Continual Brute-Force Attack exim2

Roberto

Hello

I am getting lots of these messages, nearly all the time:-

Code:
Subject: Brute-Force Attack detected in service log from IP(s) 185.130.5.240
A brute force attack has been detected in one of your service logs.

IP 185.130.5.240 has 482 failed login attempts: exim2=482

Check 'Admin Level -> Brute Force Monitor' for more information
http://help.directadmin.com/item.php?id=404

I can't understand why Directadmin is letting an IP attempt so many logins to the mail server. I would appreciate any advice on how to limit login attempts and automatically ban the IPs. I already have CSF installed, but can't find any documentation that points to how to go about sorting this issue out.

As per the link above, I looked at the "Admin Level -> Admin Settings -> Blacklist IPs for excessive login attempts" settings. It's set to "after 4 login attempts".

But this setting described in the link seems to pertain to the DA login, not mail login attempts.

Regards
themadguru
 
Webfoundry

Thanks for your response, appreciated.

As per my original post, I had already installed CSF (back in 2013). I've logged into Directadmin and am looking at the "Firewall Configuration" settings. The following is what it says about "Connection Tracking":-

Connection Tracking. This option enables tracking of all connections from IP
addresses to the server. If the total number of connections is greater than
this value then the offending IP address is blocked. This can be used to help
prevent some types of DOS attack.

Care should be taken with this option. It's entirely possible that you will
see false-positives. Some protocols can be connection hungry, e.g. FTP, IMAPD
and HTTP so it could be quite easy to trigger, especially with a lot of
closed connections in TIME_WAIT. However, for a server that is prone to DOS
attacks this may be very useful. A reasonable setting for this option might
be around 300.

I have changed the CT_LIMIT value from 0 to 300 for the above.

Connection Tracking appears to relate to the number of concurrent connections from one IP to the server, rather than limiting the number of login attempts. I've seen a section "Login Tracking" which is maybe what you mean? I can see here that I can...

Block POP3 logins if greater than LT_POP3D times per hour per account per IP address (0=disabled)

The setting was previously set to 0, i.e. disabled, so I'll adjust that and other settings in that section and see how it goes.

If you have any other suggested changes to CSF, or a link to a page that gives tips on hardening DA by changing other settings within CSF, I'd appreciate that?

Regards
 
Hello Cyberdevil

Thanks for the input. I've not looked into using APF or BFD until now, since the server has run quite well up to now. After doing a quick search I found these links here (for the benefit of others):-


Are these two something that sit well alongside CSF, which is already installed? Or is APF a competing firewall which should not be installed together with it? Can I have a little explanation about the benefits if I have to replace CSF, or how these complement CSF?

I found this How to guide:

http://forum.directadmin.com/showthread.php?t=14500

However, this was written in 2004, and I suspect maybe out of date with regards to configuring the settings mentioned. Are there any more recent how-to guides for APF & BFD?

Regards
 
APF is a more lightweight firewall based on iptables like CSF, but with fewer features built in.
BFD is an extension which can be used on top of APF or even without it, but will take care of all brute force attacks.

So I wouldn't run both on the same server. Don't know if CSF does brute force detection. Maybe you can use CSF in combination with BFD for the brute force detection. You will only need to configure BFD so it will use CSF for the blocking of users. Which is done by: csf -d $IP
 
I'm searching for the nice tutorial with some general settings you can use in CSF; I used it when I installed CSF on my system.
DuckDuckGo is my friend, so when I find it I will post it here, as I'm also not a firewall whiz kid.

I found them :

http://forum.directadmin.com/showthread.php?t=27315
https://kb.pickaweb.co.uk/security/secure-server-using-csf-configserver-security-and-firewall/

I can't find any info on your direct question though, but Login Tracking might indeed do the trick. But I think we are looking for a blocking method after x failed logins for whatever service you choose (exim, ssh, dovecot, ...), which would be awesome indeed.

Perhaps I can add that CC_DENY helped me a lot in keeping brute forces down. I see your attack comes from Lithuania. I added some countries to the list that I know are safe to block without my clients having problems from the blockage (e.g. I blocked China and some other Asian countries where a lot of attacks came from). I tend to examine the origin of suspicious IPs myself.
 
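The "block after x failed logins per service" idea from the Login Tracking post and the "let BFD hand the IP to CSF with csf -d $IP" suggestion above, as an added example that is not from the thread, CSF or BFD: it counts failed SMTP AUTH attempts per source IP in exim's mainlog and shows the CSF deny command for IPs over a threshold. The log lines are constructed (they follow exim's "authenticator failed" format), the threshold of 4 mirrors the DA setting mentioned earlier, and the csf command is echoed rather than run.

```shell
#!/bin/sh
# Added example, not part of the original thread, CSF or BFD.
# Counts failed exim AUTH attempts per IP and reports those at or over a
# threshold, in the spirit of BFD / CSF "Login Tracking" for the exim2 service.

# Constructed sample of /var/log/exim/mainlog; the last line is a successful
# authenticated submission and must not be counted.
SAMPLE_LOG=$(cat <<'EOF'
2019-05-01 10:00:01 dovecot_login authenticator failed for (User) [185.130.5.240]: 535 Incorrect authentication data (set_id=info)
2019-05-01 10:00:02 dovecot_login authenticator failed for (User) [185.130.5.240]: 535 Incorrect authentication data (set_id=admin)
2019-05-01 10:00:03 dovecot_login authenticator failed for (User) [185.130.5.240]: 535 Incorrect authentication data (set_id=sales)
2019-05-01 10:00:04 dovecot_login authenticator failed for (User) [185.130.5.240]: 535 Incorrect authentication data (set_id=test)
2019-05-01 10:00:05 dovecot_login authenticator failed for (User) [185.130.5.240]: 535 Incorrect authentication data (set_id=test2)
2019-05-01 10:00:06 dovecot_login authenticator failed for (home) [203.0.113.7]: 535 Incorrect authentication data (set_id=bob)
2019-05-01 10:00:07 1hLmNo-0001Ab-Cd <= bob@example.com H=(home) [203.0.113.7] P=esmtpsa A=dovecot_login:bob S=1234
EOF
)

# offenders LOGTEXT THRESHOLD -> one "ip count" line per IP with >= THRESHOLD
# failed logins. Only "authenticator failed" lines are considered; the IP is
# the bracketed address just before the 535 response code.
offenders() {
    printf '%s\n' "$1" |
        grep 'authenticator failed for' |
        sed -n 's/.*\[\([0-9.]*\)\]: 535 .*/\1/p' |
        sort | uniq -c |
        awk -v t="$2" '$1 >= t { print $2, $1 }'
}

# block_cmd IP -> the CSF deny command (csf -d IP [comment]) that BFD would
# hand over. Echoed here so the example runs without CSF installed.
block_cmd() {
    printf 'csf -d %s "exim2 brute force"\n' "$1"
}

main() {
    offenders "$SAMPLE_LOG" 4 | while read -r ip n; do
        echo "IP $ip has $n failed login attempts: exim2=$n"
        block_cmd "$ip"
    done
}
main
```

On a live server the same pipeline would read the real mainlog instead of SAMPLE_LOG; the single failure from 203.0.113.7 stays below the threshold and is not reported, which is the false-positive margin the thread is worried about.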
@Webfoundry

Thanks for the two links and explanation. I would have replied earlier, but didn't get an email informing me. Never mind.

Anyway, of the two links I'm going through the first. I've been running CSF for a long time now, so the 2nd link is useful for people first installing.

As for country blocking... obviously I don't want genuine people visiting the client websites to be blocked, so does your method of adding countries to CC_DENY only block login attempts, or does it block all access to the server including genuine people just visiting the websites?
 