Deferred Login Blocking

sparek
Junior Member
Posts: 38
Joined: 11 Feb 2008, 17:55

Deferred Login Blocking

Post by sparek »

Should LFD be blocking DEFERRED LOGIN attempts in /usr/local/cpanel/logs/login_log?

We recently had a situation where a large number of these entries were being logged and it was raising the server load on the server. However, LFD wasn't blocking them, and looking through the code, I don't guess it is supposed to.

Is this something that was overlooked in LFD's development or is it not supposed to block them? Or is there a reason not to block them?

The log entries appear as:

Code:

xx.xx.xx.xx - user@domain.com [02/14/2013:11:12:43 -0000] "GET /cpsess7962685239/3rdparty/roundcube/?_task=mail&_action=check-recent&_mbox=INBOX HTTP/1.1" DEFERRED LOGIN webmaild: security token incorrect

sparek

Re: Deferred Login Blocking

Post by sparek »

Any way to disable this?

Apparently this causes issues with people who don't believe in logging out of webmail and then just let their computer hibernate or suspend. I honestly don't know what they are doing, but it appears to be affecting some users. Anybody else seeing similar issues?

There's just no pleasing everybody.
ForumAdmin
Moderator
Posts: 1523
Joined: 01 Oct 2008, 09:24

Re: Deferred Login Blocking

Post by ForumAdmin »

For now you will need to modify /etc/csf/regex.pm from:

Code:

#cPanel/WHM
        if (($config{LF_CPANEL}) and ($lgfile eq $config{CPANEL_LOG}) and ($line =~ /^(\S+) - (\S+)? \[\S+ \S+\] \"[^\"]*\" (FAILED|DEFERRED) LOGIN/)) {

to:

Code:

#cPanel/WHM
        if (($config{LF_CPANEL}) and ($lgfile eq $config{CPANEL_LOG}) and ($line =~ /^(\S+) - (\S+)? \[\S+ \S+\] \"[^\"]*\" FAILED LOGIN/)) {

We'll look at making this change permanent for the next release due to the risk of false-positives.
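An added example, not part of the original posts and not csf's own code: the two patterns quoted above are run over constructed login_log lines and matches are counted per IP, to show which addresses each pattern would flag. The sample lines, IPs, account names, the threshold of 3 and the `ips_over_limit` helper are assumptions made for the illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# The two patterns quoted in the thread: regex.pm before and after the edit.
my %pattern = (
    before => qr/^(\S+) - (\S+)? \[\S+ \S+\] \"[^\"]*\" (FAILED|DEFERRED) LOGIN/,
    after  => qr/^(\S+) - (\S+)? \[\S+ \S+\] \"[^\"]*\" FAILED LOGIN/,
);

# Constructed threshold for this demo only; a real server uses its own setting.
my $threshold = 3;

# Constructed log lines in the layout shown in the first post.
# 192.0.2.10: one webmail user whose stale session keeps polling (DEFERRED).
# 203.0.113.7: repeated failed logins against different accounts (FAILED).
my @log = (
    (map { sprintf '192.0.2.10 - user@example.com [02/14/2013:11:12:%02d -0000] '
             . '"GET /cpsess0000000000/3rdparty/roundcube/?_task=mail&_action=check-recent&_mbox=INBOX HTTP/1.1" '
             . 'DEFERRED LOGIN webmaild: security token incorrect', $_ } 1 .. 4),
    (map { sprintf '203.0.113.7 - acct%d [02/14/2013:11:20:%02d -0000] '
             . '"POST /login/ HTTP/1.1" '
             . 'FAILED LOGIN webmaild: constructed failure reason', $_, $_ } 1 .. 3),
);

# Hypothetical helper: count matching lines per source IP (capture group 1)
# and return the IPs that reach the limit.
sub ips_over_limit {
    my ($re, $limit, @lines) = @_;
    my %hits;
    for my $line (@lines) {
        $hits{$1}++ if $line =~ $re;
    }
    my @over = grep { $hits{$_} >= $limit } keys %hits;
    return sort @over;
}

for my $variant (qw(before after)) {
    my @flagged = ips_over_limit($pattern{$variant}, $threshold, @log);
    printf "%-6s pattern flags: %s\n", $variant,
        @flagged ? join(', ', @flagged) : '(none)';
}
```

With the original pattern both addresses reach the threshold; with the edited pattern only the address producing FAILED LOGIN lines does, which is the false-positive case the change is meant to avoid.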