CSF does not seem to block Dovecot login attempts

Papoega (New member, joined Oct 6, 2017, 4 messages)
Hello everyone,

I am new to this forum but have used DA for the last year. Pretty cool platform with tons of options :o

I have installed CSF on my DA server and left most settings at default except a few for the port configuration.

Within a few days lots of IP addresses are blocked automatically on SSH, but I think multiple login attempts on POP, SMTP or IMAP are not.

I have checked my system messages, please see below for an example:

IP 112.161.232.55 has 185 failed login attempts: sshd4=122 & sshd5=63
User pi has 138 failed login attempts: sshd4=138
User root has 2146 failed login attempts: pure-ftpd1=2 & sshd5=2144


I checked the ftpd.log and there is no output found about this IP mentioned above. If I block this IP manually it blocks it and does not tell me it's already blocked.

I have found some SMTP failed logins that CSF will block:

(smtpauth) Failed SMTP AUTH login from 188.126.223.106 (NO/Norway/cm-188.126.223.106.getinternet.no): 5 in the last 3600 secs - *Blocked in csf* [LF_SMTPAUTH]

Do I have to configure something else to block other, not logged attempts? :confused:

Any help or suggestions would be greatly appreciated! ;)
 
Hello,

On directadmin servers we usually use this: https://forum.directadmin.com/showthread.php?t=44839 integration of CSF+Directadmin+BFM

As for CSF/LFD it should detect POP/IMAP attacks by default unless I miss anything.

Thank you zEiter, I will take a look at it tonight; meanwhile I have blocked the SSH port as we always log in to the console for maintenance.
Also, would it be wise to block an entire country like RU / CN in CSF? Most of the attacks are from those countries, but I have seen some comments that this will slow down the server?
 
It could depend on your hardware, configuration and number of attacks; best is probably to just test it out. I'm blocking "RU,CN,KR,TW,UA,IN,NI,TR" without any noticeable performance difference. Don't forget to check that none of your customers have valid visits from the countries you block.

A lot of attacks are also coming from US addresses these days, but blocking US is something I can't do.
 

Thank you, I will just leave it on for now and see what performance does. I doubt my clients have visitors from Russia or China :o
 
You say you use pure-ftpd. In that case you need to change the FTPD_LOG variable value in /etc/csf/csf.conf to /var/log/messages for it to take effect, so don't use ftpd.log because that will only work with proftpd.
For SSH check that the SSH log is pointing to /var/log/secure.
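A read-only check that covers both points raised in this thread (zEitEr's remark that lfd should detect POP/IMAP attacks by default, and Richard's point that the *_LOG paths in /etc/csf/csf.conf must match the log files your daemons actually write to). This is an added example, not code from the thread or from the CSF project: it parses a constructed csf.conf fragment, flags an FTPD_LOG that still points at the proftpd file on a pure-ftpd host, and counts Dovecot "auth failed" lines per source IP from a constructed mail log, which is the input lfd needs before LF_POP3D / LF_IMAPD can ever trigger. The key names (SSHD_LOG, FTPD_LOG, POP3D_LOG, IMAPD_LOG, SMTPAUTH_LOG, LF_POP3D, LF_IMAPD, CC_DENY) are real csf.conf settings; the file contents and IP addresses are made up for the example.

```shell
#!/bin/sh
# Added example (not from the forum thread or the CSF project): check the lfd
# log-path settings and count Dovecot auth failures per IP, so you can see
# whether lfd is looking at a file that actually contains the failed logins.
# Both inputs are constructed samples written to temp files; on a real server
# set CONF=/etc/csf/csf.conf and MAILLOG to whatever POP3D_LOG points at.

CONF=$(mktemp)
MAILLOG=$(mktemp)
trap 'rm -f "$CONF" "$MAILLOG"' EXIT

# Constructed csf.conf fragment. FTPD_LOG still names the proftpd log file,
# which is the misconfiguration described in the thread for pure-ftpd hosts.
cat >"$CONF" <<'EOF'
# lfd log file locations (constructed sample)
SSHD_LOG = "/var/log/secure"
FTPD_LOG = "/var/log/ftpd.log"
SMTPAUTH_LOG = "/var/log/exim_mainlog"
POP3D_LOG = "/var/log/maillog"
IMAPD_LOG = "/var/log/maillog"
LF_POP3D = "10"
LF_IMAPD = "10"
CC_DENY = "RU,CN"
EOF

# Constructed Dovecot log lines in the syslog format lfd scans for POP3/IMAP.
cat >"$MAILLOG" <<'EOF'
Oct  6 10:01:02 host dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<info>, method=PLAIN, rip=203.0.113.10, lip=198.51.100.5, TLS
Oct  6 10:01:05 host dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<admin>, method=PLAIN, rip=203.0.113.10, lip=198.51.100.5, TLS
Oct  6 10:01:09 host dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 3 secs): user=<sales>, method=PLAIN, rip=203.0.113.10, lip=198.51.100.5, TLS
Oct  6 10:02:00 host dovecot: imap-login: Login: user=<bob>, method=PLAIN, rip=192.0.2.44, lip=198.51.100.5, TLS
Oct  6 10:03:11 host dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 5 secs): user=<bob>, method=PLAIN, rip=192.0.2.44, lip=198.51.100.5, TLS
EOF

# csf_setting CONF KEY -> prints the value of a `KEY = "value"` line
csf_setting() {
    sed -n "s/^$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# ftpd_log_ok CONF -> exit 0 when FTPD_LOG is /var/log/messages, where
# pure-ftpd logs via syslog; exit 1 when it still names the proftpd file
ftpd_log_ok() {
    [ "$(csf_setting "$1" FTPD_LOG)" = "/var/log/messages" ]
}

# dovecot_failures MAILLOG -> lines of "COUNT IP", highest count first
dovecot_failures() {
    grep 'dovecot: .*auth failed' "$1" \
        | sed -n 's/.*rip=\([0-9.]*\).*/\1/p' \
        | sort | uniq -c | sort -rn \
        | awk '{print $1, $2}'
}

# dovecot_failures_for MAILLOG IP -> number of auth failures from one IP
dovecot_failures_for() {
    n=$(dovecot_failures "$1" | awk -v ip="$2" '$2 == ip {print $1}')
    echo "${n:-0}"
}

# report -> human-readable summary of the settings and the failure counts
report() {
    for key in SSHD_LOG FTPD_LOG POP3D_LOG IMAPD_LOG SMTPAUTH_LOG CC_DENY; do
        printf '%-13s %s\n' "$key" "$(csf_setting "$CONF" "$key")"
    done
    if ftpd_log_ok "$CONF"; then
        echo "FTPD_LOG: fine for pure-ftpd"
    else
        echo "FTPD_LOG: set to /var/log/messages for pure-ftpd, then run: csf -r"
    fi
    echo "Dovecot auth failures per source IP (LF_POP3D=$(csf_setting "$CONF" LF_POP3D), LF_IMAPD=$(csf_setting "$CONF" LF_IMAPD)):"
    dovecot_failures "$MAILLOG"
}

report
```

Run it as-is to see the constructed output; with CONF pointed at the real csf.conf and MAILLOG at the real POP3D_LOG, a high per-IP count that never produced an lfd block usually means lfd is reading a different file than the one the daemon writes to. To confirm whether a given address is already in the firewall before adding it by hand, `csf -g <IP>` searches the current iptables rules for it.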
 

Thank you Richard, I will have a look at it. As it seems now, with CN and RU blocked entirely I get fewer attacks.
SSH on port 22 is disabled as well, as I only use the console directly.

With these changes all seems better now.
 