Hi,
Just want to report something that I am having in my CSF.
I have set LF_TRIGGER = 0, in order for me to set the cumulative failures in each of the following commands. So, I set the LF_POP3D = 20, but for some reason it is not working.
Wed Dec 20 11:06:18 2006 lfd: Failed POP3 login from 189.165.74.10 - 1 failure(s) in the last 105 secs
Wed Dec 20 11:07:40 2006 lfd: Failed POP3 login from 189.165.74.10 - 2 failure(s) in the last 195 secs
Wed Dec 20 11:08:47 2006 lfd: Failed POP3 login from 189.165.74.10 - 3 failure(s) in the last 260 secs
Wed Dec 20 11:09:54 2006 lfd: Failed POP3 login from 189.165.74.10 - 1 failure(s) in the last 40 secs
Wed Dec 20 11:11:01 2006 lfd: Failed POP3 login from 189.165.74.10 - 2 failure(s) in the last 115 secs
Wed Dec 20 11:12:11 2006 lfd: Failed POP3 login from 189.165.74.10 - 3 failure(s) in the last 205 secs
Wed Dec 20 11:13:19 2006 lfd: Failed POP3 login from 189.165.74.10 - 4 failure(s) in the last 290 secs
Wed Dec 20 11:14:25 2006 lfd: Failed POP3 login from 189.165.74.10 - 1 failure(s) in the last 70 secs
Wed Dec 20 11:15:32 2006 lfd: Failed POP3 login from 189.165.74.10 - 2 failure(s) in the last 150 secs
Wed Dec 20 11:16:39 2006 lfd: Failed POP3 login from 189.165.74.10 - 3 failure(s) in the last 225 secs
Wed Dec 20 11:17:51 2006 lfd: Failed POP3 login from 189.165.74.10 - 1 failure(s) in the last 15 secs
Wed Dec 20 11:19:00 2006 lfd: Failed POP3 login from 189.165.74.10 - 2 failure(s) in the last 100 secs
Wed Dec 20 11:20:07 2006 lfd: Failed POP3 login from 189.165.74.10 - 3 failure(s) in the last 175 secs
Wed Dec 20 11:21:20 2006 lfd: Failed POP3 login from 189.165.74.10 - 4 failure(s) in the last 270 secs
Wed Dec 20 11:22:27 2006 lfd: Failed POP3 login from 189.165.74.10 - 1 failure(s) in the last 50 secs
Wed Dec 20 11:23:35 2006 lfd: Failed POP3 login from 189.165.74.10 - 2 failure(s) in the last 135 secs
Wed Dec 20 11:24:38 2006 lfd: Failed POP3 login from 189.165.74.10 - 3 failure(s) in the last 215 secs
Wed Dec 20 11:25:49 2006 lfd: Failed POP3 login from 189.165.74.10 - 1 failure(s) in the last 0 secs
Wed Dec 20 11:26:58 2006 lfd: Failed POP3 login from 189.165.74.10 - 2 failure(s) in the last 90 secs
Wed Dec 20 11:28:04 2006 lfd: Failed POP3 login from 189.165.74.10 - 3 failure(s) in the last 165 secs
Wed Dec 20 11:29:15 2006 lfd: Failed POP3 login from 189.165.74.10 - 4 failure(s) in the last 250 secs
Wed Dec 20 11:30:18 2006 lfd: Failed POP3 login from 189.165.74.10 - 1 failure(s) in the last 20 secs
Wed Dec 20 11:31:25 2006 lfd: Failed POP3 login from 189.165.74.10 - 2 failure(s) in the last 100 secs
Wed Dec 20 11:32:33 2006 lfd: Failed POP3 login from 189.165.74.10 - 3 failure(s) in the last 185 secs
Wed Dec 20 11:33:41 2006 lfd: Failed POP3 login from 189.165.74.10 - 4 failure(s) in the last 270 secs
Wed Dec 20 11:34:47 2006 lfd: Failed POP3 login from 189.165.74.10 - 1 failure(s) in the last 45 secs
It is more than 20 failures and CSF has not blocked the offending IP.
LF_SELECT is set to 0
and
LF_INTERVAL is set to 300
It doesn't seem to be incrementing the login failures. My log file shows (ip modified of course):
Thu Dec 21 03:03:00 2006 lfd: Failed POP3 login from 70.162.XX.XXX - 1 failure(s) in the last 0 secs
Thu Dec 21 03:08:16 2006 lfd: Failed POP3 login from 70.162.XX.XXX - 1 failure(s) in the last 75 secs
Thu Dec 21 03:13:32 2006 lfd: Failed POP3 login from 70.162.XX.XXX - 1 failure(s) in the last 130 secs
Thu Dec 21 03:18:42 2006 lfd: Failed POP3 login from 70.162.XX.XXX - 1 failure(s) in the last 175 secs
Thu Dec 21 03:23:53 2006 lfd: Failed POP3 login from 70.162.XX.XXX - 1 failure(s) in the last 225 secs
Thu Dec 21 03:29:09 2006 lfd: Failed POP3 login from 70.162.XX.XXX - 1 failure(s) in the last 290 secs
Thu Dec 21 03:34:21 2006 lfd: Failed POP3 login from 70.162.XX.XXX - 1 failure(s) in the last 60 secs
Thu Dec 21 03:39:35 2006 lfd: Failed POP3 login from 70.162.XX.XXX - 1 failure(s) in the last 110 secs
Thu Dec 21 03:44:49 2006 lfd: Failed POP3 login from 70.162.XX.XXX - 1 failure(s) in the last 170 secs
Thu Dec 21 03:49:58 2006 lfd: Failed POP3 login from 70.162.XX.XXX - 1 failure(s) in the last 220 secs
Thu Dec 21 03:55:15 2006 lfd: Failed POP3 login from 70.162.XX.XXX - 1 failure(s) in the last 285 secs
Thu Dec 21 04:00:25 2006 lfd: Failed POP3 login from 70.162.XX.XXX - 1 failure(s) in the last 35 secs
Thu Dec 21 04:05:40 2006 lfd: Failed POP3 login from 70.162.XX.XXX - 1 failure(s) in the last 95 secs
Thu Dec 21 04:10:51 2006 lfd: Failed POP3 login from 70.162.XX.XXX - 1 failure(s) in the last 155 secs
Thu Dec 21 04:16:07 2006 lfd: Failed POP3 login from 70.162.XX.XXX - 1 failure(s) in the last 210 secs
Thu Dec 21 04:21:25 2006 lfd: Failed POP3 login from 70.162.XX.XXX - 1 failure(s) in the last 280 secs
Thu Dec 21 04:26:35 2006 lfd: Failed POP3 login from 70.162.XX.XXX - 1 failure(s) in the last 35 secs
Thu Dec 21 04:31:49 2006 lfd: Failed POP3 login from 70.162.XX.XXX - 1 failure(s) in the last 85 secs
Thu Dec 21 04:37:00 2006 lfd: Failed POP3 login from 70.162.XX.XXX - 1 failure(s) in the last 130 secs
Thu Dec 21 04:42:12 2006 lfd: Failed POP3 login from 70.162.XX.XXX - 1 failure(s) in the last 190 secs
Thu Dec 21 04:47:29 2006 lfd: Failed POP3 login from 70.162.XX.XXX - 1 failure(s) in the last 255 secs
Thu Dec 21 04:52:43 2006 lfd: Failed POP3 login from 70.162.XX.XXX - 1 failure(s) in the last 235 secs
Thu Dec 21 04:57:55 2006 lfd: Failed POP3 login from 70.162.XX.XXX - 1 failure(s) in the last 275 secs
I installed this on 2 servers tonight and it's working on one, but not the other. The only difference in the config is that the one it is not working on is a Monolithic Kernel and the one that it IS working on isn't. I don't think this would affect it, but I thought I would mention it since it is the only difference that I see.
Any help on this would be appreciated.
Thanks!
Scott
That's actually correct. Look at the log times. They're happening 5 minutes apart and the interval for login failures is set to 300 seconds = 5 minutes. The count is reset every 300 seconds which is why it doesn't go above 1.
The original post is likely to be the same reason.
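The reset behaviour described in the reply above, checked against log lines copied from both posts. This is an added example, not part of the original posts or of csf/lfd; `window_report` is a hypothetical helper, and it assumes the failure counter restarts once per LF_INTERVAL, as the reply states.

```python
import re
from collections import defaultdict
from datetime import datetime

# lfd line format as it appears in the posts above.
LFD = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d+ [\d:]{8} \d{4}) lfd: Failed \S+ login from "
    r"(?P<ip>\S+) - (?P<count>\d+) failure\(s\) in the last \d+ secs$"
)

# Lines copied from the two posts in this thread.
SAMPLE = """\
Wed Dec 20 11:06:18 2006 lfd: Failed POP3 login from 189.165.74.10 - 1 failure(s) in the last 105 secs
Wed Dec 20 11:07:40 2006 lfd: Failed POP3 login from 189.165.74.10 - 2 failure(s) in the last 195 secs
Wed Dec 20 11:08:47 2006 lfd: Failed POP3 login from 189.165.74.10 - 3 failure(s) in the last 260 secs
Wed Dec 20 11:09:54 2006 lfd: Failed POP3 login from 189.165.74.10 - 1 failure(s) in the last 40 secs
Wed Dec 20 11:11:01 2006 lfd: Failed POP3 login from 189.165.74.10 - 2 failure(s) in the last 115 secs
Wed Dec 20 11:12:11 2006 lfd: Failed POP3 login from 189.165.74.10 - 3 failure(s) in the last 205 secs
Wed Dec 20 11:13:19 2006 lfd: Failed POP3 login from 189.165.74.10 - 4 failure(s) in the last 290 secs
Wed Dec 20 11:14:25 2006 lfd: Failed POP3 login from 189.165.74.10 - 1 failure(s) in the last 70 secs
Thu Dec 21 03:03:00 2006 lfd: Failed POP3 login from 70.162.XX.XXX - 1 failure(s) in the last 0 secs
Thu Dec 21 03:08:16 2006 lfd: Failed POP3 login from 70.162.XX.XXX - 1 failure(s) in the last 75 secs
Thu Dec 21 03:13:32 2006 lfd: Failed POP3 login from 70.162.XX.XXX - 1 failure(s) in the last 130 secs
Thu Dec 21 03:18:42 2006 lfd: Failed POP3 login from 70.162.XX.XXX - 1 failure(s) in the last 175 secs
"""

def window_report(log_text, threshold, interval):
    """Per IP: peak logged count and the most failures one window could hold."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LFD.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
            events[m["ip"]].append((ts, int(m["count"])))
    report = {}
    for ip, seen in events.items():
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(seen, seen[1:])]
        # Upper bound at the fastest observed pace: one failure at the start
        # of the window plus one per further min(gaps) seconds.
        fit = 1 + int(interval // max(min(gaps), 1)) if gaps else 1
        report[ip] = {
            "peak": max(c for _, c in seen),
            "resets": sum(1 for a, b in zip(seen, seen[1:]) if b[1] <= a[1]),
            "max_per_window": fit,
            "can_reach_threshold": fit >= threshold,
        }
    return report

if __name__ == "__main__":
    for ip, row in window_report(SAMPLE, threshold=20, interval=300).items():
        print(ip, row)
```

With LF_POP3D = 20 and LF_INTERVAL = 300, neither source in the sample arrives fast enough to accumulate 20 failures before the counter restarts, which matches the logged counts never passing 4 and 1.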