The Community Forums


Client has constant IP blocks when accessing email.

Discussion in 'Security' started by LiamN, Nov 12, 2015.

  1. LiamN

    LiamN Registered

    Joined:
    Nov 12, 2015
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Canberra
    cPanel Access Level:
    Root Administrator
    I have a client who regularly gets IP blocked by CSF when attempting to access his email. The following are some of the notifications that I have received:

    Code:
    Time:        Fri Nov 13 11:38:42 2015 +1100
    Account:     xxxx@domain.com
    Application: pop3d
    IP:          xx.xxx.xxx.xxx (AU/Australia/-)
    Logins:      61
    Interval:    2297
    Allowable:   60 logins per hour in 3600 second interval
    Flushed in:  1303 seconds
    Code:
    Time:     Thu Nov 12 16:22:56 2015 +1100
    IP:       xx.xxx.xxx.xxx (AU/Australia/CPE-xxx-xxx-x-xxx.lns10.cht.bigpond.net.au)
    Failures: 10 (imapd)
    Interval: 1800 seconds
    Blocked:  Permanent Block (IP match in csf.allow, block may not work)
    
    Log entries:
    
    Nov 12 16:12:19 server dovecot: imap-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<xxxx@domain.com>, method=PLAIN, rip=xx.xxx.xxx.xxx, lip=xx.xxx.xxx.xxx, session=<hKeS/FAk9AB8uAhw>
    Nov 12 16:12:26 server dovecot: imap-login: Aborted login (auth failed, 1 attempts in 6 secs): user=<xxxx@domain.com>, method=PLAIN, rip=xx.xxx.xxx.xxx, lip=xx.xxx.xxx.xxx, session=<pkfB/FAk9QB8uAhw>
    Nov 12 16:12:27 server dovecot: imap-login: Disconnected (auth failed, 1 attempts in 6 secs): user=<xxxx@domain.com>, method=PLAIN, rip=xx.xxx.xxx.xxx, lip=xx.xxx.xxx.xxx, session=<APrd/FAk9gB8uAhw>
    Nov 12 16:12:41 server dovecot: imap-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<xxxx@domain.com>, method=PLAIN, rip=xx.xxx.xxx.xxx, lip=xx.xxx.xxx.xxx, session=<z5zm/VAk+AB8uAhw>
    Nov 12 16:22:20 server dovecot: imap-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<xxxx@domain.com>, method=PLAIN, rip=xx.xxx.xxx.xxx, lip=xx.xxx.xxx.xxx, session=<AMFtIFEkFgB8uAhw>
    Nov 12 16:22:29 server dovecot: imap-login: Disconnected (auth failed, 1 attempts in 6 secs): user=<xxxx@domain.com>, method=PLAIN, rip=xx.xxx.xxx.xxx, lip=xx.xxx.xxx.xxx, session=<HT28IFEkGgB8uAhw>
    Nov 12 16:22:29 server dovecot: imap-login: Aborted login (auth failed, 1 attempts in 6 secs): user=<xxxx@domain.com>, method=PLAIN, rip=xx.xxx.xxx.xxx, lip=xx.xxx.xxx.xxx, session=<Tfu1IFEkGQB8uAhw>
    Nov 12 16:22:47 server dovecot: imap-login: Aborted login (auth failed, 1 attempts in 7 secs): user=<xxxx@domain.com>, method=PLAIN, rip=xx.xxx.xxx.xxx, lip=xx.xxx.xxx.xxx, session=<Z3e+IVEkHAB8uAhw>
    Nov 12 16:22:47 server dovecot: imap-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<xxxx@domain.com>, method=PLAIN, rip=xx.xxx.xxx.xxx, lip=xx.xxx.xxx.xxx, session=<xTwOIlEkHQB8uAhw>
    Nov 12 16:22:54 server dovecot: imap-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<xxxx@domain.com>, method=PLAIN, rip=xx.xxx.xxx.xxx, lip=xx.xxx.xxx.xxx, session=<S3ZxIlEkIQB8uAhw>

    This block winds up preventing him from receiving email on his device until the offending IP is whitelisted in CSF and cPHulk. This continues to pop up every few months, though; it seems, I'm guessing, that his office likely has a non-static IP. I'd obviously rather not keep whitelisting things if his system has been compromised, though, and short of a virus and general security scan of his systems (which I've already suggested) I'm not sure how else to advise him on how to rectify things without just locking him out.

    Alternatively is it possible that this is due to a poor configuration on my end? His is the only one of about 15 accounts on the server to experience this issue, though.
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    651
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    The output suggests this is related to the end user's system. You may need to push the end-user to review their email client or their system to ensure there are no viruses or invalid email configuration settings in their email client.

    Thank you.
     
  3. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    940
    Likes Received:
    55
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    ^^ What Michael said. Most likely they have Thunderbird or Outlook (or another mail client) configured with an old password, and it's repeatedly trying to refresh their inbox.
     
  4. Peoplespaces

    Peoplespaces Well-Known Member

    Joined:
    Oct 1, 2001
    Messages:
    217
    Likes Received:
    2
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    The first shows that they have exceeded the maximum allowable sign-ins per hour that you established in the CSF configuration (60). You can change that. The second may be from an improperly configured device like a phone, but you need to check the offending IP to determine this.
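To help tell the stale-password client that quizknows describes apart from something worse, here is an added example (not code from the thread or from cPanel/CSF) that parses dovecot imap-login failure lines in the format quoted above, applies the same kind of per-IP window the second notice reports (10 imapd failures in 1800 seconds), and then looks at how many distinct accounts the flagged IP was trying. The log lines, addresses and account names are constructed placeholders.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the dovecot imap-login/pop3-login "auth failed" lines quoted in the thread.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ dovecot: (?P<proto>imap|pop3)-login: "
    r"(?:Aborted login|Disconnected) \(auth failed, (?P<n>\d+) attempts in \d+ secs\): "
    r"user=<(?P<user>[^>]*)>.*?\brip=(?P<rip>[^,]+),"
)

def _line(ts, user, rip):
    """Build one constructed dovecot imap-login failure line in the thread's format."""
    return (f"{ts} server dovecot: imap-login: Aborted login (auth failed, 1 attempts in 2 secs): "
            f"user=<{user}>, method=PLAIN, rip={rip}, lip=198.51.100.5, session=<x>")

# Constructed sample: one client (documentation IP 203.0.113.10) failing with the same
# account every minute, plus a second IP that tries several different accounts.
SAMPLE_LOG = "\n".join(
    [_line(f"Nov 12 16:{12 + i:02d}:19", "client@example.com", "203.0.113.10") for i in range(10)]
    + [_line(f"Nov 12 16:30:{i:02d}", f"user{i}@example.com", "198.51.100.77") for i in range(3)]
)

def parse(log_text, year=2015):
    """Return sorted (timestamp, source IP, account) tuples for auth-failed lines; skip the rest."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["rip"], m["user"]))
    return sorted(events)

def failures_in_window(events, interval=1800, limit=10):
    """CSF-style check as in the thread's notice (10 failures in 1800 s): count failed
    logins per source IP in a sliding window and return the IPs that reach the limit."""
    by_ip = defaultdict(list)
    for ts, rip, user in events:
        by_ip[rip].append((ts, user))
    flagged = {}
    for rip, evs in by_ip.items():
        for ts, _ in evs:
            window = [e for e in evs if ts - timedelta(seconds=interval) <= e[0] <= ts]
            if len(window) >= limit:
                flagged[rip] = {"failures": len(window), "users": sorted({u for _, u in window})}
                break
    return flagged

def classify(entry):
    """One account retrying from one IP matches the stale-client-password pattern the
    replies describe; many distinct accounts from one IP looks like credential guessing."""
    return "stale-client" if len(entry["users"]) == 1 else "credential-guessing"
```

Running `classify` over `failures_in_window(parse(SAMPLE_LOG))` labels the repeating single-account IP as `stale-client`, which is the case where whitelisting after a client-side password fix is reasonable rather than a sign of compromise.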
     