CSF blocked IP tries again

keat63

Well-Known Member
Nov 20, 2014
cPanel Access Level
Root Administrator
I have a post open on the CSF forum, but I guess CSF devs don't monitor that forum as I've never seen an official answer, so I'm posting the same on here to see if anyone can explain.


I see in my logs a small number of failed logins from an IP, which was then blocked in CSF at 00:04am

xxxx.xxx.xxx.xxx # lfd: (smtpauth) Failed SMTP AUTH login from xxx.xxx.xxx.xx. (AU/Australia/New South Wales/Sydney/xxx.xxx.xxx.xx.static.exetel.com.au): 1 in the last 3600 secs - Mon May 14 00:04:44 2018

However, If I look in my exim reject log, I can see that the logins continued after this time.
How could this happen?

2018-05-14 00:04:46 dovecot_login authenticator failed for xxx.xxx.xxx.xx.static.exetel.com.au (NHCDC1) [xxx.xxx.xxx.xx.]:54567: 535 Incorrect authentication data

2018-05-14 00:07:29 dovecot_login authenticator failed for xxx.xxx.xxx.xx..static.exetel.com.au (NHCDC1) [xxx.xxx.xxx.xx.]:55419: 535 Incorrect authentication data
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
I see in my logs a small number of failed logins from an IP, which was then blocked in CSF at 00:04am

xxxx.xxx.xxx.xxx # lfd: (smtpauth) Failed SMTP AUTH login from xxx.xxx.xxx.xx. (AU/Australia/New South Wales/Sydney/xxx.xxx.xxx.xx.static.exetel.com.au): 1 in the last 3600 secs - Mon May 14 00:04:44 2018
Hello @keat63,

The LFD output you provided shows a failed SMTP authentication attempt, but I don't see anything that shows the IP address was blocked at the firewall level. Can you check to see if that IP address was blocked?

Thank you.
 

keat63

Well-Known Member
Nov 20, 2014
cPanel Access Level
Root Administrator
As my server is work related, we only host our own sites.
I have about 20 users, none of whom use webmail or mail outside of the office.
So exim logins are restricted to a single failure, and the offending IP should be added to CSF.


xxxx.xxx.xxx.xxx # lfd: (smtpauth) Failed SMTP AUTH login from xxx.xxx.xxx.xx. (AU/Australia/New South Wales/Sydney/xxx.xxx.xxx.xx.static.exetel.com.au): 1 in the last 3600 secs - Mon May 14 00:04:44 2018

This line was taken directly from CSF blocklist.
/etc/csf/csf.deny

CSF added the IP to the blocklist at 00:04:44, but as can be seen from exim log, the logins continued.
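The question at this point is whether the attempts in the exim reject log really post-date the lfd entry in /etc/csf/csf.deny, and for which source ports. The script below is an added example (not from this thread, not part of CSF or cPanel) that parses both files and lists, per blocked IP, every reject-log attempt timestamped after that IP's block time. The csf.deny and rejectlog contents are constructed samples modelled on the lines quoted above, using documentation-range addresses; both timestamps are assumed to be in the host's local time, as they are on a single cPanel server. On the real server the equivalent check is `csf -g <ip>` (CSF's grep option) together with this correlation against /var/log/exim_rejectlog.

```python
"""Correlate CSF/LFD block times with exim reject-log entries from the same IP.

Added example, not from the thread or the CSF project. It answers the question
"did authentication attempts from this IP continue after lfd wrote it to
/etc/csf/csf.deny?" by parsing both files and reporting attempts whose
timestamp is later than the block timestamp. All sample data below is
constructed (RFC 5737 documentation addresses, example.net host names).
"""
import re
from datetime import datetime

# Constructed csf.deny content modelled on the line quoted in the thread.
CSF_DENY_SAMPLE = """\
# comment lines and entries without an lfd timestamp are ignored
203.0.113.45 # lfd: (smtpauth) Failed SMTP AUTH login from 203.0.113.45 (AU/Australia/New South Wales/Sydney/203-0-113-45.example.net): 1 in the last 3600 secs - Mon May 14 00:04:44 2018
198.51.100.7 # lfd: (sshd) Failed SSH login from 198.51.100.7 (XX/Example/-): 5 in the last 3600 secs - Mon May 14 01:30:00 2018
"""

# Constructed exim_rejectlog content modelled on the thread's entries: one
# attempt before the block, two after it, and one from an unrelated IP.
EXIM_REJECT_SAMPLE = """\
2018-05-14 00:03:58 dovecot_login authenticator failed for 203-0-113-45.example.net (NHCDC1) [203.0.113.45]:54012: 535 Incorrect authentication data
2018-05-14 00:04:46 dovecot_login authenticator failed for 203-0-113-45.example.net (NHCDC1) [203.0.113.45]:54567: 535 Incorrect authentication data
2018-05-14 00:07:29 dovecot_login authenticator failed for 203-0-113-45.example.net (NHCDC1) [203.0.113.45]:55419: 535 Incorrect authentication data
2018-05-14 00:09:10 dovecot_login authenticator failed for mail.example.org (NHCDC1) [192.0.2.9]:40001: 535 Incorrect authentication data
"""

# "<ip> # lfd: ... - Mon May 14 00:04:44 2018"; the timestamp follows the last " - ".
CSF_DENY_RE = re.compile(
    r"^(?P<ip>[0-9a-fA-F.:]+)\s+#\s+lfd:.*-\s+"
    r"(?P<ts>\w{3} \w{3}\s+\d{1,2} \d\d:\d\d:\d\d \d{4})\s*$"
)
# "YYYY-MM-DD HH:MM:SS ... [ip]:port: 535 ..."; the host name part is skipped non-greedily.
EXIM_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) .*?"
    r"\[(?P<ip>[0-9a-fA-F.:]+)\]:(?P<port>\d+): (?P<msg>\d{3} .*)$"
)


def parse_csf_deny(text):
    """Return {ip: block_time} for every lfd-generated entry in csf.deny text."""
    blocks = {}
    for line in text.splitlines():
        m = CSF_DENY_RE.match(line.strip())
        if m:
            blocks[m.group("ip")] = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
    return blocks


def parse_exim_reject(text):
    """Return a list of (time, ip, source_port, message) tuples from rejectlog text."""
    entries = []
    for line in text.splitlines():
        m = EXIM_RE.match(line.strip())
        if m:
            entries.append((datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
                            m.group("ip"), int(m.group("port")), m.group("msg")))
    return entries


def attempts_after_block(blocks, entries):
    """Map each blocked IP to the (time, source_port) attempts logged after its block.

    An IP that is blocked but has no later attempts is simply absent from the
    result, which is the healthy case: the firewall rule took effect.
    """
    late = {}
    for when, ip, port, _msg in entries:
        block_time = blocks.get(ip)
        if block_time is not None and when > block_time:
            late.setdefault(ip, []).append((when, port))
    return late


def report(deny_text, reject_text):
    """Print and return the post-block attempts for the given file contents."""
    late = attempts_after_block(parse_csf_deny(deny_text), parse_exim_reject(reject_text))
    for ip, attempts in sorted(late.items()):
        print(f"{ip}: {len(attempts)} attempt(s) after block")
        for when, port in attempts:
            print(f"  {when}  source port {port}")
    return late


if __name__ == "__main__":
    # Replace the samples with open("/etc/csf/csf.deny").read() and
    # open("/var/log/exim_rejectlog").read() on a real host.
    report(CSF_DENY_SAMPLE, EXIM_REJECT_SAMPLE)
```

On the sample data this reports two attempts from 203.0.113.45 after its 00:04:44 block (source ports 54567 and 55419), which is the pattern described in this post, while the attempt at 00:03:58 is correctly left out as pre-block and 192.0.2.9 is ignored because it was never denied. Each reported line is a separate source port, so each is a separate TCP connection rather than a single session that outlived the block; that distinction is what `csf -g` on the live host should then be used to settle.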
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Hello @keat63,

If ConfigServer does not respond to your support request, you may want to consider using cPHulk Brute Force Protection instead or in addition to LFD/CSF:

cPHulk Brute Force Protection - Version 70 Documentation - cPanel Documentation

The following cPHulk options could help replace or supplement that feature:

Block IP addresses at the firewall level if they trigger brute force protection
Command to Run When an IP Address Triggers a One-Day Block

Thank you.
 

keat63

Well-Known Member
Nov 20, 2014
cPanel Access Level
Root Administrator
I only require log in to email, ftp or cpanel etc from the UK.
Maybe a different country only when a mobile phone/tablet user goes on holiday.

Would there be any implications to having cPHulk block every country other than the UK?
Would this break anything else, or add any load?
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Would there be any implications to having cPHulk block every country other than the UK?
Would this break anything else, or add any load?
Hello,

That's acceptable, but just note that anyone attempting to log in to one of the monitored services would need to use a UK-based IP address. For instance, that could lead to login failures if any of your customers use a third-party service to authenticate their email account (e.g. customers that set up [email protected] in Gmail). You'd need to whitelist the IP address ranges of any such mail providers.

Regarding the performance, here's a quote from a recent thread on that topic:

Quite a bit of work has gone into making sure it performs well. One of the big impediments to adding it sooner was resolving the performance concerns. In the released version, the matching is very fast and has a high-performance cache layer, so it shouldn't cause any significant slowdowns.
Thank you.
 

keat63

Well-Known Member
Nov 20, 2014
cPanel Access Level
Root Administrator
I have no external customers so to speak, only internal office based staff and about 4 mobile phone/tablet email users.
I'm the only one with ssh, ftp access.
I'll give this a go and monitor for the day.
 