CSF not blocking failed IMAP and POP3 logins on Interworx (CSF 14.15)

Posted: 05 Jan 2022, 11:56
by ServerDude
It seems that this stopped working between October and November with the most recent IMAP block being on 02 Dec 2021. I'm not sure if it's related to the CSF 14.15 update that was released on 04 Dec. Looks like it updated on 05 December. This is affecting all our Interworx servers.

These are my IMAP blocks.
LF_IMAPD = "10"
LF_IMAPD_PERM = "1"
IMAPD_LOG = "/var/log/dovecot/dovecot.log"
and INTERWORX = "1"

I see there have been some changes to the IMAP regexes but I don't see how these changes could've broken anything.

Re: CSF not blocking failed IMAP and POP3 logins on Interworx (CSF 14.15)

Posted: 05 Jan 2022, 12:05
by ForumAdmin
It would help if you could provide an example log line that was not detected.

Re: CSF not blocking failed IMAP and POP3 logins on Interworx (CSF 14.15)

Posted: 06 Jan 2022, 06:40
by ServerDude
Good Morning,

Below are the logs:

Jan 06 08:34:12 imap-login: Info: Disconnected (auth failed, 1 attempts in 2 secs): user=<failedlogin@csf>, method=PLAIN, rip=<removed>, lip=<removed>, TLS: Connection closed, session=<a0nhDuTUcqKl/yo5>
Jan 06 08:34:41 imap-login: Info: Disconnected (auth failed, 1 attempts in 2 secs): user=<failedlogin@csf>, method=PLAIN, rip=<removed>, lip=<removed>, TLS: Connection closed, session=<VHCQEOTUxC+l/yo5>
Jan 06 08:34:50 imap-login: Info: Disconnected (auth failed, 1 attempts in 2 secs): user=<failedlogin@csf>, method=PLAIN, rip=<removed>, lip=<removed>, TLS: Connection closed, session=<zkUjEeTU/Hql/yo5>
Jan 06 08:35:04 imap-login: Info: Disconnected (auth failed, 1 attempts in 2 secs): user=<failedlogin@csf>, method=PLAIN, rip=<removed>, lip=<removed>, TLS: Connection closed, session=<8yXuEeTUDnKl/yo5>
Jan 06 08:35:14 imap-login: Info: Disconnected (auth failed, 1 attempts in 2 secs): user=<failedlogin@csf>, method=PLAIN, rip=<removed>, lip=<removed>, TLS: Connection closed, session=<JvKTEuTUw92l/yo5>
Jan 06 08:35:23 imap-login: Info: Disconnected (auth failed, 1 attempts in 2 secs): user=<failedlogin@csf>, method=PLAIN, rip=<removed>, lip=<removed>, TLS: Connection closed, session=<Zu4TE+TU8Iql/yo5>
Jan 06 08:35:31 imap-login: Info: Disconnected (auth failed, 1 attempts in 3 secs): user=<failedlogin@csf>, method=PLAIN, rip=<removed>, lip=<removed>, TLS: Connection closed, session=<rNyJE+TUiO+l/yo5>
Jan 06 08:35:39 imap-login: Info: Disconnected (auth failed, 1 attempts in 2 secs): user=<failedlogin@csf>, method=PLAIN, rip=<removed>, lip=<removed>, TLS: Connection closed, session=<TEQJFOTUgfil/yo5>
Jan 06 08:35:47 imap-login: Info: Disconnected (auth failed, 1 attempts in 2 secs): user=<failedlogin@csf>, method=PLAIN, rip=<removed>, lip=<removed>, TLS: Connection closed, session=<aWKKFOTUl8el/yo5>
Jan 06 08:35:56 imap-login: Info: Disconnected (auth failed, 1 attempts in 2 secs): user=<failedlogin@csf>, method=PLAIN, rip=<removed>, lip=<removed>, TLS: Connection closed, session=</I8HFeTUsFyl/yo5>
Jan 06 08:36:06 imap-login: Info: Disconnected (auth failed, 1 attempts in 2 secs): user=<failedlogin@csf>, method=PLAIN, rip=<removed>, lip=<removed>, TLS: Connection closed, session=<acmjFeTUpiql/yo5>
Jan 06 08:36:15 imap-login: Info: Disconnected (auth failed, 1 attempts in 2 secs): user=<failedlogin@csf>, method=PLAIN, rip=<removed>, lip=<removed>, TLS: Connection closed, session=<1G8wFuTUh+Cl/yo5>
Jan 06 08:36:24 imap-login: Info: Disconnected (auth failed, 1 attempts in 2 secs): user=<failedlogin@csf>, method=PLAIN, rip=<removed>, lip=<removed>, TLS: Connection closed, session=<F4y+FuTUwBGl/yo5>
Jan 06 08:36:32 imap-login: Info: Disconnected (auth failed, 1 attempts in 2 secs): user=<failedlogin@csf>, method=PLAIN, rip=<removed>, lip=<removed>, TLS: Connection closed, session=<Cd8uF+TU1Kil/yo5>
Jan 06 08:36:41 imap-login: Info: Disconnected (auth failed, 1 attempts in 2 secs): user=<failedlogin@csf>, method=PLAIN, rip=<removed>, lip=<removed>, TLS: Connection closed, session=<iQa4F+TUQkCl/yo5>

Re: CSF not blocking failed IMAP and POP3 logins on Interworx (CSF 14.15)

Posted: 11 Jan 2022, 12:33
by ServerDude
Good Afternoon,

I applied the older rules to regexcustom and failed IMAP and POP3 logins are now being blocked. After comparing the rules I see a number of changes here. I tested the rules and found that the grouping for $ip should be set to 10 in Regexmain. I've updated this in Regexmain on one of our other servers and successfully blocked myself. Rules below in the #dovecot section.

# Both patterns have ten capture groups: 1 timestamp, 2 [pid], 3 disconnect reason,
# 4 " by logging out", 5 "(auth failed ...)", 6 " in N secs", 7 "user=<...>, ",
# 8 "<account>", 9 "method=..., ", 10 rip. $ip must therefore be $10 and $acc $8;
# with $8/$7 the "IP" is the <account> token, checkip() fails and nothing is blocked.
if (($config{LF_POP3D}) and ($globlogs{POP3D_LOG}{$lgfile}) and ($line =~ /^(\S+|\S+\s+\d+\s+\S+) pop3-login(\[\d+\])?: Info: (Aborted login( by logging out)?|Connection closed|Disconnected|Disconnected: Inactivity)(\s*\(auth failed, \d+ attempts( in \d+ secs)?\))?: (user=(<\S*>)?, )?(method=\S+, )?rip=(\S+), lip=/)) {
    my $ip = $10;          # rip=... is group 10
    my $acc = $8;          # <account> is group 8
    $ip =~ s/^::ffff://;   # strip IPv4-mapped IPv6 prefix
    $acc =~ s/^<|>$//g;    # strip the angle brackets around the account
    if (checkip(\$ip)) {return ("Failed POP3 login from","$ip|$acc","pop3d")} else {return}
}
if (($config{LF_IMAPD}) and ($globlogs{IMAPD_LOG}{$lgfile}) and ($line =~ /^(\S+|\S+\s+\d+\s+\S+) imap-login(\[\d+\])?: Info: (Aborted login( by logging out)?|Connection closed|Disconnected|Disconnected: Inactivity)(\s*\(auth failed, \d+ attempts( in \d+ secs)?\))?: (user=(<\S*>)?, )?(method=\S+, )?rip=(\S+), lip=/)) {
    my $ip = $10;          # rip=... is group 10
    my $acc = $8;          # <account> is group 8
    $ip =~ s/^::ffff://;   # strip IPv4-mapped IPv6 prefix
    $acc =~ s/^<|>$//g;    # strip the angle brackets around the account
    if (checkip(\$ip)) {return ("Failed IMAP login from","$ip|$acc","imapd")} else {return}
}

Re: CSF not blocking failed IMAP and POP3 logins on Interworx (CSF 14.15)

Posted: 11 Jan 2022, 12:37
by ServerDude
Here are the csf and lfd logs in case they're required:


lfd logs:
Jan 11 14:25:17 <hostname removed> lfd[936746]: (imapd) Failed IMAP login from <removed> (<Region/IP.domain removed>): 10 in the last 3600 secs - *Blocked in csf* [LF_IMAPD]
Jan 11 14:31:08 <hostname removed> lfd[946621]: (pop3d) Failed POP3 login from <removed> (<Region/IP.domain removed>): 10 in the last 3600 secs - *Blocked in csf* [LF_POP3D]

csf.deny:
<removed> # lfd: (imapd) Failed IMAP login from <removed> (<Region/IP.domain removed>): 10 in the last 3600 secs - Tue Jan 11 14:25:17 2022
<removed> # lfd: (pop3d) Failed POP3 login from <removed> (<Region/IP.domain removed>): 10 in the last 3600 secs - Tue Jan 11 14:31:08 2022

Re: CSF not blocking failed IMAP and POP3 logins on Interworx (CSF 14.15)

Posted: 19 Jan 2022, 12:07
by ServerDude
I don't seem to have a bump button.

Re: CSF not blocking failed IMAP and POP3 logins on Interworx (CSF 14.15)

Posted: 15 Oct 2022, 03:58
by pepsi
ServerDude wrote (19 Jan 2022, 12:07): I don't seem to have a bump button.
Did you fix this problem? I have this problem now...

Oct 13 21:11:19 myserver dovecot[15276]: auth: passwd-file(admin@myserver.com,51.222.46.204,<7SHFPurqUIIz3i7M>): unknown user
Oct 13 21:11:21 myserver dovecot[15276]: imap-login: Disconnected: Connection closed (auth failed, 1 attempts in 2 secs): user=<admin@myserver.com>, method=PLAIN, rip=51.222.46.204, lip=43.241.72.114, session=<7SHFPurqUIIz3i7M>
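The following is an added example, not code from CSF, lfd or anyone in this thread. It ports the imap-login regex from ServerDude's post to Python (the syntax used is identical in Perl and Python's `re`) and runs it over two constructed log lines: one in the `imap-login: Info:` shape ServerDude posted and one in the syslog shape pepsi posted. It shows that the pattern has ten capture groups, so reading the IP from group 8 yields the `<account>` token and never passes an IP validity check, while group 10 yields the address; it also shows that the pattern, as posted, does not match the syslog-shaped line at all, because it expects `imap-login: Info:` directly after the timestamp. The `checkip` stand-in, the sample lines and the addresses are assumptions made for the example.

```python
"""Added example (not CSF/lfd code): re-implements the posted imap-login regex in
Python to show why the capture-group index matters, run over constructed log lines."""
import ipaddress
import re

# Port of the imap-login pattern from ServerDude's post. \S, \d, alternation and
# optional groups behave the same in Python's re as in Perl for this pattern.
IMAP_LOGIN_RE = re.compile(
    r"^(\S+|\S+\s+\d+\s+\S+) imap-login(\[\d+\])?: Info: "
    r"(Aborted login( by logging out)?|Connection closed|Disconnected|Disconnected: Inactivity)"
    r"(\s*\(auth failed, \d+ attempts( in \d+ secs)?\))?: "
    r"(user=(<\S*>)?, )?(method=\S+, )?rip=(\S+), lip="
)

# Same pattern with named groups: adding or removing an optional group elsewhere
# in the regex can no longer silently shift which value lands in "ip".
IMAP_LOGIN_NAMED_RE = re.compile(
    r"^(?:\S+|\S+\s+\d+\s+\S+) imap-login(?:\[\d+\])?: Info: "
    r"(?:Aborted login(?: by logging out)?|Connection closed|Disconnected|Disconnected: Inactivity)"
    r"(?:\s*\(auth failed, \d+ attempts(?: in \d+ secs)?\))?: "
    r"(?:user=(?P<acc><\S*>)?, )?(?:method=\S+, )?rip=(?P<ip>\S+), lip="
)

# Constructed sample lines (RFC 5737 addresses, made-up session ids).
# Shape 1: the "imap-login: Info:" format ServerDude posted.
SAMPLE_INFO_LINE = (
    "Jan 06 08:34:12 imap-login: Info: Disconnected (auth failed, 1 attempts in 2 secs): "
    "user=<failedlogin@csf>, method=PLAIN, rip=203.0.113.10, lip=198.51.100.5, "
    "TLS: Connection closed, session=<AAAAAAAAAAAAAAAA>"
)
# Shape 2: the syslog-style format pepsi posted (host and "dovecot[pid]:" prefix, no "Info:").
SAMPLE_SYSLOG_LINE = (
    "Oct 13 21:11:21 myserver dovecot[15276]: imap-login: Disconnected: Connection closed "
    "(auth failed, 1 attempts in 2 secs): user=<admin@myserver.com>, method=PLAIN, "
    "rip=203.0.113.20, lip=198.51.100.5, session=<BBBBBBBBBBBBBBBB>"
)


def checkip(value):
    """Stand-in (assumed) for lfd's checkip(): accept only a syntactically valid IP."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def extract_positional(line, ip_group, acc_group):
    """Mimic the posted Perl: pull $ip and $acc out by capture-group number."""
    m = IMAP_LOGIN_RE.match(line)
    if m is None:
        return None
    ip = re.sub(r"^::ffff:", "", m.group(ip_group) or "")  # strip IPv4-mapped prefix
    acc = re.sub(r"^<|>$", "", m.group(acc_group) or "")   # strip <...> around account
    return ip, acc


def would_block(line, ip_group=10, acc_group=8):
    """Return the lfd-style triple when the line yields a valid IP, else None."""
    extracted = extract_positional(line, ip_group, acc_group)
    if extracted is None:
        return None
    ip, acc = extracted
    if not checkip(ip):
        return None
    return ("Failed IMAP login from", f"{ip}|{acc}", "imapd")


def extract_named(line):
    """The same extraction with named groups, immune to group renumbering."""
    m = IMAP_LOGIN_NAMED_RE.match(line)
    if m is None:
        return None
    ip = re.sub(r"^::ffff:", "", m.group("ip"))
    acc = re.sub(r"^<|>$", "", m.group("acc") or "")
    return ip, acc


if __name__ == "__main__":
    print("capture groups in posted regex:", IMAP_LOGIN_RE.groups)
    print("old indices ($8/$7):", would_block(SAMPLE_INFO_LINE, 8, 7))
    print("fixed indices ($10/$8):", would_block(SAMPLE_INFO_LINE, 10, 8))
    print("named groups:", extract_named(SAMPLE_INFO_LINE))
    print("syslog-shaped line:", would_block(SAMPLE_SYSLOG_LINE))
```

Run it as-is to see the three outcomes side by side. The named-group variant is the defensive form worth carrying into a custom rule: when a future regex revision adds or drops an optional group, `m.group("ip")` still points at the address, whereas a positional `$8` quietly starts returning a different token and the rule stops blocking without any error.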