The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

CSF/LFD doesn't trap "older" cppop failures?

Discussion in 'Security' started by santrix, May 9, 2010.

  1. santrix

    santrix Well-Known Member

    Joined:
    Nov 30, 2008
    Messages:
    223
    Likes Received:
    2
    Trophy Points:
    68
    OK... I'm not a history expert with CSF/LFD, but the statement next to the POP3 login failure, specifically:

    # [*]Enable login failure detection of courier pop3 connections. This will not
    # trap the older cppop daemon
    LF_POP3D = 5
    LF_POP3D_PERM = 600

    Has confused me... The only POP3 daemon that is supported (that I can see) via the standard WHM interface is cppop, and I am running the latest update of the Release tree.

    I am getting loads of lame attempts at logging into pop3 which are being ignored, or so it seems, by LFD. The above settings shouldbe temp banning this IP after the 5th failure...

    My other relevant settings are:

    LF_TRIGGER = 10
    LF_TRIGGER_PERM = 600

    May 8 05:19:13 blade8 pop3d: LOGIN FAILED, user=budd, ip=[::ffff:81.149.149.117]
    May 8 05:19:13 blade8 pop3d: LOGIN FAILED, user=button, ip=[::ffff:81.149.149.117]
    May 8 05:19:13 blade8 pop3d: LOGIN FAILED, user=bridgette, ip=[::ffff:81.149.149.117]
    May 8 05:19:13 blade8 pop3d: LOGIN FAILED, user=bryce, ip=[::ffff:81.149.149.117]
    May 8 05:19:13 blade8 pop3d: Connection, ip=[::ffff:81.149.149.117]
    May 8 05:19:13 blade8 pop3d: Connection, ip=[::ffff:81.149.149.117]
    May 8 05:19:13 blade8 pop3d: LOGIN FAILED, user=bryson, ip=[::ffff:81.149.149.117]
    May 8 05:19:13 blade8 pop3d: LOGIN FAILED, user=brian, ip=[::ffff:81.149.149.117]
    May 8 05:19:13 blade8 pop3d: LOGIN FAILED, user=brooklyn, ip=[::ffff:81.149.149.117]
    May 8 05:19:13 blade8 pop3d: Connection, ip=[::ffff:81.149.149.117]
    May 8 05:19:13 blade8 pop3d: LOGIN FAILED, user=candy, ip=[::ffff:81.149.149.117]
    May 8 05:19:13 blade8 pop3d: LOGIN FAILED, user=byron, ip=[::ffff:81.149.149.117]
    May 8 05:19:13 blade8 pop3d: LOGIN FAILED, user=brooklyn, ip=[::ffff:81.149.149.117]
    May 8 05:19:14 blade8 pop3d: Connection, ip=[::ffff:81.149.149.117]
    May 8 05:19:14 blade8 pop3d: LOGIN FAILED, user=brianna, ip=[::ffff:81.149.149.117]
    May 8 05:19:14 blade8 pop3d: LOGIN FAILED, user=buy, ip=[::ffff:81.149.149.117]
    May 8 05:19:14 blade8 pop3d: LOGIN FAILED, user=bruce, ip=[::ffff:81.149.149.117]
    May 8 05:19:14 blade8 pop3d: LOGIN FAILED, user=calvin, ip=[::ffff:81.149.149.117]
    May 8 05:19:14 blade8 pop3d: LOGIN FAILED, user=bruce, ip=[::ffff:81.149.149.117]
    May 8 05:19:14 blade8 pop3d: Connection, ip=[::ffff:81.149.149.117]
    May 8 05:19:14 blade8 pop3d: LOGIN FAILED, user=brent, ip=[::ffff:81.149.149.117]
    May 8 05:19:14 blade8 pop3d: LOGIN FAILED, user=byron, ip=[::ffff:81.149.149.117]
    May 8 05:19:14 blade8 pop3d: Connection, ip=[::ffff:81.149.149.117]
    May 8 05:19:14 blade8 pop3d: LOGIN FAILED, user=button, ip=[::ffff:81.149.149.117]
    May 8 05:19:14 blade8 pop3d: LOGIN FAILED, user=career, ip=[::ffff:81.149.149.117]
    May 8 05:19:14 blade8 pop3d: Connection, ip=[::ffff:81.149.149.117]
    May 8 05:19:14 blade8 pop3d: Maximum connection limit reached for ::ffff:81.149.149.117
    May 8 05:19:14 blade8 pop3d: LOGIN FAILED, user=caesar, ip=[::ffff:81.149.149.117]
    May 8 05:19:14 blade8 pop3d: Maximum connection limit reached for ::ffff:81.149.149.117
    May 8 05:29:19 blade8 pop3d: Connection, ip=[::ffff:81.149.149.117]
    May 8 05:29:19 blade8 pop3d: Connection, ip=[::ffff:81.149.149.117]
    May 8 05:29:19 blade8 pop3d: LOGIN FAILED, user=christian, ip=[::ffff:81.149.149.117]
    May 8 05:29:19 blade8 pop3d: Connection, ip=[::ffff:81.149.149.117]
    May 8 05:29:19 blade8 pop3d: LOGIN FAILED, user=claire, ip=[::ffff:81.149.149.117]
    May 8 05:29:19 blade8 pop3d: Connection, ip=[::ffff:81.149.149.117]

    and so on...

