  1. #1
    Join Date
    Aug 2006
    Location
    Bangalore
    Posts
    385

    Question Urgent! CSF IP block due to repeated login failure

    Hi,

    I have a dedicated box and one of my clients regularly types the wrong password most of the time, due to which the IP gets blocked and he cannot log in.

    Problems that I see:

    1. They type wrong password on webmail.
    2. They have a wrong setup which tries to login using mobile/tablets.

    Once it's unblocked it works for them, and suddenly the IP gets blocked due to repeated failures (I doubt this may be through mobile/tablets).

    Since they have several mail IDs, my customer asks me to block only the email account which wrongly tries to log in and not the entire domain or IP.

    Can this be done? Or any alternative solutions?

    Kindly assist.

    Thanks,
    Puneetha

  2. #2
    If he connects from a static IP, you could just add it to csf.ignore so he won't be locked out no matter how many login failures he makes.

  3. #3
    Join Date
    Aug 2006
    Location
    Bangalore
    Posts
    385
    Quote Originally Posted by Dant27 View Post
    If he connects from a static IP, you could just add it to csf.ignore so he won't be locked out no matter how many login failures he makes.
    Since they use broadband, the IP is dynamic. Ignoring or allowing a whole subnet might be a risk, isn't it? That's compromising security. I didn't explain this to him, but this is what I got in reply:

    When you said you reset our mail server and unlocked it worked for just half a day on Friday. Then again, MAIL SERVER IS NOT WORKING.

    Please work on a permanent solution. Again for one person entering wrong password SHOULD NOT AFFECT all others. Whomsoever, apply wrong password, let it affect ONLY THEM AND NOT THE ENTIRE COMPANY!!

  4. #4
    Join Date
    Jun 2011
    Location
    USA/UK/SG
    Posts
    3,636
    Not that you should do this, but you can always disable IP blocking completely. As long as you have good password policies in place so users cannot set stupid passwords such as "password" or something, you most likely won't have any issues.

  5. #5
    Join Date
    Nov 2013
    Location
    India
    Posts
    66
    Hi, we can easily track the exact mail ID that is using wrong passwords frequently. We have to check the mail authentication logs in detail; there we can spot the email ID and public IP. Do you have any kind of control panel installed on your server? If yes, let me know. I will let you know the exact log file that needs to be checked.
    Nisamudeen Plackal, CEO HostCurator

  6. #6
    Join Date
    Aug 2006
    Location
    Bangalore
    Posts
    385
    Quote Originally Posted by hostcurator View Post
    Hi, we can easily track the exact mail ID that is using wrong passwords frequently. We have to check the mail authentication logs in detail; there we can spot the email ID and public IP. Do you have any kind of control panel installed on your server? If yes, let me know. I will let you know the exact log file that needs to be checked.
    Thank you. We are using cPanel/WHM.

  7. #7
    Join Date
    Nov 2013
    Location
    India
    Posts
    66

    Thumbs up

    Thank you. We are using cPanel/WHM
    Hi,

    If you are using cPanel, then finding the user who is frequently entering wrong passwords is easier. All the authentication logs are saved in the file "/var/log/maillog". This log file contains IMAP and POP login attempts, transactions, fatal errors and spam scoring. Please verify from your side.
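
The log check suggested in post #7, as an added example that is not part of any post in this thread: it totals failed IMAP/POP logins per mailbox and client IP, so the one account behind a shared office IP's failures can be identified. It assumes Dovecot-style `auth failed` lines; the sample log is constructed, and on a real server the text would come from /var/log/maillog.

```python
import re
from collections import Counter

# Constructed sample in Dovecot's log style (an assumption about the mail daemon).
SAMPLE_MAILLOG = """\
Jan 10 09:58:12 mail dovecot: imap-login: Login: user=<alice@example.com>, method=PLAIN, rip=203.0.113.7, lip=198.51.100.2, mpid=4121, TLS
Jan 10 10:01:33 mail dovecot: imap-login: Disconnected (auth failed, 3 attempts in 6 secs): user=<bob@example.com>, method=PLAIN, rip=203.0.113.7, lip=198.51.100.2, TLS
Jan 10 10:02:10 mail dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<bob@example.com>, method=PLAIN, rip=203.0.113.7, lip=198.51.100.2
Jan 10 10:05:47 mail dovecot: imap-login: Disconnected (auth failed, 4 attempts in 9 secs): user=<bob@example.com>, method=PLAIN, rip=203.0.113.7, lip=198.51.100.2, TLS
Jan 10 10:07:02 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<carol@example.com>, method=PLAIN, rip=203.0.113.7, lip=198.51.100.2, TLS
Jan 10 10:09:15 mail dovecot: imap-login: Disconnected (auth failed, 2 attempts in 4 secs): user=<dave@example.net>, method=PLAIN, rip=192.0.2.44, lip=198.51.100.2
"""

# Matches only failure lines; captures attempt count, mailbox and remote IP.
AUTH_FAILED = re.compile(
    r"dovecot: (?:imap|pop3)-login: .*?\(auth failed, (?P<n>\d+) attempts"
    r".*?user=<(?P<user>[^>]*)>.*?\brip=(?P<rip>[0-9A-Fa-f.:]+)"
)

def failed_logins(log_text):
    """Sum failed attempts per (mailbox, client IP); successful logins are ignored."""
    totals = Counter()
    for line in log_text.splitlines():
        m = AUTH_FAILED.search(line)
        if m:
            user = m.group("user") or "(no username sent)"
            totals[(user, m.group("rip"))] += int(m.group("n"))
    return totals

def offenders(totals, threshold):
    """Return (mailbox, ip, failures) at or above threshold, worst first."""
    rows = [(u, ip, n) for (u, ip), n in totals.items() if n >= threshold]
    return sorted(rows, key=lambda r: (-r[2], r[0], r[1]))

def mailboxes_behind_ip(totals, ip):
    """Which mailboxes produced the failures seen from one shared office IP."""
    return {u: n for (u, addr), n in totals.items() if addr == ip}

if __name__ == "__main__":
    totals = failed_logins(SAMPLE_MAILLOG)
    for user, ip, n in offenders(totals, threshold=5):
        print(f"{n:4d} failures  {user}  from {ip}")
    print(mailboxes_behind_ip(totals, "203.0.113.7"))
```
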

  8. #8
    Join Date
    Dec 2007
    Location
    LocalHost
    Posts
    1,317
    Add your client's IP to the whitelist of cPHulk and the CSF firewall.
    If he is on a dynamic IP, you can add an IP range. For example, to allow the IP range 111.111.xxx.xxx, use the following pattern:
    Code:
    111.111.0.0/16

  9. #9
    Join Date
    Aug 2007
    Location
    L.A., CA
    Posts
    3,710
    Tell him to stop hiring idiots who keep getting his IP blocked. It's for his own security after all that the IP is being blocked.
    He can also upgrade to a STATIC IP from his ISP at his office. If he is at an office, he shouldn't be using residential broadband / internet anyways and most business Internet comes with static IP - even if he has residential, it might be possible to ask for static IP; then you can whitelist his static IP.
    It sounds like he's doing multiple things wrong, and as a business owner, he is also responsible for ensuring he is doing things correctly technically on HIS end for security and best business practices.

    It's not your fault that you are following good security rules and procedures.

  10. #10
    Join Date
    Dec 2013
    Location
    England
    Posts
    182
    Are you using a billing solution? If you are using WHMCS, there is an addon for clients like this: http://www.whmcs.com/members/communi...viewmod&id=598

  11. #11
    Join Date
    Aug 2007
    Location
    Los Angeles, CA
    Posts
    28
    For problem #1, you could increase the setting for option "Maximum Failures By Account" and "Maximum Failures Per IP:". I believe the default is 15.

    1. On WHM, find the section for cPHulk Brute Force Protection


    In addition, if they are running a business, suggest that they sign up for a STATIC IP at their place of business so you can safely whitelist it on the server. Remind them that the server is always under attack by hackers and you're simply protecting it; hackers want to use the server to distribute illegal software, music, porn or any other online criminal activities. blah blah

    And make sure you're getting alerts when either csf or cPHulk is blocking an ip.

  12. #12
    Join Date
    Nov 2013
    Posts
    182
    Quote Originally Posted by The Pro Host View Post
    Are you using a billing solution? If you are using WHMCS, there is an addon for clients like this: http://www.whmcs.com/members/communi...viewmod&id=598
    wow, thanks for this. good idea
