: 3600 seconds
Blocked: Permanent Block

Log entries:

2013-07-05 20:05:47 dovecot_plain authenticator failed for ([00.000.000.00]) [000.000.000.00]:44737: 535 Incorrect authentication data ([email protected],com)

That message is from CSF (ConfigServer Firewall).
If you go to WHM-> Plugins-> ConfigServer Security & Firewall-> Firewall Configuration-> Login Failure Blocking and Alerts
you see that you have:
LF_SMTPAUTH = 5
LF_SMTPAUTH_PERM = 1

which means that after 5 failed logins from an IP the IP is blocked permanently.

popeye · Jul 5, 2013

Hi how do i disable the block ? to stop customers getting blocked

Does this mean the customer as some email settings wrong ?

quietFinn · Jul 5, 2013

popeye said:
Hi how do i disable the block ? to stop customers getting blocked

if you want to disable SMTP failure detections you set:
LF_SMTPAUTH = 0

popeye said:
Does this mean the customer as some email settings wrong ?

Most likely yes.

popeye · Jul 5, 2013

I thought it would be there settings thanks very much for the help.

LDHosting · Jul 6, 2013

popeye said:
I thought it would be there settings thanks very much for the help.

It may be worth keeping in mind that by disabling that setting, you are also disabling LFD's ability to detect and block brute force attacks on your smtp server. Unless you have something else running to do this, such as cPHulk, bots may be able to obtain mailbox passwords via brute force attacks.

popeye · Jul 6, 2013

Yes i have cPHulk but also never disabled it after because its got to be the customers settings that are incorrect.

Thread starter	Similar threads	Forum	Replies	Date
U	SOLVED Switch user from normal user to root failed	Security	2	May 14, 2023
G	SOLVED MD5 checksum failed on some files. Validation required.	Security	2	May 3, 2023
P	lfd on example.com SYSLOG Check Failed - Problem with logging.	Security	4	Feb 27, 2023
A	Multiple dovecot_login authenticator failed	Security	2	Jan 21, 2023
E	Two factor authentication with Google Authenticator Delay issues	Security	3	Jul 6, 2016

Search

Search

authenticator failed

popeye

Well-Known Member

cPanelMichael

Administrator

popeye

Well-Known Member

quietFinn

Well-Known Member

popeye

Well-Known Member

quietFinn

Well-Known Member

popeye

Well-Known Member

LDHosting

Well-Known Member

popeye

Well-Known Member