CSF blocked IP tries again
I have a post open on the CSF forum, but I guess the CSF devs don't monitor that forum, as I've never seen an official answer, so I'm posting the same here to see if anyone can explain.
I see in my logs a small number of failed logins from an IP, which was then blocked in CSF at 00:04 am:
xxxx.xxx.xxx.xxx # lfd: (smtpauth) Failed SMTP AUTH login from xxx.xxx.xxx.xx. (AU/Australia/New South Wales/Sydney/xxx.xxx.xxx.xx.static.exetel.com.au): 1 in the last 3600 secs - Mon May 14 00:04:44 2018
However, if I look in my exim reject log, I can see that the logins continued after this time.
How could this happen?
2018-05-14 00:04:46 dovecot_login authenticator failed for xxx.xxx.xxx.xx.static.exetel.com.au (NHCDC1) [xxx.xxx.xxx.xx.]:54567: 535 Incorrect authentication data
2018-05-14 00:07:29 dovecot_login authenticator failed for xxx.xxx.xxx.xx..static.exetel.com.au (NHCDC1) [xxx.xxx.xxx.xx.]:55419: 535 Incorrect authentication data
Hello @keat63,

The LFD output you provided shows a failed SMTP authentication attempt, but I don't see anything that shows the IP address was blocked at the firewall level. Can you check to see if that IP address was blocked?

Thank you.
As my server is work related, we only host our own sites. I have about 20 users, none of whom use webmail or mail outside of the office. So exim logins are restricted to a single failure, and the offending IP should be added to CSF.

xxxx.xxx.xxx.xxx # lfd: (smtpauth) Failed SMTP AUTH login from xxx.xxx.xxx.xx. (AU/Australia/New South Wales/Sydney/xxx.xxx.xxx.xx.static.exetel.com.au): 1 in the last 3600 secs - Mon May 14 00:04:44 2018

This line was taken directly from the CSF blocklist, /etc/csf/csf.deny. CSF added the IP to the blocklist at 00:04:44, but as can be seen from the exim log, the logins continued.
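One way to cross-check the two logs for a given address, as an added example written here and not code from the thread, CSF or cPanel: it reads the block timestamp out of a /etc/csf/csf.deny entry, then lists every exim rejectlog authentication failure from that IP stamped after the block, together with the source port, so a fresh TCP connection (new port, which the firewall should have dropped) can be told apart from a session that was already open when the entry was written. The csf.deny line and exim lines below are constructed sample data using documentation-range addresses, not the poster's redacted logs, and both logs are assumed to carry the same local timezone.

```python
import re
from datetime import datetime

# Constructed sample data standing in for the poster's redacted logs.
# 203.0.113.45 and 198.51.100.7 are documentation-range addresses.
CSF_DENY = """\
# Comment lines and blank lines are ignored, as csf itself does.
203.0.113.45 # lfd: (smtpauth) Failed SMTP AUTH login from 203.0.113.45 (AU/Australia/New South Wales/Sydney/host.example): 1 in the last 3600 secs - Mon May 14 00:04:44 2018
"""

EXIM_REJECTLOG = """\
2018-05-14 00:03:58 dovecot_login authenticator failed for host.example (NHCDC1) [203.0.113.45]:54212: 535 Incorrect authentication data
2018-05-14 00:04:46 dovecot_login authenticator failed for host.example (NHCDC1) [203.0.113.45]:54567: 535 Incorrect authentication data
2018-05-14 00:07:29 dovecot_login authenticator failed for host.example (NHCDC1) [203.0.113.45]:55419: 535 Incorrect authentication data
2018-05-14 00:09:10 dovecot_login authenticator failed for other.example (NHCDC1) [198.51.100.7]:40012: 535 Incorrect authentication data
"""

# csf.deny entry written by lfd: "<ip> # lfd: ... - <ctime-style timestamp>"
DENY_RE = re.compile(
    r"^(?P<ip>[0-9a-fA-F.:]+)\s+#.*-\s+"
    r"(?P<when>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4})\s*$"
)
# exim rejectlog line: "<date> <time> ... [<ip>]:<port>: <reason>"
EXIM_RE = re.compile(
    r"^(?P<when>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) .*?"
    r"\[(?P<ip>[0-9a-fA-F.:]+)\]:(?P<port>\d+):"
)


def parse_csf_deny(text):
    """Map each blocked IP to the time lfd wrote its entry into csf.deny."""
    blocks = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = DENY_RE.match(line)
        if m:
            blocks[m.group("ip")] = datetime.strptime(
                m.group("when"), "%a %b %d %H:%M:%S %Y")
    return blocks


def parse_exim_rejectlog(text):
    """Return (timestamp, ip, source_port) for each auth failure in the log."""
    events = []
    for line in text.splitlines():
        m = EXIM_RE.match(line)
        if m:
            # Redacted excerpts sometimes carry a stray trailing dot on the IP.
            ip = m.group("ip").rstrip(".")
            events.append((datetime.strptime(m.group("when"), "%Y-%m-%d %H:%M:%S"),
                           ip, int(m.group("port"))))
    return events


def failures_after_block(deny_text, exim_text):
    """For every IP in csf.deny, list exim auth failures stamped after its block.

    Each entry is (seconds_after_block, source_port). A changed source port is
    a new TCP connection, which the firewall should have dropped; the same port
    as an earlier line would be a session that was already open when the block
    was added. Both logs are assumed to use the same local timezone.
    """
    blocks = parse_csf_deny(deny_text)
    report = {}
    for when, ip, port in parse_exim_rejectlog(exim_text):
        blocked_at = blocks.get(ip)
        if blocked_at is None or when < blocked_at:
            continue
        secs = int((when - blocked_at).total_seconds())
        report.setdefault(ip, []).append((secs, port))
    return report


if __name__ == "__main__":
    for ip, hits in failures_after_block(CSF_DENY, EXIM_REJECTLOG).items():
        print(f"{ip}: {len(hits)} auth failure(s) after it was added to csf.deny")
        for secs, port in hits:
            print(f"  +{secs}s from source port {port}")
```

An entry in csf.deny only records that lfd decided to block; whether the address is actually in the kernel firewall is a separate check, and on the server itself `csf -g 203.0.113.45` searches the live iptables rules for it.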
Hello @keat63,

If ConfigServer does not respond to your support request, you may want to consider using cPHulk Brute Force Protection instead of or in addition to LFD/CSF: cPHulk Brute Force Protection - Version 70 Documentation - cPanel Documentation

The following cPHulk options could help replace or supplement that feature:
Block IP addresses at the firewall level if they trigger brute force protection
Command to Run When an IP Address Triggers a One-Day Block

Thank you.
I only require login to email, FTP or cPanel etc. from the UK. Maybe a different country only when a mobile phone/tablet user goes on holiday. Would there be any implications to having cPHulk block every country other than the UK? Would this break anything else, or add any load?
Hello,

That's acceptable, but just note that anyone attempting to log in to one of the monitored services would need to use a UK-based IP address. For instance, that could lead to login failures if any of your customers use a third-party service to authenticate their email account (e.g. customers that set up user@domain.tld in Gmail). You'd need to whitelist the IP address ranges of any such mail providers.

Regarding the performance, here's a quote from a
I have no external customers so to speak, only internal office-based staff and about 4 mobile phone/tablet email users. I'm the only one with SSH and FTP access. I'll give this a go and monitor for the day.