csf & modsec2: identify user login of webmail

Discussion in 'Security' started by upsforum, Nov 29, 2013.

  1. upsforum

    upsforum Well-Known Member

    With csf and modsec logs I can see what action type generated this IP blocking, but is it possible to see which user used the webmail login with this IP?
     
  2. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    CSF should be alerting you by email when it blocks an IP. Your question is unclear.
     
  3. upsforum

    upsforum Well-Known Member

    For example, if a user tries to log in with myemail@domain.com on the webmail login form and gets it wrong ten times, csf blocks their IP. Is it possible to see that it is user myemail that made the mistake?
     
  4. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    You should see the IP that's been blocked. And you know the email account that the IP attempted to log in to. What else are you looking for?
     
  5. quizknows

    quizknows Well-Known Member

    If I read this right, I think he's wondering if you can see what e-mail address a blocked IP was trying to log in to.

    First off, modsec isn't going to parse cPanel access logs, where webmail access is logged.

    If you want to see what e-mail address an IP was trying to log into, check the cPanel access log. Say the blocked IP is 123.123.123.123; then you would run this at a root shell:

    Code:
    grep -wF '123.123.123.123' /usr/local/cpanel/logs/access_log
    
    The information could also be logged in /var/log/maillog since I think the webmail apps try to use an imap type login, and failed imap/pop logins are usually in maillog. You could check with something like:

    Code:
    grep -wF '123.123.123.123' /var/log/maillog
    
    I hope this helps.
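
Added example, not part of quizknows' post: a shell helper that turns the maillog check above into a per-mailbox count of failed-login lines for one blocked IP. It assumes Dovecot-style lines containing "auth failed", `user=<...>` and `rip=<client IP>`; the function names and every sample log line are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Assumption: Dovecot-style maillog lines
# with "auth failed", user=<mailbox> and rip=<client IP>.

# users_for_ip IP [LOGFILE] -> "<failed lines> <mailbox>", most failures first
users_for_ip() {
    awk -v ip="$1" '
        /auth failed/ {
            user = ""; rip = ""
            for (i = 1; i <= NF; i++) {
                f = $i; sub(/,$/, "", f)              # drop the trailing comma
                if (f ~ /^user=</) { user = substr(f, 7); sub(/>$/, "", user) }
                if (f ~ /^rip=/)   { rip = substr(f, 5) }
            }
            # Exact string comparison: the dots are literal and
            # 123.123.123.12 does not match 123.123.123.123.
            if (rip == ip && user != "") print user
        }' "${2:-/var/log/maillog}" | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Constructed sample log so the example runs offline.
write_sample_log() {
    cat > "$1" <<'EOF'
Nov 29 10:01:02 host dovecot: imap-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<myemail@domain.com>, method=PLAIN, rip=123.123.123.123, lip=192.0.2.10, TLS
Nov 29 10:01:09 host dovecot: imap-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<myemail@domain.com>, method=PLAIN, rip=123.123.123.123, lip=192.0.2.10, TLS
Nov 29 10:01:15 host dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<myemail@domain.com>, method=PLAIN, rip=123.123.123.123, lip=192.0.2.10
Nov 29 10:02:40 host dovecot: imap-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<info@domain.com>, method=PLAIN, rip=123.123.123.123, lip=192.0.2.10, TLS
Nov 29 10:03:11 host dovecot: imap-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<other@domain.com>, method=PLAIN, rip=123.123.123.12, lip=192.0.2.10, TLS
Nov 29 10:05:00 host dovecot: imap-login: Login: user=<boss@domain.com>, method=PLAIN, rip=123.123.123.123, lip=192.0.2.10, TLS
EOF
}

sample=$(mktemp)
write_sample_log "$sample"
users_for_ip 123.123.123.123 "$sample"
```

On a live server, call `users_for_ip <blocked IP>` with no second argument to read /var/log/maillog. The successful login from the same IP is deliberately left out of the count.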
     
  6. upsforum

    upsforum Well-Known Member

    Thank you quizknows, I think that it is a sufficient solution ;-)
     