Brute-force attack Exim, CSF works, but failed nonetheless

zmippie

I have a weird situation here: last night I got a number of BFM notifications about failed login attempts. The message says:

A brute force attack has been detected in one of your service logs.

IP 1x5.222.209.14 has 104 failed login attempts: exim2=104

So okay, but those are failed attempts on Exim, so I checked the CSF config, and the SMTPAUTH_LOG is set to /var/log/exim/mainlog, which is correct. Strangely enough, I see the failed login attempts in the logs, and indeed, they add up to what BFM is telling me (104!).

But here's the strange part: other, similar attempts were blocked successfully after 5 attempts. What's different about this one? It's not that this IP has been whitelisted, because after manually adding the IP to CSF, I didn't see the message about a duplicate.

Could it be that CSF didn't pick this one up because the log entries differ from normal?

This one failed to be picked up by CSF:
2018-01-28 09:44:37 login authenticator failed for (User) [1x5.222.209.14]: 535 Incorrect authentication data ([email protected])

This one was picked up immediately (5 attempts):
2018-01-28 11:39:45 plain authenticator failed for (anotherdomain.com) [1x1.199.86.123]: 535 Incorrect authentication data ([email protected])

I do see that the last ones were 5 successive attempts, thus made in a very short timeframe, while the 1x5.222.209.14 attempts were spaced much further apart in the log. Can it be that CSF only picks up failed attempts when they're successive? That's hard to imagine. The other thing I notice is that it says "login authenticator failed" and not "plain authenticator failed". I see more "login authenticator failed" in the logs, and they do get blocked, but usually these are also spaced closely and alternate between "login authenticator failed" and "plain authenticator failed".

Should I really tune the CSF/LFD blocking rules manually? I was always under the assumption that they were solid out of the box.

Any advice welcome.
My own investigating led me to the CSF config "LF_INTERVAL", which is set to 3600 (60 minutes). I'll have to check at what interval the attacks were done to see if this could be the culprit.
 
Did some analysis on the logs, and yeah, this is an attacker that stays under the radar by spreading out the login attempts over a lot of time...

Code:
2017-12-23 : 2295 secs
2017-12-24 : 63248 secs
2017-12-24 : 410 secs
2017-12-24 : 3936 secs
2017-12-24 : 441 secs
2017-12-24 : 4107 secs
2017-12-24 : 444 secs
2017-12-24 : 11871 secs
2017-12-24 : 831 secs
2017-12-24 : 7678 secs
2017-12-24 : 847 secs
2017-12-24 : 7747 secs
2017-12-24 : 859 secs
2017-12-25 : 39081 secs
2017-12-25 : 862 secs
2017-12-25 : 8025 secs
2017-12-25 : 889 secs
2017-12-25 : 7963 secs
2017-12-25 : 875 secs
2017-12-25 : 14386 secs
2017-12-25 : 864 secs
2017-12-25 : 7907 secs
2017-12-25 : 869 secs
2017-12-26 : 7922 secs
2017-12-26 : 872 secs
2017-12-26 : 34895 secs
2017-12-26 : 855 secs
2017-12-26 : 7895 secs
2017-12-26 : 895 secs
2017-12-26 : 7971 secs
2017-12-26 : 877 secs
2017-12-26 : 7988 secs
2017-12-26 : 874 secs
2017-12-26 : 7968 secs
2017-12-26 : 869 secs
2017-12-26 : 7909 secs
2017-12-26 : 867 secs
2017-12-27 : 42090 secs
2017-12-27 : 854 secs
2017-12-27 : 7985 secs
2017-12-27 : 901 secs
2017-12-27 : 8027 secs
2017-12-27 : 879 secs
2018-01-16 : 1727437 secs
2018-01-16 : 941 secs
2018-01-16 : 8866 secs
2018-01-16 : 996 secs
2018-01-16 : 9064 secs
2018-01-16 : 997 secs
2018-01-17 : 60478 secs
2018-01-17 : 2514 secs
2018-01-17 : 9373 secs
2018-01-17 : 1001 secs
2018-01-17 : 9155 secs
2018-01-17 : 1006 secs
2018-01-19 : 145275 secs
2018-01-19 : 1001 secs
2018-01-19 : 9064 secs
2018-01-19 : 1002 secs
2018-01-19 : 9143 secs
2018-01-19 : 1000 secs
2018-01-20 : 73518 secs
2018-01-20 : 988 secs
2018-01-20 : 9153 secs
2018-01-20 : 1010 secs
2018-01-20 : 9173 secs
2018-01-20 : 1006 secs
2018-01-22 : 147627 secs
2018-01-22 : 979 secs
2018-01-22 : 9151 secs
2018-01-22 : 1020 secs
2018-01-22 : 9352 secs
2018-01-22 : 1010 secs
2018-01-22 : 10339 secs
2018-01-22 : 1039 secs
2018-01-23 : 9222 secs
2018-01-23 : 1012 secs
2018-01-23 : 9235 secs
2018-01-23 : 1007 secs
2018-01-23 : 56835 secs
2018-01-23 : 1023 secs
2018-01-23 : 9438 secs
2018-01-24 : 1019 secs
2018-01-24 : 9208 secs
2018-01-24 : 1016 secs
2018-01-24 : 9198 secs
2018-01-24 : 1015 secs
2018-01-24 : 9242 secs
2018-01-24 : 1017 secs
2018-01-24 : 9668 secs
2018-01-24 : 1057 secs
2018-01-24 : 9311 secs
2018-01-24 : 1010 secs
2018-01-24 : 9220 secs
2018-01-24 : 1017 secs
2018-01-24 : 9238 secs
2018-01-24 : 1018 secs
2018-01-24 : 9229 secs
2018-01-24 : 1033 secs
2018-01-25 : 9377 secs
2018-01-25 : 1057 secs
2018-01-25 : 9568 secs
2018-01-25 : 1046 secs
2018-01-25 : 9593 secs
2018-01-25 : 1070 secs
2018-01-25 : 9660 secs
2018-01-25 : 1100 secs
2018-01-25 : 9371 secs
2018-01-25 : 1025 secs
2018-01-25 : 9241 secs
2018-01-25 : 1021 secs
2018-01-25 : 9308 secs
2018-01-25 : 1013 secs
2018-01-25 : 9238 secs
2018-01-25 : 1016 secs
2018-01-26 : 9217 secs
2018-01-26 : 1020 secs
2018-01-26 : 9244 secs
2018-01-26 : 1020 secs
2018-01-26 : 9230 secs
2018-01-26 : 1015 secs
2018-01-26 : 9218 secs
2018-01-26 : 1018 secs
2018-01-26 : 9227 secs
2018-01-26 : 1013 secs
2018-01-26 : 9215 secs
2018-01-26 : 1010 secs
2018-01-26 : 9212 secs
2018-01-26 : 1017 secs
2018-01-26 : 9194 secs
2018-01-26 : 1014 secs
2018-01-26 : 9188 secs
2018-01-26 : 1010 secs
2018-01-27 : 9190 secs
2018-01-27 : 1012 secs
2018-01-27 : 9201 secs
2018-01-27 : 1012 secs
2018-01-27 : 9205 secs
2018-01-27 : 1013 secs
2018-01-27 : 9226 secs
2018-01-27 : 1014 secs
2018-01-27 : 9246 secs
2018-01-27 : 1011 secs
2018-01-27 : 9200 secs
2018-01-27 : 1016 secs
2018-01-27 : 9220 secs
2018-01-27 : 1014 secs
2018-01-27 : 9199 secs
2018-01-27 : 1011 secs
2018-01-28 : 9188 secs
2018-01-28 : 1015 secs
2018-01-28 : 9220 secs
2018-01-28 : 1021 secs
2018-01-28 : 9213 secs
2018-01-28 : 1017 secs
2018-01-28 : 9233 secs
2018-01-28 : 1030 secs
2018-01-28 : 9253 secs
2018-01-28 : 1019 secs
2018-01-28 : 9279 secs
2018-01-28 : 1016 secs
2018-01-28 : 9220 secs
2018-01-28 : 1019 secs
2018-01-28 : 9228 secs
2018-01-28 : 1014 secs
2018-01-28 : 9225 secs
2018-01-29 : 1021 secs
2018-01-29 : 9258 secs
2018-01-29 : 1026 secs
2018-01-29 : 9254 secs
2018-01-29 : 1020 secs
2018-01-29 : 20235 secs

It could work in the long run, because it will be very hard to pick up, but it will likely take years before anything might turn up. Especially since the script is trying all sorts of usernames that don't exist. Increasing the "LF_INTERVAL" might work against such slow attacks, but it would need to be quite high (which I assume will come at a higher processing cost).

A good thing that BFM picked this one up. And it explains why LFD didn't.
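The following is an added example, not code posted in this thread and not CSF/LFD's or BFM's own implementation. It models the two points the thread raises: the two Exim log variants quoted in the first post ("login authenticator failed" and "plain authenticator failed") are parsed by one regex, and the LF_INTERVAL / LF_SMTPAUTH behaviour worked out in the later analysis is simulated as a sliding window over per-IP timestamps. The names LF_SMTPAUTH and LF_INTERVAL are csf.conf settings, but the window logic here is a simplified model written for illustration, an assumption rather than CSF's actual code. The log lines are constructed (documentation IP ranges), with the slow attacker's gaps copied from the 2018-01-28 measurements above.

```python
"""Sliding-window brute-force counting over Exim mainlog lines.

Added example for this thread; NOT code from the poster, from CSF/LFD or from
DirectAdmin's BFM. LF_SMTPAUTH (threshold) and LF_INTERVAL (window, seconds)
are csf.conf setting names, but the counting below is a simplified model of
how such a window behaves (an assumption), not CSF's real implementation.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Catches both Exim variants quoted in the thread: "login authenticator failed"
# and "plain authenticator failed". The "(helo-name)" part is optional.
AUTH_FAIL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<mech>\w+) authenticator failed for (?:\([^)]*\) )?"
    r"\[(?P<ip>[^\]]+)\]"
)


def parse_failures(lines):
    """Yield (timestamp, ip, mechanism) for every failed-auth line; skip the rest."""
    for line in lines:
        m = AUTH_FAIL_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["ip"], m["mech"]


def first_block_time(timestamps, threshold=5, interval=3600):
    """Timestamp at which `threshold` failures first fall inside one
    `interval`-second window (LF_SMTPAUTH / LF_INTERVAL analogue), else None."""
    window = []
    span = timedelta(seconds=interval)
    for ts in sorted(timestamps):
        window.append(ts)
        while ts - window[0] > span:      # drop attempts that have aged out
            window.pop(0)
        if len(window) >= threshold:
            return ts
    return None


def min_interval_to_block(timestamps, threshold=5):
    """Smallest LF_INTERVAL that would catch this IP: the tightest span covered
    by any `threshold` consecutive attempts. None if there are too few attempts."""
    ts = sorted(timestamps)
    if len(ts) < threshold:
        return None
    return min(int((ts[i + threshold - 1] - ts[i]).total_seconds())
               for i in range(len(ts) - threshold + 1))


def analyse(lines, threshold=5, interval=3600):
    """Per-IP summary: attempts, when (if ever) the window would block, and
    the minimum window that would have caught the IP."""
    per_ip = defaultdict(list)
    for ts, ip, _mech in parse_failures(lines):
        per_ip[ip].append(ts)
    return {ip: {"attempts": len(t),
                 "blocked_at": first_block_time(t, threshold, interval),
                 "min_interval_needed": min_interval_to_block(t, threshold)}
            for ip, t in per_ip.items()}


def _slow_attacker_lines(ip, start, gaps):
    """Build constructed log lines for one IP from gaps (seconds) between attempts."""
    out, ts = [], start
    for gap in [0] + gaps:
        ts += timedelta(seconds=gap)
        out.append(f"{ts:%Y-%m-%d %H:%M:%S} login authenticator failed for (User) "
                   f"[{ip}]: 535 Incorrect authentication data (info@example.com)")
    return out


# Constructed sample log (documentation IP ranges, not the real server).
# Fast attacker: five attempts in twelve seconds, like the blocked IP in the thread.
# Slow attacker: gaps taken from the thread's 2018-01-28 measurements, alternating
# roughly 1000 s and 9200 s, so at most two attempts ever share a 3600 s window.
SLOW_GAPS = [1015, 9220, 1021, 9213, 1017, 9233, 1030, 9253]
SAMPLE_LOG = (
    [f"2018-01-28 11:39:{45 + 3 * i} plain authenticator failed for (anotherdomain.com) "
     f"[203.0.113.5]: 535 Incorrect authentication data (user@example.com)"
     for i in range(5)]
    + ["2018-01-28 11:40:02 1eg0aB-0001Cd-Ef <= sender@example.com H=mail.example.com "
       "[192.0.2.7] P=esmtps S=1234"]            # unrelated delivery line, must be ignored
    + _slow_attacker_lines("198.51.100.20", datetime(2018, 1, 28, 0, 0, 0), SLOW_GAPS)
)

if __name__ == "__main__":
    for ip, info in analyse(SAMPLE_LOG).items():
        print(ip, info)
```

Run as-is, the fast attacker is blocked on its fifth attempt while the slow attacker never reaches five failures inside a 3600 s window; `min_interval_needed` reports that it would take a window of at least 20469 s (about 5.7 hours) to catch this spacing. That number is the trade-off the post points at: a window that long also lets a legitimate user's occasional mistyped passwords accumulate toward the same threshold, so raising LF_INTERVAL alone is a blunt fix compared with a second, slower counter such as the one BFM evidently applied.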