Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!

CSF/LFD doesn't trap "older" cppop failures?

Discussion in 'Security' started by santrix, May 9, 2010.

  1. santrix

    santrix Well-Known Member

    Joined:
    Nov 30, 2008
    Messages:
    223
    Likes Received:
    2
    Trophy Points:
    68
    OK... I'm not a history expert with CSF/LFD, but the statement next to the POP3 login failure, specifically:

    # [*]Enable login failure detection of courier pop3 connections. This will not
    # trap the older cppop daemon
    LF_POP3D = 5
    LF_POP3D_PERM = 600

    Has confused me... The only POP3 daemon that is supported (that I can see) via the standard WHM interface is cppop, and I am running the latest update of the Release tree.

    I am getting loads of lame attempts at logging into pop3 which are being ignored, or so it seems, by LFD. The above settings shouldbe temp banning this IP after the 5th failure...

    My other relevant settings are:

    LF_TRIGGER = 10
    LF_TRIGGER_PERM = 600

    May 8 05:19:13 blade8 pop3d: LOGIN FAILED, user=budd, ip=[::ffff:81.149.149.117]
    May 8 05:19:13 blade8 pop3d: LOGIN FAILED, user=button, ip=[::ffff:81.149.149.117]
    May 8 05:19:13 blade8 pop3d: LOGIN FAILED, user=bridgette, ip=[::ffff:81.149.149.117]
    May 8 05:19:13 blade8 pop3d: LOGIN FAILED, user=bryce, ip=[::ffff:81.149.149.117]
    May 8 05:19:13 blade8 pop3d: Connection, ip=[::ffff:81.149.149.117]
    May 8 05:19:13 blade8 pop3d: Connection, ip=[::ffff:81.149.149.117]
    May 8 05:19:13 blade8 pop3d: LOGIN FAILED, user=bryson, ip=[::ffff:81.149.149.117]
    May 8 05:19:13 blade8 pop3d: LOGIN FAILED, user=brian, ip=[::ffff:81.149.149.117]
    May 8 05:19:13 blade8 pop3d: LOGIN FAILED, user=brooklyn, ip=[::ffff:81.149.149.117]
    May 8 05:19:13 blade8 pop3d: Connection, ip=[::ffff:81.149.149.117]
    May 8 05:19:13 blade8 pop3d: LOGIN FAILED, user=candy, ip=[::ffff:81.149.149.117]
    May 8 05:19:13 blade8 pop3d: LOGIN FAILED, user=byron, ip=[::ffff:81.149.149.117]
    May 8 05:19:13 blade8 pop3d: LOGIN FAILED, user=brooklyn, ip=[::ffff:81.149.149.117]
    May 8 05:19:14 blade8 pop3d: Connection, ip=[::ffff:81.149.149.117]
    May 8 05:19:14 blade8 pop3d: LOGIN FAILED, user=brianna, ip=[::ffff:81.149.149.117]
    May 8 05:19:14 blade8 pop3d: LOGIN FAILED, user=buy, ip=[::ffff:81.149.149.117]
    May 8 05:19:14 blade8 pop3d: LOGIN FAILED, user=bruce, ip=[::ffff:81.149.149.117]
    May 8 05:19:14 blade8 pop3d: LOGIN FAILED, user=calvin, ip=[::ffff:81.149.149.117]
    May 8 05:19:14 blade8 pop3d: LOGIN FAILED, user=bruce, ip=[::ffff:81.149.149.117]
    May 8 05:19:14 blade8 pop3d: Connection, ip=[::ffff:81.149.149.117]
    May 8 05:19:14 blade8 pop3d: LOGIN FAILED, user=brent, ip=[::ffff:81.149.149.117]
    May 8 05:19:14 blade8 pop3d: LOGIN FAILED, user=byron, ip=[::ffff:81.149.149.117]
    May 8 05:19:14 blade8 pop3d: Connection, ip=[::ffff:81.149.149.117]
    May 8 05:19:14 blade8 pop3d: LOGIN FAILED, user=button, ip=[::ffff:81.149.149.117]
    May 8 05:19:14 blade8 pop3d: LOGIN FAILED, user=career, ip=[::ffff:81.149.149.117]
    May 8 05:19:14 blade8 pop3d: Connection, ip=[::ffff:81.149.149.117]
    May 8 05:19:14 blade8 pop3d: Maximum connection limit reached for ::ffff:81.149.149.117
    May 8 05:19:14 blade8 pop3d: LOGIN FAILED, user=caesar, ip=[::ffff:81.149.149.117]
    May 8 05:19:14 blade8 pop3d: Maximum connection limit reached for ::ffff:81.149.149.117
    May 8 05:29:19 blade8 pop3d: Connection, ip=[::ffff:81.149.149.117]
    May 8 05:29:19 blade8 pop3d: Connection, ip=[::ffff:81.149.149.117]
    May 8 05:29:19 blade8 pop3d: LOGIN FAILED, user=christian, ip=[::ffff:81.149.149.117]
    May 8 05:29:19 blade8 pop3d: Connection, ip=[::ffff:81.149.149.117]
    May 8 05:29:19 blade8 pop3d: LOGIN FAILED, user=claire, ip=[::ffff:81.149.149.117]
    May 8 05:29:19 blade8 pop3d: Connection, ip=[::ffff:81.149.149.117]

    and so on...

