CSF not blocking failed IMAP and POP3 logins on Interworx (CSF 14.15)

Post Reply
ServerDude
Junior Member
Posts: 6
Joined: 16 Sep 2021, 10:41

CSF not blocking failed IMAP and POP3 logins on Interworx (CSF 14.15)

Post by ServerDude »

It seems that this stopped working between October and November with the most recent IMAP block being on 02 Dec 2021. I'm not sure if it's related to the CSF 14.15 update that was released on 04 Dec. Looks like it updated on 05 December. This is affecting all our Interworx servers.

These are my IMAP blocks.
LF_IMAPD = "10"
LF_IMAPD_PERM = "1"
IMAPD_LOG = "/var/log/dovecot/dovecot.log"
and INTERWORX = "1"

I see there have been some changes to the IMAP regexes but I don't see how these changes could've broken anything.
ForumAdmin
Moderator
Posts: 1523
Joined: 01 Oct 2008, 09:24

Re: CSF not blocking failed IMAP and POP3 logins on Interworx (CSF 14.15)

Post by ForumAdmin »

It would help if you could provide an example log line that was not detected.
ServerDude
Junior Member
Posts: 6
Joined: 16 Sep 2021, 10:41

Re: CSF not blocking failed IMAP and POP3 logins on Interworx (CSF 14.15)

Post by ServerDude »

Good Morning,

Below are the logs:

Jan 06 08:34:12 imap-login: Info: Disconnected (auth failed, 1 attempts in 2 secs): user=<failedlogin@csf>, method=PLAIN, rip=<removed>, lip=<removed>, TLS: Connection closed, session=<a0nhDuTUcqKl/yo5>
Jan 06 08:34:41 imap-login: Info: Disconnected (auth failed, 1 attempts in 2 secs): user=<failedlogin@csf>, method=PLAIN, rip=<removed>, lip=<removed>, TLS: Connection closed, session=<VHCQEOTUxC+l/yo5>
Jan 06 08:34:50 imap-login: Info: Disconnected (auth failed, 1 attempts in 2 secs): user=<failedlogin@csf>, method=PLAIN, rip=<removed>, lip=<removed>, TLS: Connection closed, session=<zkUjEeTU/Hql/yo5>
Jan 06 08:35:04 imap-login: Info: Disconnected (auth failed, 1 attempts in 2 secs): user=<failedlogin@csf>, method=PLAIN, rip=<removed>, lip=<removed>, TLS: Connection closed, session=<8yXuEeTUDnKl/yo5>
Jan 06 08:35:14 imap-login: Info: Disconnected (auth failed, 1 attempts in 2 secs): user=<failedlogin@csf>, method=PLAIN, rip=<removed>, lip=<removed>, TLS: Connection closed, session=<JvKTEuTUw92l/yo5>
Jan 06 08:35:23 imap-login: Info: Disconnected (auth failed, 1 attempts in 2 secs): user=<failedlogin@csf>, method=PLAIN, rip=<removed>, lip=<removed>, TLS: Connection closed, session=<Zu4TE+TU8Iql/yo5>
Jan 06 08:35:31 imap-login: Info: Disconnected (auth failed, 1 attempts in 3 secs): user=<failedlogin@csf>, method=PLAIN, rip=<removed>, lip=<removed>, TLS: Connection closed, session=<rNyJE+TUiO+l/yo5>
Jan 06 08:35:39 imap-login: Info: Disconnected (auth failed, 1 attempts in 2 secs): user=<failedlogin@csf>, method=PLAIN, rip=<removed>, lip=<removed>, TLS: Connection closed, session=<TEQJFOTUgfil/yo5>
Jan 06 08:35:47 imap-login: Info: Disconnected (auth failed, 1 attempts in 2 secs): user=<failedlogin@csf>, method=PLAIN, rip=<removed>, lip=<removed>, TLS: Connection closed, session=<aWKKFOTUl8el/yo5>
Jan 06 08:35:56 imap-login: Info: Disconnected (auth failed, 1 attempts in 2 secs): user=<failedlogin@csf>, method=PLAIN, rip=<removed>, lip=<removed>, TLS: Connection closed, session=</I8HFeTUsFyl/yo5>
Jan 06 08:36:06 imap-login: Info: Disconnected (auth failed, 1 attempts in 2 secs): user=<failedlogin@csf>, method=PLAIN, rip=<removed>, lip=<removed>, TLS: Connection closed, session=<acmjFeTUpiql/yo5>
Jan 06 08:36:15 imap-login: Info: Disconnected (auth failed, 1 attempts in 2 secs): user=<failedlogin@csf>, method=PLAIN, rip=<removed>, lip=<removed>, TLS: Connection closed, session=<1G8wFuTUh+Cl/yo5>
Jan 06 08:36:24 imap-login: Info: Disconnected (auth failed, 1 attempts in 2 secs): user=<failedlogin@csf>, method=PLAIN, rip=<removed>, lip=<removed>, TLS: Connection closed, session=<F4y+FuTUwBGl/yo5>
Jan 06 08:36:32 imap-login: Info: Disconnected (auth failed, 1 attempts in 2 secs): user=<failedlogin@csf>, method=PLAIN, rip=<removed>, lip=<removed>, TLS: Connection closed, session=<Cd8uF+TU1Kil/yo5>
Jan 06 08:36:41 imap-login: Info: Disconnected (auth failed, 1 attempts in 2 secs): user=<failedlogin@csf>, method=PLAIN, rip=<removed>, lip=<removed>, TLS: Connection closed, session=<iQa4F+TUQkCl/yo5>
ServerDude
Junior Member
Posts: 6
Joined: 16 Sep 2021, 10:41

