Brute-Force Attack detected on exim2

hendr1x (Verified User, joined Jun 9, 2016, 15 messages)

Hello everyone,
To start, I've read every article I could to help with this issue, and every time an attack comes I put at least an hour into trying to figure out how to automate it... eventually giving up and just manually blocking the IP. I am currently running the newest DirectAdmin on a CentOS 6 box with csf/lfd.

I am constantly getting emails about "Brute-Force Attack detected" on exim2. All other services get protected properly; however, exim2 is simply not working. Does anyone have any way to help me figure out why it won't ban attacks on this service? Below are the respective parts of csf.conf. I would really appreciate any help you can provide.

Code:
###############################################################################
# SECTION:SMTP Settings
###############################################################################
# Block outgoing SMTP except for root, exim and mailman (forces scripts/users
# to use the exim/sendmail binary instead of sockets access). This replaces the
# protection as WHM > Tweak Settings > SMTP Tweaks
#
# This option uses the iptables ipt_owner/xt_owner module and must be loaded
# for it to work. It may not be available on some VPS platforms
#
# Note: Run /etc/csf/csftest.pl to check whether this option will function on
# this server
SMTP_BLOCK = "0"

# If SMTP_BLOCK is enabled but you want to allow local connections to port 25
# on the server (e.g. for webmail or web scripts) then enable this option to
# allow outgoing SMTP connections to the loopback device
SMTP_ALLOWLOCAL = "1"

# This option redirects outgoing SMTP connections destined for remote servers
# for non-bypass users to the local SMTP server to force local relaying of
# email. Such email may require authentication (SMTP AUTH)
SMTP_REDIRECT = "0"

# This is a comma separated list of the ports to block. You should list all
# ports that exim is configured to listen on
SMTP_PORTS = "25,465,587"

# Always allow the following comma separated users and groups to bypass
# SMTP_BLOCK
#
# Note: root (UID:0) is always allowed
SMTP_ALLOWUSER = ""
SMTP_ALLOWGROUP = "mail,mailman"

# This option will only allow SMTP AUTH to be advertised to the IP addresses
# listed in /etc/csf/csf.smtpauth on EXIM mail servers
#
# The additional option CC_ALLOW_SMTPAUTH can be used with this option to
# additionally restrict access to specific countries
#
# This is to help limit attempts at distributed attacks against SMTP AUTH which
# are difficult to achive since port 25 needs to be open to relay email
#
# The reason why this works is that if EXIM does not advertise SMTP AUTH on a
# connection, then SMTP AUTH will not accept logins, defeating the attacks
# without restricting mail relaying
#
# Note: csf and lfd must be restarted if /etc/csf/csf.smtpauth is modified so
# that the lookup file in /etc/exim.smtpauth is regenerated from the
# information from /etc/csf/csf.smtpauth plus any countries listed in
# CC_ALLOW_SMTPAUTH
#
# NOTE: To make this option work you MUST make the modifications to exim.conf
# as explained in "Exim SMTP AUTH Restriction" section in /etc/csf/readme.txt
# after enabling the option here, otherwise this option will not work
#
# To enable this option, set to 1 and make the exim configuration changes
# To disable this option, set to 0 and undo the exim configuration changes
SMTPAUTH_RESTRICT = "0"



# [*]Enable login failure detection of SMTP AUTH connections
LF_SMTPAUTH = "5"
LF_SMTPAUTH_PERM = "1800"



SMTPAUTH_LOG = "/var/log/exim/mainlog"
 
Here is a sample line from the mainlog

Code:
2018-06-11 05:31:09 login authenticator failed for (User) [185.51.207.82]: 535 Incorrect authentication data ([email protected])
 
Emails with the subject "Brute-Force Attack detected" are sent from Directadmin BFM: https://help.directadmin.com/item.php?id=549
 
dave097, you are correct, I am using CSF+LF.

The settings are

LF_EXIMSYNTAX = "10"
LF_EXIMSYNTAX_PERM = "1"

I tried both


SMTPAUTH_LOG = "/var/log/exim/mainlog"
SMTPAUTH_LOG = "/var/log/exim/rejectlog"

with no change

[root@host csf]# cd /var/log/exim/
[root@host exim]# ls -l
total 840
-rw-r--r--. 1 mail mail 25033 Jun 18 08:55 mainlog
-rw-r--r--. 1 mail mail 96486 May 27 03:24 mainlog-20180527
-rw-r--r--. 1 mail mail 98431 Jun 3 00:15 mainlog-20180603
-rw-r--r--. 1 mail mail 77096 Jun 10 03:06 mainlog-20180610
-rw-r--r--. 1 mail mail 245412 Jun 17 03:01 mainlog-20180617
-rw-r--r--. 1 mail mail 0 Jun 17 03:32 paniclog
-rw-r--r--. 1 mail mail 0 May 20 03:25 paniclog-20180527
-rw-r--r--. 1 mail mail 0 May 27 03:33 paniclog-20180603
-rw-r--r--. 1 mail mail 0 Jun 3 03:44 paniclog-20180610
-rw-r--r--. 1 mail mail 0 Jun 10 03:08 paniclog-20180617
-rw-r--r--. 1 mail mail 0 Jun 17 03:32 processlog
-rw-r--r--. 1 mail mail 0 May 20 03:25 processlog-20180527
-rw-r--r--. 1 mail mail 0 May 27 03:33 processlog-20180603
-rw-r--r--. 1 mail mail 0 Jun 3 03:44 processlog-20180610
-rw-r--r--. 1 mail mail 0 Jun 10 03:08 processlog-20180617
-rw-r--r--. 1 mail mail 4011 Jun 18 08:01 rejectlog
-rw-r--r--. 1 mail mail 58908 May 27 03:24 rejectlog-20180527
-rw-r--r--. 1 mail mail 45555 Jun 2 21:09 rejectlog-20180603
-rw-r--r--. 1 mail mail 54723 Jun 10 03:06 rejectlog-20180610
-rw-r--r--. 1 mail mail 97949 Jun 17 03:01 rejectlog-20180617

The attacker was definitely hitting me about 100 times an hour+

Any ideas?
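An added example, not code from this thread and not csf/lfd's own code: a small Python check that parses exim mainlog lines in the format quoted above ("... authenticator failed for (...) [ip]: 535 ...") and counts SMTP AUTH failures per IP the way the LF_SMTPAUTH setting implies, so you can confirm on a log file that the line format and path would actually produce a hit before concluding that lfd is ignoring the service. The sample log lines, the IP addresses (documentation ranges) and the regular expression are constructed for this example; lfd's real matching pattern lives in its own regex code and may differ, and the one-hour window is the csf LF_INTERVAL default assumed here.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample mainlog content in the format quoted in the thread.
# 192.0.2.10 fails six times within two minutes, 198.51.100.7 twice,
# 203.0.113.5 five times but spread over 90 minutes (never 5 in one hour).
SAMPLE_MAINLOG = """\
2018-06-11 01:00:00 login authenticator failed for (User) [203.0.113.5]: 535 Incorrect authentication data (user@example.com)
2018-06-11 01:20:00 login authenticator failed for (User) [203.0.113.5]: 535 Incorrect authentication data (user@example.com)
2018-06-11 01:40:00 login authenticator failed for (User) [203.0.113.5]: 535 Incorrect authentication data (user@example.com)
2018-06-11 02:10:00 login authenticator failed for (User) [203.0.113.5]: 535 Incorrect authentication data (user@example.com)
2018-06-11 02:30:00 login authenticator failed for (User) [203.0.113.5]: 535 Incorrect authentication data (user@example.com)
2018-06-11 05:31:09 login authenticator failed for (User) [192.0.2.10]: 535 Incorrect authentication data (user@example.com)
2018-06-11 05:31:12 login authenticator failed for (User) [192.0.2.10]: 535 Incorrect authentication data (user@example.com)
2018-06-11 05:31:15 login authenticator failed for (User) [192.0.2.10]: 535 Incorrect authentication data (user@example.com)
2018-06-11 05:31:40 plain authenticator failed for (User) [192.0.2.10]: 535 Incorrect authentication data (user@example.com)
2018-06-11 05:32:01 login authenticator failed for (User) [192.0.2.10]: 535 Incorrect authentication data (user@example.com)
2018-06-11 05:32:30 login authenticator failed for (User) [192.0.2.10]: 535 Incorrect authentication data (user@example.com)
2018-06-11 05:33:00 1fSabc-0001Ab-2x Completed
2018-06-11 06:00:00 login authenticator failed for (User) [198.51.100.7]: 535 Incorrect authentication data (user@example.com)
2018-06-11 06:05:00 login authenticator failed for (User) [198.51.100.7]: 535 Incorrect authentication data (user@example.com)
"""

# Hypothetical pattern for exim "authenticator failed" lines. It tolerates an
# optional hostname/HELO before the bracketed IP and an optional ":port" after it.
AUTH_FAIL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<auth>\S+) authenticator failed for .*?"
    r"\[(?P<ip>[^\]]+)\](?::\d+)?: 535 "
)


def parse_auth_failures(lines):
    """Yield (timestamp, ip) for every SMTP AUTH failure line; other lines are skipped."""
    for line in lines:
        m = AUTH_FAIL_RE.match(line)
        if m:
            yield datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"), m.group("ip")


def ips_to_block(lines, lf_smtpauth=5, lf_interval=3600):
    """Return {ip: peak_count} for IPs reaching lf_smtpauth failures inside any
    lf_interval-second window (mirrors the LF_SMTPAUTH / LF_INTERVAL semantics)."""
    events = defaultdict(list)
    for ts, ip in parse_auth_failures(lines):
        events[ip].append(ts)
    window = timedelta(seconds=lf_interval)
    hits = {}
    for ip, stamps in events.items():
        stamps.sort()
        start, peak = 0, 0
        for end, t in enumerate(stamps):
            # Slide the window start forward until every event is within lf_interval of t.
            while stamps[start] < t - window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= lf_smtpauth:
            hits[ip] = peak
    return hits


def block_kind(lf_perm):
    """csf semantics for the *_PERM values: 1 = permanent (csf.deny),
    larger values = temporary block for that many seconds (listed by 'csf -t')."""
    return "permanent" if lf_perm == 1 else f"temporary for {lf_perm}s"


if __name__ == "__main__":
    # Pass open("/var/log/exim/mainlog") instead of the sample to check a real log.
    for ip, count in ips_to_block(SAMPLE_MAINLOG.splitlines()).items():
        print(f"{ip}: {count} failures in window -> block {block_kind(1800)}")
```

If a real mainlog produces no hits here while the BFM emails keep arriving, the failures are either not in the file SMTPAUTH_LOG points at or not in this line format, which is the first thing to verify. Also note that with LF_SMTPAUTH_PERM = "1800" a matching IP gets a temporary block that shows up under `csf -t`, not in csf.deny, so look there when judging whether lfd acted.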
 