csf & modsec2: identify user login of webmail

upsforum

Well-Known Member
Jul 27, 2005
473
0
166
with csf and modsec logs I can see what action type generated ths ip bloking, but is possible see which user used webmail login with this ip?
 

quizknows

Well-Known Member
Oct 20, 2009
1,008
87
78
cPanel Access Level
DataCenter Provider
If I read this right, I think he's wondering if you can see what e-mail address a blocked IP was trying to log in to.

First off, modsec isn't going to parse cPanel access logs, where webmail access is logged.

If you want to see what e-mail address and IP was trying to log into, check the cPanel access log. Say the blocked ip is 123.123.123.123 then you would run this at a root shell:

Code:
grep 123.123.123.123 /usr/local/cpanel/logs/access_log
The information could also be logged in /var/log/maillog since I think the webmail apps try to use an imap type login, and failed imap/pop logins are usually in maillog. You could check with something like:

Code:
grep 123.123.123.123 /var/log/maillog
I hope this helps.