EchoHost

Well-Known Member
Jul 27, 2003
52
0
156
Today my server started going extremely slowly, and when I went to check it out it turned out that there were a ton of instances of cppop, all from a single IP flood. 1000+ instances. In the Tweak Settings I have time per hour set to 60 and prevent POP3 flood enabled, yet I had 1000+ instances of cppop started. It's only when I banned the IP that the server returned back to normal.

Furthermore it seemed like these cppop processes were hanging around still processing, so when I pulled up maillog I found entries such as this.
Jun 27 16:14:15 server1 cpanelpop[29499]: Session Closed host=216.135.37.176 ip= user= realuser= totalxfer=105
Jun 27 16:14:15 server1 cpanelpop[29500]: Session Closed host=216.135.37.176 ip= user= realuser= totalxfer=105
Jun 27 16:14:15 server1 cpanelpop[29501]: Session Closed host=216.135.37.176 ip= user= realuser= totalxfer=105
Jun 27 16:14:16 server1 cpanelpop[29704]: Connection from host=216.135.37.176 to ip=xxx.xxx.30.142
Jun 27 16:14:16 server1 cpanelpop[29629]: User not found user=kirk homedir= passwd=/etc//shadow
Jun 27 16:14:16 server1 cpanelpop[29630]: User not found user=johny homedir= passwd=/etc//shadow
Jun 27 16:14:16 server1 cpanelpop[29503]: Session Closed host=216.135.37.176 ip= user= realuser= totalxfer=105
Jun 27 16:14:16 server1 cpanelpop[29705]: Connection from host=216.135.37.176 to ip=xxx.xxx.30.150
Jun 27 16:14:16 server1 cpanelpop[29504]: Session Closed host=216.135.37.176 ip= user= realuser= totalxfer=105
Jun 27 16:14:16 server1 cpanelpop[29706]: Connection from host=216.135.37.176 to ip=xxx.xxx.30.141
Jun 27 16:14:16 server1 cpanelpop[29631]: User not found user=joanne homedir= passwd=/etc//shadow
Jun 27 16:14:16 server1 cpanelpop[29707]: Connection from host=216.135.37.176 to ip=xxx.xxx.30.130
Jun 27 16:14:16 server1 cpanelpop[29505]: Session Closed host=216.135.37.176 ip= user= realuser= totalxfer=105
Jun 27 16:14:16 server1 cpanelpop[29632]: User not found user=juliet homedir= passwd=/etc//shadow
Jun 27 16:14:16 server1 cpanelpop[29708]: Connection from host=216.135.37.176 to ip=xxx.xxx.30.142
Jun 27 16:14:17 server1 cpanelpop[29506]: Session Closed host=216.135.37.176 ip= user= realuser= totalxfer=105
Jun 27 16:14:17 server1 cpanelpop[29709]: Connection from host=216.135.37.176 to ip=xxx.xxx.30.133
Jun 27 16:14:17 server1 cpanelpop[29507]: Session Closed host=216.135.37.176 ip= user= realuser= totalxfer=105
Jun 27 16:14:17 server1 cpanelpop[29508]: Session Closed host=216.135.37.176 ip= user= realuser= totalxfer=105
Jun 27 16:14:17 server1 cpanelpop[29710]: Connection from host=216.135.37.176 to ip=xxx.xxx.30.151
Jun 27 16:14:17 server1 cpanelpop[29712]: Connection from host=216.135.37.176 to ip=xxx.xxx.30.150
Jun 27 16:14:17 server1 cpanelpop[29509]: Session Closed host=216.135.37.176 ip= user= realuser= totalxfer=105
Jun 27 16:14:17 server1 cpanelpop[29510]: Session Closed host=216.135.37.176 ip= user= realuser= totalxfer=105
Jun 27 16:14:17 server1 cpanelpop[29717]: Connection from host=216.135.37.176 to ip=xxx.xxx.30.128
Jun 27 16:14:17 server1 cpanelpop[29511]: Session Closed host=216.135.37.176 ip= user= realuser= totalxfer=105
Jun 27 16:14:17 server1 cpanelpop[29512]: Session Closed host=216.135.37.176 ip= user= realuser= totalxfer=105
Jun 27 16:14:17 server1 cpanelpop[29718]: Connection from host=216.135.37.176 to ip=xxx.xxx.30.151
Jun 27 16:14:17 server1 cpanelpop[29513]: Session Closed host=216.135.37.176 ip= user= realuser= totalxfer=105
Jun 27 16:14:17 server1 cpanelpop[29719]: Connection from host=216.135.37.176 to ip=xxx.xxx.30.131
Jun 27 16:14:18 server1 cpanelpop[29519]: Session Closed host=216.135.37.176 ip= user= realuser= totalxfer=105
Jun 27 16:14:18 server1 cpanelpop[29638]: User not found user=johnson homedir= passwd=/etc//shadow
Jun 27 16:14:18 server1 cpanelpop[29720]: Connection from host=216.135.37.176 to ip=xxx.xxx.30.149
Jun 27 16:14:18 server1 cpanelpop[29521]: Session Closed host=216.135.37.176 ip= user= realuser= totalxfer=105
Jun 27 16:14:18 server1 cpanelpop[29721]: Connection from host=216.135.37.176 to ip=xxx.xxx.30.130
Jun 27 16:14:18 server1 cpanelpop[29722]: Connection from host=216.135.37.176 to ip=xxx.xxx.30.146
Jun 27 16:14:18 server1 cpanelpop[29522]: Session Closed host=216.135.37.176 ip= user= realuser= totalxfer=105
Jun 27 16:14:18 server1 cpanelpop[29723]: Connection from host=216.135.37.176 to ip=xxx.xxx.30.144
Jun 27 16:14:18 server1 cpanelpop[29523]: Session Closed host=216.135.37.176 ip= user= realuser= totalxfer=105
Jun 27 16:14:18 server1 cpanelpop[29724]: Connection from host=216.135.37.176 to ip=xxx.xxx.30.138
Jun 27 16:14:18 server1 cpanelpop[29524]: Session Closed host=216.135.37.176 ip= user= realuser= totalxfer=105
Jun 27 16:14:18 server1 cpanelpop[29726]: Connection from host=216.135.37.176 to ip=xxx.xxx.30.151
Jun 27 16:14:18 server1 cpanelpop[29525]: Session Closed host=216.135.37.176 ip= user= realuser= totalxfer=105
Jun 27 16:14:18 server1 cpanelpop[29727]: Connection from host=216.135.37.176 to ip=xxx.xxx.30.149
Jun 27 16:14:18 server1 cpanelpop[29526]: Session Closed host=216.135.37.176 ip= user= realuser= totalxfer=105
Jun 27 16:14:18 server1 cpanelpop[29728]: Connection from host=216.135.37.176 to ip=xxx.xxx.30.131
Jun 27 16:14:18 server1 cpanelpop[29527]: Session Closed host=216.135.37.176 ip= user= realuser= totalxfer=105
Jun 27 16:14:18 server1 cpanelpop[29730]: Connection from host=216.135.37.176 to ip=xxx.xxx.30.140
Jun 27 16:14:18 server1 cpanelpop[29528]: Session Closed host=216.135.37.176 ip= user= realuser= totalxfer=105
Jun 27 16:14:18 server1 cpanelpop[29731]: Connection from host=216.135.37.176 to ip=xxx.xxx.30.133
Jun 27 16:14:18 server1 cpanelpop[29529]: Session Closed host=216.135.37.176 ip= user= realuser= totalxfer=105
Jun 27 16:14:18 server1 cpanelpop[29732]: Connection from host=216.135.37.176 to ip=xxx.xxx.30.130
Jun 27 16:14:19 server1 cpanelpop[29733]: Connection from host=216.135.37.176 to ip=xxx.xxx.30.148
Jun 27 16:14:19 server1 cpanelpop[29530]: Session Closed host=216.135.37.176 ip= user= realuser= totalxfer=105
Jun 27 16:14:19 server1 cpanelpop[29736]: Connection from host=216.135.37.176 to ip=xxx.xxx.30.143
Jun 27 16:14:19 server1 cpanelpop[29531]: Session Closed host=216.135.37.176 ip= user= realuser= totalxfer=105
Jun 27 16:14:19 server1 cpanelpop[29532]: Session Closed host=216.135.37.176 ip= user= realuser= totalxfer=105
Jun 27 16:14:19 server1 cpanelpop[29737]: Connection from host=216.135.37.176 to ip=xxx.xxx.30.141
Jun 27 16:14:19 server1 cpanelpop[29738]: Connection from host=216.135.37.176 to ip=xxx.xxx.30.138
Jun 27 16:14:19 server1 cpanelpop[29533]: Session Closed host=216.135.37.176 ip= user= realuser= totalxfer=105
Jun 27 16:14:19 server1 cpanelpop[29640]: User not found user=kristen homedir= passwd=/etc//shadow
Jun 27 16:14:19 server1 cpanelpop[29739]: Connection from host=216.135.37.176 to ip=xxx.xxx.30.135
Jun 27 16:14:19 server1 cpanelpop[29534]: Session Closed host=216.135.37.176 ip= user= realuser= totalxfer=105
Jun 27 16:14:19 server1 cpanelpop[29740]: Connection from host=216.135.37.176 to ip=xxx.xxx.30.128
Jun 27 16:14:19 server1 cpanelpop[29741]: Connection from host=216.135.37.176 to ip=xxx.xxx.30.133
Jun 27 16:14:19 server1 cpanelpop[29535]: Session Closed host=216.135.37.176 ip= user= realuser= totalxfer=105
Jun 27 16:14:19 server1 cpanelpop[29537]: Session Closed host=216.135.37.176 ip= user= realuser= totalxfer=105
How do you prevent something like this?
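The question above is really a detection question: the maillog already shows a single source opening hundreds of POP3 sessions per minute and guessing usernames, so a rate limit keyed on the source IP is what stops it. What follows is an added example, not code from the original post or from cPanel or CSF/LFD: a small Python analyser that reads cpanelpop lines in the layout shown above, counts connections per source IP in a sliding window, ties "User not found" lines (which carry no host) back to their source through the pid of the earlier "Connection from" line, and emits the ban command an admin would run. The sample log lines are constructed (RFC 5737 test addresses, not the attacker IP in the post), the thresholds are assumptions, and a fixed year is assumed because syslog timestamps carry none.

```python
"""Flag a POP3 connection flood / username brute force in cpanelpop maillog lines.

Assumed line layout (the shape of the lines in the post, assumption):
  <Mon> <dd> <HH:MM:SS> <host> cpanelpop[<pid>]: <message>
with messages such as
  Connection from host=<ip> to ip=<ip>
  User not found user=<name> homedir= passwd=/etc//shadow
  Session Closed host=<ip> ip= user= realuser= totalxfer=<n>
"""
import re
from collections import defaultdict, deque
from datetime import datetime

LINE_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ '
    r'cpanelpop\[(?P<pid>\d+)\]: (?P<msg>.*)$'
)
CONN_RE = re.compile(r'^Connection from host=(?P<host>[\d.]+) to ip=')
USER_RE = re.compile(r'^User not found user=(?P<user>\S*) ')


def parse_line(line, year=2007):
    """Return (timestamp, pid, kind, detail) or None for lines we ignore."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # syslog lines carry no year; the caller supplies one (assumption)
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    pid, msg = int(m.group('pid')), m.group('msg')
    c = CONN_RE.match(msg)
    if c:
        return ts, pid, 'connect', c.group('host')
    u = USER_RE.match(msg)
    if u:
        return ts, pid, 'bad_user', u.group('user')
    if msg.startswith('Session Closed'):
        return ts, pid, 'closed', None
    return None


def analyze(lines, window_seconds=60, max_conns=30, max_bad_users=5, year=2007):
    """Per source IP: total connections, distinct guessed users, peak connections
    inside any window_seconds window, and whether that crosses the ban thresholds."""
    pid_to_host = {}                 # pid -> source IP of its "Connection from" line
    conns = defaultdict(list)        # ip -> connection timestamps
    bad_users = defaultdict(set)     # ip -> usernames that did not exist
    for line in lines:
        rec = parse_line(line, year)
        if rec is None:
            continue
        ts, pid, kind, detail = rec
        if kind == 'connect':
            pid_to_host[pid] = detail
            conns[detail].append(ts)
        elif kind == 'bad_user':
            host = pid_to_host.get(pid)
            if host:
                bad_users[host].add(detail)
    report = {}
    for ip, stamps in conns.items():
        stamps.sort()
        window, peak = deque(), 0
        for ts in stamps:
            window.append(ts)
            while (ts - window[0]).total_seconds() > window_seconds:
                window.popleft()
            peak = max(peak, len(window))
        report[ip] = {
            'connections': len(stamps),
            'bad_users': len(bad_users[ip]),
            'peak_in_window': peak,
            'ban': peak > max_conns or len(bad_users[ip]) >= max_bad_users,
        }
    return report


def ban_commands(report, use_csf=True):
    """Commands to block the flagged sources: CSF's deny list, or raw iptables without CSF."""
    cmds = []
    for ip, r in sorted(report.items()):
        if r['ban']:
            cmds.append(f'csf -d {ip} "POP3 flood"' if use_csf
                        else f"iptables -I INPUT -s {ip} -j DROP")
    return cmds


def sample_lines():
    """Constructed sample log (not the post's real log): one flooding source that
    opens 40 sessions in ~8 seconds and guesses 6 usernames, plus one normal client."""
    attacker, legit, lines, pid = "203.0.113.5", "198.51.100.7", [], 29700
    for i in range(40):
        pid += 1
        sec = 15 + i // 5                      # about five connections per second
        lines.append(f"Jun 27 16:14:{sec:02d} server1 cpanelpop[{pid}]: Connection from host={attacker} to ip=192.0.2.10")
        if i < 6:
            lines.append(f"Jun 27 16:14:{sec:02d} server1 cpanelpop[{pid}]: User not found user=guess{i} homedir= passwd=/etc//shadow")
        lines.append(f"Jun 27 16:14:{sec:02d} server1 cpanelpop[{pid}]: Session Closed host={attacker} ip= user= realuser= totalxfer=105")
    for minute in (10, 25, 40):               # a real mail client polling every 15 minutes
        pid += 1
        lines.append(f"Jun 27 16:{minute}:00 server1 cpanelpop[{pid}]: Connection from host={legit} to ip=192.0.2.10")
        lines.append(f"Jun 27 16:{minute}:03 server1 cpanelpop[{pid}]: Session Closed host={legit} ip= user=alice realuser=alice totalxfer=2048")
    return lines


if __name__ == "__main__":
    rep = analyze(sample_lines())
    for ip, r in rep.items():
        print(ip, r)
    for cmd in ban_commands(rep):
        print(cmd)
```

Run against a real file with `analyze(open('/var/log/maillog'))`. The two thresholds are deliberately independent: a flood of empty sessions never logs a "User not found", and a slow username scan stays under any per-minute connection limit, so either signal alone should be enough to block the source. Note that LFD, as recommended later in the thread, does this kind of log watching for you; the point of the block is to show what it has to look at.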
 

mtindor

Well-Known Member
Sep 14, 2004

rpmws

Well-Known Member
Aug 14, 2001
Unfortunately there are still many individuals running their servers on the outdated mbox format :/
I am starting to see that more and more, especially during the cp11 upgrades. I am just glad I did the conversion back in 2004-2005 whenever it was!! ha

as for protection for brute force attacks and many other protections check out Chirpy's CSF/LFD
 

EchoHost

Well-Known Member
Jul 27, 2003
> I am starting to see that more and more, especially during the cp11 upgrades. I am just glad I did the conversion back in 2004-2005 whenever it was!! ha
>
> as for protection for brute force attacks and many other protections check out Chirpy's CSF/LFD
I'm surprised it doesn't come standard with Courier then. This server is about a year and a half old and I had ConfigServer set it up once I got it, but I'm a bit disappointed that we never find out from cPanel that using cppop is dangerous.
 

rpmws

Well-Known Member
Aug 14, 2001
> I'm surprised it doesn't come standard with Courier then. This server is about a year and a half old and I had ConfigServer set it up once I got it, but I'm a bit disappointed that we never find out from cPanel that using cppop is dangerous.

It's all over the forums. Just search for maildir or mbox or convert2maildir.
 

chirpy

Well-Known Member
Verified Vendor
Jun 15, 2002
Courier-IMAP is installed by default now, and if you're running cPanel v11 then the daily upcp email includes a warning if you still run the deprecated cppop, advising you to migrate to the new configuration.

Word is that cPanel v12 will drop support for cppop and force an update to courier-imap - I hope it does.
 

claudio

Well-Known Member
Jul 31, 2004
I was just wondering whether having an old server, a populated one, with some serious companies using NeoMail and the old cppop format (as the name says, cp-pop or cPanel pop, I mean) is not a real sin.

I do have one cPanel 11 server still with cppop because I cannot simply impose Horde or Squirrel over NeoMail, or other IMAP-based webmails over POP3 ones.

So my server is suffering these POP3 flood attacks:

Mar 18 20:56:08 main cpanelpop[8973]: Connection from host=141.157.27.182 to ip=x.x.x.1
Mar 18 20:56:09 main cpanelpop[8993]: Connection from host=141.157.27.182 to ip=x.x.x.2
Mar 18 20:56:10 main cpanelpop[8980]: Connection from host=141.157.27.182 to ip=x.x.x.3

As I could also realise, inside Tweak Settings there is no longer the POP3 limit per hour that users could check their mailboxes with; how can I manually configure this?

In fact this guy cannot connect, because he is trying to guess the user and password and he is not getting them.

Is there any place to avoid this, I mean manually configure cppop?
 

rpmws

Well-Known Member
Aug 14, 2001
> I was just wondering whether having an old server, a populated one, with some serious companies using NeoMail and the old cppop format (as the name says, cp-pop or cPanel pop, I mean) is not a real sin.
>
> I do have one cPanel 11 server still with cppop because I cannot simply impose Horde or Squirrel over NeoMail, or other IMAP-based webmails over POP3 ones.
>
> So my server is suffering these POP3 flood attacks:
>
> Mar 18 20:56:08 main cpanelpop[8973]: Connection from host=141.157.27.182 to ip=x.x.x.1
> Mar 18 20:56:09 main cpanelpop[8993]: Connection from host=141.157.27.182 to ip=x.x.x.2
> Mar 18 20:56:10 main cpanelpop[8980]: Connection from host=141.157.27.182 to ip=x.x.x.3
>
> As I could also realise, inside Tweak Settings there is no longer the POP3 limit per hour that users could check their mailboxes with; how can I manually configure this?
>
> In fact this guy cannot connect, because he is trying to guess the user and password and he is not getting them.
>
> Is there any place to avoid this, I mean manually configure cppop?
chirpy's CSF/LFD takes care of all of that :) LOL