popeye

Well-Known Member
May 23, 2013
364
2
18
Texas
cPanel Access Level
Root Administrator
Hi does anyone know why this keeps happening below ? one of my customers keeps getting blocked


Time: Fri Jul 5 20:20:46 2013 +0100
IP: 000.000.000.00 (GB/United Kingdom/-)
Failures: 5 (smtpauth)
Interval: 3600 seconds
Blocked: Permanent Block

Log entries:

2013-07-05 20:05:47 dovecot_plain authenticator failed for ([00.000.000.00]) [000.000.000.00]:44737: 535 Incorrect authentication data ([email protected],com)
 

cPanelMichael

Technical Support Community Manager
Staff member
Apr 11, 2011
47,911
2,233
363
cPanel Access Level
DataCenter Provider
Twitter
Hello :)

Check to see if their email account is listed in the "Login/Brute History Report" within "WHM Home » Security Center » cPHulk Brute Force Protection". It's possible there have been brute force attempts on their email account or several failed login attempts that have resulted in it getting blocked by cPhulkd.

Thank you.
 

popeye

Well-Known Member
May 23, 2013
364
2
18
Texas
cPanel Access Level
Root Administrator
Hi when i look in cPHulk there is only one in login / brute force history report and when i look in Black List (Rejected IP List) its empty.
 

quietFinn

Well-Known Member
Feb 4, 2006
1,066
31
178
Finland
cPanel Access Level
Root Administrator
Hi does anyone know why this keeps happening below ? one of my customers keeps getting blocked


Time: Fri Jul 5 20:20:46 2013 +0100
IP: 000.000.000.00 (GB/United Kingdom/-)
Failures: 5 (smtpauth)
Interval: 3600 seconds
Blocked: Permanent Block

Log entries:

2013-07-05 20:05:47 dovecot_plain authenticator failed for ([00.000.000.00]) [000.000.000.00]:44737: 535 Incorrect authentication data ([email protected],com)
That message is from CSF (ConfigServer Firewall).
If you go to WHM-> Plugins-> ConfigServer Security & Firewall-> Firewall Configuration-> Login Failure Blocking and Alerts
you see that you have:
LF_SMTPAUTH = 5
LF_SMTPAUTH_PERM = 1

which means that after 5 failed logins from an IP the IP is blocked permanently.
 

popeye

Well-Known Member
May 23, 2013
364
2
18
Texas
cPanel Access Level
Root Administrator
Hi how do i disable the block ? to stop customers getting blocked

Does this mean the customer as some email settings wrong ?
 
Last edited:

LDHosting

Well-Known Member
Jan 19, 2008
93
2
58
cPanel Access Level
Root Administrator
I thought it would be there settings thanks very much for the help. :)
It may be worth keeping in mind that by disabling that setting, you are also disabling LFD's ability to detect and block brute force attacks on your smtp server. Unless you have something else running to do this, such as cPHulk, bots may be able to obtain mailbox passwords via brute force attacks.