Continues Brute-Force Attacks

Hi,

Even though i have the whole /24 blocked via csf, attacks like this keeps happening:

--
A new message or response with subject:

Brute-Force Attack detected in service log from IP(s) 103.253.42.39, 103.253.42.44, 45.125.65.34 on User(s) demo, scan, scanner

has arrived for you to view.
Follow this link to view it:
--

I wonder if i have the whole /24 blocked how can they still try to login? most of the the attacks are on exim and i have the latest version of DA installed.

Do you use config csf/lfd firewall?

Anyway, even though you have a /24 block you should also make sure all ports are blocked.

Yes, i do use csf/lfd.

They are banned, but attacks still continue.

Do have an server-status page active.
If the blocked ip addresses are showing up there I suppose there is something wrong.

Check if cfg/lfd is in test mode.

After blocking, in my experience, same late messages are sent by cfg/lfd. Thats because log files are parsed every x minutes.


Edit: Do you have custom build? Check for updates. There was a vulnerability in Exim. https://forum.directadmin.com/showthread.php?t=58831

I don't know what you mean by server status but csf/lfd is not in test mode.

I have custom build and it does not shows any update, i have latest version of DA.

Here is a thread about how to enable server-status and server-info.
https://forum.directadmin.com/showthread.php?t=58788&highlight=status

I hope some one else can help you. I'm out of ideas.