Localhost 127.0.0.1 banned itself

ashtec014
Normal user
Posts: 192
Joined: 2019-09-05 11:56

Localhost 127.0.0.1 banned itself

Post by ashtec014 » 2021-09-14 08:42

Hi,

I noticed this a long time ago and thought it was okay because the priority of my localhost is above 100. However, I've seen this many times in the logs and it looks like it happens more often.

I examined the logs yesterday and a local email address banned itself. I've removed this email already as it is no longer needed.

Code: Select all

11424	"2021-09-13 19:26:01.795"	"Failed login for email@mydomain.com from 127.0.0.1 on port 993"

I can't find anything in the logs that initiated a login attempt at that time:

Code: Select all

"TCPIP"	8688	"2021-09-13 19:25:58.341"	"TCP - 127.0.0.1 connected to 127.0.0.1:993."
"DEBUG"	8688	"2021-09-13 19:25:58.341"	"Executing event OnClientConnect"
"DEBUG"	6036	"2021-09-13 19:25:58.670"	"Reading messages from database."
"DEBUG"	11424	"2021-09-13 19:25:59.107"	"Reading messages from database."
"DEBUG"	8688	"2021-09-13 19:26:01.670"	"Event completed"
"DEBUG"	8688	"2021-09-13 19:26:01.670"	"TCP connection started for session 3632"
"DEBUG"	8688	"2021-09-13 19:26:01.670"	"Performing SSL/TLS handshake for session 3632. Verify certificate: False"
"TCPIP"	9564	"2021-09-13 19:26:01.701"	"TCPConnection - TLS/SSL handshake completed. Session Id: 3632, Remote IP: 127.0.0.1, Version: TLSv1.2, Cipher: ECDHE-RSA-AES256-SHA384, Bits: 256"
"DEBUG"	11424	"2021-09-13 19:26:01.779"	"Executing event OnClientLogon"
"DEBUG"	11424	"2021-09-13 19:26:01.795"	"Event completed"
"DEBUG"	11424	"2021-09-13 19:26:01.795"	"Ending session 3632"
"DEBUG"	8688	"2021-09-13 19:26:14.785"	"Pre-creating session 3634"

Any idea why this happened? Thank you.

RvdH
Senior user
Posts: 1621
Joined: 2008-06-27 14:42
Location: Netherlands

Re: Localhost 127.0.0.1 banned itself

Post by RvdH » 2021-09-14 08:48

What do you mean with "banned itself"? Your log says nothing about a ban...
993 = IMAP = webmail?
ashtec014 wrote:
2021-09-14 08:42
I can't find anything in the logs that initiated a login attempt at that time:
You can not find it? It is right there :!:
What is on OnClientLogon?

Code: Select all

"DEBUG"	11424	"2021-09-13 19:26:01.779"	"Executing event OnClientLogon"
"DEBUG"	11424	"2021-09-13 19:26:01.795"	"Event completed"
followed by "Failed login for email@mydomain.com from 127.0.0.1 on port 993"

Geez, what possibly could be wrong :?: :!:
Last edited by RvdH on 2021-09-14 08:55, edited 1 time in total.
CIDR to RegEx: d-fault.nl/CIDRtoRegEx
DNS Lookup: d-fault.nl/DNSTools
DNSBL Lookup: d-fault.nl/DNSBLLookup
GEOIP Lookup: d-fault.nl/GeoipLookup
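
The correlation pointed out in the post above, as an added example that is not part of the original posts: it joins the script's "Failed login" line to the server log by thread ID and timestamp, then reads the session and peer address from the TLS handshake line. The sample input is built from the log lines quoted in this thread; the function names and the one-second window are assumptions of the example.

```python
import csv
import io
import re
from datetime import datetime, timedelta

# Constructed sample input: lines copied from the log excerpts quoted in this thread.
EVENT_LOG = '11424\t"2021-09-13 19:26:01.795"\t"Failed login for email@mydomain.com from 127.0.0.1 on port 993"\n'
MAIN_LOG = (
    '"TCPIP"\t8688\t"2021-09-13 19:25:58.341"\t"TCP - 127.0.0.1 connected to 127.0.0.1:993."\n'
    '"DEBUG"\t8688\t"2021-09-13 19:26:01.670"\t"TCP connection started for session 3632"\n'
    '"TCPIP"\t9564\t"2021-09-13 19:26:01.701"\t"TCPConnection - TLS/SSL handshake completed. '
    'Session Id: 3632, Remote IP: 127.0.0.1, Version: TLSv1.2, Cipher: ECDHE-RSA-AES256-SHA384, Bits: 256"\n'
    '"DEBUG"\t11424\t"2021-09-13 19:26:01.779"\t"Executing event OnClientLogon"\n'
    '"DEBUG"\t11424\t"2021-09-13 19:26:01.795"\t"Ending session 3632"\n'
    '"DEBUG"\t8688\t"2021-09-13 19:26:14.785"\t"Pre-creating session 3634"\n'
)
FAILED = re.compile(r"Failed login for (\S*) from (\S+) on port (\d+)")
HANDSHAKE = re.compile(r"Session Id: (\d+), Remote IP: ([^,]+), Version: ([^,]+)")
ENDING = re.compile(r"Ending session (\d+)")


def parse(text):
    """Yield (thread_id, timestamp, message); the leading type column is optional."""
    for row in csv.reader(io.StringIO(text), delimiter="\t"):
        if len(row) in (3, 4):
            tid, ts, msg = row[-3:]
            yield int(tid), datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f"), msg


def correlate(event_log, main_log, window=timedelta(seconds=1)):
    """Attach session id, peer IP and TLS version to each failed-login event line."""
    main = list(parse(main_log))
    tls = {int(m[1]): (m[2], m[3]) for m in map(HANDSHAKE.search, (s for _, _, s in main)) if m}
    hits = []
    for tid, ts, msg in parse(event_log):
        m = FAILED.match(msg)
        if not m:
            continue
        hit = {"user": m[1], "ip": m[2], "port": int(m[3]), "session": None, "peer": None}
        # The script's log line shares its thread id with the OnClientLogon debug lines.
        fired = [t for i, t, s in main
                 if i == tid and s == "Executing event OnClientLogon" and abs(ts - t) <= window]
        # Heuristic: take the first session that thread ends after the event fired.
        ended = [ENDING.match(s) for i, t, s in main if fired and i == tid and t >= fired[0]]
        ended = [int(e[1]) for e in ended if e]
        if ended:
            hit["session"], hit["peer"] = ended[0], tls.get(ended[0])
        hits.append(hit)
    return hits


if __name__ == "__main__":
    print(correlate(EVENT_LOG, MAIN_LOG))
```

A peer address of 127.0.0.1 in the handshake line means the IMAP client was a process on the mail server itself, which is what a locally hosted webmail looks like in this log.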

Re: Localhost 127.0.0.1 banned itself

Post by ashtec014 » 2021-09-14 08:54

RvdH wrote:
2021-09-14 08:48
What do you mean with "banned itself"? Your log says nothing about a ban...
993 = IMAP = webmail?

What is on OnClientLogon?
I am referring to this:
Image

993 is IMAPS for webmail and for other mail clients.

OnClientLogon here's the code:

Code: Select all

Sub OnClientLogon(oClient)
	If oClient.Authenticated then
		EventLog.Write("Successful login for " & oClient.Username & " from " & oClient.IpAddress & " on port " & oClient.Port & "")
	Else
		EventLog.Write("Failed login for " & oClient.Username & " from " & oClient.IpAddress & " on port " & oClient.Port & "")
	End if
End Sub

Re: Localhost 127.0.0.1 banned itself

Post by RvdH » 2021-09-14 09:00

It is a failed login (probably at the webmail) attempt that triggers autoban
But as your "My computer" range is higher (eg: 125) that autoban range in reality is NOT banned

Re: Localhost 127.0.0.1 banned itself

Post by ashtec014 » 2021-09-14 09:02

RvdH wrote:
2021-09-14 09:00
It is a failed login (probably at the webmail) attempt that triggers autoban
But as your "My computer" range is higher (eg: 125) that autoban range in reality is NOT banned
I was suspecting the same that it could be from webmail as it is being hosted on the same machine. Is it safe to just ignore it?

Re: Localhost 127.0.0.1 banned itself

Post by RvdH » 2021-09-14 09:06

Yeah, you can pretty much ignore that

Roundcube? You can cross check the login attempts

Code: Select all

// Log successful logins to <log_dir>/userlogins or to syslog
$config['log_logins'] = true;

Re: Localhost 127.0.0.1 banned itself

Post by ashtec014 » 2021-09-14 09:15

RvdH wrote:
2021-09-14 09:06
Yeah, you can pretty much ignore that
I will do. Thank you so much.
RvdH wrote:
2021-09-14 09:06
Roundcube? You can cross check the login attempts

Code: Select all

// Log successful logins to <log_dir>/userlogins or to syslog
$config['log_logins'] = true;
I've checked my roundcube logs to counter check the time of attempts but no info related to the email address.

palinka
Senior user
Posts: 2888
Joined: 2017-09-12 17:57

Re: Localhost 127.0.0.1 banned itself

Post by palinka » 2021-09-14 12:00

RvdH wrote:
2021-09-14 09:00
But as your "My computer" range is higher (eg: 125) that autoban range in reality is NOT banned
But the user *is* banned. The autoban must be removed or expired before the user can log in. No other users are affected on that ip range.

mattg
Moderator
Posts: 21615
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Localhost 127.0.0.1 banned itself

Post by mattg » 2021-09-14 13:08

palinka wrote:
2021-09-14 12:00
RvdH wrote:
2021-09-14 09:00
But as your "My computer" range is higher (eg: 125) that autoban range in reality is NOT banned
But the user *is* banned. The autoban must be removed or expired before the user can log in. No other users are affected on that ip range.
Probably not actually

The autoban happened because a user got user name + password wrong a number of times
Could have been a bot, could be a forgetful user (or one with caps lock turned on)

The same user trying again with correct username and password will still get connected

(Also because the auto ban is 100, this poster is using 5.7)
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

Re: Localhost 127.0.0.1 banned itself

Post by palinka » 2021-09-14 13:15

mattg wrote:
2021-09-14 13:08
palinka wrote:
2021-09-14 12:00
RvdH wrote:
2021-09-14 09:00
But as your "My computer" range is higher (eg: 125) that autoban range in reality is NOT banned
But the user *is* banned. The autoban must be removed or expired before the user can log in. No other users are affected on that ip range.
Probably not actually
Probably not what? Whenever i get a password wrong in an app or script that tries multiple times, i have to go in and remove the autoban before the correct password will authenticate.

Re: Localhost 127.0.0.1 banned itself

Post by RvdH » 2021-09-14 13:16

mattg wrote:
2021-09-14 13:08
palinka wrote:
2021-09-14 12:00
RvdH wrote:
2021-09-14 09:00
But as your "My computer" range is higher (eg: 125) that autoban range in reality is NOT banned
But the user *is* banned. The autoban must be removed or expired before the user can log in. No other users are affected on that ip range.
Probably not actually

The autoban happened because a user got user name + password wrong a number of times
Could have been a bot, could be a forgetful user (or one with caps lock turned on)

The same user trying again with correct username and password will still get connected
Was about to say the same :lol:
Last edited by RvdH on 2021-09-14 13:41, edited 2 times in total.

Re: Localhost 127.0.0.1 banned itself

Post by RvdH » 2021-09-14 13:18

palinka wrote:
2021-09-14 13:15
mattg wrote:
2021-09-14 13:08
palinka wrote:
2021-09-14 12:00


But the user *is* banned. The autoban must be removed or expired before the user can log in. No other users are affected on that ip range.
Probably not actually
Probably not what? Whenever i get a password wrong in an app or script that tries multiple times, i have to go in and remove the autoban before the correct password will authenticate.
IP range overrules autoban here, so if the ip range priority for 127.0.0.1 is higher than the autoban priority a login attempt from that ip is not banned

katip
Senior user
Posts: 951
Joined: 2006-12-22 07:58
Location: Istanbul

Re: Localhost 127.0.0.1 banned itself

Post by katip » 2021-09-14 13:28

PMFJI,
interesting case.
same IP range, one with 100 other with 125 priority. ok, HMS reads from higher to lower etc.
but what if both were same priority? block or pass?
IMO same range multiple times shouldn't be accepted whatever their priorities are. what can it be good for?
//EDIT: ok, understood "IP range overrules autoban here, so if the ip range priority for 127.0.0.1 is higher than the autoban priority a login attempt from that ip is not banned", so IP range supersedes ban range.
Katip
--
HMS 5.7.0, MariaDB 10.4.10, SA 3.4.2, ClamAV 0.103.2
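
A small model of the precedence rule discussed in the posts above (the highest-priority matching range decides), added here as an example and not hMailServer's own code. The `blocks` flag, the range names other than "My computer" and the sample addresses are assumptions; the equal-priority case raised in the post above is reported as ambiguous because the thread does not answer it.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class IpRange:
    name: str
    lower: str
    upper: str
    priority: int
    blocks: bool  # assumption of this model: True marks an auto-ban (deny) entry

    def covers(self, ip):
        addr = ipaddress.ip_address
        return addr(self.lower) <= addr(ip) <= addr(self.upper)


# Constructed table. Priorities 100 (auto-ban) and 125 ("My computer") are the
# values mentioned in the thread; the other names, addresses and values are made up.
RANGES = [
    IpRange("Internet", "0.0.0.0", "255.255.255.255", 10, False),
    IpRange("My computer", "127.0.0.1", "127.0.0.1", 125, False),
    IpRange("autoban-local", "127.0.0.1", "127.0.0.1", 100, True),
    IpRange("autoban-remote", "203.0.113.7", "203.0.113.7", 100, True),
]


def decide(ip, ranges):
    """Return (verdict, names of the winning ranges) for one client address."""
    hits = [r for r in ranges if r.covers(ip)]
    if not hits:
        return "no-range", []
    top = max(r.priority for r in hits)
    winners = [r for r in hits if r.priority == top]
    names = sorted(r.name for r in winners)
    if len({r.blocks for r in winners}) > 1:
        return "ambiguous-tie", names  # the thread leaves this case unanswered
    return ("blocked" if winners[0].blocks else "allowed"), names


def shadowed_bans(ranges):
    """Names of ban entries fully covered by a higher-priority non-ban range."""
    addr = ipaddress.ip_address
    return [b.name for b in ranges if b.blocks and any(
        not r.blocks and r.priority > b.priority
        and addr(r.lower) <= addr(b.lower) and addr(b.upper) <= addr(r.upper)
        for r in ranges)]


if __name__ == "__main__":
    for ip in ("127.0.0.1", "203.0.113.7"):
        print(ip, decide(ip, RANGES))
    print("shadowed:", shadowed_bans(RANGES))
```

A ban that `shadowed_bans` lists for the webmail host's address never takes effect in this model, so failed logins arriving through a webmail on that host are limited only by the webmail's own controls.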

SorenR
Senior user
Posts: 4826
Joined: 2006-08-21 15:38
Location: Denmark

Re: Localhost 127.0.0.1 banned itself

Post by SorenR » 2021-09-14 13:35

palinka wrote:
2021-09-14 13:15
mattg wrote:
2021-09-14 13:08
palinka wrote:
2021-09-14 12:00


But the user *is* banned. The autoban must be removed or expired before the user can log in. No other users are affected on that ip range.
Probably not actually
Probably not what? Whenever i get a password wrong in an app or script that tries multiple times, i have to go in and remove the autoban before the correct password will authenticate.
Are you sure you are using the same software we do?

When my clients fuck up and their phone/pc get their IP banned they can still use my webmail to logon.
SørenR.

Algorithm (noun.)
Word used by programmers when they do not want to explain what they did.

Re: Localhost 127.0.0.1 banned itself

Post by palinka » 2021-09-14 14:50

SorenR wrote:
2021-09-14 13:35
palinka wrote:
2021-09-14 13:15
mattg wrote:
2021-09-14 13:08


Probably not actually
Probably not what? Whenever i get a password wrong in an app or script that tries multiple times, i have to go in and remove the autoban before the correct password will authenticate.
Are you sure you are using the same software we do?

When my clients fuck up and their phone/pc get their IP banned they can still use my webmail to logon.
Challenge accepted! Results after dog walk. :mrgreen:

Re: Localhost 127.0.0.1 banned itself

Post by palinka » 2021-09-14 16:29

palinka wrote:
2021-09-14 14:50
SorenR wrote:
2021-09-14 13:35
palinka wrote:
2021-09-14 13:15


Probably not what? Whenever i get a password wrong in an app or script that tries multiple times, i have to go in and remove the autoban before the correct password will authenticate.
Are you sure you are using the same software we do?

When my clients fuck up and their phone/pc get their IP banned they can still use my webmail to logon.
Challenge accepted! Results after dog walk. :mrgreen:
I stand corrected.

Procedure: using webmail, enter incorrect password 3 times to trigger autoban. Then enter correct password. Result: was able to log in.

I guess those times I had to remove the autoban were due to IP on the internet range... :oops: I misremembered....

Re: Localhost 127.0.0.1 banned itself

Post by RvdH » 2021-09-14 17:40

palinka wrote:
2021-09-14 16:29
palinka wrote:
2021-09-14 14:50
SorenR wrote:
2021-09-14 13:35


Are you sure you are using the same software we do?

When my clients fuck up and their phone/pc get their IP banned they can still use my webmail to logon.
Challenge accepted! Results after dog walk. :mrgreen:
I stand corrected.

Procedure: using webmail, enter incorrect password 3 times to trigger autoban. Then enter correct password. Result: was able to log in.

I guess those times I had to remove the autoban were due to IP on the internet range... :oops: I misremembered....
Now try to enter incorrect password 3 times and then enter incorrect password 3 times more and see the correct password is irrelevant :mrgreen:

Disable Roundcube's built-in brute-force attacks prevention

Code: Select all

// Brute-force attacks prevention.
// The value specifies maximum number of failed logon attempts per minute.
$config['login_rate_limit'] = 0;
Last edited by RvdH on 2021-09-14 17:42, edited 1 time in total.

Re: Localhost 127.0.0.1 banned itself

Post by palinka » 2021-09-14 17:42

RvdH wrote:
2021-09-14 17:40
palinka wrote:
2021-09-14 16:29
palinka wrote:
2021-09-14 14:50


Challenge accepted! Results after dog walk. :mrgreen:
I stand corrected.

Procedure: using webmail, enter incorrect password 3 times to trigger autoban. Then enter correct password. Result: was able to log in.

I guess those times I had to remove the autoban were due to IP on the internet range... :oops: I misremembered....
Now try to enter incorrect password 3 times and then enter incorrect password 3 times more and see the correct password is irrelevant :mrgreen:
Get vaxxed. :mrgreen:

Re: Localhost 127.0.0.1 banned itself

Post by katip » 2021-09-14 20:32

RvdH wrote:
2021-09-14 13:18
IP range overrules autoban here, so if the ip range priority for 127.0.0.1 is higher than the autoban priority a login attempt from that ip is not banned
sorry that i come back to my question but it's still not clear to me.
in fact, IP ranges and ban ranges are same things, they're kept in same table, have same options.
in OPs case i understand that 127.0.0.1-127.0.0.1 has 2 entries, banning one with lower priority than the other, as a result ineffective. that's ok.

what if both had same priority? and does it make sense that HMS keeps 2 or more identical IP ranges with different priorities while only the highest applies?

Re: Localhost 127.0.0.1 banned itself

Post by SorenR » 2021-09-14 21:28

katip wrote:
2021-09-14 20:32
RvdH wrote:
2021-09-14 13:18
IP range overrules autoban here, so if the ip range priority for 127.0.0.1 is higher than the autoban priority a login attempt from that ip is not banned
sorry that i come back to my question but it's still not clear to me.
in fact, IP ranges and ban ranges are same things, they're kept in same table, have same options.
in OPs case i understand that 127.0.0.1-127.0.0.1 has 2 entries, banning one with lower priority than the other, as a result ineffective. that's ok.

what if both had same priority? and does it make sense that HMS keeps 2 or more identical IP ranges with different priorities while only the highest applies?
As long as the "name" is different you can have 1,000,000 identical ranges. That is one of the first things you observe from installing a webmail with a high priority ;-)

Re: Localhost 127.0.0.1 banned itself

Post by katip » 2021-09-15 08:00

SorenR wrote:
2021-09-14 21:28
As long as the "name" is different you can have 1,000,000 identical ranges. That is one of the first things you observe from installing a webmail with a high priority ;-)
good :D
useless i mean, except the one on top.