    Even the old APF/BFD combo used to pick up issues like this... is there a way around this?

    Steve
     
    #1 santrix, May 9, 2010
  2. JordiCS

    JordiCS Well-Known Member

    Joined:
    Dec 3, 2003
    Messages:
    57
    Likes Received:
    0
    Trophy Points:
    156
    Location:
    Catalonia, EU
    cPanel Access Level:
    Root Administrator
    Hello,

    I'm not sure this is the reason your CSF/LFD is not working as expected, but your settings are not right and maybe they are messing things. If you enable login failure detection for especific applications, each of them with their own values, then you must set LF_TRIGGER = 0. In fact LF_POP3D = 5 and LF_TRIGGER = 10 (or any value different from 0) are not compatibles.

    As explained on CSF configuration interface:

    # The following[*] triggers are application specific. If you set LF_TRIGGER to
    # "0" the value of each trigger is the number of failures against that
    # application that will trigger lfd to block the IP address
    #
    # If you set LF_TRIGGER to a value greater than "0" then the following[*]
    # application triggers are simply on or off ("0" or "1")

    My settings are

    LF_TRIGGER = 0

    LF_POP3D = 10
    LF_POP3D_PERM = 3600

    and in fact CSF is banning an IP for an hour after LFD detects 10 pop login failures from that IP.

    Regards,
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #2 JordiCS, May 9, 2010
    Last edited: May 9, 2010
  3. Spiral

    Spiral BANNED

    Joined:
    Jun 24, 2005
    Messages:
    2,023
    Likes Received:
    8
    Trophy Points:
    193
    Your LF_TRIGGER should be ZERO (0) if you are wanting to setup temporary IP bans in the other sections

    I suppose it wouldn't hurt to mention that this isn't a support forum for CSF/LFD even though commonly used alongside Cpanel. You may want to go to ConfigServer Services for support on this.
     
    #3 Spiral, May 9, 2010
  4. cPanelKenneth

    cPanelKenneth cPanel Development
    Staff Member

    Joined:
    Apr 7, 2006
    Messages:
    4,563
    Likes Received:
    43
    Trophy Points:
    308
    cPanel Access Level:
    Root Administrator
    cppop refers to an older POP3 service that cPanel used to provide. It is not compatible with the Maildir format and hasn't been maintained in years. There are still vestiges of it in the UI. I believe these are finally cleared out in 11.25.1.

    Modern cPanel systems will use either Courier or Dovecot to provide the POP3 service.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #4 cPanelKenneth, May 12, 2010
  5. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    16,479
    Likes Received:
    421
    Trophy Points:
    583
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Twitter:
    Important cPanel/WHM Version Number Designation Change

    Please Note: Important cPanel/WHM Version Number Designation Change

    As of July 28, 2010 the cPanel/WHM version number designations have been officially changed.

    Version 11.25.1 is now designated 11.28 and version 11.25.2 is now designated 11.30.

    These new changes were explained in some detail recently at the July 2010 - Quarterly Road map - Webinar direct from cPanel's PodCast Studio in Houston, Texas with speakers David Grega and Mario Rodriguez.

    An official press release about these changes is forthcoming and can be accessed at this link as soon as it's made available to the Forum Team:
    Important cPanel/WHM Version Number Designation Change (To be updated)

    This post serves to update users who are subscribed to threads (where this message is posted) looking forward to upcoming enhancements in future versions of cPanel.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #5 Infopro, Jul 30, 2010
(You must log in or sign up to post here.)
Loading...
Similar Threads - doesn't trap older
  1. proweb01

    Account doesn't use shared IP

    proweb01, Sep 20, 2018, in forum: General Discussion
    Replies:
    1
    Views:
    78
    cPanelMichael
    Sep 21, 2018
  2. Benjamin D.

    Potential reduced AutoSSL coverage for subdomain that doesn't exist?

    Benjamin D., Sep 16, 2018, in forum: Security
    Replies:
    4
    Views:
    167
    Benjamin D.
    Sep 23, 2018
  3. Nikolin

    Hostname/IP doesn't match certificate's altnames

    Nikolin, Jul 26, 2018, in forum: E-mail Discussion
    Replies:
    7
    Views:
    398
    cPanelMichael
    Aug 16, 2018
  4. Benjamin D.

    SOLVED AutoSSL doesn't pick up my hostname?

    Benjamin D., Jul 25, 2018, in forum: Security
    Replies:
    2
    Views:
    191
    cPanelMichael
    Jul 26, 2018
  5. IRZQ88

    In Outlook server doesn't support the encryption method specified error

    IRZQ88, Jul 3, 2018, in forum: E-mail Discussion
    Replies:
    9
    Views:
    704
    cPanelLauren
    Jul 4, 2018

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...
    Dismiss Notice