Continuous Brute-Force Attacks

uvhost (Verified User; joined Mar 26, 2006; messages: 40; location: UK)

Hi,

Even though I have the whole /24 blocked via csf, attacks like this keep happening:

--
A new message or response with subject:

Brute-Force Attack detected in service log from IP(s) 103.253.42.39, 103.253.42.44, 45.125.65.34 on User(s) demo, scan, scanner

has arrived for you to view.
Follow this link to view it:
--

I wonder, if I have the whole /24 blocked, how can they still try to log in? Most of the attacks are on exim and I have the latest version of DA installed.
 

Wanabo (Verified User; joined Jan 19, 2013; messages: 170)

Do you use config csf/lfd firewall?

Anyway, even though you have a /24 block you should also make sure all ports are blocked.
 

uvhost

Yes, I do use csf/lfd.

They are banned, but attacks still continue.
 

Wanabo

Do you have a server-status page active?
If the blocked IP addresses are showing up there, I suppose there is something wrong.

Check if csf/lfd is in test mode.

After blocking, in my experience, some late messages are sent by csf/lfd. That's because log files are parsed every x minutes.


Edit: Do you have custom build? Check for updates. There was a vulnerability in Exim. https://forum.directadmin.com/showthread.php?t=58831
 

uvhost

I don't know what you mean by server status but csf/lfd is not in test mode.

I have custom build and it does not show any update; I have the latest version of DA.
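
Added example, not part of the thread: a small Python check of how each IP from the quoted notification is covered by a deny list, separating an all-port block from a port-limited one (the "make sure all ports are blocked" point above). The deny entries are a constructed sample, and the parser assumes the plain `address # comment` and `proto|in|d=ports|s=address` line forms of `/etc/csf/csf.deny`; `parse_deny` and `coverage` are hypothetical helper names.

```python
import ipaddress

# Constructed sample in csf.deny syntax (not the poster's real file):
# a plain entry blocks every port, an advanced filter blocks only the listed ones.
SAMPLE_DENY = """\
103.253.42.0/24 # manually denied
tcp|in|d=25,587|s=45.125.65.0/24 # advanced filter, SMTP ports only
"""

# IPs named in the notification quoted in the thread.
REPORTED = ["103.253.42.39", "103.253.42.44", "45.125.65.34"]


def parse_deny(text):
    """Return (network, ports) pairs; ports is None for an all-port block."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        src, ports = line, None
        if "|" in line:  # advanced filter: proto|direction|d=ports|s=address
            fields = dict(f.split("=", 1) for f in line.split("|") if "=" in f)
            if "|in|" not in line or "s" not in fields:
                continue  # only inbound, source-address filters matter here
            src, ports = fields["s"], fields.get("d")
        try:
            rules.append((ipaddress.ip_network(src, strict=False), ports))
        except ValueError:
            continue  # Include lines, hostnames, malformed entries
    return rules


def coverage(ip, rules):
    """Describe how the deny rules cover one source IP."""
    addr = ipaddress.ip_address(ip)
    hits = [p for net, p in rules if net.version == addr.version and addr in net]
    if not hits:
        return "not listed"
    if None in hits:
        return "all ports"
    return "ports " + ",".join(sorted(set(",".join(hits).split(","))))


if __name__ == "__main__":
    for ip in REPORTED:
        print(ip, "->", coverage(ip, parse_deny(SAMPLE_DENY)))
```

To run it against a real deny list, pass the file's contents to `parse_deny` in place of `SAMPLE_DENY`.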
 