The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

High Server Load from checkpassword-reply

Discussion in 'General Discussion' started by morrisj88, Feb 7, 2017.

Tags:
  1. morrisj88

    morrisj88 Registered

    Joined:
    Feb 7, 2017
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Lagos
    cPanel Access Level:
    Root Administrator
    Hello All,

    I keep getting high server load and when i do top -c i see lots of /usr/local/cpanel/bin/dovecot-wrap /usr/libexec/dovecot/checkpassword-reply

    Sometimes as much as over processes of /usr/local/cpanel/bin/dovecot-wrap /usr/libexec/dovecot/checkpassword-reply

    What is causing this and how can i stop it.
     
  2. SB-Nick

    SB-Nick Well-Known Member

    Joined:
    Aug 26, 2008
    Messages:
    172
    Likes Received:
    8
    Trophy Points:
    68
    cPanel Access Level:
    Root Administrator
    It seems you are being attacked, I would recommend installing CSF+LFD and configure the LF_ settings to try to mitigate the attack, you can download CSF by using the following link,

    ConfigServer Security & Firewall (csf)
     
  3. morrisj88

    morrisj88 Registered

    Joined:
    Feb 7, 2017
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Lagos
    cPanel Access Level:
    Root Administrator
    I already have CSF+LFD installed but i am still still getting lots of /usr/local/cpanel/bin/dovecot-wrap /usr/libexec/dovecot/checkpassword-reply.

    What settings do i need to adjust
     
  4. SB-Nick

    SB-Nick Well-Known Member

    Joined:
    Aug 26, 2008
    Messages:
    172
    Likes Received:
    8
    Trophy Points:
    68
    cPanel Access Level:
    Root Administrator
    Make sure LFD is up and running. LF settings to check are,

    LF_SMTPAUTH
    LF_DISTATTACK
    LF_DISTSMTP
    LF_DISTSMTP_UNIQ
    LF_DISTSMTP_PERM
    LF_SMTPAUTH
    LF_SMTPAUTH_PERM
    LF_IMAPD
    LF_IMAPD_PERM
    LF_POP3D
    LF_POP3D_PERM
     
  5. SysSachin

    SysSachin Well-Known Member

    Joined:
    Aug 23, 2015
    Messages:
    542
    Likes Received:
    39
    Trophy Points:
    28
    Location:
    India
    cPanel Access Level:
    Root Administrator
    Twitter:
    Hello,

    First you have to check connection on the server using netstat command. If there is too many connection from particulars IPs then you have to blocked those IP.

    Also, You may need to consult with a qualified system administrator or your data center to check this as CSF is helpful, but it won't always prevent any and all attacks.
     
  6. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    37,064
    Likes Received:
    1,287
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    The following command is helpful if you want to track the number of login attempts on the Dovecot service:

    Code:
    grep 'Login: user' /var/log/maillog | awk '{print "("$1" "$2")"}' | uniq -c
    Excessive number of login attempts typically suggests a brute force attack, and the solutions offered in the previous posts should help.

    Note that internal case CPANEL-11098 is open report occurrences where a high load is generated from /usr/libexec/dovecot/checkpassword-reply when a server is under a brute force attack. I'll update this thread with more information on the status of this case as it becomes available, however the recommended solution at this point is to block the brute force attack itself.

    Thank you.
     
Loading...

Share This Page