cPanel & WHM: CSF/LFD No Longer Blocking Failed IMAP/POP3 Logins on cPanel 132 (Dovecot Log Format Change)
-
We have, yes. Was thinking it might be because we were using a fork of CSF, but a server running the cPanel version is also not blocking POP3/IMAP.
0 -
Update: this could be a problem with the latest Dovecot update? Anyway, we tried a custom regex in
/etc/csf/regex.custom.pm and it fixed it.
0 -
"In Dovecot 2.4.2, the log format for failed logins has changed, which breaks the default regex patterns in CSF/LFD. To fix this, you must add a custom regex to the CSF configuration."
1. Add the Custom Regex
Open your custom regex file:
nano /etc/csf/regex.custom.pm
Add the following block to the end of the file. This rule specifically targets the new Dovecot 2.4 "auth failed" log format:

# Dovecot 2.4 failed IMAP/POP3 login. The capture group is placed on the
# remote address (rip=) rather than on the "N attempts" counter, so $1 is the
# IP that LFD will block. custom_line() in regex.custom.pm receives $line and
# $lgfile (not $app), so the service is matched inside the regex instead.
if ($line =~ /(?:imap|pop3)-login: .*\(auth failed, \d+ attempts.*rip=([\d\.]+)/) {
    return ("Failed Dovecot login from",$1,"dovecotlogin","5","110,143,993,995","1");
}

$1: Captures the offending IP address.
"5": Sets the threshold for failure attempts before a block.
"1": Triggers a permanent block (change to a number like 3600 for a temporary 1-hour block).
Then restart csf and LFD:
csf -r
systemctl restart lfd
0 -
I have the CSF team checking this out now - if I hear about any updates related to this I'll be sure to post!
0 -
# This perl script worked better for us than the one we posted above.

# Matches both the Dovecot 2.3 "Disconnected (auth failed, ...)" line and the
# Dovecot 2.4 "Login aborted: ... (auth failed, ...)" line; $1 is the rip= address.
if ($line =~ /dovecot: (?:imap|pop3)-login: (?:Login aborted|Disconnected).*\(auth failed.*rip=([\d\.]+)/) {
    return ("Failed Dovecot 2.4 login from",$1,"dovecot_custom","5","110,143,993,995","1");
}

0 -
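As an added, runnable illustration of the detection logic in the two custom rules posted above (this is not code from the thread, from CSF/LFD or from cPanel): the script below runs the second rule's regex over constructed Dovecot 2.3-style and 2.4-style log lines, shows that a pattern written only for the 2.3 "Disconnected (auth failed" layout misses the 2.4 "Login aborted:" layout, tallies failures per remote IP the way LFD does before it reaches the trigger count of "5", and adds a widened pattern (my addition, not in the thread) because the posted `[\d\.]+` capture silently truncates an IPv6 rip= value to its first hextet. The sample lines are constructed approximations of the two formats, not captured Dovecot output, and the 2.3-only pattern is constructed for contrast and is not LFD's actual shipped regex.

```python
import re
from collections import Counter

# Regex exactly as posted in the second custom rule above (IPv4 only).
THREAD_PATTERN = re.compile(
    r"dovecot: (?:imap|pop3)-login: (?:Login aborted|Disconnected)"
    r".*\(auth failed.*rip=([\d\.]+)"
)

# Widened variant (my addition): the rip= capture also accepts IPv6 addresses,
# which the thread's [\d\.]+ cuts off at the first ':'.
WIDE_PATTERN = re.compile(
    r"dovecot: (?:imap|pop3)-login: (?:Login aborted|Disconnected)"
    r".*\(auth failed.*rip=([0-9A-Fa-f:.]+)"
)

# Constructed for contrast: a pattern that only understands the Dovecot 2.3
# layout ("Disconnected (auth failed, N attempts ...): ...").  This is NOT the
# regex LFD ships; it only models why the 2.4 lines stopped matching.
OLD_STYLE_ONLY = re.compile(
    r"dovecot: (?:imap|pop3)-login: Disconnected \(auth failed, \d+ attempts[^)]*\): "
    r".*rip=([\d\.]+)"
)

# Constructed sample log lines (approximations of the 2.3 and 2.4 formats).
SAMPLE_LINES = [
    # Dovecot 2.3 style
    "Jan 10 12:00:01 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): "
    "user=<alice>, method=PLAIN, rip=203.0.113.10, lip=198.51.100.5, TLS, session=<s1>",
    # Dovecot 2.4 style, same attacker, four more failures
    "Jan 10 12:00:05 mail dovecot: imap-login: Login aborted: Connection closed (auth failed, 1 attempts in 2 secs) (auth_failed): "
    "user=<alice>, method=PLAIN, rip=203.0.113.10, lip=198.51.100.5, TLS, session=<s2>",
    "Jan 10 12:00:09 mail dovecot: pop3-login: Login aborted: Connection closed (auth failed, 1 attempts in 2 secs) (auth_failed): "
    "user=<alice>, method=PLAIN, rip=203.0.113.10, lip=198.51.100.5, TLS, session=<s3>",
    "Jan 10 12:00:13 mail dovecot: imap-login: Login aborted: Connection closed (auth failed, 1 attempts in 2 secs) (auth_failed): "
    "user=<alice>, method=PLAIN, rip=203.0.113.10, lip=198.51.100.5, TLS, session=<s4>",
    "Jan 10 12:00:17 mail dovecot: imap-login: Login aborted: Connection closed (auth failed, 1 attempts in 2 secs) (auth_failed): "
    "user=<alice>, method=PLAIN, rip=203.0.113.10, lip=198.51.100.5, TLS, session=<s5>",
    # A second source, below the trigger count
    "Jan 10 12:01:00 mail dovecot: imap-login: Login aborted: Connection closed (auth failed, 1 attempts in 2 secs) (auth_failed): "
    "user=<bob>, method=PLAIN, rip=203.0.113.20, lip=198.51.100.5, TLS, session=<s6>",
    "Jan 10 12:01:04 mail dovecot: imap-login: Login aborted: Connection closed (auth failed, 1 attempts in 2 secs) (auth_failed): "
    "user=<bob>, method=PLAIN, rip=203.0.113.20, lip=198.51.100.5, TLS, session=<s7>",
    # IPv6 source: the posted regex captures only "2001" here
    "Jan 10 12:02:00 mail dovecot: imap-login: Login aborted: Connection closed (auth failed, 1 attempts in 2 secs) (auth_failed): "
    "user=<carol>, method=PLAIN, rip=2001:db8::5, lip=2001:db8::1, TLS, session=<s8>",
    # Successful login and an unrelated sshd line: neither must match
    "Jan 10 12:03:00 mail dovecot: imap-login: Login: user=<dave>, method=PLAIN, rip=203.0.113.30, lip=198.51.100.5, TLS, session=<s9>",
    "Jan 10 12:03:05 mail sshd[4242]: Failed password for root from 203.0.113.40 port 51000 ssh2",
]


def extract_failed_login_ip(line, pattern=THREAD_PATTERN):
    """Return the rip= address from a Dovecot auth-failure line, or None."""
    m = pattern.search(line)
    return m.group(1) if m else None


def count_failures(lines, pattern=THREAD_PATTERN):
    """Per-IP failure tally, mirroring what LFD accumulates for one custom rule."""
    counts = Counter()
    for line in lines:
        ip = extract_failed_login_ip(line, pattern)
        if ip:
            counts[ip] += 1
    return counts


def ips_to_block(lines, threshold=5, pattern=THREAD_PATTERN):
    """IPs that reached the trigger count (the "5" field in the posted rule)."""
    return sorted(ip for ip, n in count_failures(lines, pattern).items() if n >= threshold)


if __name__ == "__main__":
    print("2.3-only pattern:", dict(count_failures(SAMPLE_LINES, OLD_STYLE_ONLY)))
    print("thread pattern:  ", dict(count_failures(SAMPLE_LINES)))
    print("wide pattern:    ", dict(count_failures(SAMPLE_LINES, WIDE_PATTERN)))
    print("would block:     ", ips_to_block(SAMPLE_LINES))
```

Running it shows the 2.3-only pattern seeing a single failure from 203.0.113.10 while the thread's pattern sees all five and puts that address over the trigger count; the IPv6 line is tallied under the bogus key "2001" by the posted regex and under "2001:db8::5" by the widened one, which is worth keeping in mind if the server accepts IPv6 mail clients.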
Update - our team has created case CPANEL-51854 to address this. I'm following along with that case now and I've linked this thread to it, so I'll be sure to post once I have more details.
0 -
Searching around, we found that clients of DA (is that swearing? :) ) had the same problem after updating to Dovecot 2.4. The code below fixes it. Though we wonder, if cPanel updates CSF, whether it may get overwritten??

sed -i -E '/Connection closed/ { s#((pop3|imap)-login: |Info: )\(#\1(?:Login aborted:\\s*)?\(#; s#\)\)\?: #\)\)?\\s*(?:\\(auth_failed\\))?: # }' /usr/local/csf/lib/ConfigServer/RegexMain.pm

0 -
Yes, we will definitely overwrite that file in future updates.
0 -
Update - this is fixed and will be included in a future release. I don't have a specific version of CSF or cPanel just yet, but if I hear one I'll be sure to post!
0 -
Yea!
1 -
cPRex, thank you! Much appreciated!
0 -
I guess I got this problem too. Where do I see when this is fixed? I can't find case CPANEL-51854. v134.0.11 says nothing about this in the changelog.
And LFD is ignoring "Suspicious File Alert" /etc/csf/csf.fignore entries now too. Must be a coincidence.
0 -
Scott Galambos - when this gets moved to a production version I'll be sure to make a post!
0 -
Is this issue fixed? How do I check? I ask because I don't see hack attempt emails anymore. But I never did an update. How can I check if this is fixed pursuant to a formal cPanel update?
0 -
No, I don't see that this has been resolved on our end yet.
0 -
Not resolved yet??
@cPRex wrote: "Update - this is fixed and will be included in a future release."
0 -
Correct - fixed, but hasn't been released yet - sorry if that wasn't phrased well!
0