pop3-login login failures not blocked after Dovecot upgrade

[WBA]

LFD doesn't seem to recognise pop3-login failures after upgrading to Dovecot 2.1.0

We are running Direct Admin current with Dovecot 2.1.0
/var/log# csf --version
csf: v5.46 (DirectAdmin)

These are the log entries that don't work now
Server1
Feb 22 11:21:39 bob1 dovecot: pop3-login: Disconnected: Inactivity (auth failed, 1 attempts): user=<root>, method=PLAIN, rip=211.142.85.44, lip=192.194.199.1
Feb 22 11:21:47 bob1 dovecot: pop3-login: Disconnected: Inactivity (auth failed, 1 attempts): user=<root>, method=PLAIN, rip=211.142.85.44, lip=192.194.199.1
Feb 22 11:21:47 bob1 dovecot: pop3-login: Disconnected: Inactivity (auth failed, 1 attempts): user=<backuppc>, method=PLAIN, rip=211.142.85.44, lip=lip=192.194.199.1

Server2
Feb 21 19:42:38 bob2 dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 10 secs): user=<violet>, method=PLAIN, rip=117.21.127.39, lip=192.192.192.192
Feb 21 19:42:38 bob2 dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 10 secs): user=<violeta>, method=PLAIN, rip=117.21.127.39, lip=192.192.192.192
Feb 21 19:42:39 bob2 dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 10 secs): user=<vinnie>, method=PLAIN, rip=117.21.127.39, lip=192.192.192.192
Feb 21 19:42:39 bob2 dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 10 secs): user=<violet>, method=PLAIN, rip=117.21.127.39, lip=192.192.192.192
Feb 21 19:42:39 bob2 dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 10 secs): user=<vinnie>, method=PLAIN, rip=117.21.127.39, lip=192.192.192.192
Feb 21 19:42:39 bob2 dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 10 secs): user=<vinnie>, method=PLAIN, rip=117.21.127.39, lip=192.192.192.192
Feb 21 19:42:39 bob2 dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 10 secs): user=<viola>, method=PLAIN, rip=117.21.127.39, lip=192.192.192.192
Feb 21 19:42:39 bob2 dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 10 secs): user=<violeta>, method=PLAIN, rip=117.21.127.39, lip=192.192.192.192
Feb 21 19:42:39 bob2 dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 10 secs): user=<violeta>, method=PLAIN, rip=117.21.127.39, lip=192.192.192.192
Feb 21 19:42:39 bob2 dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 10 secs): user=<violeta>, method=PLAIN, rip=117.21.127.39, lip=192.192.192.192


I reverted back to Dovecot 2.0.18
These log entries are picked up by LFD

Server1
Feb 22 12:58:40 bob1 dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<test1>, method=PLAIN, rip=192.168.1.101, lip=192.194.199.1

Server2
Feb 22 12:52:57 bob2 dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<test>, method=PLAIN, rip=192.168.1.101, lip=192.192.192.192

This may not be a CSF a bug but more of a regex matching issue
Any response appreciated.
WBA

[chirpy]

We'll look at the change in log line format in a future release.

[WBA]

Thank you, works perfect now.

[workaholic]

@chirpy

It seems it doesn't work for me, any idea's?

