Brute pop3 logins attack from one IP not blocked

Posted: 31 Mar 2014, 19:43
by Achtron
My server was hit with brute force pop3 logins from one IP continually for about 17 hours until I blocked it. The server maillog registered 41,161 entries for the IP for these hours.

I don't know why this was not blocked automatically by the server, but these are the settings for blocking brute force pop3:
LF_TRIGGER = 0
LF_TRIGGER_PERM = 1
LF_SELECT = 0
LF_POP3D = 10
LF_POP3D_PERM = 1
POP3D_LOG = /var/log/maillog (cPanel Centos 6)
I would need help with this if it's available please.

Re: Brute pop3 logins attack from one IP not blocked

Posted: 31 Mar 2014, 21:03
by bsntech
It might depend upon what you are using as the POP3 / IMAP server.

I installed CSF on our servers over the weekend. Noticed that some things did get blocked correctly (like CERTAIN FTP attempts) but others didn't.

In the end, I had to add items to the custom.regex.pm file and create new regex entries to battle others.

As an example, the FTP regexes would catch anything for "SECURITY VIOLATION" but wouldn't stop those fishing for user accounts - "no user found". So I had to create a regex for that.

Also noted that the IMAP and POP3 stuff wasn't working today - so I had to create a couple of regexes for those. Then I tested and ensured they were blocking.
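
As an added illustration (not code from the thread and not CSF's own regex.custom.pm), the following shows the per-IP counting that a custom login-failure regex feeds, with a trigger level matching the LF_POP3D = 10 setting from the first post, plus a dry-run check that a rule actually matches the log format, which is the "wasn't working" case described above. The Dovecot-style and Courier-style maillog lines, the IPs and the function names are all constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample maillog lines (Dovecot-style pop3-login messages, an
# assumption: check the real /var/log/maillog format before trusting a regex).
_FAIL = ("Mar 31 19:{m:02d}:{s:02d} host dovecot: pop3-login: Disconnected "
         "(auth failed, 1 attempts in 2 secs): user=<{user}>, method=PLAIN, "
         "rip={ip}, lip=10.0.0.5")
_OK = ("Mar 31 19:05:00 host dovecot: pop3-login: Login: user=<alice>, "
       "method=PLAIN, rip=203.0.113.9, lip=10.0.0.5")
SAMPLE_MAILLOG = (
    [_FAIL.format(m=0, s=i, user="admin", ip="198.51.100.23") for i in range(12)]
    + [_FAIL.format(m=3, s=1, user="alice", ip="203.0.113.9"), _OK]
)

# Regex for a failed POP3 login; group 1 must capture the client IP, just as
# a CSF custom regex has to return the IP for blocking.
DOVECOT_POP3_FAIL = re.compile(
    r"pop3-login: .*auth failed.*rip=(\d{1,3}(?:\.\d{1,3}){3})")
# A pattern written for a different daemon's log format (Courier-style, also
# an assumption): it never matches Dovecot lines, so nothing is ever blocked.
COURIER_POP3_FAIL = re.compile(r"pop3d: LOGIN FAILED, .*ip=\[(?:::ffff:)?(\S+)\]")

def count_failures(lines, pattern):
    """Count failed logins per source IP using group 1 of `pattern`."""
    hits = Counter()
    for line in lines:
        m = pattern.search(line)
        if m:
            hits[m.group(1)] += 1
    return hits

def ips_to_block(lines, pattern, trigger=10):
    """IPs at or above the trigger level (LF_POP3D = 10 in the first post)."""
    return {ip for ip, n in count_failures(lines, pattern).items() if n >= trigger}

def regex_is_live(lines, pattern):
    """Dry-run check: a rule that matches no line at all can never block."""
    return sum(count_failures(lines, pattern).values()) > 0

if __name__ == "__main__":
    for name, pat in (("dovecot", DOVECOT_POP3_FAIL), ("courier", COURIER_POP3_FAIL)):
        state = "live" if regex_is_live(SAMPLE_MAILLOG, pat) else "matches nothing"
        print(name, state, ips_to_block(SAMPLE_MAILLOG, pat))
```

Running the check against a few hundred lines of the real maillog before enabling a rule is the quickest way to tell a mismatched regex from a firewall problem.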

Re: Brute pop3 logins attack from one IP not blocked

Posted: 01 Apr 2014, 15:34
by Achtron
Thank you for this advice, it was very helpful.