
Thread: Brute-Force Attack detected on exim2

  1. #1

    Brute-Force Attack detected on exim2

    Hello everyone,
    To start, I've read every article I could to help with this issue, and every time an attack comes I put at least an hour into trying to figure out how to automate it... eventually giving up and just manually blocking the IP. I am currently running the newest DirectAdmin on a CentOS 6 box with csf/lfd.

    I am constantly getting emails about "Brute-Force Attack detected" on exim2. All other services get protected properly; however, exim2 is simply not working. Does anyone have any way to help me figure out why it won't ban attacks on this service? Below are the relevant parts of csf.conf. I would really appreciate any help you can provide.

    Code:
    ###############################################################################
    # SECTION:SMTP Settings
    ###############################################################################
    # Block outgoing SMTP except for root, exim and mailman (forces scripts/users
    # to use the exim/sendmail binary instead of sockets access). This replaces the
    # protection as WHM > Tweak Settings > SMTP Tweaks
    #
    # This option uses the iptables ipt_owner/xt_owner module and must be loaded
    # for it to work. It may not be available on some VPS platforms
    #
    # Note: Run /etc/csf/csftest.pl to check whether this option will function on
    # this server
    SMTP_BLOCK = "0"
    
    # If SMTP_BLOCK is enabled but you want to allow local connections to port 25
    # on the server (e.g. for webmail or web scripts) then enable this option to
    # allow outgoing SMTP connections to the loopback device
    SMTP_ALLOWLOCAL = "1"
    
    # This option redirects outgoing SMTP connections destined for remote servers
    # for non-bypass users to the local SMTP server to force local relaying of
    # email. Such email may require authentication (SMTP AUTH)
    SMTP_REDIRECT = "0"
    
    # This is a comma separated list of the ports to block. You should list all
    # ports that exim is configured to listen on
    SMTP_PORTS = "25,465,587"
    
    # Always allow the following comma separated users and groups to bypass
    # SMTP_BLOCK
    #
    # Note: root (UID:0) is always allowed
    SMTP_ALLOWUSER = ""
    SMTP_ALLOWGROUP = "mail,mailman"
    
    # This option will only allow SMTP AUTH to be advertised to the IP addresses
    # listed in /etc/csf/csf.smtpauth on EXIM mail servers
    #
    # The additional option CC_ALLOW_SMTPAUTH can be used with this option to
    # additionally restrict access to specific countries
    #
    # This is to help limit attempts at distributed attacks against SMTP AUTH which
    # are difficult to achive since port 25 needs to be open to relay email
    #
    # The reason why this works is that if EXIM does not advertise SMTP AUTH on a
    # connection, then SMTP AUTH will not accept logins, defeating the attacks
    # without restricting mail relaying
    #
    # Note: csf and lfd must be restarted if /etc/csf/csf.smtpauth is modified so
    # that the lookup file in /etc/exim.smtpauth is regenerated from the
    # information from /etc/csf/csf.smtpauth plus any countries listed in
    # CC_ALLOW_SMTPAUTH
    #
    # NOTE: To make this option work you MUST make the modifications to exim.conf
    # as explained in "Exim SMTP AUTH Restriction" section in /etc/csf/readme.txt
    # after enabling the option here, otherwise this option will not work
    #
    # To enable this option, set to 1 and make the exim configuration changes
    # To disable this option, set to 0 and undo the exim configuration changes
    SMTPAUTH_RESTRICT = "0"
    
    
    
    #[*]Enable login failure detection of SMTP AUTH connections
    LF_SMTPAUTH = "5"
    LF_SMTPAUTH_PERM = "1800"
    
    
    
    SMTPAUTH_LOG = "/var/log/exim/mainlog"

  2. #2
    Here is a sample line from the mainlog

    Code:
    2018-06-11 05:31:09 login authenticator failed for (User) [185.51.207.82]: 535 Incorrect authentication data (set_id=smtp@removed.com)

  3. #3
    Directadmin BFM by default does not block anything, it only detects and informs.

    If you want to get IPs by BFM you need to manually install a set of scripts.

    related:

    - https://help.directadmin.com/item.php?id=527
    - https://forum.directadmin.com/showthread.php?t=44839

  4. #4
    Quote Originally Posted by zEitEr:
    Directadmin BFM by default does not block anything, it only detects and informs.

    If you want to get IPs by BFM you need to manually install a set of scripts.

    related:

    - https://help.directadmin.com/item.php?id=527
    - https://forum.directadmin.com/showthread.php?t=44839

    He uses CSF/LFD. Are the requests executed 5 times within 30 minutes? Which values do these options have:

    LF_EXIMSYNTAX =
    LF_EXIMSYNTAX_PERM =

  5. #5
    Emails with the subject "Brute-Force Attack detected" are sent from Directadmin BFM: https://help.directadmin.com/item.php?id=549

  6. #6
    dave097, you are correct, I am using CSF+LFD.

    The settings are

    LF_EXIMSYNTAX = "10"
    LF_EXIMSYNTAX_PERM = "1"

    I tried both

    SMTPAUTH_LOG = "/var/log/exim/mainlog"
    SMTPAUTH_LOG = "/var/log/exim/rejectlog"

    with no change.

    Code:
    [root@host csf]# cd /var/log/exim/
    [root@host exim]# ls -l
    total 840
    -rw-r--r--. 1 mail mail 25033 Jun 18 08:55 mainlog
    -rw-r--r--. 1 mail mail 96486 May 27 03:24 mainlog-20180527
    -rw-r--r--. 1 mail mail 98431 Jun 3 00:15 mainlog-20180603
    -rw-r--r--. 1 mail mail 77096 Jun 10 03:06 mainlog-20180610
    -rw-r--r--. 1 mail mail 245412 Jun 17 03:01 mainlog-20180617
    -rw-r--r--. 1 mail mail 0 Jun 17 03:32 paniclog
    -rw-r--r--. 1 mail mail 0 May 20 03:25 paniclog-20180527
    -rw-r--r--. 1 mail mail 0 May 27 03:33 paniclog-20180603
    -rw-r--r--. 1 mail mail 0 Jun 3 03:44 paniclog-20180610
    -rw-r--r--. 1 mail mail 0 Jun 10 03:08 paniclog-20180617
    -rw-r--r--. 1 mail mail 0 Jun 17 03:32 processlog
    -rw-r--r--. 1 mail mail 0 May 20 03:25 processlog-20180527
    -rw-r--r--. 1 mail mail 0 May 27 03:33 processlog-20180603
    -rw-r--r--. 1 mail mail 0 Jun 3 03:44 processlog-20180610
    -rw-r--r--. 1 mail mail 0 Jun 10 03:08 processlog-20180617
    -rw-r--r--. 1 mail mail 4011 Jun 18 08:01 rejectlog
    -rw-r--r--. 1 mail mail 58908 May 27 03:24 rejectlog-20180527
    -rw-r--r--. 1 mail mail 45555 Jun 2 21:09 rejectlog-20180603
    -rw-r--r--. 1 mail mail 54723 Jun 10 03:06 rejectlog-20180610
    -rw-r--r--. 1 mail mail 97949 Jun 17 03:01 rejectlog-20180617

    The attacker was definitely hitting me about 100 times an hour+

    Any ideas?
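As an added example (not code from csf/lfd, DirectAdmin or anyone in this thread), the block below re-implements the counting rule that the thread's LF_SMTPAUTH / LF_SMTPAUTH_PERM settings express and runs it over a constructed set of Exim mainlog lines in the format quoted in post #2. It lets you check offline whether a given burst of failures would have crossed the threshold of 5 before blaming the threshold itself. Assumptions: the sliding window is csf's LF_INTERVAL, taken here as 3600 seconds (check the live csf.conf); a *_PERM value of 1 means a permanent block and a larger value a temporary block of that many seconds; the IPs, logins and timestamps in the sample are documentation addresses and made-up data.

```python
"""Replay Exim SMTP AUTH failures and decide which IPs cross an lfd-style threshold.

Illustrative re-implementation only; lfd's own regexes and bookkeeping live in csf
and are not reproduced here.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Values from the csf.conf excerpt posted in the thread.
LF_SMTPAUTH = 5           # failures that trigger a block
LF_SMTPAUTH_PERM = 1800   # >1: temporary block of that many seconds; 1: permanent
# Window the failures are counted in. 3600 s is an ASSUMED value for csf's
# LF_INTERVAL; confirm it against the server's csf.conf.
LF_INTERVAL = 3600

# Shape of the mainlog line quoted in post #2:
#   2018-06-11 05:31:09 login authenticator failed for (User) [1.2.3.4]: 535 Incorrect authentication data (set_id=x)
# The pattern also tolerates a reverse-DNS name before the HELO, an IPv6
# address, an optional ":port" after the address and a missing set_id.
AUTH_FAIL = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<auth>\S+) authenticator failed for .*?\[(?P<ip>[^\]]+)\](?::\d+)?: "
    r"535 Incorrect authentication data(?: \(set_id=(?P<user>[^)]*)\))?"
)


def parse_line(line):
    """Return (timestamp, source ip, attempted login or None), or None for other lines."""
    m = AUTH_FAIL.match(line.rstrip("\n"))
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
    return ts, m.group("ip"), m.group("user")


def detect_blocks(lines, threshold=LF_SMTPAUTH, interval=LF_INTERVAL, perm=LF_SMTPAUTH_PERM):
    """Replay log lines in order; return {ip: (block_start, block_end or None if permanent)}."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    blocks = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, _login = parsed
        if ip in blocks:
            end = blocks[ip][1]
            if end is None or ts < end:
                continue          # source is already being dropped; nothing new to count
        q = recent[ip]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > interval:
            q.popleft()           # forget failures older than the window
        if len(q) >= threshold:
            end = None if perm == 1 else ts + timedelta(seconds=perm)
            blocks[ip] = (ts, end)
            q.clear()
    return blocks


# Constructed sample log using documentation IPs; not taken from the thread's server.
SAMPLE_LOG = [
    "2018-06-11 05:31:09 login authenticator failed for (User) [203.0.113.5]: 535 Incorrect authentication data (set_id=smtp@example.com)",
    "2018-06-11 05:31:30 1fSJxk-0001Aa-2L <= bob@example.com H=localhost [127.0.0.1] P=esmtp S=1423",  # unrelated delivery line
    "2018-06-11 05:32:10 login authenticator failed for (User) [203.0.113.5]: 535 Incorrect authentication data (set_id=info@example.com)",
    "2018-06-11 05:32:45 login authenticator failed for mail.example.net (User) [198.51.100.7]: 535 Incorrect authentication data (set_id=admin)",
    "2018-06-11 05:33:11 plain authenticator failed for (User) [203.0.113.5]:51234: 535 Incorrect authentication data (set_id=admin@example.com)",
    "2018-06-11 05:34:12 login authenticator failed for (User) [203.0.113.5]: 535 Incorrect authentication data (set_id=sales@example.com)",
    "2018-06-11 05:35:09 login authenticator failed for (User) [203.0.113.5]: 535 Incorrect authentication data",
    "2018-06-11 05:36:00 login authenticator failed for (User) [203.0.113.5]: 535 Incorrect authentication data (set_id=test)",
    "2018-06-11 05:40:00 login authenticator failed for (User) [198.51.100.7]: 535 Incorrect authentication data (set_id=admin)",
    # Slow attacker: five failures, but spread over more than LF_INTERVAL, so never five in one window.
    "2018-06-11 06:00:00 login authenticator failed for (User) [2001:db8::9]: 535 Incorrect authentication data (set_id=a)",
    "2018-06-11 06:20:00 login authenticator failed for (User) [2001:db8::9]: 535 Incorrect authentication data (set_id=b)",
    "2018-06-11 06:40:00 login authenticator failed for (User) [2001:db8::9]: 535 Incorrect authentication data (set_id=c)",
    "2018-06-11 07:00:00 login authenticator failed for (User) [2001:db8::9]: 535 Incorrect authentication data (set_id=d)",
    "2018-06-11 07:20:00 login authenticator failed for (User) [2001:db8::9]: 535 Incorrect authentication data (set_id=e)",
]

if __name__ == "__main__":
    for ip, (start, end) in detect_blocks(SAMPLE_LOG).items():
        print(f"{ip}: blocked at {start}, until {'permanent' if end is None else end}")
```

If a replay like this says an IP should have been blocked but lfd never acted, the threshold is not the problem; the next thing to confirm is that lfd is actually reading the file named in SMTPAUTH_LOG (lfd must be restarted after csf.conf changes) and what /var/log/lfd.log records for that IP.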
