csf / lfd keeps blocking pop3 users

r00t pAsSw0rd

xxx.xxx.105.159 # lfd: 5 (pop3d) login failures from xxx.xxx.105.159 - Thu Nov 2 23:37:51 2006

This has happened numerous times to this one person. Why is that? The person is not failing to log in to pop3 5 times at all.
 

kernow

Have noticed this ourselves, sometimes only two failed logins will trigger a ban ... despite lfd being set to 5.
Maybe Chirpy will pop by and have the answer.
 

brianoz

I'm hoping Chirpy will add a feature so we can automatically whitelist all authenticated sites - from the list in /etc/relayhosts. That is, these people are going to be my legitimate users and I don't want them blocked.
 

cpanelinfoseeker

First, check your log files. Every user that has been blocked on my server has had the 5 login attempts in the last 300 seconds. Not one was a false ban.

Second, if you do not want that IP banned, copy the IP address that was banned and add it to your "FIREWALL ALLOW IPs" and they will not be banned in the future.

This feature has saved me already!

Ron
 

chirpy

The most common reason for this is if you've buggered up /etc/syslog.conf by repeatedly running /scripts/fixrelayd - make sure you don't have the duplicate line problem at the bottom of syslog.conf, and if you have, remove them and then restart syslog.

Brian, I'll look at adding that to the wishlist - however there's always the concern that compromised client PCs could be trying to hack into the server.
 

kernow

AFAIK /scripts/fixrelayd has never been run, I didn't even know that script existed. ... But thanks, I did find a duplicate of this line and removed it:
#local0.notice;local0.debug;mail.*;mail.none;mail.info;local0.info /var/log/maillog
 

brianoz

Perhaps a test for a double line in syslog.conf could be added at install time? I know it's tricky as there may be two lines doing different things to the messages, so perhaps it should be a warning unless the lines are duplicate?

Thanks for adding the /etc/relayhosts wish - I'm prepared to take that risk as I know my clients well - it might not make sense for others, so should be a config option. Since installing csf+lfd I've had about 3-4 clients blocked; after a few days I just manually added the contents of /etc/relayhosts to csf.allow and I was fine :)
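
The check suggested in this thread (report exact duplicate rules in syslog.conf, and only warn when different rules feed the same file), written out as an added example that is not part of any post above and is not csf/lfd code. It assumes classic syslogd behaviour, where a message is written once per matching rule, so a repeated rule can put one failed login in the log more than once; the sample config and the function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample syslog.conf, not taken from any real server.
SAMPLE_SYSLOG_CONF = """\
# Log all the mail messages in one place.
mail.*                                  -/var/log/maillog
authpriv.*                              /var/log/secure
cron.*                                  /var/log/cron
local0.notice;mail.info                 /var/log/maillog
mail.*                                  /var/log/maillog
#mail.*                                 /var/log/maillog
"""

def parse_rules(text):
    """Yield (line_no, selector, target) for every active rule line."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and commented-out rules log nothing
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # not a "selector action" pair
        selector, action = parts
        # A leading "-" only turns off sync-after-write; the file is the same.
        yield line_no, selector, action.lstrip("-").strip()

def check_duplicates(text):
    """Return (level, target_file, line_numbers) findings for file targets."""
    by_target = defaultdict(list)
    for line_no, selector, target in parse_rules(text):
        if target.startswith("/"):  # only local log files are checked here
            by_target[target].append((line_no, selector))
    findings = []
    for target, rules in by_target.items():
        first_seen = {}
        for line_no, selector in rules:
            if selector in first_seen:
                # Same selector, same file: matching messages are doubled.
                findings.append(("DUPLICATE", target, (first_seen[selector], line_no)))
            else:
                first_seen[selector] = line_no
        if len(first_seen) > 1:
            # Different selectors on one file may overlap: warn, do not fail.
            findings.append(("WARNING", target, tuple(sorted(first_seen.values()))))
    return findings

if __name__ == "__main__":
    for level, target, lines in check_duplicates(SAMPLE_SYSLOG_CONF):
        print(f"{level}: {target} is written by the rules on lines {lines}")
```

A DUPLICATE finding is the case described in the thread; a WARNING needs a human look, since two different selectors writing to one file can be intentional.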