Troubleshooting email logins on cPanel/WHM

Posted on March 29, 2023 by admin

Here are some notes on tracking down email logins on cPanel or WHM.

IMAP Logins

IMAP logins are fairly easy to track down. Check the /var/log/maillog

Follow the log

tail -f /var/log/maillog | grep email@address.com

Or search the whole log

grep "email@address.com" /var/log/maillog

RIP = Remote IP. That is the public IP address of your client
LIP = Local IP is the IP address of the WHM/cPanel mail server

Mar 27 12:30:51 host dovecot[207411]: imap-login: Login: user=<email@address.com>, method=PLAIN, rip=192.168.1.2, lip=192.168.1.10, mpid=1234567, TLS, session=<Q2sNAb3Q4OgkYXBa>

Webmail Logins

Can also view some info about Webmail connections

tail -f /var/log/maillog | grep email@address.com

grep "email@address.com" /var/log/maillog

When logged into webmail, the connection can look like the following.

Mar 27 12:31:17 host dovecot[207411]: imap(email@address.com)<1234567>: Disconnected: Logged out in=148, out=1166, bytes=148/1166

Mar 29 16:41:30 host dovecot[207411]: imap-login: Login: user=<email@address.com>, method=PLAIN, rip=::1, lip=::1, mpid=1234567, secured, session=<1uP1h3vD3as3AAAAAAAAAAAAAAAAAAAAB>

Notice the rip and lip are both ::1, IPv6 localhost. Looks like Webmail is creating a local connection to the server to authenticate and pull the email. This makes tracking down where an actual person signed in from a little harder. The connection still gets logged, it’s just in a different log.

use one of the following two commands to search the session log

tail /usr/local/cpanel/logs/session_log -f

grep "email@address.com" /var/log/maillog

The output should be similar to the following

[2023-03-27 12:31:17 -0500] info [webmaild] 192.168.1.11 NEW email@address.com:A3WnodOlnxn1gq05 address=192.168.1.11,app=webmaild,creator=email@address.com,method=handle_form_login,path=form,possessed=0

Notice it gives us the IP address of where the user signed in from.

You could also look at the “/usr/local/cpanel/logs/access_log” however the @ sign is percent encoded “%40”. That could cause issues if you are trying to grep out the email address.

Remotly reconfiguring AirMax device

Posted on September 27, 2019 by admin

Scenario: Remote device in a PTP configuration has been reset to factory defaults and is not connected.
Objective: Reconnect remote device and reconfigure using backup file

We’ll refer to Radio A as the radio you initially have access to
Radio B will be the remote radio that was reset.

Reinitiate temporary wireless connection

We know that the default Ubiquiti Wireless settings are
SSID=ubnt
Channel Width=20Mhz
Security=None

To reconnect the device wirelessly we can setup the Radio A as an AP with the above wireless settings.

Setup temporary network connection

Radio B should now connect wirelessly, but is going to be on a static 192.168.1.20 address. There are a handful of ways to overcome this.

Setup a 192.168.1.x network and log into the device. If you are remote you may be able to setup that address range on the router and then ssh into the router or AP then ssh into the remote device
Use a Mikrotik hotspot
Use an SSH proxy

Configure remote device via SSH

Open up your backup file with a text editor and copy the whole config

Once access is gained to Radio B, open up the /tmp/system.cfg file, delete all the contents and paste in the contents of the backup configuration.

Save file and write changes to radio with

/usr/etc/rc.d/rc.softrestart save

Final steps

The device should now apply the backup settings and disconnect again as it should now have the proper SSID and settings.

Restore Radio A’s settings and verify that both sides reconnect.

Check if Linux user is logged in

Posted on December 17, 2018 by admin

The following commands are helpful for seeing if a user is currently logged in, or when the last time a user was on.

Who

The “who” command give information about users that are currently logged in

[steve@localhost ~]$ who
root   pts/0        2018-12-14 15:05 (192.168.1.23)
steve  pts/2        2018-12-14 12:09 (192.168.1.25)
[steve@localhost ~]$

Last

The last command shows a list of the last logged in users

[steve@localhost ~]$ last
steve    pts/2        192.168.1.25    Fri Dec 14 15:05   still logged in
root     pts/1        192.168.1.23    Fri Dec 14 12:09 - 12:09  (00:00)
steve       tty1                      Thu Nov  8 10:02 - 10:15  (00:13)
reboot   system boot  4.7.0.x         Thu Nov  8 09:01 - 10:12  (01:01)
wtmp begins Tue Oct 11 09:01:57 2018
[steve@localhost ~]$