email users can't access the server from cell phones...

Discussion in 'Security' started by IISG, Nov 17, 2015.

  1. IISG

    IISG Member

    Joined:
    Nov 2, 2006
    Messages:
    9
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Hello,

    I have a strange problem where users are being blocked from email in a few cases from their desktops, but it appears to happen more from wireless carrier networks.

    I do not have user blocking enabled in cphulk, so it can be blocked from IP.
    What's not making sense is I don't see the user talking to the server, they get bad password, which we know could simply be not talking to the server. We are on a solid network and servers have had zero down time.

    When I look at cphulk history, it's not showing me that the users from that domain (since sometimes they are in the same office and IP) are failing passwords, I'm not seeing their IP blocked but yet users are 100% not communicating to the server. A few times I have reset by clicking remove blocks and remove reports to get a clean slate, but the users still can't communicate. Since this comes and goes over the week, it's tough to catch it.

    Any suggestions as to where I can look not only from a log perspective but maybe my settings may be wrong and I'm causing the problem without realizing it?

    Thanks!
     
  2. 24x7server

    24x7server Well-Known Member

    Joined:
    Apr 17, 2013
    Messages:
    1,146
    Likes Received:
    34
    Trophy Points:
    48
    Location:
    India
    cPanel Access Level:
    Root Administrator
    Are you using CSF firewall on your server? If yes, then please check your client IP in the CSF firewall and remove it if it's blocked in the server firewall.

    Check your IP in CSF
    Code:
    csf -g IP
    Remove IP from CSF deny list.
    Code:
    csf -dr IP
     
  3. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,854
    Likes Received:
    675
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
  4. IISG

    Sorry for the delay, I didn't get notified.
    I'm not running CSF since cphulk is installed by default. I'm running WHM 11.52.1 (build 3).

    I'll have to set up an account and test it to find the proper log file entries.
    The part that doesn't make sense is that it has happened in different ways. As an example, a user checks email while on wifi in their office, then turns off wifi and they get blocked, go back to wifi and all is good.
     
  5. IISG

    OK I did some testing and well, it makes less sense.
    I logged in on a wifi connection, checked email fine, then switched to cellular and instant failure.
    Got this from the logs:
    Dec 4 05:09:51 meteor dovecot: auth: Error: Cpanel::MailAuth: cphulk blocked login for user 'MyEmail@MyDomain.com' to access service 'mail' from IP '172.56.4.133'
    Dec 4 05:09:54 meteor dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 3 secs): user=<MyEmail@MyDomain.com>, method=PLAIN, rip=172.56.4.133, lip=22.137.118.13, session=<rgZGtQ8mIUisOASF>

    The email address and my server address are modified, but the failure address (T-Mobile) is not.

    I then look via iptables-save, and the email address is NOT listed.
    I then look in cphulk and it doesn't find the IP anywhere in any of the block types.

    I cleared blocks in cphulk, cleared iptables, then rebooted the box just for fun, and the first attempt was exactly the same.

    No user failed login information in cphulk.
     
  6. IISG

    Sorry, one more note: if I turn off cphulk, mail flows just fine.
    I turn it back on and at the moment it works, but am I missing something as to how cphulk blocks ip addresses?
    Does it not block via iptables?

    Thanks...
     
  7. cPanelMichael

    The output you provided suggests the email account username, and not the IP address, was blocked. You can disable "Username-based Protection" if you only want "IP-based Protection" enabled via "WHM Home >> Security Center >> cPHulk Brute Force Protection".

    Thank you.
     
  8. IISG

    I have user based protection off.
    That was the first thing I checked.

    Just for reference even if it was on, that user should NOT have been blocked on the first attempt to check mail with valid credentials.
     


  9. cPanelMichael

    Could you review /usr/local/cpanel/logs/cphulkd.log the next time this happens to see the cPHulk activity that's occurring at the same time as the failed login attempt?

    Thank you.
     
  10. IISG

    Sorry for the delay, I never got notified.

    So I tested and on the first try did get locked out just like before which makes no sense at first.

    [2015-12-15 07:41:21 -0500] info [cphulkd] 812 Login Blocked: The IP address is blacklisted. [Service]=[pop3] [Local IP Address]=[x.x.x.x] [Remote IP Address]=[172.56.26.249] [Authentication Database]=[pop3] [Username]=[jUSER@Domain.net]

    The only entries in the cphulk log for the offending IP are mine from the test.
    However, I look in history with no luck, I do see blocked IPs showing:
    172.56.0.0-172.56.255.255

    That's a HUGE block of IPs to be blocked, why such a broad stroke?
    Also, when I search for IPs in the 172.56.x.x I do see from the beginning of December to now 692 entries in cphulk.log

    Given that there are literally millions of T-Mobile users, I can see it happening but we have a small amount of users and yes, I'm sure some of them are putting in bad passwords but short of whitelisting all of T-Mobile's IPs, what can I do?

    Thanks!
     
  11. cPanelMichael

    This is not configured by default. Have you considered removing that range of IP addresses from the blacklist?

    Thank you.
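
Added example, not part of any post in this thread and not cPanel code: a Python sketch that maps "Login Blocked" lines in the cphulkd.log format quoted above to the blacklist entry that covers the remote IP, and reports how many addresses that entry spans. The sample log (beyond the two IPs quoted in the thread), the `BLACKLIST` contents and all function names are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the cphulkd.log format quoted in the thread.
SAMPLE_LOG = """\
[2015-12-15 07:41:21 -0500] info [cphulkd] 812 Login Blocked: The IP address is blacklisted. [Service]=[pop3] [Local IP Address]=[x.x.x.x] [Remote IP Address]=[172.56.26.249] [Authentication Database]=[pop3] [Username]=[jUSER@Domain.net]
[2015-12-15 07:45:02 -0500] info [cphulkd] 812 Login Blocked: The IP address is blacklisted. [Service]=[imap] [Local IP Address]=[x.x.x.x] [Remote IP Address]=[172.56.4.133] [Authentication Database]=[imap] [Username]=[other@Domain.net]
[2015-12-15 07:50:10 -0500] info [cphulkd] 812 Login Blocked: The IP address is blacklisted. [Service]=[pop3] [Local IP Address]=[x.x.x.x] [Remote IP Address]=[198.51.100.7] [Authentication Database]=[pop3] [Username]=[jUSER@Domain.net]
"""
# Blacklist entries as an admin might copy them out of cPHulk (formats assumed).
BLACKLIST = ["172.56.0.0-172.56.255.255", "203.0.113.9"]
REASON_RE = re.compile(r"Login Blocked: (.*?) \[Service\]")
FIELD_RE = re.compile(r"\[([^\]=]+)\]=\[([^\]]*)\]")

def entry_bounds(entry):
    """Return (first, last) address for an 'a-b' range, a CIDR, or a single IP."""
    if "-" in entry:
        return tuple(ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
    net = ipaddress.ip_network(entry.strip(), strict=False)
    return net[0], net[-1]

def covering_entry(ip, blacklist):
    """Return (entry, address_count) for the first entry containing ip, else (None, 0)."""
    addr = ipaddress.ip_address(ip)
    for entry in blacklist:
        first, last = entry_bounds(entry)
        if first.version == addr.version and first <= addr <= last:
            return entry, int(last) - int(first) + 1
    return None, 0

def blocked_logins(log_text):
    """Yield (reason, remote_ip, username) for each 'Login Blocked' line."""
    for line in log_text.splitlines():
        m = REASON_RE.search(line)
        fields = dict(FIELD_RE.findall(line))
        if m and "Remote IP Address" in fields:
            yield m.group(1), fields["Remote IP Address"], fields.get("Username")

def summarize(log_text, blacklist):
    """Count blocked logins per covering entry; (None, 0) means no entry matched."""
    hits = Counter()
    for _reason, ip, _user in blocked_logins(log_text):
        hits[covering_entry(ip, blacklist)] += 1
    return dict(hits)

if __name__ == "__main__":
    for (entry, size), n in summarize(SAMPLE_LOG, BLACKLIST).items():
        print(f"{n} blocked login(s) <- {entry or 'no matching entry'} ({size} addresses)")
```

An entry that spans tens of thousands of addresses and accounts for most blocked logins, as the 172.56.0.0-172.56.255.255 range does here, is the one to review first.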
     