csf & modsec2: identify user login of webmail

upsforum

• November 29, 2013 04:12

with csf and modsec logs I can see what action type generated ths ip bloking, but is possible see which user used webmail login with this ip?

• 

  Infopro

  • November 29, 2013 09:16

  CSF should be alerting you by email when it blocks an IP. Your question is unclear.

  0
• 

  upsforum

  • November 29, 2013 09:23

  for example, if a user try login with myemail@domain.com on webmail login form and wrong ten times csf block their ip, is possible see that is user myemail that made the mistake?

  0
• 

  Infopro

  • November 29, 2013 09:30

  You should see the IP that's been blocked. And you know the email account that the IP attempted to login to. What else are you looking for?

  0
• 

  quizknows

  • November 29, 2013 20:11

  If I read this right, I think he's wondering if you can see what e-mail address a blocked IP was trying to log in to. First off, modsec isn't going to parse cPanel access logs, where webmail access is logged. If you want to see what e-mail address and IP was trying to log into, check the cPanel access log. Say the blocked ip is 123.123.123.123 then you would run this at a root shell: grep 123.123.123.123 /usr/local/cpanel/logs/access_log
  The information could also be logged in /var/log/maillog since I think the webmail apps try to use an imap type login, and failed imap/pop logins are usually in maillog. You could check with something like: grep 123.123.123.123 /var/log/maillog
  I hope this helps.

  0
• 

  upsforum

  • November 29, 2013 20:52

  thank you quizknows, I think that it is sufficient solution ;-)

  0

Please sign in to leave a comment.