cPanel 11.24 - cphulk failed login attempts to account

Posted: 27 Nov 2008, 11:36
by avio
failed login attempts to account xx (system) -- Large number of attempts from this IP

Getting a ton of these emails from cphulk because the server might be under attack; however, these login attempts aren't being detected by CSF and blocked. Sometimes it's a single IP and we end up with 8000+ emails, and sometimes it's multiple IPs in the same block range, but CSF isn't picking up anything. I believe this may be the dovecot installation on cPanel, with so many users attacking it.

Posted: 28 Nov 2008, 10:31
by chirpy
It's probably a change in the dovecot log lines which requires a tweak to the regex. I'll look into it when I get the chance to try out the latest dovecot installation by cPanel.

Posted: 29 Nov 2008, 00:34
by isputra
avio wrote:
failed login attempts to account xx (system) -- Large number of attempts from this IP

Getting a ton of these emails from cphulk because the server might be under attack; however, these login attempts aren't being detected by CSF and blocked. Sometimes it's a single IP and we end up with 8000+ emails, and sometimes it's multiple IPs in the same block range, but CSF isn't picking up anything. I believe this may be the dovecot installation on cPanel, with so many users attacking it.

I have the same problem as above, and now I have to disable cpHulk and let CSF handle everything.

Posted: 29 Nov 2008, 21:03
by avio
Disabling cphulk isn't a good idea since CSF is not able to detect these login failures as of right now.

Posted: 03 Dec 2008, 12:36
by avio
Still getting login failure attempts on cphulk even with CSF v4.24, and no detection by CSF.

Posted: 04 Dec 2008, 18:01
by chirpy
The regex was tested on the latest CURRENT build. If you could paste in the login failure lines for dovecot that you're seeing in POP3D_LOG (usually /var/log/maillog) then I'll see how your logging differs.

Posted: 06 Dec 2008, 20:02
by avio
Dec 6 05:37:14 server dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=, method=PLAIN, rip=75.126.184.139, lip=75.126.127.239
Dec 6 05:37:14 server dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=, method=PLAIN, rip=75.126.184.139, lip=75.126.127.237
Dec 6 05:37:16 server dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=, method=PLAIN, rip=75.126.184.139, lip=75.126.127.237

Here it is. I just got about 3000 login attempt failures, multiplied by 10 because an email is sent every 10 login attempts, and I got 3000 emails.

Posted: 07 Dec 2008, 17:27
by chirpy
I'll have an expanded regex to cater for these failures as well in the next release.

Posted: 11 Dec 2008, 05:06
by tshosting
Hi Chirpy, I have, twice now, been getting thousands of cphulkd emails to my mailbox. This morning there were about 22,000 emails.
This is one of the lines from the log

Dec 11 06:15:44 stanley cphulkd[10685]: Connection service=system ip=203.210.192.154 port= user=lucia blocked by cphulkd (IP Address listed as brute)
Could you please help out with a regex for this.
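The two log formats posted in this thread (the dovecot pop3-login "auth failed" lines and the cphulkd "blocked by cphulkd" line) are the kind of input a login-failure detector has to match. The following is an added example written for this page, not CSF's own regex or code: it parses both formats, tallies failed attempts per source IP, and reports IPs at or above a threshold. The sample log is constructed from the lines quoted above plus a few assumed lines (a successful login that must be ignored, a second-IP failure, a multi-attempt disconnect); the regexes, function names and the threshold value are assumptions, not anything from CSF or cPanel.

```python
import re
from collections import Counter

# Constructed sample log: the dovecot and cphulkd lines quoted in this thread,
# plus assumed extra lines (a successful login, another IP, a "2 attempts"
# disconnect) so the tally and the threshold check have something to do.
SAMPLE_LOG = """\
Dec 6 05:37:14 server dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=, method=PLAIN, rip=75.126.184.139, lip=75.126.127.239
Dec 6 05:37:14 server dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=, method=PLAIN, rip=75.126.184.139, lip=75.126.127.237
Dec 6 05:37:16 server dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=, method=PLAIN, rip=75.126.184.139, lip=75.126.127.237
Dec 6 05:37:20 server dovecot: pop3-login: Login: user=<bob>, method=PLAIN, rip=10.0.0.5, lip=75.126.127.239
Dec 6 05:37:25 server dovecot: imap-login: Disconnected (auth failed, 2 attempts): user=<admin>, method=PLAIN, rip=75.126.184.139, lip=75.126.127.239
Dec 6 05:37:30 server dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<test>, method=PLAIN, rip=192.0.2.77, lip=75.126.127.239
Dec 11 06:15:44 stanley cphulkd[10685]: Connection service=system ip=203.210.192.154 port= user=lucia blocked by cphulkd (IP Address listed as brute)
"""
SAMPLE_LINES = SAMPLE_LOG.splitlines()

# Assumed regex for dovecot pop3/imap login failures. "user=" may be empty
# (as in the posted lines) or "<name>"; rip is the remote (attacker) address,
# lip is the local address and is deliberately not used for counting.
DOVECOT_RE = re.compile(
    r"dovecot: (?:pop3|imap)-login: Disconnected \(auth failed, (?P<n>\d+) attempts\): "
    r"user=(?P<user>[^,]*), method=(?P<method>\S+), rip=(?P<rip>[\d.]+), lip=(?P<lip>[\d.]+)"
)

# Assumed regex for the cphulkd notice; "port=" is empty in the posted line,
# so the port group allows zero characters.
CPHULKD_RE = re.compile(
    r"cphulkd\[\d+\]: Connection service=(?P<service>\S+) ip=(?P<ip>[\d.]+) "
    r"port=(?P<port>\S*) user=(?P<user>\S+) blocked by cphulkd"
)


def parse_failure(line):
    """Return a dict describing a login failure, or None if the line is not one."""
    m = DOVECOT_RE.search(line)
    if m:
        return {
            "source": "dovecot",
            "ip": m.group("rip"),
            "user": m.group("user").strip("<>") or "(empty)",
            "attempts": int(m.group("n")),
        }
    m = CPHULKD_RE.search(line)
    if m:
        # cphulkd reports one blocked connection per line.
        return {"source": "cphulkd", "ip": m.group("ip"),
                "user": m.group("user"), "attempts": 1}
    return None


def failures_by_ip(lines):
    """Tally failed attempts per remote IP across all recognised lines."""
    counts = Counter()
    for line in lines:
        rec = parse_failure(line)
        if rec is not None:
            counts[rec["ip"]] += rec["attempts"]
    return counts


def ips_over_threshold(lines, threshold=5):
    """IPs whose failure count meets the (assumed) threshold, sorted."""
    return sorted(ip for ip, n in failures_by_ip(lines).items() if n >= threshold)


if __name__ == "__main__":
    for ip, n in failures_by_ip(SAMPLE_LINES).most_common():
        print(f"{ip:16} {n} failed attempts")
    print("over threshold:", ips_over_threshold(SAMPLE_LINES))
```

Counting the dovecot "N attempts" value rather than one per line matters because dovecot only logs the disconnect, not each individual failure, so a single line can represent several guesses; the successful "Login:" line is ignored because it does not match either pattern.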