Which user account got IP blacklisted?

webdsn

Active Member
Mar 4, 2018
41
2
8
Taiwan
cPanel Access Level
Root Administrator
My firewall configureation have set
LF_POP3D = 10
LF_POP3D_PERM = 1

when user input wrong pw 10 times this IP will add to deny list
In deny list only have which IP with which service get block
like this

tcp|in|d=110|s=117.81.139.253 # lfd: (pop3d) Failed POP3 login from 117.81.139.253 (CN/China/253.139.81.117.broad.sz.js.dynamic.163data.com.cn): 10 in the last 3600 secs - Tue Mar 6 16:40:31 2018


But sometimes is my user type too much time wrong pw let pw in the list
I want know which account let IP in deny list

Have any way to log this record ?
 

fuzzylogic

Well-Known Member
Nov 8, 2014
154
93
78
cPanel Access Level
Root Administrator
It sounds like you want to log the user account in the deny list record comment.
I don't know how to do that.

If you just want to find out which account name was used to add an ip to the block list then do this...
Go to Home » Plugins » ConfigServer Security & Firewall
Choose "Watch System Logs"
Choose "var/log.exim_rejectlog"
Do a browser search for the blocked ip
Use Shift + F3 to progress through the authentication failures for that ip
Decide whether to remove the ip from the deny list or let it remain

FYI.
MS Outlook will make more than 10 failed authentication attempts if the client uses Outlook's Autodetect when setting up the account. (even with correct username/password)