I frequently see authentication lfds that include an IP that looks like it might be on the local subnet for my server, followed by a second IP that is a remote IP, see for example below:
fixed_login authenticator failed for ([192.168.2.33]) [210.186.155.170]:1849
Is that 192.168 IP address something I might want to report to my vendor , perhaps an open relay or something like that? Thanks for a newbie question,
every time a connection is made to your server, the connection comes with some info that CSF gathers to show you, it could the name of the computer or terminal that connected to your server or in some cases the IP where the connection to your server originated.
So, the IP 190.168.2.33 refers to a computer that connected to your server, nothing to do with you or your server connections, you can't report this to your vendor but to report to your customer. Chances are that before the phrase "fixed_login authenticator" came an email address, check the domain on the address and report this to your customer.
If the email that comes on the error is not from any of your customers, then someone that tried to hack the email account is reported in that line.