CSF/LFD doesn't trap "older" cppop failures?

S

santrix

Well-Known Member
Nov 30, 2008
229
3
68
OK... I'm not a history expert with CSF/LFD, but the statement next to the POP3 login failure, specifically:

# [*]Enable login failure detection of courier pop3 connections. This will not
# trap the older cppop daemon
LF_POP3D = 5
LF_POP3D_PERM = 600

Has confused me... The only POP3 daemon that is supported (that I can see) via the standard WHM interface is cppop, and I am running the latest update of the Release tree.

I am getting loads of lame attempts at logging into pop3 which are being ignored, or so it seems, by LFD. The above settings shouldbe temp banning this IP after the 5th failure...

My other relevant settings are:

LF_TRIGGER = 10
LF_TRIGGER_PERM = 600

May 8 05:19:13 blade8 pop3d: LOGIN FAILED, user=budd, ip=[::ffff:81.149.149.117]
May 8 05:19:13 blade8 pop3d: LOGIN FAILED, user=button, ip=[::ffff:81.149.149.117]
May 8 05:19:13 blade8 pop3d: LOGIN FAILED, user=bridgette, ip=[::ffff:81.149.149.117]
May 8 05:19:13 blade8 pop3d: LOGIN FAILED, user=bryce, ip=[::ffff:81.149.149.117]
May 8 05:19:13 blade8 pop3d: Connection, ip=[::ffff:81.149.149.117]
May 8 05:19:13 blade8 pop3d: Connection, ip=[::ffff:81.149.149.117]
May 8 05:19:13 blade8 pop3d: LOGIN FAILED, user=bryson, ip=[::ffff:81.149.149.117]
May 8 05:19:13 blade8 pop3d: LOGIN FAILED, user=brian, ip=[::ffff:81.149.149.117]
May 8 05:19:13 blade8 pop3d: LOGIN FAILED, user=brooklyn, ip=[::ffff:81.149.149.117]
May 8 05:19:13 blade8 pop3d: Connection, ip=[::ffff:81.149.149.117]
May 8 05:19:13 blade8 pop3d: LOGIN FAILED, user=candy, ip=[::ffff:81.149.149.117]
May 8 05:19:13 blade8 pop3d: LOGIN FAILED, user=byron, ip=[::ffff:81.149.149.117]
May 8 05:19:13 blade8 pop3d: LOGIN FAILED, user=brooklyn, ip=[::ffff:81.149.149.117]
May 8 05:19:14 blade8 pop3d: Connection, ip=[::ffff:81.149.149.117]
May 8 05:19:14 blade8 pop3d: LOGIN FAILED, user=brianna, ip=[::ffff:81.149.149.117]
May 8 05:19:14 blade8 pop3d: LOGIN FAILED, user=buy, ip=[::ffff:81.149.149.117]
May 8 05:19:14 blade8 pop3d: LOGIN FAILED, user=bruce, ip=[::ffff:81.149.149.117]
May 8 05:19:14 blade8 pop3d: LOGIN FAILED, user=calvin, ip=[::ffff:81.149.149.117]
May 8 05:19:14 blade8 pop3d: LOGIN FAILED, user=bruce, ip=[::ffff:81.149.149.117]
May 8 05:19:14 blade8 pop3d: Connection, ip=[::ffff:81.149.149.117]
May 8 05:19:14 blade8 pop3d: LOGIN FAILED, user=brent, ip=[::ffff:81.149.149.117]
May 8 05:19:14 blade8 pop3d: LOGIN FAILED, user=byron, ip=[::ffff:81.149.149.117]
May 8 05:19:14 blade8 pop3d: Connection, ip=[::ffff:81.149.149.117]
May 8 05:19:14 blade8 pop3d: LOGIN FAILED, user=button, ip=[::ffff:81.149.149.117]
May 8 05:19:14 blade8 pop3d: LOGIN FAILED, user=career, ip=[::ffff:81.149.149.117]
May 8 05:19:14 blade8 pop3d: Connection, ip=[::ffff:81.149.149.117]
May 8 05:19:14 blade8 pop3d: Maximum connection limit reached for ::ffff:81.149.149.117
May 8 05:19:14 blade8 pop3d: LOGIN FAILED, user=caesar, ip=[::ffff:81.149.149.117]
May 8 05:19:14 blade8 pop3d: Maximum connection limit reached for ::ffff:81.149.149.117
May 8 05:29:19 blade8 pop3d: Connection, ip=[::ffff:81.149.149.117]
May 8 05:29:19 blade8 pop3d: Connection, ip=[::ffff:81.149.149.117]
May 8 05:29:19 blade8 pop3d: LOGIN FAILED, user=christian, ip=[::ffff:81.149.149.117]
May 8 05:29:19 blade8 pop3d: Connection, ip=[::ffff:81.149.149.117]
May 8 05:29:19 blade8 pop3d: LOGIN FAILED, user=claire, ip=[::ffff:81.149.149.117]
May 8 05:29:19 blade8 pop3d: Connection, ip=[::ffff:81.149.149.117]

and so on...

