csf / lfd keeps blocking pop3 users

r00t pAsSw0rd

Active Member
Sep 14, 2006
32
0
156
xxx.xxx.105.159 # lfd: 5 (pop3d) login failures from xxx.xxx.105.159 - Thu Nov 2 23:37:51 2006

This has happened numerous times to this one person. Why is that? The person is not failing to login to pop3 5 times at all.
 

brianoz

Well-Known Member
Mar 13, 2004
1,146
7
168
Melbourne, Australia
cPanel Access Level
Root Administrator
I'm hoping Chirpy will add a feature so we can automatically whitelist all authenticated sites - from the list in /etc/relayhosts. That is, these people are going to be my legitimate users and I don't want them blocked.
 
Last edited:

cpanelinfoseeker

Well-Known Member
Oct 25, 2002
325
3
168
NE Illinois
cPanel Access Level
Root Administrator
First, check your log files. Every user that has been blocked on my server has had the 5 login attampts in the last 300 seconds. Not one was a false ban.

Second, If you do not want that ip banned, copy the IP address that was banned and add it to your "FIREWALL ALLOW IPs" and they will not be banned in the future.

This feature has saved me already!

Ron
 

chirpy

Well-Known Member
Verifed Vendor
Jun 15, 2002
13,465
30
473
Go on, have a guess
The most common reason for this is if you've buggered up /etc/syslog.conf by repeatedly running /scripts/fixrelayd - make sure you don't have the duplicate line problem at the bottom of syslog.conf and if you have remove them and then restart syslog.

Brian, I'll look at adding that to the wishlist - however there's always the concern that compromised client PC's could be trying to hack into the server.
 

kernow

Well-Known Member
Jul 23, 2004
995
42
178
cPanel Access Level
Root Administrator
AFAIK /scripts/fixrelayd has never been run, i didn't even know that script existed. ......... But thanks, i did find a duplicate of this line and removed it:
#local0.notice;local0.debug;mail.*;mail.none;mail.info;local0.info /var/log/maillog
 

brianoz

Well-Known Member
Mar 13, 2004
1,146
7
168
Melbourne, Australia
cPanel Access Level
Root Administrator
Perhaps a test for a double line in syslog.conf could be added at install time? I know it's tricky as there may be two lines doing different things to the messages, so perhaps it should be a warning unless the lines are duplicate?

Thanks for adding the /etc/relayhosts wish - I'm prepared to take that risk as I know my clients well - it might not make sense for others, so should be a config option. Since installing csf+lfd I've had about 3-4 clients booked, after a few days I just manually added the contents of /etc/relayhosts to csf.allow and I was fine :)