Author Topic: Failed pop3 logins not blocked  (Read 12285 times)

0 Members and 1 Guest are viewing this topic.

Offline
*
Failed pop3 logins not blocked
« on: May 05, 2017, 02:42:10 PM »
I see that failed pop3 logins are logged in /var/log/dovecot-info.log, not in maillog as it was set in CSF:

May 05 15:20:13 pop3-login: Info: Disconnected (auth failed, 1 attempts): user=<webmaster@domain.tld>, method=PLAIN, rip=IP, lip=IP

I've changed the POP3D_LOG to =/var/log/dovecot-info.log, but failed logins are not blocked by CSF.

Offline
***
Re: Failed pop3 logins not blocked
« Reply #1 on: May 06, 2017, 06:30:21 AM »
edit /etc/csf/csf.conf, find these lines, and make modification so will look lithe this

Code: [Select]
CUSTOM1_LOG = "/var/log/maillog"
CUSTOM2_LOG = "/var/log/cwp_client_login.log"
CUSTOM3_LOG = "/var/log/dovecot-info.log"

and you can replace the whole content of your current /etc/csf/regex.custom.pm  with code bellow.

Code: [Select]
#!/usr/bin/perl
sub custom_line {
        my $line = shift;
        my $lgfile = shift;
# Do not edit before this point

#Postfix/smtpd SASL authentication failure
if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\S+\s+\d+\s+\S+ \S+ postfix\/smtpd\[\d+\]: warning:.*\[(\d+\.\d+\.\d+\.\d+)\]: SASL [A-Z]*? authentication failed/)) {
    return ("Failed SASL login from",$1,"mysaslmatch","5","25,465,587","3600");
}

# CWP Login failure
if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /^\S+\s+\S+\s+(\S+)\s+Failed Login from:\s+(\S+) on: (\S+)/)) {
    return ("Failed CWP-Login login for User: $1 from IP: $2 URL: $3",$2,"cwplogin","5","2030,2031","3600");
}

# POP3 Brute force
if (($globlogs{CUSTOM3_LOG}{$lgfile}) and ($line =~ /\S+\s+\d+\s+\S+ pop3-login: Info: (Aborted login|Disconnected)( \(auth failed, \d+ attempts\):)? user=<\S*>, method=\S+, rip=(\S+),/)) {
return ("POP3 bruteforce login from",$3,"pop3-login","5","110,995","3600");
}

# Do not edit beyond this point
        return 0;
}
1;

Offline
*
Re: Failed pop3 logins not blocked
« Reply #2 on: May 06, 2017, 11:35:07 AM »
Thanks Jae, I already have the SASL rule set up, I needed one for failed pop3 & IMAP logins.
« Last Edit: May 06, 2017, 12:01:04 PM by Dan11 »

Offline
***
Re: Failed pop3 logins not blocked
« Reply #3 on: May 07, 2017, 12:41:04 AM »
pls look my post carefully, its contain regex to catch pop3 login failure..

i dont bother to catch imap login failure, as it very small rate/none and mostly come from roundcube/webmail which is detected from 127.0.0.1

Offline
*
Re: Failed pop3 logins not blocked
« Reply #4 on: May 07, 2017, 02:13:13 PM »
I've seen your regex for pop3. That's why I thanked you.