An issue with CSF/LFD and Imunify360
Nick Texidor
Friday, 29 June 2018
Hi, I have run into a small issue with Imunify360 when running with CSF/LFD. Sorry for the long message, but I wanted to include logs too.

I received 200 emails from LFD between the hours of 3:49am and 4:20am this morning. Each email contained 5 cPanel Failed Login Attempts.


1) We send all CSF blocks out to a cluster of servers, which is confirmed working via the lfd.log:

Jun 29 03:49:43 blah lfd[3195254]: (cpanel) Failed cPanel login from 185.94.188.23 (NL/Netherlands/-): 5 in the last 3600 secs - *Blocked in csf* [LF_CPANEL]
Jun 29 03:49:44 blah lfd[3195278]: Cluster: DENY 185.94.188.23 sent to xx.xx.xx.xx (AU/Australia/blah.blahblah.net)
Jun 29 03:49:44 blah lfd[3195278]: Cluster: DENY 185.94.188.23 sent to xx.xx.xx.xx (AU/Australia/blah2.blahblah.net)
Jun 29 03:49:44 blah lfd[3195278]: Cluster: DENY 185.94.188.23 sent to xx.xx.xx.xx (AU/Australia/blah3.blahblah.net)


2) Two Cluster Members (non-Imunify servers) confirmed that the block was received at the correct time:

185.94.188.23 # lfd: Cluster member blah (AU/Australia/blah.blahblah.net) said, DENY 185.94.188.23, Reason:[(cpanel) Failed cPanel login from 185.94.188.23 (NL/Netherlands/-): 5 in the last 3600 secs] - Fri Jun 29 03:49:45 2018

185.94.188.23 # lfd: Cluster member blah (AU/Australia/blah.blahblah.net) said, DENY 185.94.188.23, Reason:[(cpanel) Failed cPanel login from 185.94.188.23 (NL/Netherlands/-): 5 in the last 3600 secs] - Fri Jun 29 03:49:46 2018


3) The server in question shows the following in the Imunify360 Console Log:

imunify360/console.log:INFO [2018-06-29 03:49:38,236] defence360agent.internals.the_sink: SensorIncident:{'plugin_id': 'ossec', 'message': '[2018-06-29 03:49:37 +1000] info [cpaneld] 185.94.188.23 - befreman "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN cpaneld: access denied for root, reseller, and user password', 'attackers_ip': '185.94.188.23', 'severity': 5, 'name': 'Login failed on the cpanel service', 'rule': 11000, 'timestamp': 1530208178.227749}
imunify360/console.log:INFO [2018-06-29 03:49:38,245] defence360agent.internals.the_sink: SensorIncident:{'plugin_id': 'ossec', 'message': '185.94.188.23 proxy - [06/28/2018:17:49:35 -0000] "GET / HTTP/1.1" 401 0 "-" "-" "-" "X-Forwarded-For: 185.94.188.23" 443', 'attackers_ip': '185.94.188.23', 'severity': 5, 'name': 'Web server 400 error code.', 'rule': 31101, 'timestamp': 1530208178.2283244}
imunify360/console.log:INFO [2018-06-29 03:49:38,251] defence360agent.internals.the_sink: SensorIncident:{'plugin_id': 'ossec', 'message': '185.94.188.23 proxy befreman [06/28/2018:17:49:37 -0000] "POST /login/?login_only=1 HTTP/1.1" 401 0 "-" "-" "-" "X-Forwarded-For: 185.94.188.23" 443', 'attackers_ip': '185.94.188.23', 'severity': 5, 'name': 'Web server 400 error code.', 'rule': 31101, 'timestamp': 1530208178.228597}
imunify360/console.log:INFO [2018-06-29 03:49:40,236] defence360agent.internals.the_sink: SensorIncident:{'plugin_id': 'ossec', 'message': '[2018-06-29 03:49:38 +1000] info [cpaneld] 185.94.188.23 - befreman "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN cpaneld: access denied for root, reseller, and user password', 'attackers_ip': '185.94.188.23', 'severity': 5, 'name': 'Login failed on the cpanel service', 'rule': 11000, 'timestamp': 1530208180.2287655}
imunify360/console.log:INFO [2018-06-29 03:49:40,245] defence360agent.internals.the_sink: SensorIncident:{'plugin_id': 'ossec', 'message': '[2018-06-29 03:49:39 +1000] info [cpaneld] 185.94.188.23 - befreman "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN cpaneld: access denied for root, reseller, and user password', 'attackers_ip': '185.94.188.23', 'severity': 5, 'name': 'Login failed on the cpanel service', 'rule': 11000, 'timestamp': 1530208180.2290764}
imunify360/console.log:INFO [2018-06-29 03:49:40,250] defence360agent.internals.the_sink: SensorIncident:{'plugin_id': 'ossec', 'message': '185.94.188.23 proxy befreman [06/28/2018:17:49:38 -0000] "POST /login/?login_only=1 HTTP/1.1" 401 0 "-" "-" "-" "X-Forwarded-For: 185.94.188.23" 443', 'attackers_ip': '185.94.188.23', 'severity': 5, 'name': 'Web server 400 error code.', 'rule': 31101, 'timestamp': 1530208180.2292852}
imunify360/console.log:INFO [2018-06-29 03:49:40,256] defence360agent.internals.the_sink: SensorIncident:{'plugin_id': 'ossec', 'message': '185.94.188.23 proxy befreman [06/28/2018:17:49:39 -0000] "POST /login/?login_only=1 HTTP/1.1" 401 0 "-" "-" "-" "X-Forwarded-For: 185.94.188.23" 443', 'attackers_ip': '185.94.188.23', 'severity': 5, 'name': 'Web server 400 error code.', 'rule': 31101, 'timestamp': 1530208180.2294416}
imunify360/console.log:INFO [2018-06-29 03:49:42,241] defence360agent.internals.the_sink: SensorIncident:{'plugin_id': 'ossec', 'message': '[2018-06-29 03:49:41 +1000] info [cpaneld] 185.94.188.23 - befreman "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN cpaneld: access denied for root, reseller, and user password', 'attackers_ip': '185.94.188.23', 'severity': 5, 'name': 'Login failed on the cpanel service', 'rule': 11000, 'timestamp': 1530208182.2307231}
imunify360/console.log:INFO [2018-06-29 03:49:42,253] defence360agent.internals.the_sink: SensorIncident:{'plugin_id': 'ossec', 'message': '185.94.188.23 proxy befreman [06/28/2018:17:49:40 -0000] "POST /login/?login_only=1 HTTP/1.1" 401 0 "-" "-" "-" "X-Forwarded-For: 185.94.188.23" 443', 'attackers_ip': '185.94.188.23', 'severity': 5, 'name': 'Web server 400 error code.', 'rule': 31101, 'timestamp': 1530208182.2425356}
imunify360/console.log:INFO [2018-06-29 03:49:44,242] defence360agent.internals.the_sink: SensorIncident:{'plugin_id': 'ossec', 'message': '[2018-06-29 03:49:42 +1000] info [cpaneld] 185.94.188.23 - befreman "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN cpaneld: access denied for root, reseller, and user password', 'attackers_ip': '185.94.188.23', 'severity': 5, 'name': 'Login failed on the cpanel service', 'rule': 11000, 'timestamp': 1530208184.232724}
imunify360/console.log:INFO [2018-06-29 03:49:44,252] defence360agent.internals.the_sink: SensorIncident:{'plugin_id': 'ossec', 'message': '[2018-06-29 03:49:43 +1000] info [cpaneld] 185.94.188.23 - befreman "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN cpaneld: access denied for root, reseller, and user password', 'attackers_ip': '185.94.188.23', 'severity': 5, 'name': 'Login failed on the cpanel service', 'rule': 11000, 'timestamp': 1530208184.233089}
imunify360/console.log:INFO [2018-06-29 03:49:44,258] defence360agent.internals.the_sink: SensorIncident:{'plugin_id': 'ossec', 'message': '185.94.188.23 proxy befreman [06/28/2018:17:49:42 -0000] "POST /login/?login_only=1 HTTP/1.1" 401 0 "-" "-" "-" "X-Forwarded-For: 185.94.188.23" 443', 'attackers_ip': '185.94.188.23', 'severity': 5, 'name': 'Web server 400 error code.', 'rule': 31101, 'timestamp': 1530208184.2333097}
imunify360/console.log:INFO [2018-06-29 03:49:44,269] defence360agent.internals.the_sink: SensorIncident:{'plugin_id': 'ossec', 'message': '185.94.188.23 proxy befreman [06/28/2018:17:49:43 -0000] "POST /login/?login_only=1 HTTP/1.1" 401 0 "-" "-" "-" "X-Forwarded-For: 185.94.188.23" 443', 'attackers_ip': '185.94.188.23', 'severity': 5, 'name': 'Web server 400 error code.', 'rule': 31101, 'timestamp': 1530208184.2335644}
imunify360/console.log:INFO [2018-06-29 03:49:46,241] defence360agent.internals.the_sink: SensorIncident:{'plugin_id': 'ossec', 'message': '[2018-06-29 03:49:44 +1000] info [cpaneld] 185.94.188.23 - befreman "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN cpaneld: access denied for root, reseller, and user password', 'attackers_ip': '185.94.188.23', 'severity': 5, 'name': 'Login failed on the cpanel service', 'rule': 11000, 'timestamp': 1530208186.2347157}
imunify360/console.log:INFO [2018-06-29 03:49:46,244] defence360agent.internals.the_sink: Rejected: CSF is running -> SensorAlert:{'plugin_id': 'ossec', 'method': 'ALERT', 'attackers_ip': IPv4Network('185.94.188.23/32'), 'rule': 11004, 'user': 'befreman', 'timestamp': 1530208186.2353258}
imunify360/console.log:INFO [2018-06-29 03:49:46,251] defence360agent.internals.the_sink: SensorIncident:{'plugin_id': 'ossec', 'message': '[2018-06-29 03:49:45 +1000] info [cpaneld] 185.94.188.23 - befreman "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN cpaneld: access denied for root, reseller, and user password', 'attackers_ip': '185.94.188.23', 'severity': 10, 'name': 'Possible breaking attempt on cpanel service', 'rule': 11004, 'timestamp': 1530208186.2352602}
imunify360/console.log:INFO [2018-06-29 03:49:46,258] defence360agent.internals.the_sink: SensorIncident:{'plugin_id': 'ossec', 'message': '185.94.188.23 proxy befreman [06/28/2018:17:49:44 -0000] "POST /login/?login_only=1 HTTP/1.1" 401 0 "-" "-" "-" "X-Forwarded-For: 185.94.188.23" 443', 'attackers_ip': '185.94.188.23', 'severity': 5, 'name': 'Web server 400 error code.', 'rule': 31101, 'timestamp': 1530208186.2426414}
imunify360/console.log:INFO [2018-06-29 03:49:46,264] defence360agent.internals.the_sink: SensorIncident:{'plugin_id': 'ossec', 'message': '185.94.188.23 proxy befreman [06/28/2018:17:49:45 -0000] "POST /login/?login_only=1 HTTP/1.1" 401 0 "-" "-" "-" "X-Forwarded-For: 185.94.188.23" 443', 'attackers_ip': '185.94.188.23', 'severity': 5, 'name': 'Web server 400 error code.', 'rule': 31101, 'timestamp': 1530208186.2428517}
imunify360/console.log:INFO [2018-06-29 03:49:46,547] defence360agent.internals.the_sink: SensorIncident:{'message': '(cpanel) Failed cPanel login from 185.94.188.23 (NL/Netherlands/-): 5 in the last 3600 secs', 'name': 'LF_CPANEL', 'plugin_id': 'lfd', 'method': 'INCIDENT', 'ttl': '1', 'attackers_ip': '185.94.188.23', 'rule': 'LF_CPANEL', 'timestamp': 1530208186.541757}
imunify360/console.log:INFO [2018-06-29 03:49:46,549] defence360agent.plugins.protector.lfd: Unblocking 185.94.188.23/32 in CSF before adding to graylist
imunify360/console.log:INFO [2018-06-29 03:49:47,649] defence360agent.plugins.protector.lazy_init: IP 185.94.188.23/32 is BLOCKED in graylist with 2592000 sec (expiration: 1532800187) (due to SensorAlert)
imunify360/console.log:INFO [2018-06-29 03:49:47,657] defence360agent.internals.the_sink: SensorAlert:{'message': '(cpanel) Failed cPanel login from 185.94.188.23 (NL/Netherlands/-): 5 in the last 3600 secs', 'name': 'LF_CPANEL', 'plugin_id': 'lfd', 'method': 'ALERT', 'ttl': '1', 'attackers_ip': IPv4Network('185.94.188.23/32'), 'rule': 'LF_CPANEL', 'timestamp': 1530208186.541757}
imunify360/console.log:INFO [2018-06-29 03:49:48,244] defence360agent.internals.the_sink: SensorIncident:{'plugin_id': 'ossec', 'message': '[2018-06-29 03:49:47 +1000] info [cpaneld] 185.94.188.23 - befreman "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN cpaneld: access denied for root, reseller, and user password', 'attackers_ip': '185.94.188.23', 'severity': 5, 'name': 'Login failed on the cpanel service', 'rule': 11000, 'timestamp': 1530208188.2365706}
imunify360/console.log:INFO [2018-06-29 03:49:48,250] defence360agent.internals.the_sink: SensorIncident:{'plugin_id': 'ossec', 'message': '185.94.188.23 proxy befreman [06/28/2018:17:49:46 -0000] "POST /login/?login_only=1 HTTP/1.1" 401 0 "-" "-" "-" "X-Forwarded-For: 185.94.188.23" 443', 'attackers_ip': '185.94.188.23', 'severity': 5, 'name': 'Web server 400 error code.', 'rule': 31101, 'timestamp': 1530208188.2369468}
imunify360/console.log:INFO [2018-06-29 03:49:48,476] defence360agent.plugins.protector.lazy_init: IP 185.94.188.23/32 is BLOCKED in graylist with 1800.0 sec (expiration: 1532800187) (due to ServerPush)
imunify360/console.log:INFO [2018-06-29 03:49:48,508] defence360agent.internals.the_sink: ServerPush:{'__debug__': {'class_name': 'BlockForGroups'}, 'attackers_ip': IPv4Network('185.94.188.23/32'), 'method': 'BLOCK', 'timeout': {'expiration': 1530209988, 'deep': 1, 'ttl': 1800.0, 'no_captcha': False}, 'properties': {'expiration': 1530209988, 'deep': 1, 'ttl': 1800.0, 'no_captcha': False}}
imunify360/console.log:INFO [2018-06-29 03:49:50,246] defence360agent.internals.the_sink: SensorIncident:{'plugin_id': 'ossec', 'message': '[2018-06-29 03:49:48 +1000] info [cpaneld] 185.94.188.23 - befreman "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN cpaneld: access denied for root, reseller, and user password', 'attackers_ip': '185.94.188.23', 'severity': 5, 'name': 'Login failed on the cpanel service', 'rule': 11000, 'timestamp': 1530208190.238551}
imunify360/console.log:INFO [2018-06-29 03:49:50,253] defence360agent.internals.the_sink: SensorIncident:{'plugin_id': 'ossec', 'message': '[2018-06-29 03:49:49 +1000] info [cpaneld] 185.94.188.23 - befreman "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN cpaneld: access denied for root, reseller, and user password', 'attackers_ip': '185.94.188.23', 'severity': 5, 'name': 'Login failed on the cpanel service', 'rule': 11000, 'timestamp': 1530208190.2388957}
imunify360/console.log:INFO [2018-06-29 03:49:50,259] defence360agent.internals.the_sink: SensorIncident:{'plugin_id': 'ossec', 'message': '185.94.188.23 proxy befreman [06/28/2018:17:49:47 -0000] "POST /login/?login_only=1 HTTP/1.1" 401 0 "-" "-" "-" "X-Forwarded-For: 185.94.188.23" 443', 'attackers_ip': '185.94.188.23', 'severity': 5, 'name': 'Web server 400 error code.', 'rule': 31101, 'timestamp': 1530208190.2390957}
imunify360/console.log:INFO [2018-06-29 03:49:50,267] defence360agent.internals.the_sink: SensorIncident:{'plugin_id': 'ossec', 'message': '185.94.188.23 proxy befreman [06/28/2018:17:49:49 -0000] "POST /login/?login_only=1 HTTP/1.1" 401 0 "-" "-" "-" "X-Forwarded-For: 185.94.188.23" 443', 'attackers_ip': '185.94.188.23', 'severity': 5, 'name': 'Web server 400 error code.', 'rule': 31101, 'timestamp': 1530208190.2399578}
imunify360/console.log:INFO [2018-06-29 03:49:51,181] defence360agent.internals.the_sink: SensorIncidentList:{'method': 'INCIDENT_LIST', 'list': [{'plugin_id': 'ossec', 'message': '185.94.188.23 proxy befreman [06/28/2018:17:49:49 -0000] "POST /login/?login_only=1 HTTP/1.1" 401 0 "-" "-" "-" "X-Forwarded-For: 185.94.188.23" 443', 'retries': 12, 'severity': 5, 'attackers_ip': IPv4Network('185.94.188.23/32'), 'name': 'Web server 400 error code.', 'domain': None, 'rule': 31101, 'timestamp': 1530208190.2399578}, {'plugin_id': 'lfd', 'message': '(cpanel) Failed cPanel login from 185.94.188.23 (NL/Netherlands/-): 5 in the last 3600 secs', 'retries': 1, 'severity': None, 'attackers_ip': IPv4Network('185.94.188.23/32'), 'name': 'LF_CPANEL', 'domain': None, 'rule': 'LF_CPANEL', 'timestamp': 1530208186.541757}, {'plugin_id': 'ossec', 'message': '[2018-06-29 03:49:49 +1000] info [cpaneld] 185.94.188.23 - befreman "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN cpaneld: access denied for root, reseller, and user password', 'retries': 10, 'severity': 5, 'attackers_ip': IPv4Network('185.94.188.23/32'), 'name': 'Login failed on the cpanel service', 'domain': None, 'rule': 11000, 'timestamp': 1530208190.2388957}, {'plugin_id': 'ossec', 'message': '[2018-06-29 03:49:45 +1000] info [cpaneld] 185.94.188.23 - befreman "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN cpaneld: access denied for root, reseller, and user password', 'retries': 1, 'severity': 10, 'attackers_ip': IPv4Network('185.94.188.23/32'), 'name': 'Possible breaking attempt on cpanel service', 'domain': None, 'rule': 11004, 'timestamp': 1530208186.2352602}]}
imunify360/console.log:INFO [2018-06-29 03:49:52,247] defence360agent.internals.the_sink: SensorIncident:{'plugin_id': 'ossec', 'message': '[2018-06-29 03:49:50 +1000] info [cpaneld] 185.94.188.23 - befreman "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN cpaneld: access denied for root, reseller, and user password', 'attackers_ip': '185.94.188.23', 'severity': 5, 'name': 'Login failed on the cpanel service', 'rule': 11000, 'timestamp': 1530208192.2408829}
imunify360/console.log:INFO [2018-06-29 03:49:52,253] defence360agent.internals.the_sink: SensorIncident:{'plugin_id': 'ossec', 'message': '[2018-06-29 03:49:52 +1000] info [cpaneld] 185.94.188.23 - befreman "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN cpaneld: access denied for root, reseller, and user password', 'attackers_ip': '185.94.188.23', 'severity': 5, 'name': 'Login failed on the cpanel service', 'rule': 11000, 'timestamp': 1530208192.2412126}
imunify360/console.log:INFO [2018-06-29 03:49:52,259] defence360agent.internals.the_sink: SensorIncident:{'plugin_id': 'ossec', 'message': '185.94.188.23 proxy befreman [06/28/2018:17:49:50 -0000] "POST /login/?login_only=1 HTTP/1.1" 401 0 "-" "-" "-" "X-Forwarded-For: 185.94.188.23" 443', 'attackers_ip': '185.94.188.23', 'severity': 5, 'name': 'Web server 400 error code.', 'rule': 31101, 'timestamp': 1530208192.2413776}
imunify360/console.log:INFO [2018-06-29 03:49:52,268] defence360agent.internals.the_sink: SensorIncident:{'plugin_id': 'ossec', 'message': '185.94.188.23 proxy befreman [06/28/2018:17:49:51 -0000] "POST /login/?login_only=1 HTTP/1.1" 401 0 "-" "-" "-" "X-Forwarded-For: 185.94.188.23" 443', 'attackers_ip': '185.94.188.23', 'severity': 5, 'name': 'Web server 400 error code.', 'rule': 31101, 'timestamp': 1530208192.2415526}
imunify360/console.log:INFO [2018-06-29 03:49:54,249] defence360agent.internals.the_sink: SensorIncident:{'plugin_id': 'ossec', 'message': '[2018-06-29 03:49:53 +1000] info [cpaneld] 185.94.188.23 - befreman "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN cpaneld: access denied for root, reseller, and user password', 'attackers_ip': '185.94.188.23', 'severity': 5, 'name': 'Login failed on the cpanel service', 'rule': 11000, 'timestamp': 1530208194.243628}
imunify360/console.log:INFO [2018-06-29 03:49:54,257] defence360agent.internals.the_sink: SensorIncident:{'plugin_id': 'ossec', 'message': '185.94.188.23 proxy befreman [06/28/2018:17:49:53 -0000] "POST /login/?login_only=1 HTTP/1.1" 401 0 "-" "-" "-" "X-Forwarded-For: 185.94.188.23" 443', 'attackers_ip': '185.94.188.23', 'severity': 5, 'name': 'Web server 400 error code.', 'rule': 31101, 'timestamp': 1530208194.2503633}
imunify360/console.log:INFO [2018-06-29 03:49:56,248] defence360agent.internals.the_sink: Rejected: CSF is running -> SensorAlert:{'plugin_id': 'ossec', 'method': 'ALERT', 'attackers_ip': IPv4Network('185.94.188.23/32'), 'rule': 11004, 'user': 'befreman', 'timestamp': 1530208196.244956}
imunify360/console.log:INFO [2018-06-29 03:49:56,258] defence360agent.internals.the_sink: SensorIncident:{'plugin_id': 'ossec', 'message': '[2018-06-29 03:49:54 +1000] info [cpaneld] 185.94.188.23 - befreman "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN cpaneld: access denied for root, reseller, and user password', 'attackers_ip': '185.94.188.23', 'severity': 5, 'name': 'Login failed on the cpanel service', 'rule': 11000, 'timestamp': 1530208196.2445617}
imunify360/console.log:INFO [2018-06-29 03:49:56,263] defence360agent.internals.the_sink: SensorIncident:{'plugin_id': 'ossec', 'message': '[2018-06-29 03:49:55 +1000] info [cpaneld] 185.94.188.23 - befreman "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN cpaneld: access denied for root, reseller, and user password', 'attackers_ip': '185.94.188.23', 'severity': 10, 'name': 'Possible breaking attempt on cpanel service', 'rule': 11004, 'timestamp': 1530208196.2448802}
imunify360/console.log:INFO [2018-06-29 03:49:56,269] defence360agent.internals.the_sink: SensorIncident:{'plugin_id': 'ossec', 'message': '185.94.188.23 proxy befreman [06/28/2018:17:49:54 -0000] "POST /login/?login_only=1 HTTP/1.1" 401 0 "-" "-" "-" "X-Forwarded-For: 185.94.188.23" 443', 'attackers_ip': '185.94.188.23', 'severity': 5, 'name': 'Web server 400 error code.', 'rule': 31101, 'timestamp': 1530208196.2453}
imunify360/console.log:INFO [2018-06-29 03:49:56,275] defence360agent.internals.the_sink: SensorIncident:{'plugin_id': 'ossec', 'message': '185.94.188.23 proxy befreman [06/28/2018:17:49:55 -0000] "POST /login/?login_only=1 HTTP/1.1" 401 0 "-" "-" "-" "X-Forwarded-For: 185.94.188.23" 443', 'attackers_ip': '185.94.188.23', 'severity': 5, 'name': 'Web server 400 error code.', 'rule': 31101, 'timestamp': 1530208196.270217}
imunify360/console.log:INFO [2018-06-29 03:49:56,291] defence360agent.internals.the_sink: SensorIncident:{'message': '(cpanel) Failed cPanel login from 185.94.188.23 (NL/Netherlands/-): 5 in the last 3600 secs', 'name': 'LF_CPANEL', 'plugin_id': 'lfd', 'method': 'INCIDENT', 'ttl': '1', 'attackers_ip': '185.94.188.23', 'rule': 'LF_CPANEL', 'timestamp': 1530208196.2854989}
imunify360/console.log:INFO [2018-06-29 03:49:56,293] defence360agent.plugins.protector.lfd: Unblocking 185.94.188.23/32 in CSF before adding to graylist
imunify360/console.log:INFO [2018-06-29 03:49:57,298] defence360agent.plugins.protector.lazy_init: IP 185.94.188.23/32 is BLOCKED in graylist with 2592000 sec (expiration: 1532800197) (due to SensorAlert)


Summary

There appears to be an issue whereby Imunify servers are removing the CSF block, but NOT re-blocking it quickly enough. Once the IP address appears in the graylist, should they no longer be able to post to the login page? If so, why did it take half an hour to finally get onto the graylist?

It concerns me that 1000 brute force attempts were made before Imunify blocked this IP address on the server in question, while the CSF Cluster Servers had him locked out within 5 attempts.

Is this something to be concerned about?
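To check the CSF-to-graylist hand-off the post describes on a real log excerpt, here is an added example (not from the original post, and not Imunify360's or CSF's own code) that parses lfd.log and console.log lines of the same shape, measures the gap between the "Unblocking ... in CSF" and "BLOCKED in graylist" lines, and counts the cpaneld failed-login incidents logged after the graylist entry. The sample lines are constructed from the post's format; the year for the syslog-style lfd.log line and reading both logs on the server's local clock are assumptions.

```python
import re
from datetime import datetime

# Constructed sample lines in the shape of the lfd.log and Imunify360 console.log
# excerpts quoted in the post (same IP; the long 'message' field is trimmed).
LFD_LOG = """\
Jun 29 03:49:43 blah lfd[3195254]: (cpanel) Failed cPanel login from 185.94.188.23 (NL/Netherlands/-): 5 in the last 3600 secs - *Blocked in csf* [LF_CPANEL]
"""
CONSOLE_LOG = """\
imunify360/console.log:INFO [2018-06-29 03:49:44,242] defence360agent.internals.the_sink: SensorIncident:{'plugin_id': 'ossec', 'attackers_ip': '185.94.188.23', 'severity': 5, 'name': 'Login failed on the cpanel service', 'rule': 11000, 'timestamp': 1530208184.232724}
imunify360/console.log:INFO [2018-06-29 03:49:46,549] defence360agent.plugins.protector.lfd: Unblocking 185.94.188.23/32 in CSF before adding to graylist
imunify360/console.log:INFO [2018-06-29 03:49:47,649] defence360agent.plugins.protector.lazy_init: IP 185.94.188.23/32 is BLOCKED in graylist with 2592000 sec (expiration: 1532800187) (due to SensorAlert)
imunify360/console.log:INFO [2018-06-29 03:49:48,244] defence360agent.internals.the_sink: SensorIncident:{'plugin_id': 'ossec', 'attackers_ip': '185.94.188.23', 'severity': 5, 'name': 'Login failed on the cpanel service', 'rule': 11000, 'timestamp': 1530208188.2365706}
imunify360/console.log:INFO [2018-06-29 03:49:50,246] defence360agent.internals.the_sink: SensorIncident:{'plugin_id': 'ossec', 'attackers_ip': '185.94.188.23', 'severity': 5, 'name': 'Login failed on the cpanel service', 'rule': 11000, 'timestamp': 1530208190.238551}
"""
YEAR = 2018  # assumption: syslog-style lfd.log lines carry no year

LFD_BLOCK_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ lfd\[\d+\]: .*?from (?P<ip>[\d.]+) .*\*Blocked in csf\*")
CONSOLE_RE = re.compile(r"^(?:\S+:)?INFO \[(?P<ts>[\d-]+ [\d:]+,\d{3})\] (?P<rest>.*)$")
IP_RE = re.compile(r"\d+\.\d+\.\d+\.\d+")   # first IPv4 on the line is the attacker
RULE_RE = re.compile(r"'rule': (\d+)")


def parse_lfd_blocks(text):
    """[(when, ip)] for each '*Blocked in csf*' line, read on the server's local clock."""
    out = []
    for m in filter(None, map(LFD_BLOCK_RE.match, text.splitlines())):
        out.append((datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S"), m["ip"]))
    return out


def parse_console(text):
    """[(when, kind, ip, rule)]; kind is incident / csf_unblock / graylist_block / other."""
    events = []
    for m in filter(None, map(CONSOLE_RE.match, text.splitlines())):
        rest = m["rest"]
        if "SensorIncident:" in rest:
            kind = "incident"
        elif "in CSF before adding to graylist" in rest:
            kind = "csf_unblock"
        elif "is BLOCKED in graylist" in rest:
            kind = "graylist_block"
        else:
            kind = "other"
        ip = IP_RE.search(rest)
        rule = RULE_RE.search(rest)
        events.append((datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S,%f"), kind,
                       ip.group() if ip else None, int(rule[1]) if rule else None))
    return events


def block_timeline(lfd_text, console_text, ip, login_fail_rule=11000):
    """Reconstruct the CSF -> graylist hand-off for one IP and measure the gaps."""
    lfd_at = next((t for t, i in parse_lfd_blocks(lfd_text) if i == ip), None)
    ev = [e for e in parse_console(console_text) if e[2] == ip]
    unblock_at = next((t for t, k, _, _ in ev if k == "csf_unblock"), None)
    graylist_at = next((t for t, k, _, _ in ev if k == "graylist_block"), None)
    after = [t for t, k, _, r in ev
             if k == "incident" and r == login_fail_rule and graylist_at and t > graylist_at]

    def secs(a, b):
        return None if a is None or b is None else (b - a).total_seconds()

    return {
        "lfd_block_at": lfd_at,
        "csf_unblock_at": unblock_at,
        "graylist_block_at": graylist_at,
        # the IP is in neither CSF's deny list nor the graylist during this window
        "unprotected_seconds": secs(unblock_at, graylist_at),
        "lfd_to_graylist_seconds": secs(lfd_at, graylist_at),
        # cpaneld failed-login incidents the sensor logged after the graylist entry
        "failed_logins_after_graylist": len(after),
    }


if __name__ == "__main__":
    for key, value in block_timeline(LFD_LOG, CONSOLE_LOG, "185.94.188.23").items():
        print(f"{key}: {value}")
```

Run it over the full console.log and lfd.log rather than the trimmed sample to get the real figures for the incident; a non-zero failed-login count after the graylist entry is the thing to raise with support.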
# 1, 05.07.2018 05:07:54
Timur Irmatov, Accepted Answer
Posts: 3
Joined: 24.11.2017
0 Votes
Hi,

Here is the log line you provided where the IP address in question was first blocked by LFD:

Jun 29 03:49:43 blah lfd[3195254]: (cpanel) Failed cPanel login from 185.94.188.23 (NL/Netherlands/-): 5 in the last 3600 secs - *Blocked in csf* [LF_CPANEL]

This is the log line from imunify360 confirming that block:

imunify360/console.log:INFO [2018-06-29 03:49:47,649] defence360agent.plugins.protector.lazy_init: IP 185.94.188.23/32 is BLOCKED in graylist with 2592000 sec (expiration: 1532800187) (due to SensorAlert)

This is the last line that you provided from the imunify360 log:

imunify360/console.log:INFO [2018-06-29 03:49:57,298] defence360agent.plugins.protector.lazy_init: IP 185.94.188.23/32 is BLOCKED in graylist with 2592000 sec (expiration: 1532800197) (due to SensorAlert)

It seems that imunify360 blocked that IP address 4 seconds after it was blocked by LFD. It may be that your server is under significant load, or that there are many security-related events and some accumulation of messages in imunify360, which may explain why there are still log lines about this IP address after it was blocked.

If you need further assistance/confirmation, feel free to open up a support ticket.
# 2, 17.07.2018 23:07:39
Nick Texidor, Accepted Answer
Posts: 0
Joined: 24.08.2019
0 Votes
Thanks Timur,

Yes, I can see those log lines, and was aware that Imunify360 had attempted to block the IP address; the fact is, it hadn't. This wasn't a load issue. We are a hosting company and monitor our servers all the time.

From what I could see, and remember, the IP address was added to the gray list, but the attacker continued to get through to the server, and continued to brute force the site he was attacking.

I will keep a close eye on the logs and emails, and will gather all relevant information when it happens again, so I can raise a support ticket. I have one from last night, but that was on a much smaller scale, it took about a minute to get blocked, and LFD reported about 50 attempts in that time, sending about 8 emails.