It seems that this stopped working between October and November with the most recent IMAP block being on 02 Dec 2021. I'm not sure if it's related to the CSF 14.15 update that was released on 04 Dec. Looks like it updated on 05 December. This is affecting all our Interworx servers.
These are my IMAP blocks.
LF_IMAPD = "10"
LF_IMAPD_PERM = "1"
IMAPD_LOG = "/var/log/dovecot/dovecot.log"
and INTERWORX = "1"
I see there have been some changes to the IMAP regexes but I don't see how these changes could've broken anything.
CSF not blocking failed IMAP and POP3 logins on Interworx (CSF 14.15)
-
- Junior Member
- Posts: 6
- Joined: 16 Sep 2021, 10:41
-
- Moderator
- Posts: 1524
- Joined: 01 Oct 2008, 09:24
Re: CSF not blocking failed IMAP and POP3 logins on Interworx (CSF 14.15)
It would help if you could provide an example log line that was not detected.
-
- Junior Member
- Posts: 6
- Joined: 16 Sep 2021, 10:41
Re: CSF not blocking failed IMAP and POP3 logins on Interworx (CSF 14.15)
Good Morning,
Below are the logs:
Jan 06 08:34:12 imap-login: Info: Disconnected (auth failed, 1 attempts in 2 secs): user=<failedlogin@csf>, method=PLAIN, rip=<removed>, lip=<removed>, TLS: Connection closed, session=<a0nhDuTUcqKl/yo5>
Jan 06 08:34:41 imap-login: Info: Disconnected (auth failed, 1 attempts in 2 secs): user=<failedlogin@csf>, method=PLAIN, rip=<removed>, lip=<removed>, TLS: Connection closed, session=<VHCQEOTUxC+l/yo5>
Jan 06 08:34:50 imap-login: Info: Disconnected (auth failed, 1 attempts in 2 secs): user=<failedlogin@csf>, method=PLAIN, rip=<removed>, lip=<removed>, TLS: Connection closed, session=<zkUjEeTU/Hql/yo5>
Jan 06 08:35:04 imap-login: Info: Disconnected (auth failed, 1 attempts in 2 secs): user=<failedlogin@csf>, method=PLAIN, rip=<removed>, lip=<removed>, TLS: Connection closed, session=<8yXuEeTUDnKl/yo5>
Jan 06 08:35:14 imap-login: Info: Disconnected (auth failed, 1 attempts in 2 secs): user=<failedlogin@csf>, method=PLAIN, rip=<removed>, lip=<removed>, TLS: Connection closed, session=<JvKTEuTUw92l/yo5>
Jan 06 08:35:23 imap-login: Info: Disconnected (auth failed, 1 attempts in 2 secs): user=<failedlogin@csf>, method=PLAIN, rip=<removed>, lip=<removed>, TLS: Connection closed, session=<Zu4TE+TU8Iql/yo5>
Jan 06 08:35:31 imap-login: Info: Disconnected (auth failed, 1 attempts in 3 secs): user=<failedlogin@csf>, method=PLAIN, rip=<removed>, lip=<removed>, TLS: Connection closed, session=<rNyJE+TUiO+l/yo5>
Jan 06 08:35:39 imap-login: Info: Disconnected (auth failed, 1 attempts in 2 secs): user=<failedlogin@csf>, method=PLAIN, rip=<removed>, lip=<removed>, TLS: Connection closed, session=<TEQJFOTUgfil/yo5>
Jan 06 08:35:47 imap-login: Info: Disconnected (auth failed, 1 attempts in 2 secs): user=<failedlogin@csf>, method=PLAIN, rip=<removed>, lip=<removed>, TLS: Connection closed, session=<aWKKFOTUl8el/yo5>
Jan 06 08:35:56 imap-login: Info: Disconnected (auth failed, 1 attempts in 2 secs): user=<failedlogin@csf>, method=PLAIN, rip=<removed>, lip=<removed>, TLS: Connection closed, session=</I8HFeTUsFyl/yo5>
Jan 06 08:36:06 imap-login: Info: Disconnected (auth failed, 1 attempts in 2 secs): user=<failedlogin@csf>, method=PLAIN, rip=<removed>, lip=<removed>, TLS: Connection closed, session=<acmjFeTUpiql/yo5>
Jan 06 08:36:15 imap-login: Info: Disconnected (auth failed, 1 attempts in 2 secs): user=<failedlogin@csf>, method=PLAIN, rip=<removed>, lip=<removed>, TLS: Connection closed, session=<1G8wFuTUh+Cl/yo5>
Jan 06 08:36:24 imap-login: Info: Disconnected (auth failed, 1 attempts in 2 secs): user=<failedlogin@csf>, method=PLAIN, rip=<removed>, lip=<removed>, TLS: Connection closed, session=<F4y+FuTUwBGl/yo5>
Jan 06 08:36:32 imap-login: Info: Disconnected (auth failed, 1 attempts in 2 secs): user=<failedlogin@csf>, method=PLAIN, rip=<removed>, lip=<removed>, TLS: Connection closed, session=<Cd8uF+TU1Kil/yo5>
Jan 06 08:36:41 imap-login: Info: Disconnected (auth failed, 1 attempts in 2 secs): user=<failedlogin@csf>, method=PLAIN, rip=<removed>, lip=<removed>, TLS: Connection closed, session=<iQa4F+TUQkCl/yo5>
-
- Junior Member
- Posts: 6
- Joined: 16 Sep 2021, 10:41
Re: CSF not blocking failed IMAP and POP3 logins on Interworx (CSF 14.15)
Good Afternoon,
I applied the older rules to regexcustom and failed IMAP and POP3 logins are now being blocked. After comparing the rules I see a number of changes here. I tested the rules and found that the grouping for $ip should be set to 10 in Regexmain. I've updated this in Regexmain on one of our other servers and successfully blocked myself. Rules below in the #dovecot section.
if (($config{LF_POP3D}) and ($globlogs{POP3D_LOG}{$lgfile}) and ($line =~ /^(\S+|\S+\s+\d+\s+\S+) pop3-login(\[\d+\])?: Info: (Aborted login( by logging out)?|Connection closed|Disconnected|Disconnected: Inactivity)(\s*\(auth failed, \d+ attempts( in \d+ secs)?\))?: (user=(<\S*>)?, )?(method=\S+, )?rip=(\S+), lip=/)) {
    # Capture numbering in this regex: 1 timestamp, 2 optional [pid], 3-4 login state,
    # 5-6 "(auth failed ...)", 7 "user=<...>, ", 8 "<...>", 9 "method=..., ", 10 rip.
    # The optional (\[\d+\])? group shifts every later capture by one, so $8 here is
    # the bracketed user rather than the remote IP; the poster found $ip must use capture 10.
    my $ip = $8;
    my $acc = $7;
    $ip =~ s/^::ffff://;      # strip an IPv4-mapped IPv6 prefix
    $acc =~ s/^<|>$//g;       # strip the angle brackets around the user
    if (checkip(\$ip)) {return ("Failed POP3 login from","$ip|$acc","pop3d")} else {return}
}
if (($config{LF_IMAPD}) and ($globlogs{IMAPD_LOG}{$lgfile}) and ($line =~ /^(\S+|\S+\s+\d+\s+\S+) imap-login(\[\d+\])?: Info: (Aborted login( by logging out)?|Connection closed|Disconnected|Disconnected: Inactivity)(\s*\(auth failed, \d+ attempts( in \d+ secs)?\))?: (user=(<\S*>)?, )?(method=\S+, )?rip=(\S+), lip=/)) {
    # Same capture numbering as the POP3 rule above: rip is capture 10, the <user> capture 8.
    my $ip = $8;
    my $acc = $7;
    $ip =~ s/^::ffff://;
    $acc =~ s/^<|>$//g;
    if (checkip(\$ip)) {return ("Failed IMAP login from","$ip|$acc","imapd")} else {return}
}
-
- Junior Member
- Posts: 6
- Joined: 16 Sep 2021, 10:41
Re: CSF not blocking failed IMAP and POP3 logins on Interworx (CSF 14.15)
Here are the csf and lfd logs in case they're required:
lfd logs:
Jan 11 14:25:17 <hostname removed> lfd[936746]: (imapd) Failed IMAP login from <removed> (<Region/IP.domain removed>): 10 in the last 3600 secs - *Blocked in csf* [LF_IMAPD]
Jan 11 14:31:08 <hostname removed> lfd[946621]: (pop3d) Failed POP3 login from <removed> (<Region/IP.domain removed>): 10 in the last 3600 secs - *Blocked in csf* [LF_POP3D]
csf.deny:
<removed> # lfd: (imapd) Failed IMAP login from <removed> (<Region/IP.domain removed>): 10 in the last 3600 secs - Tue Jan 11 14:25:17 2022
<removed> # lfd: (pop3d) Failed POP3 login from <removed> (<Region/IP.domain removed>): 10 in the last 3600 secs - Tue Jan 11 14:31:08 2022
-
- Junior Member
- Posts: 6
- Joined: 16 Sep 2021, 10:41
Re: CSF not blocking failed IMAP and POP3 logins on Interworx (CSF 14.15)
I don't seem to have a bump button.
Re: CSF not blocking failed IMAP and POP3 logins on Interworx (CSF 14.15)
Did you fix this problem? I have this problem now...
Oct 13 21:11:19 myserver dovecot[15276]: auth: passwd-file(admin@myserver.com,51.222.46.204,<7SHFPurqUIIz3i7M>): unknown user
Oct 13 21:11:21 myserver dovecot[15276]: imap-login: Disconnected: Connection closed (auth failed, 1 attempts in 2 secs): user=<admin@myserver.com>, method=PLAIN, rip=51.222.46.204, lip=43.241.72.114, session=<7SHFPurqUIIz3i7M>
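As an added check (Python written for this thread, not CSF's own Perl code), the script below runs the Regexmain rule quoted in the earlier post over a constructed dovecot.log line and over a constructed line in the format of the post above. It shows the capture-number shift the thread describes (capture 8 is the bracketed user, capture 10 the remote IP) and that a syslog-prefixed line without the "Info:" marker does not match the rule at all. LINE_INFO, LINE_SYSLOG and looks_like_ip are constructed stand-ins, not values or functions from CSF.

```python
import re

# Dovecot login rule as posted from Regexmain's #dovecot section (CSF 14.15), with the
# service name parameterised so one pattern serves both the imap-login and pop3-login rules.
def login_pattern(service):
    return re.compile(
        r"^(\S+|\S+\s+\d+\s+\S+) " + service + r"-login(\[\d+\])?: Info: "
        r"(Aborted login( by logging out)?|Connection closed|Disconnected|Disconnected: Inactivity)"
        r"(\s*\(auth failed, \d+ attempts( in \d+ secs)?\))?: "
        r"(user=(<\S*>)?, )?(method=\S+, )?rip=(\S+), lip="
    )

# Constructed sample lines using documentation-range addresses. LINE_INFO follows the
# dovecot.log format posted earlier in the thread; LINE_SYSLOG follows the last post's
# format, which carries a syslog prefix and has no "Info:" marker.
LINE_INFO = ("Jan 06 08:34:12 imap-login: Info: Disconnected (auth failed, 1 attempts in 2 secs): "
             "user=<failedlogin@csf>, method=PLAIN, rip=203.0.113.5, lip=198.51.100.9, "
             "TLS: Connection closed, session=<constructed>")
LINE_SYSLOG = ("Oct 13 21:11:21 myserver dovecot[15276]: imap-login: Disconnected: Connection closed "
               "(auth failed, 1 attempts in 2 secs): user=<admin@example.com>, method=PLAIN, "
               "rip=203.0.113.5, lip=198.51.100.9, session=<constructed>")

def extract(line, service, ip_group, acc_group):
    """Mimic the Perl rule: take $ip/$acc from the given capture numbers and apply
    the rule's two s/// fixups. Returns None when the regex does not match at all."""
    m = login_pattern(service).match(line)
    if not m:
        return None
    ip = re.sub(r"^::ffff:", "", m.group(ip_group) or "")
    acc = re.sub(r"^<|>$", "", m.group(acc_group) or "")
    return ip, acc

def looks_like_ip(value):
    """Hypothetical stand-in for CSF's checkip(): accepts a dotted-quad IPv4 only."""
    return re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", value) is not None

def audit_rule(line, service="imap"):
    """Compare the numbering posted in the thread ($ip=$8, $acc=$7) with the numbering
    obtained by counting the groups (rip is capture 10, the bracketed user capture 8),
    and report for each whether lfd would end up with an address it could block."""
    report = {}
    for label, ip_group, acc_group in (("posted_8_7", 8, 7), ("counted_10_8", 10, 8)):
        got = extract(line, service, ip_group, acc_group)
        report[label] = None if got is None else (got[0], got[1], looks_like_ip(got[0]))
    return report

if __name__ == "__main__":
    for name, line in (("dovecot.log line", LINE_INFO), ("syslog-style line", LINE_SYSLOG)):
        print(name, audit_rule(line))
```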