Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!

Failed Dovecot Logins

Discussion in 'E-mail Discussion' started by keat63, Jun 28, 2017.

Tags:
  1. keat63

    keat63 Well-Known Member

    Joined:
    Nov 20, 2014
    Messages:
    1,204
    Likes Received:
    74
    Trophy Points:
    28
    cPanel Access Level:
    Root Administrator
    My users don't use webmail, and all have static configured office PC's, so have no requirement to know thier own email password, for this reason I'm utilising CSF, where I have IMAP, SMTP or POP3 login failure configured for 1 strike and your'e blocked.

    This works, and i see IP's being blocked daily.

    However, occasionally, I see CPHULK protecting me against failed Dovecot logins.
    This is configured for 4 strikes and your'e out.

    Can anyone explain why Dovecot is not being triggered by CSF but pop3, SMPT and IMAP are.
     
    #1 keat63, Jun 28, 2017
  2. cPanelMichael

    cPanelMichael Technical Support Community Manager Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    46,968
    Likes Received:
    2,119
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Twitter:
    Hello,

    Could you provide some more details about the specific cPHulk log entry in-question? POP3 and IMAP are both handled with Dovecot.

    Thank you.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #2 cPanelMichael, Jun 28, 2017
  3. keat63

    keat63 Well-Known Member

    Joined:
    Nov 20, 2014
    Messages:
    1,204
    Likes Received:
    74
    Trophy Points:
    28
    cPanel Access Level:
    Root Administrator
    Here is one from last night.

    Code:
    Brute Force attempt against “backuppc@www.mydoamin.uk”.

A device at the “xxx.xxx.xx.xxx” IP address has made a large number of invalid login attempts against the account “backuppc@www.mydomain.uk”. This brute force attempt has exceeded the maximum number of failed login attempts that the system allows. For security purposes, the system has temporarily blocked this IP address in order to prevent further attempts.

Service:

dovecot

Local IP Address:

xxx.xxx.xxx.xxx

Local Port:

110

Remote IP Address:

xxx.xxx.xxx.xxx

Remote Port:

38072

Authentication Database:

mail

Username:

backuppc@www.mydomain.uk

Number of authentication failures:

4
     
    #3 keat63, Jun 29, 2017
    Last edited: Jun 29, 2017
  4. keat63

    keat63 Well-Known Member

    Joined:
    Nov 20, 2014
    Messages:
    1,204
    Likes Received:
    74
    Trophy Points:
    28
    cPanel Access Level:
    Root Administrator
    CPHULK Screen Shot
     

    Attached Files:

    #4 keat63, Jun 29, 2017
  5. cPanelMichael

    cPanelMichael Technical Support Community Manager Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    46,968
    Likes Received:
    2,119
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Twitter:
    Hello,

    Port 110 is utilized for POP3 connections. Do you see any corresponding entries for the offending IP address in /var/log/maillog?

    Thank you.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #5 cPanelMichael, Jun 29, 2017
  6. keat63

    keat63 Well-Known Member

    Joined:
    Nov 20, 2014
    Messages:
    1,204
    Likes Received:
    74
    Trophy Points:
    28
    cPanel Access Level:
    Root Administrator
    I think I may have figured this out.

    CPHULK is configured to check for failed logins over a set period, and CSF was configured for 2 strikes on POP3, not 1.

    If the hacker had a failed login, then went away for a while, CSF wouldn't pick him up.
    If he came back for another attempt, again CSF wouldn't detect him.
    He could do this 4 times before CPHulk picked him up.
     
    #6 keat63, Jun 30, 2017
  7. CrazyforLinux

    CrazyforLinux Registered

    Joined:
    Jun 6, 2017
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Ahmedabad
    cPanel Access Level:
    Root Administrator
    Hello Keat,

    For your information, CPHULK is used for brute-force detection and failed login blocking and CSF is prepared with advanced options. The CSF will automatically detects DOS Attacks, DDOS Attacks as well as Brute-force detection and failed login attempts.
     
    #7 CrazyforLinux, Jun 30, 2017
(You must log in or sign up to post here.)
Loading...
Similar Threads - Failed Dovecot Logins
  1. attroll

    dovecot_plain authenticator failed

    attroll, Jan 28, 2019, in forum: E-mail Discussion
    Replies:
    2
    Views:
    406
    cPanelLauren
    Jan 30, 2019
  2. KuTtY

    New Thread The system failed to connect to the PostgreSQL database error

    KuTtY, May 17, 2019 at 11:14 PM, in forum: General Discussion
    Replies:
    0
    Views:
    48
    KuTtY
    May 17, 2019 at 11:14 PM
  3. Luana Premoli

    Failed to determine postgresql data directory

    Luana Premoli, May 16, 2019 at 7:41 AM, in forum: Database Discussion
    Replies:
    3
    Views:
    72
    cPanelMichael
    May 17, 2019 at 4:50 PM
  4. Baune

    Connection Error Failed to reach the server

    Baune, May 15, 2019 at 1:36 PM, in forum: E-mail Discussion
    Replies:
    1
    Views:
    196
    cPanelMichael
    May 16, 2019 at 4:56 PM
  5. Aicmad

    SMTP Error (550): Failed to add recipient

    Aicmad, May 9, 2019, in forum: E-mail Discussion
    Replies:
    4
    Views:
    277
    cPanelLauren
    May 13, 2019 at 9:53 AM

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...
    Dismiss Notice