Why are certain IPs ignored although not in csf.allow?

Posted: 14 Sep 2023, 08:38
by zsimaiof
Hello,
I recently was checking lfd.log (I am using CSF/LFD with WHM/cPanel) and it caught my eye that, although my server is constantly being targeted by potential perpetrators trying to log in via SMTP, there are no entries in lfd.log indicating that lfd picks up these failed attempts.
Here is a grepped part of my exim_mainlog showing failed SMTP login attempts:

2023-09-13 10:55:00 dovecot_login authenticator failed for (vipturbo.com.br) [191.36.151.8]:32853: 535 Incorrect authentication data (set_id=k.krit@domain.com)
2023-09-13 11:40:42 dovecot_login authenticator failed for 33bac29f.skybroadband.com [51.186.194.159]:58186: 535 Incorrect authentication data (set_id=k.krit@domain.com)
2023-09-13 11:44:08 dovecot_login authenticator failed for (abts-kk-static-102.246.166.122.airtelbroadband.in) [122.166.246.102]:39582: 535 Incorrect authentication data (set_id=k.krit@domain.com)
2023-09-13 11:59:30 dovecot_login authenticator failed for (198.116.65.218.broad.nc.jx.dynamic.163data.com.cn) [61.180.116.198]:53954: 535 Incorrect authentication data (set_id=k.krit@domain.com)
2023-09-13 12:58:47 dovecot_login authenticator failed for ([211.230.113.118]) [211.230.113.118]:43700: 535 Incorrect authentication data (set_id=k.krit@domain.com)
2023-09-13 13:03:16 dovecot_login authenticator failed for (ip103-129-220-243.cloudhost.web.id) [103.129.220.243]:45013: 535 Incorrect authentication data (set_id=k.krit@domain.com)
2023-09-13 13:42:09 dovecot_login authenticator failed for wsip-24-120-108-5.lv.lv.cox.net [24.120.108.5]:31981: 535 Incorrect authentication data (set_id=k.krit@domain.com)
2023-09-13 13:48:47 dovecot_login authenticator failed for ([117.156.231.10]) [117.156.231.10]:33180: 535 Incorrect authentication data (set_id=k.krit@domain.com)
2023-09-13 14:13:27 dovecot_login authenticator failed for ([103.70.142.229]) [103.70.142.229]:34082: 535 Incorrect authentication data (set_id=k.krit@domain.com)
2023-09-13 14:36:41 dovecot_login authenticator failed for ([60.191.94.106]) [60.191.94.106]:53816: 535 Incorrect authentication data (set_id=k.krit@domain.com)
2023-09-13 15:21:20 dovecot_login authenticator failed for (82.53.170.222.broad.md.hl.dynamic.163data.com.cn) [222.170.53.82]:52532: 535 Incorrect authentication data (set_id=k.krit@domain.com)
2023-09-13 15:30:22 dovecot_login authenticator failed for ([183.62.20.3]) [183.62.20.2]:59199: 535 Incorrect authentication data (set_id=k.krit@domain.com)
2023-09-13 15:56:14 dovecot_login authenticator failed for broadband-77-37-135-17.ip.moscow.rt.ru [77.37.135.17]:55168: 535 Incorrect authentication data (set_id=k.krit@domain.com)
2023-09-13 16:07:48 dovecot_login authenticator failed for cpe-172-90-21-238.socal.res.rr.com [172.90.21.238]:43853: 535 Incorrect authentication data (set_id=k.krit@domain.com)
2023-09-13 16:42:05 dovecot_login authenticator failed for ([117.248.248.152]) [117.248.248.152]:43848: 535 Incorrect authentication data (set_id=k.krit@domain.com)
2023-09-13 17:20:03 dovecot_login authenticator failed for ([91.73.194.178]) [91.73.194.178]:43571: 535 Incorrect authentication data (set_id=k.krit@domain.com)
2023-09-13 17:36:23 dovecot_login authenticator failed for (abts-tn-static-193.56.165.122.airtelbroadband.in) [122.165.56.193]:35371: 535 Incorrect authentication data (set_id=k.krit@domain.com)
2023-09-13 17:43:59 dovecot_login authenticator failed for ([116.132.50.178]) [116.132.50.178]:59736: 535 Incorrect authentication data (set_id=k.krit@domain.com)
2023-09-13 18:43:59 dovecot_login authenticator failed for ([120.209.216.26]) [120.209.216.26]:50122: 535 Incorrect authentication data (set_id=k.krit@domain.com)
2023-09-13 19:21:51 dovecot_login authenticator failed for ([58.49.46.30]) [58.49.46.30]:39979: 535 Incorrect authentication data (set_id=k.krit@domain.com)
2023-09-13 19:31:52 dovecot_login authenticator failed for ([60.171.135.254]) [60.171.135.254]:36586: 535 Incorrect authentication data (set_id=k.krit@domain.com)
2023-09-13 20:08:53 dovecot_login authenticator failed for ([14.54.22.11]) [14.54.22.11]:26628: 535 Incorrect authentication data (set_id=k.krit@domain.com)
2023-09-13 20:44:32 dovecot_login authenticator failed for (73.70.4.122.broad.qd.sd.dynamic.163data.com.cn) [122.4.70.58]:43694: 535 Incorrect authentication data (set_id=k.krit@domain.com)
2023-09-13 21:20:14 dovecot_login authenticator failed for ([218.17.187.43]) [218.17.187.43]:54195: 535 Incorrect authentication data (set_id=k.krit@domain.com)
2023-09-13 21:20:24 dovecot_login authenticator failed for (m121-202-194-241.smartone.com) [121.202.194.241]:52449: 535 Incorrect authentication data (set_id=k.krit@domain.com)
2023-09-13 21:55:25 dovecot_login authenticator failed for ([211.243.43.58]) [211.243.43.58]:50866: 535 Incorrect authentication data (set_id=k.krit@domain.com)
2023-09-13 22:51:56 dovecot_login authenticator failed for ([168.121.195.104]) [187.103.205.1]:53916: 535 Incorrect authentication data (set_id=k.krit@domain.com)
2023-09-13 22:52:53 dovecot_login authenticator failed for ([138.75.117.154]) [138.75.117.154]:58357: 535 Incorrect authentication data (set_id=k.krit@domain.com)
2023-09-13 22:56:40 dovecot_login authenticator failed for ([59.9.38.110]) [59.9.38.110]:57908: 535 Incorrect authentication data (set_id=k.krit@domain.com)
2023-09-13 22:57:23 dovecot_login authenticator failed for (abts-north-static-038.58.160.122.airtelbroadband.in) [122.160.58.38]:58488: 535 Incorrect authentication data (set_id=k.krit@domain.com)
2023-09-13 23:44:50 dovecot_login authenticator failed for cpe-142-255-119-197.nyc.res.rr.com [142.255.119.197]:50626: 535 Incorrect authentication data (set_id=k.krit@domain.com)
2023-09-14 00:13:29 dovecot_login authenticator failed for (51.188.165.124.adsl-pool.sx.cn) [116.135.13.165]:33808: 535 Incorrect authentication data (set_id=k.krit@domain.com)
2023-09-14 00:22:28 dovecot_login authenticator failed for ([117.180.221.5]) [117.180.221.5]:49184: 535 Incorrect authentication data (set_id=k.krit@domain.com)
2023-09-14 00:28:40 dovecot_login authenticator failed for ([219.147.29.162]) [222.173.86.202]:40238: 535 Incorrect authentication data (set_id=k.krit@domain.com)
2023-09-14 01:29:23 dovecot_login authenticator failed for host162.181-12-143.telecom.net.ar [181.12.143.162]:52068: 535 Incorrect authentication data (set_id=k.krit@domain.com)
2023-09-14 01:57:20 dovecot_login authenticator failed for 071-067-072-074.biz.spectrum.com [71.67.72.74]:56742: 535 Incorrect authentication data (set_id=k.krit@domain.com)
2023-09-14 03:07:31 dovecot_login authenticator failed for ([203.116.95.48]) [203.116.95.48]:45202: 535 Incorrect authentication data (set_id=k.krit@domain.com)
2023-09-14 03:10:03 dovecot_login authenticator failed for (223-197-199-52.static.imsbiz.com) [223.197.199.52]:33635: 535 Incorrect authentication data (set_id=k.krit@domain.com)
2023-09-14 04:01:48 dovecot_login authenticator failed for ([219.159.109.112]) [219.159.109.112]:35737: 535 Incorrect authentication data (set_id=k.krit@domain.com)
2023-09-14 04:42:24 dovecot_login authenticator failed for (abts-mum-static-120.134.179.122.airtelbroadband.in) [122.179.134.120]:44745: 535 Incorrect authentication data (set_id=k.krit@domain.com)
2023-09-14 04:50:59 dovecot_login authenticator failed for ([218.38.151.121]) [218.38.151.121]:33564: 535 Incorrect authentication data (set_id=k.krit@domain.com)
2023-09-14 05:25:43 dovecot_login authenticator failed for ([185.255.212.178]) [185.255.212.178]:62477: 535 Incorrect authentication data (set_id=k.krit@domain.com)
2023-09-14 06:01:20 dovecot_login authenticator failed for ([45.189.208.250]) [45.189.208.250]:59464: 535 Incorrect authentication data (set_id=k.krit@domain.com)
2023-09-14 06:18:04 dovecot_login authenticator failed for (30.152.224.103-in-addr.arpa-mithriltele.net) [103.224.152.30]:60167: 535 Incorrect authentication data (set_id=k.krit@domain.com)
2023-09-14 06:34:06 dovecot_login authenticator failed for (183.83.188.87.actcorp.in) [183.83.188.87]:36666: 535 Incorrect authentication data (set_id=k.krit@domain.com)
2023-09-14 07:12:16 dovecot_login authenticator failed for ([213.230.64.246]) [213.230.64.246]:54496: 535 Incorrect authentication data (set_id=k.krit@domain.com)
2023-09-14 07:17:34 dovecot_login authenticator failed for ([111.21.226.150]) [111.21.226.150]:30291: 535 Incorrect authentication data (set_id=k.krit@domain.com)
2023-09-14 08:05:34 dovecot_login authenticator failed for ([218.6.64.194]) [218.6.64.194]:7512: 535 Incorrect authentication data (set_id=k.krit@domain.com)
2023-09-14 08:09:54 dovecot_login authenticator failed for ([125.128.102.11]) [121.128.115.50]:47903: 535 Incorrect authentication data (set_id=k.krit@domain.com)
2023-09-14 09:10:02 dovecot_login authenticator failed for ([38.141.224.5]) [38.141.224.5]:38986: 535 Incorrect authentication data (set_id=k.krit@domain.com)
2023-09-14 09:10:30 dovecot_login authenticator failed for ([114.217.12.155]) [114.217.12.155]:58996: 535 Incorrect authentication data (set_id=k.krit@domain.com)
2023-09-14 09:28:14 dovecot_login authenticator failed for ([189.80.86.126]) [189.80.86.126]:37657: 535 Incorrect authentication data (set_id=k.krit@domain.com)
2023-09-14 09:48:28 dovecot_login authenticator failed for ([89.40.66.22]) [89.40.66.22]:45178: 535 Incorrect authentication data (set_id=k.krit@domain.com)
There are no entries in lfd.log indicating that it picked up these failed attempts.
Here is the lfd.log for this time interval:

Sep 14 00:00:03 vps2 lfd[30398]: LOAD Tracking...
Sep 14 00:00:03 vps2 lfd[30398]: *Error* Cannot run csf Integrated UI - UI_USER must set
Sep 14 00:00:03 vps2 lfd[30398]: *ERROR*: Country Code Lookups setting MM_LICENSE_KEY must be set in /etc/csf/csf.conf to continue updating the MaxMind databases
Sep 14 00:00:03 vps2 lfd[30398]: Country Code Lookups...
Sep 14 00:00:03 vps2 lfd[30398]: CC Error: Country Code Filters setting MM_LICENSE_KEY must be set in /etc/csf/csf.conf to continue using the MaxMind databases
Sep 14 00:00:03 vps2 lfd[30398]: *ERROR*: Country Code Filters setting MM_LICENSE_KEY must be set in /etc/csf/csf.conf to continue updating the MaxMind databases
Sep 14 00:00:03 vps2 lfd[30398]: Country Code Filters...
Sep 14 00:00:03 vps2 lfd[30398]: CC Error: Country Code Lookups setting MM_LICENSE_KEY must be set in /etc/csf/csf.conf to continue using the MaxMind databases
Sep 14 00:00:03 vps2 lfd[30398]: System Integrity Tracking...
Sep 14 00:00:03 vps2 lfd[30398]: Exploit Tracking...
Sep 14 00:00:03 vps2 lfd[30398]: Directory Watching...
Sep 14 00:00:03 vps2 lfd[30398]: Email Queue Tracking...
Sep 14 00:00:03 vps2 lfd[30398]: ModSecurity IP D/B Tracking...
Sep 14 00:00:03 vps2 lfd[30398]: Email Relay Tracking...
Sep 14 00:00:03 vps2 lfd[30398]: Temp to Perm Block Tracking...
Sep 14 00:00:03 vps2 lfd[30398]: System Statistics...
Sep 14 00:00:03 vps2 lfd[30398]: Port Scan Tracking...
Sep 14 00:00:03 vps2 lfd[30398]: Account Tracking...
Sep 14 00:00:03 vps2 lfd[30398]: SU Tracking...
Sep 14 00:00:03 vps2 lfd[30398]: Console Tracking...
Sep 14 00:00:03 vps2 lfd[30398]: Watching /var/log/exim_paniclog...
Sep 14 00:00:03 vps2 lfd[30398]: Watching /var/log/secure...
Sep 14 00:00:03 vps2 lfd[30398]: Watching /usr/local/cpanel/logs/login_log...
Sep 14 00:00:03 vps2 lfd[30398]: Watching /var/log/customlog...
Sep 14 00:00:03 vps2 lfd[30398]: Watching /usr/local/cpanel/logs/error_log...
Sep 14 00:00:03 vps2 lfd[30398]: Watching /var/log/messages...
Sep 14 00:00:03 vps2 lfd[30398]: Watching /var/log/maillog...
Sep 14 00:00:03 vps2 lfd[30398]: Watching /var/log/lfd.log...
Sep 14 00:00:03 vps2 lfd[30398]: Watching /etc/apache2/logs/error_log...
Sep 14 00:00:03 vps2 lfd[30398]: Watching /var/log/exim_mainlog...
Sep 14 00:01:03 vps2 lfd[30508]: Incoming IP 198.23.210.144 temporary block removed
Sep 14 00:01:03 vps2 lfd[30508]: Outgoing IP 198.23.210.144 temporary block removed
Sep 14 00:29:32 vps2 lfd[416]: (sshd) Failed SSH login from 128.1.141.18 (HK/Hong Kong/a18.designerforumail15.com): 10 in the last 300 secs - *Blocked in csf* for 3600 secs [LF_TRIGGER]
Sep 14 01:00:06 vps2 lfd[30398]: CC Error: Country Code Lookups setting MM_LICENSE_KEY must be set in /etc/csf/csf.conf to continue using the MaxMind databases
Sep 14 01:00:06 vps2 lfd[30398]: CC Error: Country Code Filters setting MM_LICENSE_KEY must be set in /etc/csf/csf.conf to continue using the MaxMind databases
Sep 14 01:29:36 vps2 lfd[6491]: Incoming IP 128.1.141.18 temporary block removed
Sep 14 01:29:36 vps2 lfd[6491]: Outgoing IP 128.1.141.18 temporary block removed
Sep 14 02:00:06 vps2 lfd[30398]: CC Error: Country Code Lookups setting MM_LICENSE_KEY must be set in /etc/csf/csf.conf to continue using the MaxMind databases
Sep 14 02:00:06 vps2 lfd[30398]: CC Error: Country Code Filters setting MM_LICENSE_KEY must be set in /etc/csf/csf.conf to continue using the MaxMind databases
Sep 14 03:00:09 vps2 lfd[30398]: CC Error: Country Code Lookups setting MM_LICENSE_KEY must be set in /etc/csf/csf.conf to continue using the MaxMind databases
Sep 14 03:00:09 vps2 lfd[30398]: CC Error: Country Code Filters setting MM_LICENSE_KEY must be set in /etc/csf/csf.conf to continue using the MaxMind databases
Sep 14 04:00:13 vps2 lfd[30398]: CC Error: Country Code Lookups setting MM_LICENSE_KEY must be set in /etc/csf/csf.conf to continue using the MaxMind databases
Sep 14 04:00:13 vps2 lfd[30398]: CC Error: Country Code Filters setting MM_LICENSE_KEY must be set in /etc/csf/csf.conf to continue using the MaxMind databases
Sep 14 04:00:19 vps2 lfd[18532]: *System Integrity* has detected modified file(s): /usr/bin/imunify360-agent /usr/bin/imunify-antivirus /usr/bin/imunify-service /bin/imunify360-agent /bin/imunify-antivirus /bin/imunify-service
Sep 14 05:00:15 vps2 lfd[30398]: CC Error: Country Code Lookups setting MM_LICENSE_KEY must be set in /etc/csf/csf.conf to continue using the MaxMind databases
Sep 14 05:00:15 vps2 lfd[30398]: CC Error: Country Code Filters setting MM_LICENSE_KEY must be set in /etc/csf/csf.conf to continue using the MaxMind databases
Sep 14 06:00:17 vps2 lfd[30398]: CC Error: Country Code Lookups setting MM_LICENSE_KEY must be set in /etc/csf/csf.conf to continue using the MaxMind databases
Sep 14 06:00:17 vps2 lfd[30398]: CC Error: Country Code Filters setting MM_LICENSE_KEY must be set in /etc/csf/csf.conf to continue using the MaxMind databases
Sep 14 07:00:19 vps2 lfd[30398]: CC Error: Country Code Lookups setting MM_LICENSE_KEY must be set in /etc/csf/csf.conf to continue using the MaxMind databases
Sep 14 07:00:19 vps2 lfd[30398]: CC Error: Country Code Filters setting MM_LICENSE_KEY must be set in /etc/csf/csf.conf to continue using the MaxMind databases
Sep 14 07:05:44 vps2 lfd[30398]: Failed POP3 login from 62.169.200.73 - ignored
Sep 14 08:00:20 vps2 lfd[30398]: CC Error: Country Code Lookups setting MM_LICENSE_KEY must be set in /etc/csf/csf.conf to continue using the MaxMind databases
Sep 14 08:00:20 vps2 lfd[30398]: CC Error: Country Code Filters setting MM_LICENSE_KEY must be set in /etc/csf/csf.conf to continue using the MaxMind databases
Sep 14 08:59:22 vps2 lfd[12528]: pop3d - 121 logins in 3542 secs from 62.169.200.73 (GR/Greece/-) for support@milkplan.com exceeds 120/hour - *Blocked in csf* for 58 secs [LT_POP3D]
Sep 14 08:59:23 vps2 lfd[12528]: tracking email sent for support@milkplan.com
Sep 14 09:00:23 vps2 lfd[30398]: CC Error: Country Code Lookups setting MM_LICENSE_KEY must be set in /etc/csf/csf.conf to continue using the MaxMind databases
Sep 14 09:00:23 vps2 lfd[30398]: CC Error: Country Code Filters setting MM_LICENSE_KEY must be set in /etc/csf/csf.conf to continue using the MaxMind databases
Sep 14 09:00:23 vps2 lfd[12765]: Incoming IP 62.169.200.73:110 temporary block removed
Sep 14 09:00:23 vps2 lfd[12765]: Incoming IP 62.169.200.73:995 temporary block removed
Sep 14 09:16:50 vps2 lfd[14864]: *Port Scan* detected from 185.217.180.189 (KZ/Kazakhstan/-). 11 hits in the last 35 seconds - *Blocked in csf* for 3600 secs [PS_LIMIT]
Sep 14 09:55:12 vps2 lfd[21009]: pop3d - 121 logins in 3289 secs from 62.169.200.73 (GR/Greece/-) for support@milkplan.com exceeds 120/hour - *Blocked in csf* for 311 secs [LT_POP3D]
Sep 14 09:55:12 vps2 lfd[21009]: tracking email sent for support@milkplan.com
Why is that happening? According to lfd.log, exim_mainlog is supposed to be watched.
Another thing is that this type of attack changes IPs, and it seems that I have to enable LF_DISTATTACK to catch them. Is that the correct approach?
Please help.
Thank you in advance.
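As an added illustration (not part of the original post, and not CSF's own code), the Python below runs two kinds of counter over the kind of exim_mainlog lines quoted above: a per-source-address counter, which is the view a per-IP trigger such as LF_SMTPAUTH works from, and an account-keyed counter of distinct source addresses, which is the view a distributed-attack trigger such as LF_DISTATTACK works from. Five log lines are copied from the post's excerpt; the 203.0.113.7 / alice@example.com lines, the non-AUTH line, and the thresholds 3 and 5 are constructed for the demonstration, and the regular expression is my own rather than the pattern CSF ships in regex.pm.

```python
import re
from collections import Counter, defaultdict

# Five lines copied from the exim_mainlog excerpt in the post, plus three
# constructed lines (203.0.113.7 / alice@example.com) that repeat one source
# address so a per-IP threshold has something to trip on, and one constructed
# non-AUTH delivery line that the parser must skip.
SAMPLE_LOG = """\
2023-09-13 10:55:00 dovecot_login authenticator failed for (vipturbo.com.br) [191.36.151.8]:32853: 535 Incorrect authentication data (set_id=k.krit@domain.com)
2023-09-13 11:40:42 dovecot_login authenticator failed for 33bac29f.skybroadband.com [51.186.194.159]:58186: 535 Incorrect authentication data (set_id=k.krit@domain.com)
2023-09-13 12:58:47 dovecot_login authenticator failed for ([211.230.113.118]) [211.230.113.118]:43700: 535 Incorrect authentication data (set_id=k.krit@domain.com)
2023-09-13 22:51:56 dovecot_login authenticator failed for ([168.121.195.104]) [187.103.205.1]:53916: 535 Incorrect authentication data (set_id=k.krit@domain.com)
2023-09-14 00:13:29 dovecot_login authenticator failed for (51.188.165.124.adsl-pool.sx.cn) [116.135.13.165]:33808: 535 Incorrect authentication data (set_id=k.krit@domain.com)
2023-09-14 01:00:01 dovecot_login authenticator failed for (mail.example.net) [203.0.113.7]:40001: 535 Incorrect authentication data (set_id=alice@example.com)
2023-09-14 01:00:04 dovecot_login authenticator failed for (mail.example.net) [203.0.113.7]:40002: 535 Incorrect authentication data (set_id=alice@example.com)
2023-09-14 01:00:09 dovecot_login authenticator failed for (mail.example.net) [203.0.113.7]:40003: 535 Incorrect authentication data (set_id=alice@example.com)
2023-09-14 01:05:00 <= bounce@example.net H=(relay.example.net) [198.51.100.9] P=esmtp S=1234
"""

# Only the bracketed address that is directly followed by ":<port>: 535" is the
# real peer address. The text before it (reverse-DNS name, or the client's HELO
# string in parentheses, which may itself look like "[a.b.c.d]") is supplied by
# the client and must not drive blocking decisions; the lazy .*? skips it.
FAILED_AUTH = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"dovecot_login authenticator failed for .*?"
    r"\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]:\d+: 535 .*?"
    r"\(set_id=(?P<user>[^)]*)\)"
)


def parse_failures(log_text):
    """Return one {ts, ip, user} dict per failed SMTP AUTH line; other lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_AUTH.match(line)
        if m:
            events.append(m.groupdict())
    return events


def per_ip_counts(events):
    """Failures per source address: the view a per-IP trigger works from."""
    return Counter(e["ip"] for e in events)


def ips_over_threshold(events, threshold):
    """Addresses with at least `threshold` failures (per-IP style trigger)."""
    return sorted(ip for ip, n in per_ip_counts(events).items() if n >= threshold)


def distributed_targets(events, min_unique_ips):
    """Accounts attacked from at least `min_unique_ips` distinct addresses
    (distributed-attack style trigger, keyed on the account rather than the IP)."""
    ips_by_user = defaultdict(set)
    for e in events:
        ips_by_user[e["user"]].add(e["ip"])
    return {u: len(ips) for u, ips in ips_by_user.items() if len(ips) >= min_unique_ips}


if __name__ == "__main__":
    ev = parse_failures(SAMPLE_LOG)
    print(f"{len(ev)} failed AUTH events")
    print("per-IP trigger (>=3 failures):      ", ips_over_threshold(ev, 3))
    print("distributed trigger (>=5 unique IPs):", distributed_targets(ev, 5))
```

On this input the per-IP counter reports only the constructed 203.0.113.7, because every address from the post's excerpt appears exactly once, while the account-keyed counter reports k.krit@domain.com as hit from five distinct addresses. The fourth event also shows why the parser anchors on the port: its HELO string is "[168.121.195.104]" but the peer address is 187.103.205.1.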