
CSF/LFD doesn't trap "older" cppop failures?

Discussion in 'Security' started by santrix, May 9, 2010.

  1. santrix

    santrix Well-Known Member

    OK... I'm not a history expert with CSF/LFD, but the statement next to the POP3 login failure, specifically:

    # [*]Enable login failure detection of courier pop3 connections. This will not
    # trap the older cppop daemon
    LF_POP3D = 5
    LF_POP3D_PERM = 600

    Has confused me... The only POP3 daemon that is supported (that I can see) via the standard WHM interface is cppop, and I am running the latest update of the Release tree.

    I am getting loads of lame attempts at logging into pop3 which are being ignored, or so it seems, by LFD. The above settings should be temp banning this IP after the 5th failure...

    My other relevant settings are:

    LF_TRIGGER = 10
    LF_TRIGGER_PERM = 600

    May 8 05:19:13 blade8 pop3d: LOGIN FAILED, user=budd, ip=[::ffff:81.149.149.117]
    May 8 05:19:13 blade8 pop3d: LOGIN FAILED, user=button, ip=[::ffff:81.149.149.117]
    May 8 05:19:13 blade8 pop3d: LOGIN FAILED, user=bridgette, ip=[::ffff:81.149.149.117]
    May 8 05:19:13 blade8 pop3d: LOGIN FAILED, user=bryce, ip=[::ffff:81.149.149.117]
    May 8 05:19:13 blade8 pop3d: Connection, ip=[::ffff:81.149.149.117]
    May 8 05:19:13 blade8 pop3d: Connection, ip=[::ffff:81.149.149.117]
    May 8 05:19:13 blade8 pop3d: LOGIN FAILED, user=bryson, ip=[::ffff:81.149.149.117]
    May 8 05:19:13 blade8 pop3d: LOGIN FAILED, user=brian, ip=[::ffff:81.149.149.117]
    May 8 05:19:13 blade8 pop3d: LOGIN FAILED, user=brooklyn, ip=[::ffff:81.149.149.117]
    May 8 05:19:13 blade8 pop3d: Connection, ip=[::ffff:81.149.149.117]
    May 8 05:19:13 blade8 pop3d: LOGIN FAILED, user=candy, ip=[::ffff:81.149.149.117]
    May 8 05:19:13 blade8 pop3d: LOGIN FAILED, user=byron, ip=[::ffff:81.149.149.117]
    May 8 05:19:13 blade8 pop3d: LOGIN FAILED, user=brooklyn, ip=[::ffff:81.149.149.117]
    May 8 05:19:14 blade8 pop3d: Connection, ip=[::ffff:81.149.149.117]
    May 8 05:19:14 blade8 pop3d: LOGIN FAILED, user=brianna, ip=[::ffff:81.149.149.117]
    May 8 05:19:14 blade8 pop3d: LOGIN FAILED, user=buy, ip=[::ffff:81.149.149.117]
    May 8 05:19:14 blade8 pop3d: LOGIN FAILED, user=bruce, ip=[::ffff:81.149.149.117]
    May 8 05:19:14 blade8 pop3d: LOGIN FAILED, user=calvin, ip=[::ffff:81.149.149.117]
    May 8 05:19:14 blade8 pop3d: LOGIN FAILED, user=bruce, ip=[::ffff:81.149.149.117]
    May 8 05:19:14 blade8 pop3d: Connection, ip=[::ffff:81.149.149.117]
    May 8 05:19:14 blade8 pop3d: LOGIN FAILED, user=brent, ip=[::ffff:81.149.149.117]
    May 8 05:19:14 blade8 pop3d: LOGIN FAILED, user=byron, ip=[::ffff:81.149.149.117]
    May 8 05:19:14 blade8 pop3d: Connection, ip=[::ffff:81.149.149.117]
    May 8 05:19:14 blade8 pop3d: LOGIN FAILED, user=button, ip=[::ffff:81.149.149.117]
    May 8 05:19:14 blade8 pop3d: LOGIN FAILED, user=career, ip=[::ffff:81.149.149.117]
    May 8 05:19:14 blade8 pop3d: Connection, ip=[::ffff:81.149.149.117]
    May 8 05:19:14 blade8 pop3d: Maximum connection limit reached for ::ffff:81.149.149.117
    May 8 05:19:14 blade8 pop3d: LOGIN FAILED, user=caesar, ip=[::ffff:81.149.149.117]
    May 8 05:19:14 blade8 pop3d: Maximum connection limit reached for ::ffff:81.149.149.117
    May 8 05:29:19 blade8 pop3d: Connection, ip=[::ffff:81.149.149.117]
    May 8 05:29:19 blade8 pop3d: Connection, ip=[::ffff:81.149.149.117]
    May 8 05:29:19 blade8 pop3d: LOGIN FAILED, user=christian, ip=[::ffff:81.149.149.117]
    May 8 05:29:19 blade8 pop3d: Connection, ip=[::ffff:81.149.149.117]
    May 8 05:29:19 blade8 pop3d: LOGIN FAILED, user=claire, ip=[::ffff:81.149.149.117]
    May 8 05:29:19 blade8 pop3d: Connection, ip=[::ffff:81.149.149.117]

    and so on...

    Even the old APF/BFD combo used to pick up issues like this... is there a way around this?

    Steve
     
  2. JordiCS

    JordiCS Well-Known Member

    Hello,

    I'm not sure this is the reason your CSF/LFD is not working as expected, but your settings are not right and maybe they are messing things up. If you enable login failure detection for specific applications, each of them with their own values, then you must set LF_TRIGGER = 0. In fact LF_POP3D = 5 and LF_TRIGGER = 10 (or any value different from 0) are not compatible.

    As explained on CSF configuration interface:

    # The following[*] triggers are application specific. If you set LF_TRIGGER to
    # "0" the value of each trigger is the number of failures against that
    # application that will trigger lfd to block the IP address
    #
    # If you set LF_TRIGGER to a value greater than "0" then the following[*]
    # application triggers are simply on or off ("0" or "1")

    My settings are

    LF_TRIGGER = 0

    LF_POP3D = 10
    LF_POP3D_PERM = 3600

    and in fact CSF is banning an IP for an hour after LFD detects 10 pop login failures from that IP.

    Regards,
     
    #2 JordiCS, May 9, 2010
    Last edited: May 9, 2010
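
The trigger semantics quoted from the CSF configuration interface above, applied to courier pop3d failure lines, as an added example that is not part of any post in this thread and is not lfd's own code. The function names, the sample log and the reading that LF_TRIGGER itself becomes the count when it is greater than 0 are assumptions; failures are counted over the whole sample with no time window.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the courier pop3d format quoted in the first post;
# the addresses are documentation ranges, not taken from the thread.
SAMPLE_LOG = "\n".join(
    [f"May 8 05:19:13 host pop3d: LOGIN FAILED, user=u{i}, ip=[::ffff:203.0.113.7]"
     for i in range(6)]
    + [f"May 8 05:19:14 host pop3d: LOGIN FAILED, user=v{i}, ip=[198.51.100.9]"
       for i in range(2)]
    + ["May 8 05:19:14 host pop3d: Connection, ip=[::ffff:203.0.113.7]",
       "May 8 05:19:14 host pop3d: Maximum connection limit reached for ::ffff:203.0.113.7"]
)

FAILED = re.compile(r"pop3d: LOGIN FAILED, user=[^,]*, ip=\[([^\]]+)\]")


def normalise(ip_text):
    """Collapse IPv4-mapped IPv6 (::ffff:a.b.c.d) so one client has one key."""
    ip = ipaddress.ip_address(ip_text)
    return str(getattr(ip, "ipv4_mapped", None) or ip)


def effective_threshold(lf_trigger, lf_app):
    """Failure count that triggers a block; None means detection is off."""
    if lf_app == 0:
        return None
    # LF_TRIGGER = 0: the application value is the count.
    # LF_TRIGGER > 0: the application value is only on/off (assumed: the
    # count is then LF_TRIGGER itself).
    return lf_app if lf_trigger == 0 else lf_trigger


def offenders(log_text, lf_trigger, lf_pop3d):
    """Return {ip: failures} for addresses at or above the threshold."""
    limit = effective_threshold(lf_trigger, lf_pop3d)
    if limit is None:
        return {}
    counts = Counter()
    for match in FAILED.finditer(log_text):
        try:
            counts[normalise(match.group(1))] += 1
        except ValueError:  # malformed address field: skip the line
            continue
    return {ip: n for ip, n in counts.items() if n >= limit}


if __name__ == "__main__":
    print(offenders(SAMPLE_LOG, 0, 5))    # per-application threshold of 5
    print(offenders(SAMPLE_LOG, 10, 5))   # LF_POP3D acts as a switch only
```
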
  3. Spiral

    Spiral BANNED

    Your LF_TRIGGER should be ZERO (0) if you are wanting to set up temporary IP bans in the other sections.

    I suppose it wouldn't hurt to mention that this isn't a support forum for CSF/LFD even though commonly used alongside cPanel. You may want to go to ConfigServer Services for support on this.
     
  4. cPanelKenneth

    cPanelKenneth cPanel Development
    Staff Member

    cppop refers to an older POP3 service that cPanel used to provide. It is not compatible with the Maildir format and hasn't been maintained in years. There are still vestiges of it in the UI. I believe these are finally cleared out in 11.25.1.

    Modern cPanel systems will use either Courier or Dovecot to provide the POP3 service.
     
  5. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Important cPanel/WHM Version Number Designation Change

    Please Note: Important cPanel/WHM Version Number Designation Change

    As of July 28, 2010 the cPanel/WHM version number designations have been officially changed.

    Version 11.25.1 is now designated 11.28 and version 11.25.2 is now designated 11.30.

    These new changes were explained in some detail recently at the July 2010 - Quarterly Road map - Webinar direct from cPanel's PodCast Studio in Houston, Texas with speakers David Grega and Mario Rodriguez.

    An official press release about these changes is forthcoming and can be accessed at this link as soon as it's made available to the Forum Team:
    Important cPanel/WHM Version Number Designation Change (To be updated)

    This post serves to update users who are subscribed to threads (where this message is posted) looking forward to upcoming enhancements in future versions of cPanel.
     