Which user account got IP blacklisted?

webdsn

Active Member
Mar 4, 2018
Taiwan
cPanel Access Level
Root Administrator
My firewall configuration has these settings:
LF_POP3D = 10
LF_POP3D_PERM = 1

When a user inputs the wrong password 10 times, the IP is added to the deny list.
The deny list only shows which IP was blocked for which service,
like this:

tcp|in|d=110|s=117.81.139.253 # lfd: (pop3d) Failed POP3 login from 117.81.139.253 (CN/China/253.139.81.117.broad.sz.js.dynamic.163data.com.cn): 10 in the last 3600 secs - Tue Mar 6 16:40:31 2018


But sometimes it is my own user who types the wrong password too many times and ends up in the list.
I want to know which account got the IP into the deny list.

Is there any way to log this record?
 

fuzzylogic

Well-Known Member
Nov 8, 2014
cPanel Access Level
Root Administrator
It sounds like you want to log the user account in the deny list record comment.
I don't know how to do that.

If you just want to find out which account name was used to add an IP to the block list, then do this...
Go to Home » Plugins » ConfigServer Security & Firewall
Choose "Watch System Logs"
Choose "var/log.exim_rejectlog"
Do a browser search for the blocked IP
Use Shift + F3 to progress through the authentication failures for that IP
Decide whether to remove the IP from the deny list or let it remain

FYI.
MS Outlook will make more than 10 failed authentication attempts if the client uses Outlook's Autodetect when setting up the account (even with correct username/password).
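
The manual log search described in the answer above can also be scripted. This is an added example, not code from the thread or from CSF: it pulls the IP out of a deny-list entry shaped like the one quoted in the question and counts failed logins per account name for exactly that address. The Dovecot-style log layout, the sample lines and all addresses are constructed assumptions; adjust the pattern to the log your server actually writes.

```python
import re
from collections import Counter

# csf.deny entry in the shape quoted in the question (addresses are constructed).
DENY_LINE = ("tcp|in|d=110|s=203.0.113.25 # lfd: (pop3d) Failed POP3 login from "
             "203.0.113.25 (XX/Example/-): 10 in the last 3600 secs - Tue Mar 6 16:40:31 2018")

# Constructed mail log lines; the Dovecot-style layout is an assumption.
MAIL_LOG = """\
Mar  6 16:31:10 host dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice@example.com>, method=PLAIN, rip=203.0.113.25, lip=192.0.2.10
Mar  6 16:33:41 host dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 3 secs): user=<alice@example.com>, method=PLAIN, rip=203.0.113.25, lip=192.0.2.10
Mar  6 16:35:02 host dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob@example.com>, method=PLAIN, rip=203.0.113.250, lip=192.0.2.10
Mar  6 16:36:17 host dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<>, method=PLAIN, rip=203.0.113.25, lip=192.0.2.10
Mar  6 16:39:55 host dovecot: pop3-login: Login: user=<carol@example.com>, method=PLAIN, rip=203.0.113.25, lip=192.0.2.10
""".splitlines()

DENY_RE = re.compile(r"^(?:tcp|udp)\|in\|d=(\d+)\|s=(\S+)\s+#\s*lfd:\s*\((\w+)\)")
FAIL_RE = re.compile(r"auth failed.*?user=<([^>]*)>.*?\brip=([0-9A-Fa-f.:]+)")

def parse_deny_entry(line):
    """Return (ip, port, trigger) from a csf.deny line written by lfd, or None."""
    m = DENY_RE.match(line.strip())
    return (m.group(2), int(m.group(1)), m.group(3)) if m else None

def accounts_for_ip(ip, log_lines):
    """Count failed logins per account name for exactly this source IP."""
    hits = Counter()
    for line in log_lines:
        m = FAIL_RE.search(line)
        # Compare the whole address so 203.0.113.25 does not match 203.0.113.250.
        if m and m.group(2) == ip:
            hits[m.group(1) or "(no username sent)"] += 1
    return hits

if __name__ == "__main__":
    ip, port, trigger = parse_deny_entry(DENY_LINE)
    print(f"{ip} blocked on port {port} by trigger {trigger}")
    for account, count in accounts_for_ip(ip, MAIL_LOG).most_common():
        print(f"  {count:3d} failed login(s) as {account}")
```

A single account name repeated across all failures points to a legitimate user with a wrong saved password; many different names from one IP points to guessing.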