ConfigServer Community Forum

Peer support forums for ConfigServer Scripts
https://mail.forum.configserver.com/

Failed imap logins not being blocked csf v14.19

https://mail.forum.configserver.com/viewtopic.php?t=12899

Page 1 of 1

Failed imap logins not being blocked csf v14.19

Posted: 31 Jul 2023, 16:34
by philh
Since the upgrade to 14.19, repeated failed imapd logins in maillog are no longer getting blocked.
For example, the following (obfuscated) maillog entries did not result in a block, which they would have in earlier versions:

Code: Select all

Jul 30 23:09:04 vps dovecot: imap-login: Disconnected: Aborted login by logging out (auth failed, 2 attempts in 8 secs): user=<someone@example.org>, method=PLAIN, rip=1.2.3.4, lip=5.6.7.8, TLS, session=<8TJlj7sBiPRRsvAT>
Jul 30 23:09:16 vps dovecot: imap-login: Disconnected: Aborted login by logging out (auth failed, 2 attempts in 12 secs): user=<someone@example.org>, method=PLAIN, rip=1.2.3.4, lip=5.6.7.8, TLS, session=<dMPbj7sBoPRRsvAT>
Jul 30 23:09:16 vps dovecot: imap-login: Disconnected: Aborted login by logging out (auth failed, 2 attempts in 12 secs): user=<someone@example.org>, method=PLAIN, rip=1.2.3.4, lip=5.6.7.8, TLS, session=<Ktjbj7sBofRRsvAT>
Jul 30 23:09:25 vps dovecot: imap-login: Disconnected: Aborted login by logging out (auth failed, 2 attempts in 4 secs): user=<someone@example.org>, method=PLAIN, rip=1.2.3.4, lip=5.6.7.8, TLS, session=<OQ7kkLsBqfRRsvAT>
Jul 30 23:09:29 vps dovecot: imap-login: Disconnected: Aborted login by logging out (auth failed, 2 attempts in 4 secs): user=<someone@example.org>, method=PLAIN, rip=1.2.3.4, lip=5.6.7.8, TLS, session=<IFAdkbsBq/RRsvAT>
Jul 30 23:09:29 vps dovecot: imap-login: Disconnected: Aborted login by logging out (auth failed, 2 attempts in 4 secs): user=<someone@example.org>, method=PLAIN, rip=1.2.3.4, lip=5.6.7.8, TLS, session=<5j8dkbsBqvRRsvAT>
Jul 30 23:09:36 vps dovecot: imap-login: Disconnected: Aborted login by logging out (auth failed, 2 attempts in 4 secs): user=<someone@example.org>, method=PLAIN, rip=1.2.3.4, lip=5.6.7.8, TLS, session=<vUCPkbsBwvRRsvAT>
Jul 30 23:09:40 vps dovecot: imap-login: Disconnected: Aborted login by logging out (auth failed, 2 attempts in 4 secs): user=<someone@example.org>, method=PLAIN, rip=1.2.3.4, lip=5.6.7.8, TLS, session=<LW3IkbsB8vRRsvAT>
Jul 30 23:09:44 vps dovecot: imap-login: Disconnected: Aborted login by logging out (auth failed, 2 attempts in 4 secs): user=<someone@example.org>, method=PLAIN, rip=1.2.3.4, lip=5.6.7.8, TLS, session=</pUFkrsB8/RRsvAT>
Jul 30 23:09:48 vps dovecot: imap-login: Disconnected: Aborted login by logging out (auth failed, 2 attempts in 4 secs): user=<someone@example.org>, method=PLAIN, rip=1.2.3.4, lip=5.6.7.8, TLS, session=<dBpCkrsB9PRRsvAT>
...
Not sure why this is, since the entries are picked up by the new amended dovecot regex.

We have not changed any settings in csf.conf since the upgrade. The relevant settings are:
LF_INTERVAL = "7200"
LF_IMAPD = "5"
LF_IMAPD_PERM = "1"

CentOS Linux release 7.9.2009
cPanel 110.0.8
dovecot 2.3.19.1

Re: Failed imap logins not being blocked csf v14.19

Posted: 20 Aug 2023, 15:19
by philh
I created a custom rule containing the regex copied as-is from RegexMain.pm and this successfully blocks offending IPs.

As far as we can see, all other types of blocking are working correctly.
All times are UTC
Page 1 of 1

Powered by phpBB® Forum Software © phpBB Limited