High Server Load from checkpassword-reply

morrisj88

Hello All,

I keep getting high server load, and when I do top -c I see lots of /usr/local/cpanel/bin/dovecot-wrap /usr/libexec/dovecot/checkpassword-reply

Sometimes as much as over processes of /usr/local/cpanel/bin/dovecot-wrap /usr/libexec/dovecot/checkpassword-reply

What is causing this and how can I stop it?
 

morrisj88

I already have CSF+LFD installed but I am still getting lots of /usr/local/cpanel/bin/dovecot-wrap /usr/libexec/dovecot/checkpassword-reply.

What settings do I need to adjust?
 

SB-Nick

Make sure LFD is up and running. LF settings to check are,

LF_SMTPAUTH
LF_DISTATTACK
LF_DISTSMTP
LF_DISTSMTP_UNIQ
LF_DISTSMTP_PERM
LF_SMTPAUTH
LF_SMTPAUTH_PERM
LF_IMAPD
LF_IMAPD_PERM
LF_POP3D
LF_POP3D_PERM
 

SysSachin

Hello,

First you have to check the connections on the server using the netstat command. If there are too many connections from particular IPs then you have to block those IPs.

Also, you may need to consult with a qualified system administrator or your data center to check this, as CSF is helpful, but it won't always prevent any and all attacks.
 

cPanelMichael

Administrator
Staff member
Hello,

The following command is helpful if you want to track the number of login attempts on the Dovecot service:

Code:
grep 'Login: user' /var/log/maillog | awk '{print "("$1" "$2")"}' | uniq -c
An excessive number of login attempts typically suggests a brute force attack, and the solutions offered in the previous posts should help.

Note that internal case CPANEL-11098 is open to report occurrences where a high load is generated from /usr/libexec/dovecot/checkpassword-reply when a server is under a brute force attack. I'll update this thread with more information on the status of this case as it becomes available; however, the recommended solution at this point is to block the brute force attack itself.

Thank you.
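
The following is an added example, not part of any post in this thread: it goes one step beyond the grep above by counting Dovecot's "auth failed" lines per remote IP (the rip= field), so the sources of a brute force attempt stand out. The function names, sample log lines and IPs are constructed for illustration, and the log format assumed is Dovecot's default login logging.

```shell
#!/usr/bin/env bash
# Added example: count Dovecot authentication-failure log lines per remote IP.

# Constructed sample lines in Dovecot's maillog format (documentation IP ranges).
sample_maillog() {
cat <<'EOF'
Feb  7 10:15:01 host dovecot: imap-login: Login: user=<alice@example.com>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.10, mpid=4101, TLS, session=<a1>
Feb  7 10:15:03 host dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<info@example.com>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10, session=<b1>
Feb  7 10:15:04 host dovecot: imap-login: Disconnected (auth failed, 2 attempts in 4 secs): user=<admin@example.com>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10, session=<b2>
Feb  7 10:15:06 host dovecot: imap-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<rip=192.0.2.99>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10, session=<b3>
Feb  7 10:16:10 host dovecot: imap-login: Disconnected (auth failed, 1 attempts in 3 secs): user=<bob@example.com>, method=LOGIN, rip=198.51.100.23, lip=192.0.2.10, TLS, session=<c1>
EOF
}

# failed_by_ip: reads a maillog on stdin, prints "COUNT IP", highest count first.
# COUNT is the number of failure log lines, not the "N attempts" inside them.
failed_by_ip() {
    # ^[^<]* keeps the match in the server-written prefix, before the
    # client-supplied user=<...> field, so a username cannot fake a failure.
    grep -E '^[^<]*-login: [^<]*\(auth failed' \
      | sed -n 's/.*rip=\([0-9a-fA-F.:]*\).*/\1/p' \
      | sort | uniq -c | sort -rn \
      | awk '{print $1, $2}'
    # The greedy .* in sed selects the LAST rip= on the line, which is the one
    # Dovecot wrote, even if the username itself contains "rip=".
}

# offenders MIN: reads a maillog on stdin, prints IPs with at least MIN failure lines.
offenders() {
    failed_by_ip | awk -v min="$1" '$1 >= min {print $2}'
}

# Run against the constructed sample.
sample_maillog | failed_by_ip
```

On a server, run `failed_by_ip < /var/log/maillog` instead of the sample; the IPs it reports are the ones the LF_* triggers listed earlier in the thread are meant to block.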