lfd keeps blocking one particular user

Amgeek

Member
Nov 7, 2013
cPanel Access Level
Website Owner
I have one (and only one) client whose IP address is somewhat regularly blocked by the firewall.

I have been able to see the log entries for a couple of incidents and they are similar.

Time: Sun Apr 8 12:46:08 2018 -0400
IP: 67.248.95.89 (US/United States/cpe-67-248-95-89.nycap.res.rr.com)
Failures: 10 (pop3d)
Interval: 3600 seconds
Blocked: Permanent Block [LF_POP3D] (IP match in csf.allow, block may not work)

dovecot: pop3-login: Aborted login (auth failed, 5 attempts in 22 secs): user=<[email protected]removed.com>, method=PLAIN, rip=67.248.95.89, lip=163.182.174.140, TLS, session=<MElLZVhpzshD+F9Z>


Any idea what this means and how I should advise my client?
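As an added illustration (not code from the thread or from cPanel/CSF), the script below parses dovecot pop3-login "Aborted login" lines like the one quoted above, totals the failed attempts per remote IP inside the 3600-second interval, and reports which IP would reach the LF_POP3D count of 10 shown in the lfd notice. The log lines are constructed for the example, with documentation-range addresses and an example.invalid mailbox standing in for the real values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, modelled on the dovecot pop3-login entry in the post:
# one burst of 5 failed attempts roughly every 5 minutes from a single IP,
# plus one unrelated single failure from another IP.
SAMPLE_LOG = """\
Apr  8 12:01:10 host dovecot: pop3-login: Aborted login (auth failed, 5 attempts in 22 secs): user=<client@example.invalid>, method=PLAIN, rip=203.0.113.10, lip=198.51.100.5, TLS, session=<a>
Apr  8 12:06:12 host dovecot: pop3-login: Aborted login (auth failed, 5 attempts in 21 secs): user=<client@example.invalid>, method=PLAIN, rip=203.0.113.10, lip=198.51.100.5, TLS, session=<b>
Apr  8 12:11:15 host dovecot: pop3-login: Aborted login (auth failed, 5 attempts in 23 secs): user=<client@example.invalid>, method=PLAIN, rip=203.0.113.10, lip=198.51.100.5, TLS, session=<c>
Apr  8 12:30:00 host dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 3 secs): user=<other@example.invalid>, method=PLAIN, rip=198.51.100.77, lip=198.51.100.5, TLS, session=<d>
"""

# Matches the syslog timestamp, the attempt count, the mailbox and the remote IP (rip=).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ dovecot: pop3-login: Aborted login "
    r"\(auth failed, (?P<n>\d+) attempts? in \d+ secs\): user=<(?P<user>[^>]*)>.*?rip=(?P<ip>[\d.]+)"
)

def parse(log_text, year=2018):
    """Yield (timestamp, ip, user, failed_attempts) for each aborted-login line.
    The syslog format carries no year, so one is supplied (assumption: 2018 as in the post)."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], m["user"], int(m["n"])

def failures_in_window(log_text, threshold=10, window=3600):
    """Sum failed attempts per IP over a sliding window and return {ip: total}
    for every IP whose total reaches the threshold (LF_POP3D: 10 in 3600 s above)."""
    events = defaultdict(list)
    for ts, ip, _user, n in parse(log_text):
        events[ip].append((ts, n))
    hits = {}
    for ip, evs in events.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            # Count every burst that falls within `window` seconds of this starting burst.
            total = sum(n for ts, n in evs[i:] if ts - start <= timedelta(seconds=window))
            if total >= threshold:
                hits[ip] = total
                break
    return hits

if __name__ == "__main__":
    for ip, total in failures_in_window(SAMPLE_LOG).items():
        print(f"{ip}: {total} failures inside one window, would trigger LF_POP3D")
```

With bursts of 5 failures every 5 minutes, the second burst already reaches 10 within the interval, which is why a misconfigured client keeps tripping the block even though each individual burst looks small.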

cPanelLauren

Product Owner II
Staff member
Nov 14, 2017
Houston
As @Infopro stated he's more than likely using an incorrect password, probably something added to a mail client. You could whitelist his IP address within CSF as well to keep this from occurring.

Thanks!

Amgeek

Member
Nov 7, 2013
cPanel Access Level
Website Owner
Thanks for the reply.


That is what I thought, at first. I have asked him about it and he claims no knowledge of it, especially at the times specified in the reports. I know this man, he is not a techie in the least and I am sure he is not manually doing anything. The reports/logs I have seen (about a half dozen) all show multiple tries, about 5 tries in 22 seconds every 5 minutes apart for about 45 minutes.

I do let him in by unblocking his IP from the firewall and that is good until the next "attack" days or weeks later.

I am afraid that his computer (Mac) is infected and am afraid he will infect or damage the server.

cPanelLauren

Product Owner II
Staff member
Nov 14, 2017
Houston
Hi @Amgeek

It sounds like it's a mail client (on his local machine or mobile device), especially when it's multiple attempts within a short period of time (like seconds or minutes). He may not even know that he's got the mail client configured. If you're concerned about his Mac being infected, there's not a lot cPanel can control in that aspect; I'd ensure that he runs a malware scan on the Mac and, if that comes back clean, whitelist his IP in CSF so you don't have to keep going through and unblocking him.


Thank you!

Infopro

Well-Known Member
May 20, 2003
Pennsylvania
cPanel Access Level
Root Administrator
I would never whitelist a user's IP address on my server, ever. No need to. If he's being blocked over and over, he is probably using an incorrect username or password on one of his devices. You might ask him if he's connecting with his cell phone, aside from his Mac.

I'd ask him to turn off his email client and you remove his IP from blocked list. Ask him to login to his cPanel and change his email password. He'll need to update that new password in his email client and mobile device, if he has one, and may get blocked doing so.

Have him finish updating his email account login details in all his devices, and then unblock him one more time.