
CSF blocked IP tries again

Discussion in 'Security' started by keat63, May 17, 2018 at 5:28 AM.

  1. keat63

    keat63 Well-Known Member

    Joined:
    Nov 20, 2014
    Messages:
    941
    Likes Received:
    32
    Trophy Points:
    28
    cPanel Access Level:
    Root Administrator
    I have a post open on the CSF forum, but I guess CSF devs don't monitor that forum, as I've never seen an official answer, so I'm posting the same on here to see if anyone can explain.


    I see in my logs a small number of failed logins from an IP, which was then blocked in CSF at 00:04 am.

    xxxx.xxx.xxx.xxx # lfd: (smtpauth) Failed SMTP AUTH login from xxx.xxx.xxx.xx. (AU/Australia/New South Wales/Sydney/xxx.xxx.xxx.xx.static.exetel.com.au): 1 in the last 3600 secs - Mon May 14 00:04:44 2018

    However, if I look in my exim reject log, I can see that the logins continued after this time.
    How could this happen?

    2018-05-14 00:04:46 dovecot_login authenticator failed for xxx.xxx.xxx.xx.static.exetel.com.au (NHCDC1) [xxx.xxx.xxx.xx.]:54567: 535 Incorrect authentication data

    2018-05-14 00:07:29 dovecot_login authenticator failed for xxx.xxx.xxx.xx..static.exetel.com.au (NHCDC1) [xxx.xxx.xxx.xx.]:55419: 535 Incorrect authentication data
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    43,214
    Likes Received:
    1,757
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello @keat63,

    The LFD output you provided shows a failed SMTP authentication attempt, but I don't see anything that shows the IP address was blocked at the firewall level. Can you check to see if that IP address was blocked?

    Thank you.
     
  3. keat63

    keat63 Well-Known Member

    Joined:
    Nov 20, 2014
    Messages:
    941
    Likes Received:
    32
    Trophy Points:
    28
    cPanel Access Level:
    Root Administrator
    As my server is work related, we only host our own sites.
    I have about 20 users, none of whom use webmail or mail outside of the office.
    So exim logins are restricted to a single failure, and the offending IP should be added to CSF.


    xxxx.xxx.xxx.xxx # lfd: (smtpauth) Failed SMTP AUTH login from xxx.xxx.xxx.xx. (AU/Australia/New South Wales/Sydney/xxx.xxx.xxx.xx.static.exetel.com.au): 1 in the last 3600 secs - Mon May 14 00:04:44 2018

    This line was taken directly from the CSF blocklist, /etc/csf/csf.deny.

    CSF added the IP to the blocklist at 00:04:44, but as can be seen from the exim log, the logins continued.
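One way to check the claim in this post is to line the csf.deny block time up against the Exim reject log and list every authentication failure from that IP that was logged after the block. The script below is an added example, not code from the thread or from ConfigServer; the IP 203.0.113.45, the hostname and the timestamps are constructed sample data standing in for the masked values above.

```python
"""Added example (not from the thread or ConfigServer): cross-check a csf.deny
entry against exim_rejectlog lines and list auth failures from the blocked IP
that arrived after the block. IP, hostname and times are constructed sample data."""
import re
from datetime import datetime

# csf.deny comment ends with the block time, e.g. "... - Mon May 14 00:04:44 2018"
CSF_DENY_RE = re.compile(
    r"^(?P<ip>\S+)\s+#\s+lfd:.*-\s+(?P<when>\w{3} \w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4})\s*$")
# exim_rejectlog: "2018-05-14 00:04:46 dovecot_login authenticator failed for host (X) [ip]:port: 535 ..."
EXIM_RE = re.compile(
    r"^(?P<when>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ authenticator failed for .*?\[(?P<ip>[^\]]+)\]:\d+")

# Constructed sample data in documentation address space (the post masks the real IP).
SAMPLE_DENY = ("203.0.113.45 # lfd: (smtpauth) Failed SMTP AUTH login from 203.0.113.45 "
               "(AU/Australia/New South Wales/Sydney/host45.example.net): "
               "1 in the last 3600 secs - Mon May 14 00:04:44 2018")
SAMPLE_EXIM = [
    "2018-05-14 00:03:58 dovecot_login authenticator failed for host45.example.net (NHCDC1) [203.0.113.45]:54210: 535 Incorrect authentication data",
    "2018-05-14 00:04:46 dovecot_login authenticator failed for host45.example.net (NHCDC1) [203.0.113.45]:54567: 535 Incorrect authentication data",
    "2018-05-14 00:07:29 dovecot_login authenticator failed for host45.example.net (NHCDC1) [203.0.113.45]:55419: 535 Incorrect authentication data",
    "2018-05-14 00:09:00 dovecot_login authenticator failed for other.example.org (NHCDC1) [198.51.100.7]:40001: 535 Incorrect authentication data",
]

def parse_csf_deny(line):
    """Return (ip, block_time) from a csf.deny line, or None if it is not one."""
    m = CSF_DENY_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("when"), "%a %b %d %H:%M:%S %Y")

def attempts_after_block(deny_line, exim_lines):
    """Return (ip, block_time, hits); hits are (time, line) pairs for auth failures from
    the denied IP that Exim logged after the block. Any hit means the traffic still reached
    Exim despite the csf.deny entry; confirm the rule is actually loaded with `csf -g <ip>`."""
    parsed = parse_csf_deny(deny_line)
    if parsed is None:
        raise ValueError("not a csf.deny line: %r" % deny_line)
    ip, blocked_at = parsed
    hits = []
    for line in exim_lines:
        m = EXIM_RE.match(line)
        if m and m.group("ip") == ip:
            when = datetime.strptime(m.group("when"), "%Y-%m-%d %H:%M:%S")
            if when > blocked_at:
                hits.append((when, line))
    return ip, blocked_at, hits

if __name__ == "__main__":
    ip, blocked_at, hits = attempts_after_block(SAMPLE_DENY, SAMPLE_EXIM)
    print("%s blocked at %s; %d attempt(s) logged afterwards" % (ip, blocked_at, len(hits)))
    for when, _ in hits:
        print("  ", when)
```

On a live server, feed it the matching line from /etc/csf/csf.deny and the lines of /var/log/exim_rejectlog; the earlier failure and the other IP in the sample are there to show that only post-block hits from the denied address are reported.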
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    43,214
    Likes Received:
    1,757
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello @keat63,

    If ConfigServer does not respond to your support request, you may want to consider using cPHulk Brute Force Protection instead of, or in addition to, LFD/CSF:

    cPHulk Brute Force Protection - Version 70 Documentation - cPanel Documentation

    The following cPHulk options could help replace or supplement that feature:

    Block IP addresses at the firewall level if they trigger brute force protection
    Command to Run When an IP Address Triggers a One-Day Block

    Thank you.
     
  5. keat63

    keat63 Well-Known Member

    Joined:
    Nov 20, 2014
    Messages:
    941
    Likes Received:
    32
    Trophy Points:
    28
    cPanel Access Level:
    Root Administrator
    I only require log in to email, FTP or cPanel etc. from the UK.
    Maybe a different country only when a mobile phone/tablet user goes on holiday.

    Would there be any implications to having cPHulk block every country other than the UK?
    Would this break anything else, or add any load?
     
  6. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    43,214
    Likes Received:
    1,757
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    That's acceptable, but just note that anyone attempting to log in to one of the monitored services would need to use a UK-based IP address. For instance, that could lead to login failures if any of your customers use a third-party service to authenticate their email account (e.g. customers that set up user@domain.tld in Gmail). You'd need to whitelist the IP address ranges of any such mail providers.

    Regarding the performance, here's a quote from a recent thread on that topic:

    Thank you.
     