IP blocked after 5 failing attempts using webmail

notuo

Member
Nov 11, 2003
21
0
151
Hi.

I have a reseller account with cPanel on a shared server.

I just got some new customers who use webmail as their primary mail client. The issue is that, as they are in a LAN with the same IP, I am getting complaints because their IP is blocked. Sometimes they are just logged out of their back-end system (even though they are not using any cPanel feature) and they are not allowed to log in again because of this block.

Is there a way to prevent this? I.e., I believe webmail is a different process from cPanel itself, even though they are attached.

I agree on the security issue and with blocking failed attempts to log in to cPanel, but webmail is for users, not technicians.

Any ideas or comments are appreciated.
 

Infopro

Well-Known Member
May 20, 2003
17,090
519
613
Pennsylvania
cPanel Access Level
Root Administrator
This is either cPHulk or CSF.
cPhulk settings: WHM > Security Center > cPHulk Brute Force Protection
CSF Readme on settings: ConfigServer Security & Firewall

You could whitelist the IP if you feel it's safe to, but I wouldn't suggest that. Instead, explain to the user why he's being blocked and ask him to be more careful going forward when logging in.

You can find out how the user is getting blocked by reviewing your logs. If you don't have access to those logs as a Reseller, you'll need to speak with your Host.

HTH!
 

notuo

Thanks for your answer. That is what I am doing now. The issue is: many customers on the same shared IP are accessing their webmail. You cannot guarantee that all of them type correctly.

The real thing is (from my point of view) why webmail has the same status as real cPanel access. I can understand entering webmail using the account name, but what about a simple user accessing his/her mail account (not the account one)?
 

notuo

They don't use any mail client, just webmail. After the block (I am still not sure how this is happening) she cannot enter any part of their website, not only cPanel or webmail.
 

notuo

Thanks again. I did this several times and they told me 5 attempts failed -> blocked IP:

-----------------
Jan 10 10:07:30 viper lfd[7227]: (cpanel) Failed cPanel login from 201.124.155.XXX (MX/Mexico/dsl-201-124-155-XXX-dyn.prod-infinitum.com.mx): 5 in the last 300 secs - *Blocked in csf* [LF_CPANEL]
-----------------
Please use correct domain password in future.
They also believed it was a direct cPanel access, not webmail.

My last question: Is there another way I can access Horde webmail in order to prevent this from happening?

Thanks in advance and I'm sorry to push this too much.
 

Infopro

Jan 10 10:07:30 viper lfd[7227]: (cpanel) Failed cPanel login from...
This was a failed cPanel login, not Webmail, as the error shows us. No one should be logging into cPanel except the account owner. Security is working as expected, I would think.

You cannot access Webmail directly in your browser; authentication goes through cPanel first.

While your Host's suggestion is brief, it really is the best answer. In my experience when a user is temporarily banned for not watching what they type in closely, they learn to watch closer next time.
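
Added example (not part of the thread, and not cPanel or ConfigServer code): a small Python parser for lfd block lines of the shape quoted above, reporting which CSF trigger blocked each address so a cPanel-login block can be told apart from a mail-login block. The function names are hypothetical, and the second and third sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Shape of an lfd block line, taken from the log line quoted in the thread.
LFD_BLOCK = re.compile(
    r"lfd\[\d+\]: \((?P<service>[^)]+)\) (?P<reason>.+?) from (?P<ip>\S+) "
    r"\((?P<where>[^)]*)\): (?P<count>\d+) in the last (?P<window>\d+) secs "
    r"- \*Blocked in csf\* \[(?P<trigger>[A-Z0-9_]+)\]"
)

def parse_lfd_block(line):
    """Return the fields of one lfd block line, or None if it is not one."""
    m = LFD_BLOCK.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["count"] = int(rec["count"])    # failures counted
    rec["window"] = int(rec["window"])  # counting window in seconds
    return rec

def blocks_by_ip(lines):
    """Map each blocked address to the (trigger, count, window) tuples that blocked it."""
    out = defaultdict(list)
    for line in lines:
        rec = parse_lfd_block(line)
        if rec:
            out[rec["ip"]].append((rec["trigger"], rec["count"], rec["window"]))
    return dict(out)

SAMPLE_LOG = [
    # Line quoted in the thread (address masked by the poster).
    "Jan 10 10:07:30 viper lfd[7227]: (cpanel) Failed cPanel login from "
    "201.124.155.XXX (MX/Mexico/dsl-201-124-155-XXX-dyn.prod-infinitum.com.mx): "
    "5 in the last 300 secs - *Blocked in csf* [LF_CPANEL]",
    # Constructed line in the same shape, using a documentation address.
    "Jan 10 10:12:02 viper lfd[7227]: (imapd) Failed IMAP login from "
    "203.0.113.25 (-): 10 in the last 3600 secs - *Blocked in csf* [LF_IMAPD]",
    # Constructed line that is not a block and must be ignored.
    "Jan 10 10:15:00 viper lfd[7227]: daemon status check",
]

if __name__ == "__main__":
    for ip, hits in blocks_by_ip(SAMPLE_LOG).items():
        for trigger, count, window in hits:
            print(f"{ip}: {trigger} ({count} failures in {window}s)")
```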