CSF/LFD question regarding Brute-Force Attacks

jim.thornton

Verified User
Joined
Jan 1, 2008
Messages
334
So... I have CSF/LFD set up to block brute force attacks. If a user fails a login like 15 times or something like that, I have it set to send the IP address to the CSF Blacklist. Everything works with it fine. I get an email sent to me saying that IP address has been added to the blacklist because of X failed attempts.

In each email it lists 5 or 6 different usernames that have been attempted, after which the IP has been blocked.

Now... The nice thing is that all of these attempts seem to be on usernames that don't exist. They've maybe tried part of an email address, or a full email address, but not the correct system username.

My questions are these:

1. Do I need to worry about these attempts with successful blacklists? I'm getting probably 100+ emails per day of these attempts, and each email has multiple attempts.

2. Can I set up CSF to only send me the updates if the username that they are trying to brute-force attack actually exists in the system? So, for example, if they try to brute-force username <johnsmith> but that is not a username in my system (maybe jsmith197 is), can I have CSF ignore any attempts on <johnsmith> because that isn't actually in the system?

3. If I install modsecurity, will that stop some of these attacks? Is there anything else I can do?

FYI: I do have DA set up to also blacklist any failed attempts into the DA system. And this works as well.
 
1.) Probably not. Attacks are common these days and they come and go. Sometimes we have attacks for several weeks from hundreds of IPs and then it's a bit more quiet for some time. Just take care that you don't have too many iptables blocks, because this could take system resources. Besides that, it doesn't make a lot of sense to keep hundreds of IPs blocked forever.

2.) Can't help you with that. I use another method against brute force and don't see names; it just blocks automatically for a certain period of time, no questions asked.
It might be done with a regexp, but I doubt it.

3.) ModSecurity is more for attacks against websites, if I'm not mistaken. It makes things safer anyway if you know how to set it up, not too strict, otherwise problems will occur. And no, I don't know how to set it up in a good way.

CSF and ModSecurity or any other thing can't stop attacks; they will just evade them or block them. Attack attempts will always be present.
 
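Added example, not from either poster and not part of CSF/LFD itself: question 2 above asks for alerts only when an attempted username really exists, and the reply guesses it "might be done with a regexp". The script below shows that triage done outside CSF: it parses the OpenSSH "Failed password" lines that LFD quotes in its alert mails, groups the attempted usernames per IP, and checks them against the host's account list, so an IP that only guessed non-existent names is filed as noise and one that hit a real account is flagged for review. The log lines, the IPs and the user list are constructed sample data; `system_users()` is the only part that reads the real host (via the passwd database) and is not used by the sample run.

```python
import re
from collections import defaultdict

# OpenSSH writes "invalid user" into the line when the account does not exist on the
# host, so the log itself already carries part of the answer; the passwd check below
# is the authoritative one.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)

# Constructed sample of what an LFD alert quotes from the auth log (not real data).
SAMPLE_ALERT = """\
Jan  5 03:12:41 srv1 sshd[2141]: Failed password for invalid user johnsmith from 203.0.113.5 port 51022 ssh2
Jan  5 03:12:44 srv1 sshd[2141]: Failed password for invalid user johnsmith from 203.0.113.5 port 51022 ssh2
Jan  5 03:12:49 srv1 sshd[2145]: Failed password for invalid user john@example.com from 203.0.113.5 port 51030 ssh2
Jan  5 03:13:02 srv1 sshd[2149]: Failed password for invalid user admin1 from 203.0.113.5 port 51041 ssh2
Jan  5 04:40:10 srv1 sshd[3310]: Failed password for jsmith197 from 198.51.100.7 port 40211 ssh2
Jan  5 04:40:15 srv1 sshd[3310]: Failed password for jsmith197 from 198.51.100.7 port 40211 ssh2
Jan  5 04:40:21 srv1 sshd[3314]: Failed password for invalid user oracle from 198.51.100.7 port 40220 ssh2
"""

# Constructed account list standing in for the real host's passwd database.
SAMPLE_USERS = {"root", "jsmith197", "admin"}


def system_users():
    """Account names present on this host, read from the passwd database.

    Only works on Unix-like systems; on the real server this replaces SAMPLE_USERS.
    """
    import pwd
    return {entry.pw_name for entry in pwd.getpwall()}


def parse_failures(text):
    """Return {ip: [username, ...]} for every failed-password line in the text."""
    by_ip = defaultdict(list)
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            by_ip[m.group("ip")].append(m.group("user"))
    return dict(by_ip)


def triage(text, valid_users):
    """Classify each source IP in an alert.

    'noise'  -> every username tried is absent from valid_users
    'review' -> at least one tried username is a real account
    """
    result = {}
    for ip, users in parse_failures(text).items():
        real = sorted({u for u in users if u in valid_users})
        result[ip] = {
            "verdict": "review" if real else "noise",
            "attempted": sorted(set(users)),
            "real_accounts": real,
        }
    return result


def ips_needing_review(text, valid_users):
    """Just the IPs worth a human look, i.e. the ones that would justify an email."""
    return sorted(ip for ip, info in triage(text, valid_users).items()
                  if info["verdict"] == "review")


if __name__ == "__main__":
    for ip, info in triage(SAMPLE_ALERT, SAMPLE_USERS).items():
        print(f"{ip}: {info['verdict']} tried={info['attempted']} real={info['real_accounts']}")
    print("review:", ips_needing_review(SAMPLE_ALERT, SAMPLE_USERS))
```

In practice you would feed it the body of an LFD alert (or the auth log directly) and swap `SAMPLE_USERS` for `system_users()`; the "noise" verdicts are the ones that can be dropped or summarised once a day, while "review" IPs still deserve the email. Usernames that look like email addresses or partial addresses, as described in the question, fall out naturally as noise because they are never in the passwd database.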