cPanel 11.24 - cphulk failed login attempts to account

This forum is only for reproducible bugs with csf and lfd (i.e. not iptables problems, lack of understanding how to use a feature, etc). Posts must be accompanied with full technical details of the problem and how it can be recreated. Any posts not adhering to this, or not considered bugs, will be moved to the General Discussion (csf) forum.
avio
Junior Member
Posts: 4
Joined: 27 Nov 2008, 11:27

cPanel 11.24 - cphulk failed login attempts to account

Post by avio »

failed login attempts to account xx (system) -- Large number of attempts from this IP

Getting a ton of these emails from cphulk because the server might be under attack, however these login attempts aren't being detected by CSF and blocked. Sometimes it's a single IP and we end up with 8000+ emails, and sometimes it's multiple IPs in the same block range, but CSF isn't picking up anything. I believe this may be the dovecot installation on cPanel with so many users attacking it.
chirpy
Moderator
Posts: 3537
Joined: 09 Dec 2006, 18:13

Post by chirpy »

It's probably a change in the dovecot log lines which require a tweak to the regex. I'll look into it when I get the chance to try out the latest dovecot installation by cPanel.
isputra
Junior Member
Posts: 3
Joined: 29 Nov 2008, 00:30

Post by isputra »

avio wrote: failed login attempts to account xx (system) -- Large number of attempts from this IP

Getting a ton of these emails from cphulk because the server might be under attack, however these login attempts aren't being detected by CSF and blocked. Sometimes it's a single IP and we end up with 8000+ emails, and sometimes it's multiple IPs in the same block range, but CSF isn't picking up anything. I believe this may be the dovecot installation on cPanel with so many users attacking it.
I have the same problem as above and now I have to disable cpHulk and let CSF handle everything.
avio
Junior Member
Posts: 4
Joined: 27 Nov 2008, 11:27

Post by avio »

Disabling cphulk isn't a good idea since CSF is not able to detect these login failures as of right now.
avio
Junior Member
Posts: 4
Joined: 27 Nov 2008, 11:27

Post by avio »

Still getting login failure attempts on cphulk even with csf v4.24 and no detection with CSF.
chirpy
Moderator
Posts: 3537
Joined: 09 Dec 2006, 18:13

Post by chirpy »

The regex was tested on the latest CURRENT build. If you could paste in the login failure lines for dovecot that you're seeing in POP3D_LOG (usually /var/log/maillog) then I'll see how your logging differs.
avio
Junior Member
Posts: 4
Joined: 27 Nov 2008, 11:27

Post by avio »

Dec 6 05:37:14 server dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=, method=PLAIN, rip=75.126.184.139, lip=75.126.127.239
Dec 6 05:37:14 server dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=, method=PLAIN, rip=75.126.184.139, lip=75.126.127.237
Dec 6 05:37:16 server dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=, method=PLAIN, rip=75.126.184.139, lip=75.126.127.237
Here it is. I just got about 3000 login attempt failures; multiplied by 10, because an email is sent every 10 login attempts, I got 3000 emails.
chirpy
Moderator
Posts: 3537
Joined: 09 Dec 2006, 18:13

Post by chirpy »

I'll have an expanded regex to cater for these failures as well in the next release.
tshosting
Junior Member
Posts: 6
Joined: 11 Jun 2008, 07:34

Post by tshosting »

Hi Chirpy, I have, twice now, gotten thousands of cphulkd emails to my mailbox. This morning there were about 22,000 emails.
This is one of the lines from the log

Dec 11 06:15:44 stanley cphulkd[10685]: Connection service=system ip=203.210.192.154 port= user=lucia blocked by cphulkd (IP Address listed as brute)
Could you please help out with a regex for this.
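The thread asks for a regex that catches the dovecot pop3-login "auth failed" lines avio pasted and the cphulkd "blocked by cphulkd" line above. The script below is an added example, not csf/lfd's own code (csf keeps its log regexes in Perl), that shows the idea behind an LF_POP3D-style trigger in Python: match the failure line, pull out the remote IP, count failures per IP and flag the ones that cross a threshold. The sample log is constructed with documentation-range addresses; the imap-login, "Aborted login" and user=<name> forms are assumed from dovecot's usual logging and were not posted in the thread.

```python
"""Count POP3/IMAP authentication failures per source IP from mail-log lines.

Added example, not csf/lfd's own code. It imitates the idea of csf's
LF_POP3D / LF_IMAPD triggers: match a failure line, extract the remote IP,
and report IPs whose failure count reaches a threshold.
"""
import re
from collections import Counter

# Constructed sample lines (not from any real server). The first three mirror
# the dovecot pop3-login format quoted in the thread, empty user= field
# included. The imap-login "Aborted login" line and the user=<name> form are
# assumed dovecot variants. The successful "Login:" line must NOT count. The
# last line follows the cphulkd format tshosting posted.
SAMPLE_LOG = """\
Dec 6 05:37:14 server dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=, method=PLAIN, rip=198.51.100.7, lip=203.0.113.5
Dec 6 05:37:14 server dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=, method=PLAIN, rip=198.51.100.7, lip=203.0.113.6
Dec 6 05:37:16 server dovecot: pop3-login: Disconnected (auth failed, 3 attempts): user=<alice>, method=PLAIN, rip=198.51.100.7, lip=203.0.113.6
Dec 6 05:37:20 server dovecot: imap-login: Aborted login (auth failed, 1 attempts): user=<bob>, method=PLAIN, rip=198.51.100.9, lip=203.0.113.6
Dec 6 05:38:01 server dovecot: pop3-login: Login: user=<carol>, method=PLAIN, rip=192.0.2.44, lip=203.0.113.6
Dec 11 06:15:44 stanley cphulkd[10685]: Connection service=system ip=203.0.113.200 port= user=lucia blocked by cphulkd (IP Address listed as brute)
"""

# dovecot login-process failure: "(auth failed, N attempts)" followed by the
# remote IP in rip=. user= may be empty or wrapped in <>.
DOVECOT_AUTH_FAIL = re.compile(
    r"dovecot: (?P<proto>pop3|imap)-login: "
    r"(?:Disconnected|Aborted login) \(auth failed, (?P<attempts>\d+) attempts\): "
    r"user=<?(?P<user>[^>,]*)>?, method=\S+, rip=(?P<ip>[0-9a-fA-F.:]+)"
)

# cphulkd brute-force notice in the format posted by tshosting.
CPHULKD_BLOCK = re.compile(
    r"cphulkd\[\d+\]: Connection service=(?P<service>\S+) ip=(?P<ip>[0-9a-fA-F.:]+) "
    r"port=\S* user=(?P<user>\S*) blocked by cphulkd"
)


def parse_failure(line):
    """Return (ip, weight, source) for a line that records a login failure, else None.

    weight is dovecot's "N attempts" count, so a session that failed three
    times before disconnecting counts three; cphulkd lines count one each.
    """
    m = DOVECOT_AUTH_FAIL.search(line)
    if m:
        return m.group("ip"), int(m.group("attempts")), "dovecot-" + m.group("proto")
    m = CPHULKD_BLOCK.search(line)
    if m:
        return m.group("ip"), 1, "cphulkd"
    return None


def failures_per_ip(log_text):
    """Sum failure weights per remote IP over all lines of log_text."""
    counts = Counter()
    for line in log_text.splitlines():
        parsed = parse_failure(line)
        if parsed:
            ip, weight, _source = parsed
            counts[ip] += weight
    return counts


def ips_to_block(log_text, threshold=5):
    """IPs whose failure count reached threshold, highest count first."""
    counts = failures_per_ip(log_text)
    return sorted(
        ((ip, n) for ip, n in counts.items() if n >= threshold),
        key=lambda item: -item[1],
    )


if __name__ == "__main__":
    for ip, n in ips_to_block(SAMPLE_LOG):
        # csf -d <ip> is csf's permanent-deny command; printed here, not run.
        print(f"{ip}\t{n} failures -> candidate for: csf -d {ip}")
```

Two caveats when adapting this to a live /var/log/maillog: lfd counts matching lines rather than dovecot's "N attempts" figure, so the weighting here is stricter than csf's own trigger, and the script keys only on rip=, so addresses that should never be denied (the server's own lip= addresses, monitoring hosts) need the same kind of allow-list csf keeps in csf.allow before anything is fed to csf -d.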