How to check which email account caused an IP address to be blocked, using SSH (DirectAdmin)
Introduction
In certain situations, you may find that users are unable to access their webmail or website, which could indicate that their IP address has been blocked by the server’s firewall. This issue typically arises due to security measures in place to prevent unauthorized access or brute-force attacks. When login attempts repeatedly fail, either due to incorrect credentials or unauthorized access attempts, the server automatically blocks the IP address responsible to protect itself from potential threats.
For administrators managing servers with DirectAdmin, identifying the root cause of such blockages is crucial to restoring normal access. This often involves determining which email account triggered the block due to repeated failed authentication attempts. By using SSH to directly access the server, it becomes possible to analyze the mail logs and firewall rules to pinpoint which user or account caused the blockage.
This guide will provide a step-by-step approach for diagnosing this issue. It will show how to check if an IP address has been blocked and, more importantly, which email account is responsible for triggering the block. Understanding this process helps administrators quickly resolve IP blockages and avoid prolonged downtime for users. The ability to interpret log files and firewall activity ensures server security while maintaining smooth operations for legitimate users.
This article is intended for system administrators or anyone with root access to a server running DirectAdmin who needs to troubleshoot blocked IP addresses. By the end of this guide, you’ll be able to identify the email account causing the issue and take appropriate corrective action.
If you are ever unable to access webmail or a website, chances are your IP address has been blocked by the server's firewall. In this knowledge base article, we show the steps to check which user caused the IP address to be blocked on DirectAdmin.
Prerequisites
Before starting, ensure you have the following:
- SSH access to the server with root privileges.
- DirectAdmin installed on the server.
- The IP address that is potentially blocked.
Step-by-step Guide
Step 1: Log into the Server via SSH
- Use an SSH client to connect to your server. Ensure you have root access for full administrative privileges.
ssh root@your-server-ip
Step 2: Check if the IP Address is Blocked
- To verify if the IP address is blocked or blacklisted, use one of the following commands:
iptables -nvL | grep <IP address>
or
csf -g <IP address>
- These commands will search the firewall rules for the given IP address. Replace the <IP address> with your device IP. The output will indicate whether the IP is blocked.
Example Output for iptables
pkts bytes target prot opt in out source destination
10 620 DROP all -- * * 192.168.1.100 0.0.0.0/0
Example Output for csf
csf.deny: 192.168.1.100 # Manually denied: 192.168.1.100 - Thu Sep 28 12:34:56 2023
Chain INPUT (policy ACCEPT 100 packets, 5000 bytes)
num pkts bytes target prot opt in out source destination
1 50 3000 DROP all -- * * 192.168.1.100 0.0.0.0/0
Step 3: Identify the User Causing the Block
- Once you’ve confirmed that the IP address is blocked, you can check which email account is causing the block by searching for failed login attempts in the mail logs. Run the following command:
grep -i "auth failed" /var/log/maillog | grep Disconnected | grep "@" | awk '{print $15,$17}' | sort | uniq -c | sort -h
- This command filters the mail log for Dovecot "Disconnected (auth failed, ...)" entries and prints the user= and rip= fields (fields 15 and 17 of that log line), showing which email address and remote IP produced repeated failed logins. The entries are sorted before uniq -c so that identical user/IP pairs are counted together even when they are not adjacent in the log; the final sort -h orders them by count.
Step 4: Review the Output
- The output of the above command will display the email addresses and associated IPs that have experienced repeated failed login attempts. This information is useful for determining the cause of the block.
Example Output:
3 user=user@example.com, rip=192.168.1.100
5 user=user2@example.com, rip=192.168.1.105
10 user=user3@example.com, rip=192.168.1.103
10 user=user4@example.com, rip=192.168.1.109
11 user=user5@example.com, rip=192.168.1.119
19 user=user6@example.com, rip=192.168.1.120
Step 5: Take Action
- Once you’ve identified the problematic email account, instruct the user to ensure they are entering the correct password. Continuous incorrect logins will trigger the server’s firewall to block the IP, so fixing the credentials will prevent future blocks.
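As an added example (not part of the original article), the shell function below wraps Steps 3 and 4 for a single blocked IP: it matches the user= and rip= fields by name rather than by awk column position, and it sums the "N attempts" count that Dovecot records on each "Disconnected (auth failed, ...)" line instead of counting log lines. The log lines are constructed for the example; the function name failed_logins_for_ip is an assumption.

```sh
#!/bin/sh
# Added example: per-account failed-login totals for one remote IP.
# The log content below is constructed, not taken from a real server.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Sep 28 12:34:56 srv dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<user@example.com>, method=PLAIN, rip=192.168.1.100, lip=10.0.0.5, TLS, session=<abc>
Sep 28 12:35:01 srv dovecot: pop3-login: Disconnected (auth failed, 3 attempts in 10 secs): user=<user@example.com>, method=PLAIN, rip=192.168.1.100, lip=10.0.0.5, TLS, session=<def>
Sep 28 12:35:07 srv dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<other@example.com>, method=PLAIN, rip=192.168.1.105, lip=10.0.0.5, TLS, session=<ghi>
Sep 28 12:36:00 srv dovecot: imap-login: Disconnected (no auth attempts in 5 secs): user=<>, rip=192.168.1.100, lip=10.0.0.5, session=<jkl>
Sep 28 12:36:30 srv dovecot: imap-login: Login: user=<user@example.com>, method=PLAIN, rip=192.168.1.100, lip=10.0.0.5, mpid=1234, TLS, session=<mno>
EOF

# failed_logins_for_ip LOGFILE IP
# Prints "<total attempts> <account>" lines for IP, highest total first.
# Only "auth failed" disconnects count; successful logins and idle
# disconnects are ignored. Dots in IP are escaped so 192.168.1.100
# does not also match 192.168.1.1000 or 192x168x1x100.
failed_logins_for_ip() {
    ip_re=$(printf '%s' "$2" | sed 's/\./\\./g')
    grep -i 'auth failed' "$1" | grep 'Disconnected' \
      | sed -n "s/.*auth failed, \([0-9]*\) attempts.*user=<\([^>]*\)>.*rip=$ip_re,.*/\1 \2/p" \
      | awk '{ total[$2] += $1 } END { for (u in total) print total[u], u }' \
      | sort -rn
}

failed_logins_for_ip "$SAMPLE_LOG" 192.168.1.100
```

Run it against /var/log/maillog and the IP reported by csf -g to see which account behind that IP accumulated the failures.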
Conclusion
In this guide, you’ve learned how to identify which email account is causing an IP address to be blocked on a DirectAdmin server. By analyzing the mail logs for failed login attempts, you can resolve the issue by guiding users to enter the correct password.
Should you have any inquiries about the guidelines, please feel free to open a ticket through your portal account or contact us at support@ipserverone.com. We’ll be happy to assist you further.