
Every morning at 4:44am I get failed pop3 logins reported. But they are not password problems.

Discussion in 'Security' started by jasgot, Oct 15, 2013.

  1. jasgot

    jasgot Well-Known Member

    Joined:
    Mar 2, 2004
    Messages:
    55
    Likes Received:
    1
    Trophy Points:
    6
    I think it happens during a software upgrade. LFD reports auth failed for those users trying to get pop3 mail at that time. It is within a few seconds of the same time every day. It only happens to the people checking mail during that minute or two at 4:44am.

    Here is the error report:
    Subject: lfd: blocked x.x.x.x
    Time: Tue Oct 1 04:44:50 2013 -0400
    IP: x.x.x.x
    Failures: 5 (pop3d)
    Interval: 300 seconds
    Blocked: Yes

    Log entries:

    Oct 1 04:44:34 sabrina dovecot: pop3-login: Disconnected: Inactivity (auth failed, 1 attempts): user=<user1@domain.com>, method=PLAIN, rip=client.ip.add.ress, lip=host.ip.add.ress
    Oct 1 04:44:34 sabrina dovecot: pop3-login: Disconnected: Inactivity (auth failed, 1 attempts): user=<user2@domain.com>, method=PLAIN, rip=client.ip.address, lip=host.ip.add.ress
    Oct 1 04:44:34 sabrina dovecot: pop3-login: Disconnected: Inactivity (auth failed, 1 attempts): user=<user3@domain.com>, method=PLAIN, rip=client.ip.address, lip=host.ip.add.ress
    Oct 1 04:44:34 sabrina dovecot: pop3-login: Disconnected: Inactivity (auth failed, 1 attempts): user=<user4@domain.com>, method=PLAIN, rip=client.ip.address, lip=host.ip.add.ress
    Oct 1 04:44:34 sabrina dovecot: pop3-login: Disconnected: Inactivity (auth failed, 1 attempts): user=<user5@domain.com>, method=PLAIN, rip=client.ip.address, lip=host.ip.add.ress

    This is what I find in cron near that time:
    0 4 * * * /usr/sbin/cxs --upgrade --quiet
    0 4 * * * /usr/local/cpanel/scripts/cpbackup
    37 4 * * * /usr/local/cpanel/scripts/upcp --cron


    Is upcp causing LFD to give erroneous reports? These same accounts check their mail 24 hours a day with no issues, but at this time every day, they are tagged as trying to log in with a bad password. So every morning I have to remove them from iptables and then they are fine until 4:44am the next day.

    I also see this just before the above error, every day.
    Time: Wed Oct 9 04:42:01 2013 -0400
    Error: Failed to detect code [dVt8TcB7JrCPoQTRBZihM6qjtxoXu] in SYSLOG_LOG [/var/log/messages]

    SYSLOG may not be running correctly on sabrina.syo.com


    Thanks so much for your insight.
    Jason
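
A triage sketch for the pattern described in the post above, added here as an example and not part of the original post or of LFD or cPanel: it groups Dovecot pop3-login auth failures by client IP and checks whether they all fall in a window after a scheduled cron job. The 15-minute window, the `maintenance_suspect` heuristic, the function names and the documentation-range IPs in the sample log are assumptions.

```python
import re
from collections import defaultdict
from datetime import timedelta
# Cron entries quoted in the post.
CRONTAB = """\
0 4 * * * /usr/sbin/cxs --upgrade --quiet
0 4 * * * /usr/local/cpanel/scripts/cpbackup
37 4 * * * /usr/local/cpanel/scripts/upcp --cron
"""
# Constructed sample modelled on the post's excerpt (documentation-range IPs).
_L = ("Oct 1 04:44:34 sabrina dovecot: pop3-login: Disconnected: Inactivity "
      "(auth failed, 1 attempts): user=<user%d@domain.com>, method=PLAIN, "
      "rip=192.0.2.10, lip=198.51.100.5\n")
SAMPLE_LOG = "".join(_L % i for i in range(1, 6)) + (
    "Oct 1 13:02:11 sabrina dovecot: pop3-login: Aborted login "
    "(auth failed, 3 attempts): user=<admin@domain.com>, method=PLAIN, "
    "rip=203.0.113.7, lip=198.51.100.5\n")

FAIL_RE = re.compile(
    r"^\w{3}\s+\d+\s+(\d\d):(\d\d):(\d\d) \S+ dovecot: pop3-login: .*"
    r"auth failed, (\d+) attempts.*user=<([^>]*)>.*rip=([^,\s]+)")

def cron_windows(crontab, minutes=15):
    """Daily (start, end, command) windows for fixed-time cron entries."""
    windows = []
    for line in crontab.splitlines():
        f = line.split(None, 5)
        if len(f) == 6 and f[0].isdigit() and f[1].isdigit():
            start = timedelta(hours=int(f[1]), minutes=int(f[0]))
            windows.append((start, start + timedelta(minutes=minutes), f[5]))
    return windows

def triage(log, crontab, minutes=15):
    """Per client IP: failure count, distinct users, overlapping cron jobs."""
    windows, by_ip = cron_windows(crontab, minutes), defaultdict(list)
    for line in log.splitlines():
        m = FAIL_RE.match(line)
        if m:
            h, mi, s = map(int, m.group(1, 2, 3))
            tod = timedelta(hours=h, minutes=mi, seconds=s)  # time of day
            by_ip[m.group(6)].append((tod, m.group(5), int(m.group(4))))
    report = {}
    for ip, ev in by_ip.items():
        jobs = sorted({c for t, _, _ in ev for a, b, c in windows if a <= t < b})
        inside = all(any(a <= t < b for a, b, _ in windows) for t, _, _ in ev)
        # Assumed heuristic: all failures inside a cron window, one attempt each.
        report[ip] = {"failures": len(ev), "users": len({u for _, u, _ in ev}),
                      "jobs": jobs, "maintenance_suspect": inside and max(n for _, _, n in ev) == 1}
    return report
```

An IP flagged `maintenance_suspect` is a candidate for review before unblocking, not proof of a false positive; the same check run over several days shows whether the failures recur only inside the same job's window.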
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,786
    Likes Received:
    665
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    It's important to note that LFD is a third-party application. You may want to report this issue directly on their support forums so they are aware of this potential issue with their product. As for the POP3 errors, are they all occurring under the same IP address? If so, you may want to try increasing the following setting under "WHM Home » Service Configuration » Mailserver Configuration":

    "Maximum POP3 Connections per IP"

    Thank you.
     
  3. jasgot

    jasgot Well-Known Member

    Michael,
    Thanks for your interest. I think you misconstrued the problem. LFD only reports the failed login attempts; it does not cause them. LFD only reads the cPanel error logs. Also, ConfigServer has already been approached with this problem and they have demonstrated that it is not an LFD issue.

    The problem is not the number of logins, it is an authentication failure.
    Changing the number of pop3 logins per IP will not solve the authentication problem.

    The problem is that if a user tries to check mail during the upcp update, the pop3 auth fails even with the correct account credentials.




     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    I recommend opening a support ticket so we can attempt to reproduce this issue on your system. You can open a support ticket via:

    Submit A Ticket

    You can post the ticket number here so we can update this thread with the outcome.

    Thank you.
     
  5. jasgot

    jasgot Well-Known Member

    Your Request id is: 4379639.
     
  6. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Per the ticket, it looks like this may have been an isolated issue. We were unable to reproduce the issue at the referenced time.
     
  7. sneader

    sneader Well-Known Member

    Joined:
    Aug 21, 2003
    Messages:
    1,126
    Likes Received:
    21
    Trophy Points:
    38
    Location:
    La Crosse, WI
    cPanel Access Level:
    Root Administrator
    I apologize in advance for jumping on a thread that is over a year old, but I am having the EXACT same problem on multiple servers. I have a ticket opened on this, Ticket #7094033.

    @jasgot, did you ever resolve this?

    - Scott
     
  8. sneader

    sneader Well-Known Member

    I received a very enlightening reply to my ticket and I will share it here, in case it helps someone else with this same problem (auth failed problems during upcp).

    I did some reading on prelink and I do see how it might have some advantages... but if cPanel does not recommend that it be used, and it's causing customers problems... my gut says to remove it.

    - Scott
     
  9. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    I am happy to see you were able to receive an answer to your question. Thank you for taking the time to update this thread with the response.
     