Often a client will get their IP address blocked on CSF (http://configserver.com/cp/csf.html). The blocked messages will tell you why it was blocked, however it’s usually quite vague stating it was blocked for failed passwords to the POP3 server. What it doesn’t tell you however is which account caused the block.
Here is my cheat sheet for finding more detail as to why exactly it was blocked.
cPanel / WHM / Webmail
If you see an entry like this in CSF:
csf.deny: 123.123.123.123 # lfd: (cpanel) Failed cPanel login from 123.123.123.123 (US/United States/c-123-123-123-123.somedomain.net): 5 in the last 3600 secs – Wed Jun 11 15:55:47 2014
This could mean they failed to authenticate on cPanel, WHM, or Webmail. To check which it was, run the following command:
grep 123.123.123.123 /usr/local/cpanel/logs/login_log
When you run this, you’ll get output that looks like this:
123.123.123.123 – someemail@address.com [08/28/2013:12:56:02 -0000] “GET /cpsess8206284687/horde/index.php HTTP/1.1” DEFERRED LOGIN webmaild: security token incorrect
123.123.123.123 – someuser [01/14/2015:21:07:22 -0000] “POST /login/?login_only=1 HTTP/1.1” FAILED LOGIN cpaneld: invalid cpanel user someuser (loadcpdata failed)
123.123.123.123 – someuser [01/15/2015:03:54:34 -0000] “POST /login/?login_only=1 HTTP/1.1” FAILED LOGIN whostmgrd: user password incorrect
The first result mentions webmaild, so this means it was Webmail they tried to login to with the wrong password.
The second result specifically mentions cpanel, so this is cpanel they tried to login to with the wrong password
The third result says whostmgrd. whostmgrd is the only one that isn’t obvious. This is the WHM.
Pop3 or IMAP
If you see errors like this:
123.123.123.123 # lfd: (pop3d) Failed POP3 login from 123.123.123.123 (DE/Germany/some-reverse-dns-info-here): 10 in the last 3600 secs – Tue Jan 13 10:15:36 2015
123.123.123.123 # lfd: (imapd) Failed IMAP login from 123.123.123.123 (US/United States/some-reverse-dns-info-here): 10 in the last 3600 secs – Tue Jan 13 21:31:16 2015
Run this command:
grep 123.123.123.123 /var/log/maillog | grep -i fail
Returns this
Jan 13 10:15:32 server1 pop3d: LOGIN FAILED, user=username, ip=[::ffff:123.123.123.123
OR:
Jan 13 07:04:00 server1 imapd-ssl: LOGIN FAILED, user=someusername@somedomain.com, ip=[::ffff:123.123.123.123]
The first one shows the client tried to login as just “username” to the pop3 server and it failed.
The second shows that they tried to login as “someusername@somddomain.com” to the IMAP server and it failed.
SMTP
If you see this:
123.123.123.123 # lfd: (smtpauth) Failed SMTP AUTH login from 123.123.123.123 (US/United States/ some-reverse-dns.com): 5 in the last 3600 secs – Thu Jun 12 08:28:56 2014
Run this command:
grep 123.123.123.123 /var/log/exim_mainlog | grep set_id
You’ll see output like this:
2014-06-12 08:28:47 courier_plain authenticator failed for some-reverse-dns.com ([123.123.123.123]) [123.123.123.123]:4900: 535 Incorrect authentication data (set_id=someemail@address.com)
This shows that the user tried to authenticate to the SMTP server using the username someemail@address.com, but failed to authenticate
Now that you know what exactly the customer did wrong, you can let them know, so they do not keep doing it, and getting themselves re-blacklisted once you remove the block against their IP address.