Incredigeek
Tag Archives: login

Troubleshooting email logins on cPanel/WHM

Posted on March 29, 2023 by admin

In this post we explore tracking down the email logs that record both Webmail and IMAP logins.

https://support.cpanel.net/hc/en-us/articles/1500012467681-How-To-List-Email-Login-History

ℹ️ There are a few different logs that contain email logins.

/var/log/maillog      <-- IMAP logins
/var/log/exim_mainlog <-- SMTP
/usr/local/cpanel/logs/session_log  <-- Webmail logins, logouts, IP changes
/usr/local/cpanel/logs/login_log  <-- Failed webmail logins
/usr/local/cpanel/logs/cphulkd.log  <-- cPHulk log

Here are some notes on tracking down email logins on cPanel or WHM.

IMAP Logins

IMAP logins are fairly easy to track down. Check /var/log/maillog.

Follow the log:

tail -f /var/log/maillog | grep email@address.com

Or search the whole log:

grep "email@address.com" /var/log/maillog

rip = Remote IP. That is the public IP address of the client that connected.
lip = Local IP. That is the IP address of the WHM/cPanel mail server.

Mar 27 12:30:51 host dovecot[207411]: imap-login: Login: user=<email@address.com>, method=PLAIN, rip=192.168.1.2, lip=192.168.1.10, mpid=1234567, TLS, session=<Q2sNAb3Q4OgkYXBa>

Webmail Logins

You can also view some info about Webmail connections in the main mail log.

tail -f /var/log/maillog | grep email@address.com

or

grep "email@address.com" /var/log/maillog

When a user is logged into webmail, the connection can look like the following.

Mar 27 12:31:17 host dovecot[207411]: imap(email@address.com)<1234567>: Disconnected: Logged out in=148, out=1166, bytes=148/1166

Mar 29 16:41:30 host dovecot[207411]: imap-login: Login: user=<email@address.com>, method=PLAIN, rip=::1, lip=::1, mpid=1234567, secured, session=<1uP1h3vD3as3AAAAAAAAAAAAAAAAAAAAB>

Notice that the rip and lip are both ::1, the IPv6 localhost address. It looks like Webmail creates a local connection to the server to authenticate and pull the email. This makes tracking down where an actual person signed in from a little harder. The connection still gets logged; it’s just in the session_log instead.

Use one of the following two commands to search the session log.

tail -f /usr/local/cpanel/logs/session_log
grep "email@address.com" /usr/local/cpanel/logs/session_log

The output should be similar to the following.

[2023-03-27 12:31:17 -0000] info [webmaild] 192.168.1.11 NEW email@address.com:A3WnodOlnxn1gq05 address=192.168.1.11,app=webmaild,creator=email@address.com,method=handle_form_login,path=form,possessed=0

Notice that it gives us the IP address the user signed in from.

You can also look at /usr/local/cpanel/logs/access_log; however, the @ sign is percent-encoded there as “%40”, which can cause issues if you are trying to grep for the email address. Make sure the email is in double quotes:

grep "email%40address.com" /usr/local/cpanel/logs/access_log

Details on the Session and Login logs

The following are examples of a valid login, a logout, and what happens when the IP changes.

The login_log file will show failed login attempts.

If you receive a “Binary file (standard input) matches” error, try running grep with the -a option.

Valid Login

The following is what a valid webmail login looks like.

[2023-03-27 12:31:17 -0000] info [webmaild] 192.168.1.20 NEW email@address.com:1mt4zP_CjWYrHCaG address=192.168.1.20,app=webmaild,creator=email@address.com,method=handle_form_login,path=form,possessed=0

Logout

The following is the log entry when a user logs out.

[2023-03-27 12:31:21 -0000] info [webmaild] 192.168.1.20 PURGE email@address.com:1mt4zP_CjWYrHCaG logout

Change of IP address

If your computer swaps networks and the IP changes, you’ll see that show up in the log like the following. This can also happen if someone stole the session cookies and tried using them from a different network. cPanel detects this and logs both sessions out.

[2023-03-27 12:33:46 -0000] info [webmaild] 192.168.1.20 PURGE email@address.com:a513oaqb2f5845m2p badpass [cookie ip check: IP address has changed: IP Address [192.168.1.100] != Current IP Address [192.168.1.20]]

Note that this behavior can be changed in WHM under Tweak Settings, “Cookie IP validation”, which is described there as follows:

Validate the IP addresses used in all cookie-based logins. This will limit the ability of attackers who capture cPanel session cookies to use them in an exploit of the cPanel or WebHost Manager interfaces. For this setting to have maximum effectiveness, proxydomains should also be disabled. Strict validation requires the current IP address and the cookie IP address to exactly match. Loose validation only requires they are in the same /24.

Failed Webmail Logins

Failed webmail login attempts will show up in /usr/local/cpanel/logs/login_log.

SMTP Logins

If you need to track down SMTP logins or the IPs that are sending out emails, check /var/log/exim_mainlog:

tail -f /var/log/exim_mainlog
grep "email@address.com" /var/log/exim_mainlog
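To tie the formats above together, here is an added Python example (not from the post and not cPanel code) that parses constructed sample lines in the dovecot imap-login and webmaild session_log formats shown above, resolves a webmail login whose rip is ::1 to the IP in the matching session_log NEW entry, and lists sessions purged by the cookie IP check.

```python
import re
from collections import defaultdict

# Constructed sample lines in the formats the post shows (not real logs).
MAILLOG = """\
Mar 27 12:30:51 host dovecot[207411]: imap-login: Login: user=<email@address.com>, method=PLAIN, rip=192.168.1.2, lip=192.168.1.10, mpid=1234567, TLS, session=<Q2sNAb3Q4OgkYXBa>
Mar 29 16:41:30 host dovecot[207411]: imap-login: Login: user=<email@address.com>, method=PLAIN, rip=::1, lip=::1, mpid=1234568, secured, session=<1uP1h3vD3as3AAAAAAAAAAAAAAAAAAAAB>
"""
SESSION_LOG = """\
[2023-03-29 16:41:30 -0000] info [webmaild] 192.168.1.11 NEW email@address.com:A3WnodOlnxn1gq05 address=192.168.1.11,app=webmaild,creator=email@address.com,method=handle_form_login,path=form,possessed=0
[2023-03-29 16:44:02 -0000] info [webmaild] 192.168.1.20 PURGE email@address.com:A3WnodOlnxn1gq05 badpass [cookie ip check: IP address has changed: IP Address [192.168.1.100] != Current IP Address [192.168.1.20]]
"""

IMAP_RE = re.compile(r"imap-login: Login: user=<([^>]+)>.*?rip=([^,]+),")
SESSION_RE = re.compile(r"\] \w+ \[webmaild\] (\S+) (NEW|PURGE) ([^:\s]+):\S+(.*)$")
IPCHG_RE = re.compile(r"IP Address \[([^\]]+)\] != Current IP Address \[([^\]]+)\]")
LOCAL = ("::1", "127.0.0.1")  # rip=::1 means webmail opened the IMAP session locally

def parse_imap_logins(text):
    """Return a list of (user, rip) tuples, one per dovecot imap-login line."""
    return [m.groups() for m in map(IMAP_RE.search, text.splitlines()) if m]

def parse_session_log(text):
    """Return user -> [(action, ip, detail)] from webmaild session_log lines."""
    events = defaultdict(list)
    for m in map(SESSION_RE.search, text.splitlines()):
        if m:
            ip, action, user, rest = m.groups()
            events[user].append((action, ip, rest.strip()))
    return events

def login_origins(maillog, session_log):
    """Real sign-in IP per user: the IMAP rip, or the session_log NEW IP when rip is local."""
    sessions = parse_session_log(session_log)
    origins = defaultdict(set)
    for user, rip in parse_imap_logins(maillog):
        if rip in LOCAL:
            origins[user].update(ip for a, ip, _ in sessions[user] if a == "NEW")
        else:
            origins[user].add(rip)
    return {u: sorted(ips) for u, ips in origins.items()}

def cookie_ip_changes(session_log):
    """(user, cookie_ip, current_ip) for sessions PURGEd by the cookie IP check."""
    hits = []
    for user, events in parse_session_log(session_log).items():
        for action, _ip, detail in events:
            if action == "PURGE" and (m := IPCHG_RE.search(detail)):
                hits.append((user, m.group(1), m.group(2)))
    return hits
```

On a real server, feed the output of the grep commands above into these functions instead of the constructed samples.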

Posted in cPanel | Tagged cpanel, imap, login, logins, security, webmail, whm

Remotely reconfiguring an AirMax device

Posted on September 27, 2019 by admin

Scenario: A remote device in a PTP configuration has been reset to factory defaults and is no longer connected.
Objective: Reconnect the remote device and reconfigure it using a backup file.

We’ll refer to Radio A as the radio you initially have access to.
Radio B will be the remote radio that was reset.

Reinitiate temporary wireless connection

We know that the default Ubiquiti wireless settings are:
SSID=ubnt
Channel Width=20MHz
Security=None

To reconnect the device wirelessly, we can set up Radio A as an AP with the above wireless settings.

Setup temporary network connection

Radio B should now connect wirelessly, but it is going to be on the static 192.168.1.20 address. There are a handful of ways to overcome this.

  1. Set up a 192.168.1.x network and log into the device. If you are remote, you may be able to set up that address range on the router, ssh into the router or AP, and then ssh into the remote device.
  2. Use a Mikrotik hotspot
  3. Use an SSH proxy

Configure remote device via SSH

Open up your backup file with a text editor and copy the whole config.

Once access is gained to Radio B, open the /tmp/system.cfg file, delete all of its contents, and paste in the contents of the backup configuration.

Save the file and write the changes to the radio with:

/usr/etc/rc.d/rc.softrestart save

Final steps

The device should now apply the backup settings and disconnect again, since it now has the proper SSID and settings.

Restore Radio A’s settings and verify that both sides reconnect.

Posted in Ubiquiti | Tagged config, configuration, login, remote, ubiquiti, ubnt, wireless

Check if Linux user is logged in

Posted on December 17, 2018 by admin

The following commands are helpful for seeing if a user is currently logged in, or when a user was last on.

Who

The “who” command gives information about users that are currently logged in.

[steve@localhost ~]$ who
root pts/0 2018-12-14 15:05 (192.168.1.23)
steve pts/2 2018-12-14 12:09 (192.168.1.25)
[steve@localhost ~]$

Last

The “last” command shows a list of the users who most recently logged in.

[steve@localhost ~]$ last
steve pts/2 192.168.1.25 Fri Dec 14 15:05 still logged in
root pts/1 192.168.1.23 Fri Dec 14 12:09 - 12:09 (00:00)
steve tty1 Thu Nov 8 10:02 - 10:15 (00:13)
reboot system boot 4.7.0.x Thu Nov 8 09:01 - 10:12 (01:01)
wtmp begins Tue Oct 11 09:01:57 2018
[steve@localhost ~]$

Posted in Command Line, Linux | Tagged last, linux, login, user, users, who