Code: Select all

13303005010002   174.142.75.196   root   1   dovecot1   Feb 27 00:54:36 webserver dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 17 secs): user=<root>, method=PLAIN, rip=174.142.75.196, lip=127.0.0.1
13303005010001   174.142.75.196   adrian   1   dovecot1   Feb 27 00:54:19 webserver dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 17 secs): user=<adrian>, method=PLAIN, rip=174.142.75.196, lip=127.0.0.1
13303005010000   174.142.75.196   mateo   1   dovecot1   Feb 27 00:54:02 webserver dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 17 secs): user=<mateo>, method=PLAIN, rip=174.142.75.196, lip=127.0.0.1
13303004410002   174.142.75.196   john   1   dovecot1   Feb 27 00:53:45 webserver dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 17 secs): user=<john>, method=PLAIN, rip=174.142.75.196, lip=127.0.0.1
13303004410001   174.142.75.196   adrian   1   dovecot1   Feb 27 00:53:28 webserver dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 17 secs): user=<adrian>, method=PLAIN, rip=174.142.75.196, lip=127.0.0.1
13303004410000   174.142.75.196   mihai   1   dovecot1   Feb 27 00:53:11 webserver dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 17 secs): user=<mihai>, method=PLAIN, rip=174.142.75.196, lip=127.0.0.1
13303003810003   174.142.75.196   besadmin   1   dovecot1   Feb 27 00:52:54 webserver dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 17 secs): user=<besadmin>, method=PLAIN, rip=174.142.75.196, lip=127.0.0.1
13303003810002   174.142.75.196   besadmin   1   dovecot1   Feb 27 00:52:37 webserver dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 17 secs): user=<besadmin>, method=PLAIN, rip=174.142.75.196, lip=127.0.0.1
13303003810001   174.142.75.196   backup   1   dovecot1   Feb 27 00:52:20 webserver dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 17 secs): user=<backup>, method=PLAIN, rip=174.142.75.196, lip=127.0.0.1
13303003810000   174.142.75.196   backup   1   dovecot1   Feb 27 00:52:03 webserver dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 17 secs): user=<backup>, method=PLAIN, rip=174.142.75.196, lip=127.0.0.1
13303003210002   174.142.75.196   alert   1   dovecot1   Feb 27 00:51:46 webserver dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 17 secs): user=<alert>, method=PLAIN, rip=174.142.75.196, lip=127.0.0.1
13303003210001   174.142.75.196   alert   1   dovecot1   Feb 27 00:51:29 webserver dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 17 secs): user=<alert>, method=PLAIN, rip=174.142.75.196, lip=127.0.0.1
13303003210000   174.142.75.196   newsletter   1   dovecot1   Feb 27 00:51:12 webserver dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 17 secs): user=<newsletter>, method=PLAIN, rip=174.142.75.196, lip=127.0.0.1
13303002610003   174.142.75.196   newsletter   1   dovecot1   Feb 27 00:50:55 webserver dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 17 secs): user=<newsletter>, method=PLAIN, rip=174.142.75.196, lip=127.0.0.1
13303002610002   174.142.75.196   contact   1   dovecot1   Feb 27 00:50:38 webserver dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 17 secs): user=<contact>, method=PLAIN, rip=174.142.75.196, lip=127.0.0.1
13303002610001   174.142.75.196   contact   1   dovecot1   Feb 27 00:50:21 webserver dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 17 secs): user=<contact>, method=PLAIN, rip=174.142.75.196, lip=127.0.0.1
13303002610000   174.142.75.196   service   1   dovecot1   Feb 27 00:50:04 webserver dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 17 secs): user=<service>, method=PLAIN, rip=174.142.75.196, lip=127.0.0.1
13303002010002   174.142.75.196   service   1   dovecot1   Feb 27 00:49:47 webserver dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 17 secs): user=<service>, method=PLAIN, rip=174.142.75.196, lip=127.0.0.1
13303002010001   174.142.75.196   webmaster   1   dovecot1   Feb 27 00:49:30 webserver dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 17 secs): user=<webmaster>, method=PLAIN, rip=174.142.75.196, lip=127.0.0.1
13303002010000   174.142.75.196   webmaster   1   dovecot1   Feb 27 00:49:13 webserver dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 17 secs): user=<webmaster>, method=PLAIN, rip=174.142.75.196, lip=127.0.0.1
13303001410003   174.142.75.196   admin   1   dovecot1   Feb 27 00:48:56 webserver dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 17 secs): user=<admin>, method=PLAIN, rip=174.142.75.196, lip=127.0.0.1
13303001410002   174.142.75.196   admin   1   dovecot1   Feb 27 00:48:39 webserver dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 17 secs): user=<admin>, method=PLAIN, rip=174.142.75.196, lip=127.0.0.1
13303001410001   174.142.75.196   fax   1   dovecot1   Feb 27 00:48:22 webserver dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 17 secs): user=<fax>, method=PLAIN, rip=174.142.75.196, lip=127.0.0.1
