csf / lfd keeps blocking pop3 users

Discussion in 'General Discussion' started by r00t pAsSw0rd, Nov 3, 2006.

  1. r00t pAsSw0rd

    r00t pAsSw0rd Active Member

    xxx.xxx.105.159 # lfd: 5 (pop3d) login failures from xxx.xxx.105.159 - Thu Nov 2 23:37:51 2006

    This has happened numerous times to this one person. Why is that? The person is not failing to log in to pop3 5 times at all.
     
  2. kernow

    kernow Well-Known Member

    Have noticed this ourselves, sometimes only two failed logins will trigger a ban ... despite lfd being set to 5.
     
  3. kernow

    kernow Well-Known Member

    Have noticed this ourselves, sometimes only two failed logins will trigger a ban ... despite lfd being set to 5.
    Maybe Chirpy will pop by and have the answer.
     
  4. brianoz

    brianoz Well-Known Member

    I'm hoping Chirpy will add a feature so we can automatically whitelist all authenticated sites - from the list in /etc/relayhosts. That is, these people are going to be my legitimate users and I don't want them blocked.
     
    #4 brianoz, Nov 3, 2006
    Last edited: Nov 4, 2006
  5. cpanelinfoseeker

    cpanelinfoseeker Well-Known Member

    First, check your log files. Every user that has been blocked on my server has had the 5 login attempts in the last 300 seconds. Not one was a false ban.

    Second, if you do not want that IP banned, copy the IP address that was banned and add it to your "FIREWALL ALLOW IPs" and they will not be banned in the future.

    This feature has saved me already!

    Ron
     
  6. kernow

    kernow Well-Known Member

    I tried logging into my own account and gave the wrong password twice on purpose, the logs say I got banned for 5 failed login attempts.
     
  7. chirpy

    chirpy Well-Known Member

    The most common reason for this is if you've buggered up /etc/syslog.conf by repeatedly running /scripts/fixrelayd - make sure you don't have the duplicate line problem at the bottom of syslog.conf and if you have, remove them and then restart syslog.

    Brian, I'll look at adding that to the wishlist - however there's always the concern that compromised client PCs could be trying to hack into the server.
     
  8. kernow

    kernow Well-Known Member

    AFAIK /scripts/fixrelayd has never been run, I didn't even know that script existed ... But thanks, I did find a duplicate of this line and removed it:
    #local0.notice;local0.debug;mail.*;mail.none;mail.info;local0.info /var/log/maillog
     
  9. brianoz

    brianoz Well-Known Member

    Perhaps a test for a double line in syslog.conf could be added at install time? I know it's tricky as there may be two lines doing different things to the messages, so perhaps it should be a warning unless the lines are duplicate?

    Thanks for adding the /etc/relayhosts wish - I'm prepared to take that risk as I know my clients well - it might not make sense for others, so should be a config option. Since installing csf+lfd I've had about 3-4 clients blocked, after a few days I just manually added the contents of /etc/relayhosts to csf.allow and I was fine :)
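
The duplicate-line check discussed in posts 7 to 9, as an added example that is not part of the thread or of csf/lfd: a duplicated rule makes syslogd write each message to the log twice, so anything counting failure lines in that log sees more failures than occurred. The sample config is constructed; exact duplicates are reported as errors, while differing selectors writing to the same file only raise a warning.

```python
import sys
from collections import defaultdict

# Constructed sample: tail of a syslog.conf with the duplicate-line problem.
SAMPLE = """\
# Log all the mail messages in one place.
mail.*                                  /var/log/maillog
cron.*                                  /var/log/cron
local0.notice;local0.debug;mail.*;mail.none;mail.info;local0.info /var/log/maillog
local0.notice;local0.debug;mail.*;mail.none;mail.info;local0.info   /var/log/maillog
"""

def parse_rules(text):
    """Yield (line_no, selectors, target) for every active rule line."""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or commented-out rule
        parts = line.split(None, 1)  # selectors, whitespace, action
        if len(parts) == 2:
            # A leading "-" only disables syncing; the target file is the same.
            yield no, parts[0], parts[1].strip().lstrip("-")

def check_duplicates(text):
    """Return (errors, warnings).

    errors:   {(selectors, target): [line numbers]} for identical rules.
    warnings: {target: [line numbers]} where differing selectors share a target.
    """
    same_rule = defaultdict(list)
    same_target = defaultdict(list)
    selectors_for = defaultdict(set)
    for no, selectors, target in parse_rules(text):
        same_rule[(selectors, target)].append(no)
        same_target[target].append(no)
        selectors_for[target].add(selectors)
    errors = {k: v for k, v in same_rule.items() if len(v) > 1}
    warnings = {t: same_target[t] for t in same_target if len(selectors_for[t]) > 1}
    return errors, warnings

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    errors, warnings = check_duplicates(text)
    for (selectors, target), lines in errors.items():
        print(f"ERROR: identical rule for {target} on lines {lines}")
    for target, lines in warnings.items():
        print(f"WARNING: several rules write to {target} (lines {lines})")
    sys.exit(1 if errors else 0)
```

Selector order is compared as written, because the order of entries such as `mail.*;mail.none` changes what a rule matches.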
     