
lfd keeps blocking one particular user

Discussion in 'Security' started by Amgeek, Apr 26, 2018.

  1. Amgeek

    Amgeek Member

    Joined:
    Nov 7, 2013
    Messages:
    21
    Likes Received:
    1
    Trophy Points:
    3
    cPanel Access Level:
    Website Owner
    I have one (and only one) client whose IP address is somewhat regularly blocked by the firewall.

    I have been able to see the log entries for a couple of incidents and they are similar.

    Time: Sun Apr 8 12:46:08 2018 -0400
    IP: 67.248.95.89 (US/United States/cpe-67-248-95-89.nycap.res.rr.com)
    Failures: 10 (pop3d)
    Interval: 3600 seconds
    Blocked: Permanent Block [LF_POP3D] (IP match in csf.allow, block may not work)

    dovecot: pop3-login: Aborted login (auth failed, 5 attempts in 22 secs): user=<removed@removed.com>, method=PLAIN, rip=67.248.95.89, lip=163.182.174.140, TLS, session=<MElLZVhpzshD+F9Z>


    Any idea what this means and how I should advise my client?
     
  2. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    16,134
    Likes Received:
    365
    Trophy Points:
    583
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Guessing, he's trying to log in with an incorrect password and CSF is blocking him. You might ask him to reset his email password and make sure all of his devices are using that new password before attempting to connect to email.
     
  3. cPanelLauren

    cPanelLauren Forums Analyst
    Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    906
    Likes Received:
    65
    Trophy Points:
    103
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    As @Infopro stated he's more than likely using an incorrect password, probably something added to a mail client. You could whitelist his IP address within CSF as well to keep this from occurring.

    Thanks!
     
  4. Amgeek

    Amgeek Member

    Joined:
    Nov 7, 2013
    Messages:
    21
    Likes Received:
    1
    Trophy Points:
    3
    cPanel Access Level:
    Website Owner
    Thanks for the reply.


    That is what I thought, at first. I have asked him about it and he claims no knowledge of it, especially at the times specified in the reports. I know this man; he is not a techie in the least and I am sure he is not manually doing anything. The reports/logs I have seen (about a half dozen) all show multiple tries, about 5 tries in 22 seconds, every 5 minutes, for about 45 minutes.

    I do let him in by unblocking his IP from the firewall and that is good until the next "attack" days or weeks later.

    I am afraid that his computer (Mac) is infected and am afraid he will infect or damage the server.
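    The pattern described in this post (a single user, a fixed number of failures per burst, bursts spaced a few minutes apart) is exactly what a triage script can check for before anyone touches csf.allow. The following is an added example, not code from the thread or from cPanel/CSF: it parses dovecot "Aborted login" lines, groups them by remote IP, applies the same counting rule the lfd alert above shows (10 failures within a 3600-second interval) as a sliding window, and gives a heuristic verdict. A steady polling cadence from one user looks like a mail client retrying a stale password; many different users from one IP looks like password guessing and should stay blocked. The sample log lines are constructed; the IP, lip and user placeholder for the client are the ones shown in the thread, and 203.0.113.7 is a documentation address standing in for a hypothetical second source.

```python
"""Triage dovecot POP3/IMAP login failures the way lfd counts them.

Added example (not from the forum thread or from CSF itself). The sample
log lines are constructed; only their shape mirrors the thread's excerpt.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# One dovecot "Aborted login" line per burst: N attempts within M seconds.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ dovecot: "
    r"(?P<svc>\w+)-login: Aborted login \(auth failed, (?P<n>\d+) attempts "
    r"in (?P<secs>\d+) secs\): user=<(?P<user>[^>]*)>.*?\brip=(?P<rip>[\d.]+)"
)

# Constructed sample: the client's IP polling every ~5 minutes with one
# mailbox, plus a hypothetical second IP trying three different mailboxes.
SAMPLE_LOG = """\
Apr  8 12:21:08 host dovecot: pop3-login: Aborted login (auth failed, 5 attempts in 22 secs): user=<removed@removed.com>, method=PLAIN, rip=67.248.95.89, lip=163.182.174.140, TLS, session=<s1>
Apr  8 12:26:09 host dovecot: pop3-login: Aborted login (auth failed, 5 attempts in 21 secs): user=<removed@removed.com>, method=PLAIN, rip=67.248.95.89, lip=163.182.174.140, TLS, session=<s2>
Apr  8 12:31:07 host dovecot: pop3-login: Aborted login (auth failed, 5 attempts in 23 secs): user=<removed@removed.com>, method=PLAIN, rip=67.248.95.89, lip=163.182.174.140, TLS, session=<s3>
Apr  8 12:36:08 host dovecot: pop3-login: Aborted login (auth failed, 5 attempts in 22 secs): user=<removed@removed.com>, method=PLAIN, rip=67.248.95.89, lip=163.182.174.140, TLS, session=<s4>
Apr  8 13:00:01 host dovecot: pop3-login: Aborted login (auth failed, 3 attempts in 10 secs): user=<admin@removed.com>, method=PLAIN, rip=203.0.113.7, lip=163.182.174.140, TLS, session=<s5>
Apr  8 13:00:20 host dovecot: pop3-login: Aborted login (auth failed, 3 attempts in 9 secs): user=<info@removed.com>, method=PLAIN, rip=203.0.113.7, lip=163.182.174.140, TLS, session=<s6>
Apr  8 13:00:41 host dovecot: pop3-login: Aborted login (auth failed, 3 attempts in 11 secs): user=<sales@removed.com>, method=PLAIN, rip=203.0.113.7, lip=163.182.174.140, TLS, session=<s7>
"""


def parse_dovecot_log(text, year=2018):
    """Return one event dict per 'Aborted login' line; syslog lines carry no year."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({
            "time": ts, "service": m["svc"], "user": m["user"],
            "rip": m["rip"], "failures": int(m["n"]), "window": int(m["secs"]),
        })
    return events


def lfd_would_block(events, threshold=10, interval=3600):
    """Sliding window over failure counts, mirroring LF_POP3D / LF_INTERVAL."""
    evs = sorted(events, key=lambda e: e["time"])
    for i, first in enumerate(evs):
        total = 0
        for e in evs[i:]:
            if (e["time"] - first["time"]).total_seconds() > interval:
                break
            total += e["failures"]
            if total >= threshold:
                return True
    return False


def summarize_by_ip(events):
    """Group events by remote IP and collect users, totals and burst spacing."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["rip"]].append(e)
    summary = {}
    for rip, evs in by_ip.items():
        evs.sort(key=lambda e: e["time"])
        gaps = [(b["time"] - a["time"]).total_seconds() for a, b in zip(evs, evs[1:])]
        summary[rip] = {
            "users": sorted({e["user"] for e in evs}),
            "bursts": len(evs),
            "failures": sum(e["failures"] for e in evs),
            "gaps": gaps,
            "would_block": lfd_would_block(evs),
        }
    return summary


def classify(s):
    """Heuristic verdict for one IP's summary (thresholds are assumptions)."""
    if len(s["users"]) > 1:
        return "many users from one IP: treat as password guessing, keep the block"
    if len(s["gaps"]) >= 2:
        med = statistics.median(s["gaps"])
        steady = all(abs(g - med) <= 0.2 * med for g in s["gaps"])
        if steady and med >= 60:
            return "one user, steady polling cadence: likely a mail client with a stale password"
    return "inconclusive: check the client's devices before changing the block"


if __name__ == "__main__":
    for rip, s in summarize_by_ip(parse_dovecot_log(SAMPLE_LOG)).items():
        print(f"{rip}: {s['bursts']} bursts, {s['failures']} failures, "
              f"lfd block={s['would_block']} -> {classify(s)}")
```

    On real data, feed it the relevant lines from /var/log/maillog (the file path is the usual one on a cPanel host, but confirm it on your server) instead of SAMPLE_LOG. The "steady cadence" verdict is only a hint: a mail client that retries with a wrong password every few minutes is the benign explanation, and it still means the credential on that device must be corrected before the IP is unblocked, or the block will simply recur.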
     
  5. cPanelLauren

    cPanelLauren Forums Analyst
    Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    906
    Likes Received:
    65
    Trophy Points:
    103
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    Hi @Amgeek

    It sounds like it's a mail client (on his local machine or mobile device), especially when it's multiple attempts within a short period of time (like seconds or minutes). He may not even know that he's got the mail client configured. If you're concerned about his Mac being infected, there's not a lot cPanel can control in that aspect; I'd ensure that he runs a malware scan on the Mac and, if that comes back clean, whitelist his IP in CSF so you don't have to keep going through and unblocking him.


    Thank you!
     
  6. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    16,134
    Likes Received:
    365
    Trophy Points:
    583
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    I would never whitelist a user's IP address on my server, ever. No need to. If he's being blocked over and over, he is probably using an incorrect username or password on one of his devices. You might ask him if he's connecting with his cell phone, aside from his Mac.

    I'd ask him to turn off his email client and you remove his IP from the blocked list. Ask him to log in to his cPanel and change his email password. He'll need to update that new password in his email client and mobile device, if he has one, and may get blocked doing so.

    Have him finish updating his email account login details in all his devices, and then unblock him one more time.
     