    Even the old APF/BFD combo used to pick up issues like this... is there a way around this?

    Steve
     
    #1 santrix, May 9, 2010
  2. JordiCS

    JordiCS Well-Known Member

    Joined:
    Dec 3, 2003
    Messages:
    57
    Likes Received:
    0
    Trophy Points:
    156
    Location:
    Catalonia, EU
    cPanel Access Level:
    Root Administrator
    Hello,

    I'm not sure this is the reason your CSF/LFD is not working as expected, but your settings are not right and maybe they are messing things. If you enable login failure detection for especific applications, each of them with their own values, then you must set LF_TRIGGER = 0. In fact LF_POP3D = 5 and LF_TRIGGER = 10 (or any value different from 0) are not compatibles.

    As explained on CSF configuration interface:

    # The following[*] triggers are application specific. If you set LF_TRIGGER to
    # "0" the value of each trigger is the number of failures against that
    # application that will trigger lfd to block the IP address
    #
    # If you set LF_TRIGGER to a value greater than "0" then the following[*]
    # application triggers are simply on or off ("0" or "1")

    My settings are

    LF_TRIGGER = 0

    LF_POP3D = 10
    LF_POP3D_PERM = 3600

    and in fact CSF is banning an IP for an hour after LFD detects 10 pop login failures from that IP.

    Regards,
     
    #2 JordiCS, May 9, 2010
    Last edited: May 9, 2010
  3. Spiral

    Spiral BANNED

    Joined:
    Jun 24, 2005
    Messages:
    2,023
    Likes Received:
    8
    Trophy Points:
    193
    Your LF_TRIGGER should be ZERO (0) if you are wanting to setup temporary IP bans in the other sections

    I suppose it wouldn't hurt to mention that this isn't a support forum for CSF/LFD even though commonly used alongside Cpanel. You may want to go to ConfigServer Services for support on this.
     
    #3 Spiral, May 9, 2010
  4. cPanelKenneth

    cPanelKenneth cPanel Development
    Staff Member

    Joined:
    Apr 7, 2006
    Messages:
    4,493
    Likes Received:
    31
    Trophy Points:
    308
    cPanel Access Level:
    Root Administrator
    cppop refers to an older POP3 service that cPanel used to provide. It is not compatible with the Maildir format and hasn't been maintained in years. There are still vestiges of it in the UI. I believe these are finally cleared out in 11.25.1.

    Modern cPanel systems will use either Courier or Dovecot to provide the POP3 service.
     
    #4 cPanelKenneth, May 12, 2010
  5. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    15,618
    Likes Received:
    296
    Trophy Points:
    433
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Twitter:
    Important cPanel/WHM Version Number Designation Change

    Please Note: Important cPanel/WHM Version Number Designation Change

    As of July 28, 2010 the cPanel/WHM version number designations have been officially changed.

    Version 11.25.1 is now designated 11.28 and version 11.25.2 is now designated 11.30.

    These new changes were explained in some detail recently at the July 2010 - Quarterly Road map - Webinar direct from cPanel's PodCast Studio in Houston, Texas with speakers David Grega and Mario Rodriguez.

    An official press release about these changes is forthcoming and can be accessed at this link as soon as it's made available to the Forum Team:
    Important cPanel/WHM Version Number Designation Change (To be updated)

    This post serves to update users who are subscribed to threads (where this message is posted) looking forward to upcoming enhancements in future versions of cPanel.
     
    #5 Infopro, Jul 30, 2010
(You must log in or sign up to post here.)
Loading...
Similar Threads - doesn't trap older
  1. Sattar

    Forwarder doesn't work when subject is empty

    Sattar, Aug 17, 2017 at 3:48 AM, in forum: E-mail Discussions
    Replies:
    1
    Views:
    31
    cPanelMichael
    Aug 17, 2017 at 11:24 AM
  2. uadm

    ajax crawler doesn't work

    uadm, Aug 15, 2017 at 3:14 PM, in forum: General Discussion
    Replies:
    3
    Views:
    36
    cPanelMichael
    Aug 16, 2017 at 10:59 AM
  3. DennisMidjord

    'Require host' doesn't work

    DennisMidjord, Aug 10, 2017, in forum: General Discussion
    Replies:
    13
    Views:
    96
    rpvw
    Aug 11, 2017
  4. DennisMidjord

    Some changes from MultiPHP INI Editor doesn't take effect

    DennisMidjord, Aug 4, 2017, in forum: EasyApache
    Replies:
    3
    Views:
    83
    cPanelMichael
    Aug 7, 2017
  5. HowardE

    Backup to Amazon S3 Doesn't Obey Retention Rules

    HowardE, Jul 31, 2017, in forum: Data Protection
    Replies:
    11
    Views:
    160
    HowardE
    Aug 7, 2017

Share This Page