How to prevent exim attack

mohammad.983

Hi guys.
I use DA with CSF, but I get some brute-force attacks, all of them related to Exim. For example:
IP 62.210.157.140 has 100 failed login attempts: exim2=100
How can I configure my DA or CSF to solve this problem?
 
Normally, if you use the DA setup from CSF, this is set up correctly automatically.
Check that the logs are set this way:
Code:
SMTPAUTH_LOG = "/var/log/exim/rejectlog"
POP3D_LOG = "/var/log/maillog"
IMAPD_LOG = "/var/log/maillog"

Also check that your block configuration is set up correctly. This is an example:
Code:
# [*]Enable login failure detection of SMTP AUTH connections
LF_SMTPAUTH = "5"
LF_SMTPAUTH_PERM = "14400"

# [*]Enable syntax failure detection of Exim connections
LF_EXIMSYNTAX = "10"
LF_EXIMSYNTAX_PERM = "1"

# [*]Enable login failure detection of pop3 connections
# 
# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
# this file about RESTRICT_SYSLOG before enabling this option:
LF_POP3D = "7"
LF_POP3D_PERM = "14400"

# [*]Enable login failure detection of imap connections
# 
# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
# this file about RESTRICT_SYSLOG before enabling this option:
LF_IMAPD = "7"
LF_IMAPD_PERM = "14400"
 
We have users whose IP addresses are always in the deny list with the following error:

Jun 8 09:07:19 lh014 lfd[6275]: (eximsyntax) Exim syntax errors from 1xxxxx (Ixxxxx of/xxx-xxx-165-213.xxxx): 10 in the last 3600 secs - *Blocked in csf* [LF_EXIMSYNTAX]

How can I know what caused the problem?
 
Hello,

Grep lines with their IP from /var/log/exim/mainlog and see what might be wrong.
 
Tried:

SMTPAUTH_LOG = "/var/log/exim/rejectlog"
POP3D_LOG = "/var/log/maillog"
IMAPD_LOG = "/var/log/maillog"

and also tried:

SMTPAUTH_LOG = "/var/log/exim/mainlog"
POP3D_LOG = "/var/log/maillog"
IMAPD_LOG = "/var/log/maillog"

but brute-force attacks continue; CSF is not blocking.

I get the following messages (and similar ones for other users):

User jon has 148 failed login attempts: exim2=148

I can see the failed login attempts for user 'jon' inside both:

/var/log/exim/rejectlog
/var/log/exim/mainlog

yet the IP address of those login attempts is not blocked.

CSF is running. Perhaps there is a setting that I am missing inside csf.conf?
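Added example (not from this thread, and not lfd's or CSF's own code): a small Python script that does by hand what the replies above describe. It reads Exim log lines, pulls the source IP out of each failed SMTP AUTH attempt and each SMTP syntax error the way lfd's log scanner would, filters lines for one IP (the "grep the mainlog" step), and reports which IPs reach the LF_SMTPAUTH / LF_EXIMSYNTAX thresholds from the csf.conf excerpt inside the LF_INTERVAL window (the lfd message above shows that window as 3600 secs). The sample log lines are constructed in Exim's rejectlog/mainlog format; the IPs, host names, user names and timestamps are made up. Fed the real lines from /var/log/exim/rejectlog and /var/log/exim/mainlog instead, it shows whether those lines actually carry an IP in square brackets that the pattern picks up and whether any single IP reaches the threshold within the window, which is the thing to verify when failed logins are visible in the log but no block follows.

```python
import re
from collections import defaultdict
from datetime import datetime

# Thresholds taken from the csf.conf excerpt in the thread. LF_INTERVAL is the
# csf.conf window length; the lfd message above reports "in the last 3600 secs".
LF_SMTPAUTH = 5
LF_EXIMSYNTAX = 10
LF_INTERVAL = 3600

# Constructed sample lines in the style Exim writes to rejectlog and mainlog.
# Everything here (IPs, hosts, users, times) is made up for this example.
SAMPLE_LOG = """\
2015-06-26 09:00:01 login authenticator failed for (example.invalid) [198.51.100.7]: 535 Incorrect authentication data (set_id=jon)
2015-06-26 09:00:05 login authenticator failed for (example.invalid) [198.51.100.7]: 535 Incorrect authentication data (set_id=jon)
2015-06-26 09:00:09 login authenticator failed for (example.invalid) [198.51.100.7]: 535 Incorrect authentication data (set_id=jon)
2015-06-26 09:00:13 login authenticator failed for (example.invalid) [198.51.100.7]: 535 Incorrect authentication data (set_id=jon)
2015-06-26 09:00:17 login authenticator failed for (example.invalid) [198.51.100.7]: 535 Incorrect authentication data (set_id=jon)
2015-06-26 09:01:00 plain authenticator failed for ([203.0.113.9]) [203.0.113.9]: 535 Incorrect authentication data (set_id=alice)
2015-06-26 09:02:00 SMTP syntax error in "EHLO" H=(foo) [203.0.113.9] unrecognized command
2015-06-26 11:30:00 login authenticator failed for (example.invalid) [203.0.113.9]: 535 Incorrect authentication data (set_id=alice)
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
# Failed SMTP AUTH: "<date> <time> <authenticator> authenticator failed for ... [ip]: 535 ..."
AUTH_FAIL = re.compile(r"^(\S+ \S+) \S+ authenticator failed for .*?\[" + IPV4 + r"\]")
# Syntax / protocol errors: "<date> <time> SMTP syntax error in ... H=(...) [ip] ..."
SYNTAX_ERR = re.compile(r"^(\S+ \S+) SMTP (?:syntax|protocol synchronization) error .*?\[" + IPV4 + r"\]")


def parse(lines):
    """Yield (kind, timestamp, ip) for every line that counts as a failure."""
    for line in lines:
        for kind, rx in (("smtpauth", AUTH_FAIL), ("eximsyntax", SYNTAX_ERR)):
            m = rx.match(line)
            if m:
                ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
                yield kind, ts, m.group(2)
                break


def lines_for_ip(lines, ip):
    """The 'grep the mainlog for their IP' step: raw lines mentioning [ip]."""
    needle = "[" + ip + "]"
    return [line for line in lines if needle in line]


def summary(lines):
    """Total failures per (kind, ip), ignoring the time window."""
    counts = defaultdict(int)
    for kind, _ts, ip in parse(lines):
        counts[(kind, ip)] += 1
    return dict(counts)


def offenders(lines, thresholds=None, interval=LF_INTERVAL):
    """Return {(kind, ip): count} for each IP whose failures of one kind reach
    the threshold inside some sliding window of `interval` seconds, which is
    the condition under which lfd would raise a block."""
    thresholds = thresholds or {"smtpauth": LF_SMTPAUTH, "eximsyntax": LF_EXIMSYNTAX}
    events = defaultdict(list)
    for kind, ts, ip in parse(lines):
        events[(kind, ip)].append(ts)
    hits = {}
    for (kind, ip), stamps in events.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            # Drop events that fall out of the window ending at stamps[end].
            while (stamps[end] - stamps[start]).total_seconds() > interval:
                start += 1
            if end - start + 1 >= thresholds[kind]:
                hits[(kind, ip)] = end - start + 1
                break
    return hits


if __name__ == "__main__":
    sample = SAMPLE_LOG.splitlines()
    for key, n in sorted(summary(sample).items()):
        print("%-11s %-15s %d failures" % (key[0], key[1], n))
    for (kind, ip), n in offenders(sample).items():
        print("would be blocked: %s (%s, %d in %d secs)" % (ip, kind, n, LF_INTERVAL))
```

In the sample, 198.51.100.7 produces five failed AUTH attempts in 16 seconds and crosses LF_SMTPAUTH; 203.0.113.9 has two AUTH failures more than an hour apart and one syntax error, so it never reaches either threshold and is not reported, even though plain counting shows three failures for it. To run this on a live box, replace SAMPLE_LOG with the contents of the rejectlog and mainlog paths from csf.conf.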
 