Re: CSF not blocking failed IMAP and POP3 logins on Interworx (CSF 14.15)

Post by ServerDude »

Good Afternoon,

I applied the older rules to regexcustom and failed IMAP and POP3 logins are now being blocked. After comparing the rules I see a number of changes here. I tested the rules and found that the grouping for $ip should be set to 10 in Regexmain. I've updated this in Regexmain on one of our other servers and successfully blocked myself. Rules below in the #dovecot section.

if (($config{LF_POP3D}) and ($globlogs{POP3D_LOG}{$lgfile}) and ($line =~ /^(\S+|\S+\s+\d+\s+\S+) pop3-login(\[\d+\])?: Info: (Aborted login( by logging out)?|Connection closed|Disconnected|Disconnected: Inactivity)(\s*\(auth failed, \d+ attempts( in \d+ secs)?\))?: (user=(<\S*>)?, )?(method=\S+, )?rip=(\S+), lip=/)) {
my $ip = $8;
my $acc = $7;
$ip =~ s/^::ffff://;
$acc =~ s/^<|>$//g;
if (checkip(\$ip)) {return ("Failed POP3 login from","$ip|$acc","pop3d")} else {return}
}
if (($config{LF_IMAPD}) and ($globlogs{IMAPD_LOG}{$lgfile}) and ($line =~ /^(\S+|\S+\s+\d+\s+\S+) imap-login(\[\d+\])?: Info: (Aborted login( by logging out)?|Connection closed|Disconnected|Disconnected: Inactivity)(\s*\(auth failed, \d+ attempts( in \d+ secs)?\))?: (user=(<\S*>)?, )?(method=\S+, )?rip=(\S+), lip=/)) {
my $ip = $8;
my $acc = $7;
$ip =~ s/^::ffff://;
$acc =~ s/^<|>$//g;
if (checkip(\$ip)) {return ("Failed IMAP login from","$ip|$acc","imapd")} else {return}
ServerDude
Junior Member
Posts: 6
Joined: 16 Sep 2021, 10:41

Re: CSF not blocking failed IMAP and POP3 logins on Interworx (CSF 14.15)

Post by ServerDude »

Here are the csf and lfd logs in case they're required:


lfd logs:
Jan 11 14:25:17 <hostname removed> lfd[936746]: (imapd) Failed IMAP login from <removed> (<Region/IP.domain removed>): 10 in the last 3600 secs - *Blocked in csf* [LF_IMAPD]
Jan 11 14:31:08 <hostname removed> lfd[946621]: (pop3d) Failed POP3 login from <removed> (<Region/IP.domain removed>): 10 in the last 3600 secs - *Blocked in csf* [LF_POP3D]

csf.deny:
<removed> # lfd: (imapd) Failed IMAP login from <removed> (<Region/IP.domain removed>): 10 in the last 3600 secs - Tue Jan 11 14:25:17 2022
<removed> # lfd: (pop3d) Failed POP3 login from <removed> (<Region/IP.domain removed>): 10 in the last 3600 secs - Tue Jan 11 14:31:08 2022
ServerDude
Junior Member
Posts: 6
Joined: 16 Sep 2021, 10:41

Re: CSF not blocking failed IMAP and POP3 logins on Interworx (CSF 14.15)

Post by ServerDude »

I don't seem to have a bump button.
pepsi
Junior Member
Posts: 12
Joined: 07 Oct 2022, 12:14

Re: CSF not blocking failed IMAP and POP3 logins on Interworx (CSF 14.15)

Post by pepsi »

ServerDude wrote: 19 Jan 2022, 12:07 I don't seem to have a bump button.
do you fix this problem? I got this problem now...

Code: Select all

Oct 13 21:11:19 myserver dovecot[15276]: auth: passwd-file(admin@myserver.com,51.222.46.204,<7SHFPurqUIIz3i7M>): unknown user
Oct 13 21:11:21 myserver dovecot[15276]: imap-login: Disconnected: Connection closed (auth failed, 1 attempts in 2 secs): user=<admin@myserver.com>, method=PLAIN, rip=51.222.46.204, lip=43.241.72.114, session=<7SHFPurqUIIz3i7M>
Post Reply