lfd keeps blocking one particular user
I have one (and only one) client whose IP address is somewhat regularly blocked by the firewall.
I have been able to see the log entries for a couple of incidents and they are similar.
Time: Sun Apr 8 12:46:08 2018 -0400
IP: 67.248.95.89 (US/United States/cpe-67-248-95-89.nycap.res.rr.com)
Failures: 10 (pop3d)
Interval: 3600 seconds
Blocked: Permanent Block [LF_POP3D] (IP match in csf.allow, block may not work)
dovecot: pop3-login: Aborted login (auth failed, 5 attempts in 22 secs): user=, method=PLAIN, rip=67.248.95.89, lip=163.182.174.140, TLS, session=
Any idea what this means and how I should advise my client?
Guessing, he's trying to log in with an incorrect password and CSF is blocking him. You might ask him to reset his email password and make sure all of his devices are using that new password before attempting to connect to email.
As @Infopro stated, he's more than likely using an incorrect password, probably something added to a mail client. You could whitelist his IP address within CSF as well to keep this from occurring. Thanks!
Thanks for the reply. That is what I thought at first. I have asked him about it and he claims no knowledge of it, especially at the times specified in the reports. I know this man; he is not a techie in the least, and I am sure he is not manually doing anything. The reports/logs I have seen (about a half dozen) all show multiple tries, about 5 tries in 22 seconds, every 5 minutes apart for about 45 minutes. I do let him in by unblocking his IP from the firewall, and that is good until the next "attack" days or weeks later. I am afraid that his computer (Mac) is infected and am afraid he will infect or damage the server.
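The block report quoted at the top of the thread states the rule lfd applied (10 pop3d failures within a 3600-second interval), and the post above describes the client's pattern (5 attempts in 22 seconds, repeated every 5 minutes for about 45 minutes). The script below is an added example, not code from cPanel, CSF/lfd or any poster, that replays constructed dovecot log lines through that counting rule so you can see where in such a run the threshold is crossed, and how many attempts the client's software made in total. Assumptions not on the page: the maillog lines carry a syslog "Mon DD HH:MM:SS host" prefix, the year is 2018 (syslog omits it), the IP addresses are documentation ranges, and each "N attempts" line is counted as N failures (lfd's own accounting lives in its regex.pm; check your version before quoting a number to the client).

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Values shown in the lfd block report quoted in the thread.
LF_INTERVAL = 3600   # "Interval: 3600 seconds"
LF_POP3D = 10        # "Failures: 10 (pop3d)"
YEAR = 2018          # syslog lines carry no year; assumed from the report's date

# Assumed maillog format: syslog timestamp + host + the dovecot message quoted in the
# thread. The forum stripped the <> around user= and session=, so they are optional here.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ dovecot: "
    r"(?P<svc>pop3|imap)-login: Aborted login "
    r"\(auth failed, (?P<n>\d+) attempts? in \d+ secs\): "
    r"user=<?(?P<user>[^>,]*)>?, method=\S+, rip=(?P<rip>[0-9A-Fa-f.:]+),"
)


def parse_line(line):
    """Return a dict for a dovecot 'Aborted login' line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "svc": m["svc"], "n": int(m["n"]), "user": m["user"], "rip": m["rip"]}


def lfd_blocks(lines, interval=LF_INTERVAL, threshold=LF_POP3D, svc="pop3"):
    """Replay lines and return {ip: time_of_block} for every source IP whose failures
    reach `threshold` inside a sliding `interval`-second window.

    Assumption: each 'N attempts' line counts as N failures (see lead-in)."""
    window = defaultdict(deque)  # ip -> deque of (timestamp, failures)
    blocked = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["svc"] != svc or ev["rip"] in blocked:
            continue
        q = window[ev["rip"]]
        q.append((ev["ts"], ev["n"]))
        while q and (ev["ts"] - q[0][0]).total_seconds() > interval:
            q.popleft()  # fell out of the window
        if sum(n for _, n in q) >= threshold:
            blocked[ev["rip"]] = ev["ts"]
    return blocked


def failures_per_ip(lines, svc="pop3"):
    """Total failed attempts and login names tried, per source IP: the figures you
    would give the client when asking which device keeps trying."""
    totals = defaultdict(lambda: {"failures": 0, "users": set()})
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["svc"] != svc:
            continue
        totals[ev["rip"]]["failures"] += ev["n"]
        totals[ev["rip"]]["users"].add(ev["user"])
    return dict(totals)


def _line(ts, n, secs, user, rip, svc="pop3"):
    """Build one constructed maillog line in the assumed format."""
    stamp = f"{ts:%b} {ts.day:>2} {ts:%H:%M:%S}"
    return (f"{stamp} mail dovecot: {svc}-login: Aborted login "
            f"(auth failed, {n} attempts in {secs} secs): user=<{user}>, method=PLAIN, "
            f"rip={rip}, lip=192.0.2.10, TLS, session=<abc123>")


# Constructed sample, not real data: a mail client at 198.51.100.23 with a stale
# password retries 5 times in 22 s every 5 minutes for 45 minutes (nine bursts),
# another user at 203.0.113.9 mistypes once, and one successful login is noise.
_start = datetime(YEAR, 4, 8, 12, 0, 0)
SAMPLE_LOG = [
    _line(_start + timedelta(minutes=5 * i), 5, 22, "client@example.com", "198.51.100.23")
    for i in range(9)
]
SAMPLE_LOG.insert(2, _line(_start + timedelta(minutes=7), 3, 40, "other@example.com", "203.0.113.9"))
SAMPLE_LOG.insert(4, "Apr  8 12:12:00 mail dovecot: pop3-login: Login: user=<other@example.com>, "
                     "method=PLAIN, rip=203.0.113.9, lip=192.0.2.10, TLS, session=<def456>")

if __name__ == "__main__":
    for ip, when in lfd_blocks(SAMPLE_LOG).items():
        print(f"{ip} would be blocked at {when:%H:%M:%S}")
    for ip, info in failures_per_ip(SAMPLE_LOG).items():
        print(f"{ip}: {info['failures']} failures, users tried: {sorted(info['users'])}")
```

Run against the sample, the retrying client reaches 10 failures on its second burst, five minutes in, and accumulates 45 over the 45 minutes, which matches the pattern of an automated client rather than a person typing. Swap `SAMPLE_LOG` for the real lines read from the maillog and the same two functions give you the block time and the totals per IP. Note also that the quoted report says "IP match in csf.allow, block may not work": an allow entry affects the block, not the failure counting that produces these reports.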
Hi @Amgeek, it sounds like it's a mail client (on his local machine or mobile device), especially when it's multiple attempts within a short period of time (like seconds or minutes). He may not even know that he's got the mail client configured. If you're concerned about his Mac being infected, there's not a lot cPanel can control in that aspect; I'd ensure that he runs a malware scan on the Mac, and if that comes back clean, whitelist his IP in CSF so you don't have to keep going through and unblocking him. Thank you!
I would never whitelist a user's IP address on my server, ever. No need to. If he's being blocked over and over, he is probably using an incorrect username or password on one of his devices. You might ask him if he's connecting with his cell phone, aside from his Mac. I'd ask him to turn off his email client, and you remove his IP from the blocked list. Ask him to log in to his cPanel and change his email password. He'll need to update that new password in his email client and mobile device, if he has one, and may get blocked doing so. Have him finish updating his email account login details in all his devices, and then unblock him one more time.