Page 1 of 1
LFD not permanently blocking system login failures
Posted: 09 Mar 2016, 10:51
by masimo
What I experience is that LFD sends emails on login failures. When there are FTP of SMTP login failures, the IP's are also automatically blocked permanently. But on SYSTEM login failures not.
We do receive the same emails from LFD on all login failures, it's just that I have to manually block all IP's related to system login failures.
Am I overseeing a setting somewhere? Please advice.
My current "Temp to Perm/Netblock Settings":
LF_PERMBLOCK = 1
LF_PERMBLOCK_INTERVAL = 3600
LF_PERMBLOCK_COUNT = 3
LF_PERMBLOCK_ALERT = 1
Re: LFD not permanently blocking system login failures
Posted: 09 Mar 2016, 13:28
by masimo
For example:
Time: Wed Mar 9 16:28:22 2016 +0330
IP: 67.***.***.103 (CA/Canada/-)
Failures: 5 (cpanel)
Interval: 300 seconds
Blocked: Temporary Block
Log entries:
[2016-03-09 16:28:20 +0330] info [cpsrvd] 67.***.***.103 - golnoor "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN cpaneld: invalid cpanel user golnoor (loadcpdata failed)
[2016-03-09 16:28:20 +0330] info [cpsrvd] 67.***.***.103 - gsmbarta "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN cpaneld: invalid cpanel user gsmbarta (loadcpdata failed)
[2016-03-09 16:28:20 +0330] info [cpsrvd] 67.***.***.103 - golnoor "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN cpaneld: invalid cpanel user golnoor (loadcpdata failed)
[2016-03-09 16:28:20 +0330] info [cpsrvd] 67.***.***.103 - gsmbarta "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN cpaneld: invalid cpanel user gsmbarta (loadcpdata failed)
[2016-03-09 16:28:21 +0330] info [cpsrvd] 67.***.***.103 - hshekaro "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN cpaneld: invalid cpanel user hshekaro (loadcpdata failed)
67.***.***.103 temporary Blocked 4 times 16:28:22, 16:33:28, 16:38:33 and 16:43:38
But after 4 times temporary is not blocked as permanently.
Re: LFD not permanently blocking system login failures
Posted: 11 Mar 2016, 07:23
by Elizine
Check the settings under "Temp to Perm/Netblock Settings" and "Login Failure Blocking and Alerts".