13303001410000   174.142.75.196   fax   1   dovecot1   Feb 27 00:48:05 webserver dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 17 secs): user=<fax>, method=PLAIN, rip=174.142.75.196, lip=127.0.0.1
13303000810002   174.142.75.196   administrator   1   dovecot1   Feb 27 00:47:48 webserver dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 17 secs): user=<administrator>, method=PLAIN, rip=174.142.75.196, lip=127.0.0.1
13303000810001   174.142.75.196   administrator   1   dovecot1   Feb 27 00:47:31 webserver dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 17 secs): user=<administrator>, method=PLAIN, rip=174.142.75.196, lip=127.0.0.1
13303000810000   174.142.75.196   postmaster   1   dovecot1   Feb 27 00:47:14 webserver dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 17 secs): user=<postmaster>, method=PLAIN, rip=174.142.75.196, lip=127.0.0.1
13303000210003   174.142.75.196   postmaster   1   dovecot1   Feb 27 00:46:57 webserver dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 17 secs): user=<postmaster>, method=PLAIN, rip=174.142.75.196, lip=127.0.0.1
13303000210002   174.142.75.196   info   1   dovecot1   Feb 27 00:46:40 webserver dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 17 secs): user=<info>, method=PLAIN, rip=174.142.75.196, lip=127.0.0.1
13303000210001   174.142.75.196   info   1   dovecot1   Feb 27 00:46:23 webserver dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 17 secs): user=<info>, method=PLAIN, rip=174.142.75.196, lip=127.0.0.1
13303000210000   174.142.75.196   spam   1   dovecot1   Feb 27 00:46:06 webserver dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 17 secs): user=<spam>, method=PLAIN, rip=174.142.75.196, lip=127.0.0.1
13302999610002   174.142.75.196   spam   1   dovecot1   Feb 27 00:45:49 webserver dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 17 secs): user=<spam>, method=PLAIN, rip=174.142.75.196, lip=127.0.0.1
13302999610001   174.142.75.196   test   1   dovecot1   Feb 27 00:45:32 webserver dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 17 secs): user=<test>, method=PLAIN, rip=174.142.75.196, lip=127.0.0.1
13302999610000   174.142.75.196   test   1   dovecot1   Feb 27 00:45:15 webserver dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 17 secs): user=<test>, method=PLAIN, rip=174.142.75.196, lip=127.0.0.1
13302999010003   174.142.75.196   besadmin   1   dovecot1   Feb 27 00:44:58 webserver dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 17 secs): user=<besadmin>, method=PLAIN, rip=174.142.75.196, lip=127.0.0.1
13302999010002   174.142.75.196   natasha   1   dovecot1   Feb 27 00:44:41 webserver dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 17 secs): user=<natasha>, method=PLAIN, rip=174.142.75.196, lip=127.0.0.1
13302999010001   174.142.75.196   backup   1   dovecot1   Feb 27 00:44:24 webserver dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 17 secs): user=<backup>, method=PLAIN, rip=174.142.75.196, lip=127.0.0.1
13302999010000   174.142.75.196   sms   1   dovecot1   Feb 27 00:44:07 webserver dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 17 secs): user=<sms>, method=PLAIN, rip=174.142.75.196, lip=127.0.0.1
13302998410002   174.142.75.196   alert   1   dovecot1   Feb 27 00:43:50 webserver dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 17 secs): user=<alert>, method=PLAIN, rip=174.142.75.196, lip=127.0.0.1
13302998410001   174.142.75.196   newsletter   1   dovecot1   Feb 27 00:43:33 webserver dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 17 secs): user=<newsletter>, method=PLAIN, rip=174.142.75.196, lip=127.0.0.1
13302998410000   174.142.75.196   contact   1   dovecot1   Feb 27 00:43:16 webserver dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 17 secs): user=<contact>, method=PLAIN, rip=174.142.75.196, lip=127.0.0.1
13302997810003   174.142.75.196   service   1   dovecot1   Feb 27 00:42:59 webserver dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 17 secs): user=<service>, method=PLAIN, rip=174.142.75.196, lip=127.0.0.1
13302997810002   174.142.75.196   webmaster   1   dovecot1   Feb 27 00:42:42 webserver dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 17 secs): user=<webmaster>, method=PLAIN, rip=174.142.75.196, lip=127.0.0.1
13302997810001   174.142.75.196   admin   1   dovecot1   Feb 27 00:42:25 webserver dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 17 secs): user=<admin>, method=PLAIN, rip=174.142.75.196, lip=127.0.0.1

I have the following pop3 settings configured, but still being hammered by the same ip and csf/lfd are not blocking this ip.

Code: Select all

    # [*]Enable login failure detection of pop3 connections
    LF_POP3D = Default: 10 [0-20]
    LF_POP3D_PERM = Default: 1 [0-604800]

    # [*]Enable login failure detection of imap connections
    LF_IMAPD = Default: 10 [0-20]
    LF_IMAPD_PERM = Default: 1 [0-604800]

[chirpy]

Those are not dovecot logs from the actual log file, they appear to be an aggregated log, so we cannot comment. You have to post the actual lines from the real log file as the OP did above.