Even the old APF/BFD combo used to pick up issues like this... is there a way around this?

Steve
 
J

JordiCS

Well-Known Member
Dec 3, 2003
57
0
156
Catalonia, EU
cPanel Access Level
Root Administrator
Hello,

I'm not sure this is the reason your CSF/LFD is not working as expected, but your settings are not right and maybe they are messing things. If you enable login failure detection for especific applications, each of them with their own values, then you must set LF_TRIGGER = 0. In fact LF_POP3D = 5 and LF_TRIGGER = 10 (or any value different from 0) are not compatibles.

As explained on CSF configuration interface:

# The following[*] triggers are application specific. If you set LF_TRIGGER to
# "0" the value of each trigger is the number of failures against that
# application that will trigger lfd to block the IP address
#
# If you set LF_TRIGGER to a value greater than "0" then the following[*]
# application triggers are simply on or off ("0" or "1")

My settings are

LF_TRIGGER = 0

LF_POP3D = 10
LF_POP3D_PERM = 3600

and in fact CSF is banning an IP for an hour after LFD detects 10 pop login failures from that IP.

Regards,
 
Last edited:
Spiral

Spiral

BANNED
Jun 24, 2005
2,018
8
193
Santrix said:
My other relevant settings are:

LF_TRIGGER = 10
LF_TRIGGER_PERM = 600
Click to expand...
Your LF_TRIGGER should be ZERO (0) if you are wanting to setup temporary IP bans in the other sections

I suppose it wouldn't hurt to mention that this isn't a support forum for CSF/LFD even though commonly used alongside Cpanel. You may want to go to ConfigServer Services for support on this.
 
cPanelKenneth

cPanelKenneth

cPanel Development
Staff member
Apr 7, 2006
4,607
80
458
cPanel Access Level
Root Administrator
santrix said:
# [*]Enable login failure detection of courier pop3 connections. This will not
# trap the older cppop daemon

Has confused me... The only POP3 daemon that is supported (that I can see) via the standard WHM interface is cppop, and I am running the latest update of the Release tree.
Click to expand...
cppop refers to an older POP3 service that cPanel used to provide. It is not compatible with the Maildir format and hasn't been maintained in years. There are still vestiges of it in the UI. I believe these are finally cleared out in 11.25.1.

Modern cPanel systems will use either Courier or Dovecot to provide the POP3 service.
 
I

Infopro

Well-Known Member
May 20, 2003
17,075
524
613
Pennsylvania
cPanel Access Level
Root Administrator
Twitter
Important cPanel/WHM Version Number Designation Change

Please Note: Important cPanel/WHM Version Number Designation Change

As of July 28, 2010 the cPanel/WHM version number designations have been officially changed.

Version 11.25.1 is now designated 11.28 and version 11.25.2 is now designated 11.30.

These new changes were explained in some detail recently at the July 2010 - Quarterly Road map - Webinar direct from cPanel's PodCast Studio in Houston, Texas with speakers David Grega and Mario Rodriguez.

An official press release about these changes is forthcoming and can be accessed at this link as soon as it's made available to the Forum Team:
Important cPanel/WHM Version Number Designation Change (To be updated)

This post serves to update users who are subscribed to threads (where this message is posted) looking forward to upcoming enhancements in future versions of cPanel.
 
You must log in or register to reply here.
Thread starter Similar threads Forum Replies Date
M Very high CPU loads from brute force attempts - CSF/LFD Security 14
A CSF/LFD blocking mail sent on online web form via SMTP Security 3
G LFD keeps failing, now I see that /usr/sbin/csf and lfd have been modified Security 4
R Using Imunify360, but see this message "CSF is installed, but LFD is not running" Security 4
M More about using cPhulk with CSF/LFD together Security 4
Similar threads
Very high CPU loads from brute force attempts - CSF/LFD
CSF/LFD blocking mail sent on online web form via SMTP
LFD keeps failing, now I see that /usr/sbin/csf and lfd have been modified
Using Imunify360, but see this message "CSF is installed, but LFD is not running"
More about using cPhulk with CSF/LFD together
Top Bottom