The Community Forums


Cannot login to webmail from specific IP's

Discussion in 'E-mail Discussions' started by salgeras, Jul 20, 2012.

  1. salgeras (Registered; cPanel Access Level: Root Administrator)

    Hello to all!

    Sorry if this question has already been asked; I did a lot of searching and googling, but couldn't solve this problem. Feel free to point me to any link. My WHM version is 11.32.3 (build 21), running on CentOS 6.3, using Dovecot and Exim. In advance, sorry for the long post, I'm trying to give as much info as I can ;)

    Two weeks ago one of our clients' cPanel accounts was hacked; among other things, spammers used it for emails and put us on blacklists. After resolving that issue, I spent some time hardening my server, changing security options in "Tweak Settings" and "Exim configuration". Among other things, I enabled RBL checks. Now I'm facing another problem:

    Several clients have reported that they cannot log in to Webmail or email clients. They can reach our server and the login form, but after entering the correct u/p they receive a "Login failed. Wrong user/password"-like error. Using the same credentials, I can log in with no problems (note: I'm logging in from a totally different IP range). These are the lines from the logs:

    maillog:
    -----------
    Jul 20 07:24:23 creator dovecot: imap-login: Disconnected (auth failed, 3 attempts): user=<office@xx.com>, method=PLAIN, rip=109.x.x.x, lip=88.x.x.x, TLS

    exim_mainlog shows that emails are successfully sent/delivered:
    ---------
    2012-07-20 12:32:21 1SsAVR-00024W-8p => office <office@xx.com> R=virtual_user T=virtual_userdelivery
    2012-07-20 12:32:21 1SsAVR-00024W-8p Completed

    exim_rejectlog:
    --------
    2012-07-20 08:53:08 dovecot_plain authenticator failed for ([127.0.0.1]) [109.x.x.x]:29120: 535 Incorrect authentication data (set_id=office@xx.com)

    And, yes - their IP 109.x.x.x is blacklisted in Barracuda and several others. So, as far as I see, RBLs are doing just fine ;)

    Anyway, in order to prevent clients from leaving us, I've decided to remove all the security measures I had made, disabling RBLs as well. Their IP is not listed in the firewall or hosts.deny. But they still cannot log in to webmail; the same auth error and log entries.

    Can you give me some advice on what else to do? Did I miss some security options?

    Thank you in advance!
    Best regards!
     
  2. johnny2k (Registered; cPanel Access Level: Website Owner)

    I have the same problem. How did you solve it? I talked to Barracuda Central to remove my IP from the blacklist. I'm waiting to see if I can now access the webmail. Obviously the username and password are correct. From a different IP, webmail is accessed regularly. Any information about this anomaly? Thank you.
     
  3. cPanelTristan (Quality Assurance Analyst, Staff Member; Location: somewhere over the rainbow; cPanel Access Level: Root Administrator)

    Hello,

    Do you happen to have CSF or cPHulk Brute Force Protection enabled? If you do, check /var/log/lfd.log to see if it is temporarily blocking the IP. For cPHulk, check the logs in WHM > cPHulk Brute Force Protection if it might be locking out the account during that time period.

    You can also check their IP in command line for cPHulk using:

    Code:
    mysql -e "select * from cphulkd.brutes" | grep IP#

    Please replace IP# with the client's IP number. You might also check the blacklist:

    Code:
    mysql -e "select * from cphulkd.blacklist" | grep IP#

    During troubleshooting, you may also wish to disable CSF and/or cPHulk Brute Force Protection to see the results for their login attempts.

    Thanks!
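The checks above, put together as an added example (not code from the thread or from cPanel): for one client IP it counts Dovecot "auth failed" disconnects in maillog, looks for an lfd/CSF block line, and runs the two cPHulk queries if mysql is present. The log lines are constructed samples in the shape Dovecot and lfd typically write (an assumption); on a real server set MAILLOG and LFDLOG to /var/log/maillog and /var/log/lfd.log.

```shell
#!/bin/sh
# Constructed sample logs (not real server output) so the checks run offline.
SAMPLE_DIR=$(mktemp -d)
cat >"$SAMPLE_DIR/maillog" <<'EOF'
Jul 20 07:24:23 creator dovecot: imap-login: Disconnected (auth failed, 3 attempts): user=<office@example.com>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.5, TLS
Jul 20 07:31:02 creator dovecot: imap-login: Disconnected (auth failed, 3 attempts): user=<office@example.com>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.5, TLS
Jul 20 07:40:11 creator dovecot: imap-login: Login: user=<office@example.com>, method=PLAIN, rip=198.51.100.20, lip=192.0.2.5, TLS
EOF
cat >"$SAMPLE_DIR/lfd.log" <<'EOF'
Jul 20 07:31:05 creator lfd[2211]: (imapd) Failed IMAP login from 203.0.113.7 (XX/-/-): 5 in the last 3600 secs - *Blocked in csf* [LF_IMAPD]
EOF
# Real paths can be supplied through the environment; defaults are the samples.
MAILLOG="${MAILLOG:-$SAMPLE_DIR/maillog}"
LFDLOG="${LFDLOG:-$SAMPLE_DIR/lfd.log}"

# Count Dovecot "auth failed" disconnects whose remote IP (rip= field) matches.
count_auth_failures() {
    esc=$(printf '%s' "$1" | sed 's/\./\\./g')   # literal dots in the regex
    grep -c "dovecot: .*auth failed.*rip=${esc}," "$MAILLOG" || true
}

# Succeed (and print the lines) if lfd recorded a CSF block for the IP.
lfd_blocked() {
    grep -F -- "$1" "$LFDLOG" | grep 'Blocked in csf'
}

# One report per IP: auth failures, lfd/CSF block, cPHulk tables (if mysql).
check_ip() {
    ip="$1"
    echo "$ip: $(count_auth_failures "$ip") Dovecot auth-failed disconnects"
    if lfd_blocked "$ip" >/dev/null; then
        echo "$ip: blocked by lfd/CSF:"; lfd_blocked "$ip"
    else
        echo "$ip: no lfd/CSF block found"
    fi
    if command -v mysql >/dev/null 2>&1; then
        mysql -e "select * from cphulkd.brutes" | grep -F -- "$ip" || true
        mysql -e "select * from cphulkd.blacklist" | grep -F -- "$ip" || true
    fi
}

check_ip 203.0.113.7     # the complaining client in the sample: 2 failures, blocked
check_ip 198.51.100.20   # a working client: 0 failures, no block
```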
     