Defeating Brute Force Attacks by Custom Regex in CSF

BBM

Verified User
Joined
Jun 8, 2013
Messages
325
Location
Dutch Mountains
Just noticed a few IPs still manage to hammer the login on Wordpress sites.
Will need to search the logs for how/what they use.
 

BBM

Verified User
Joined
Jun 8, 2013
Messages
325
Location
Dutch Mountains
Still getting a lot of failed mail logins on my server where they try to guess common usernames on the domains on my server.
They all fail for this certain domain because it has no mail accounts.
Is there any regex to block this PoS on the first try?

Code:
2017-01-31 11:44:56 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=test@###########.net)
2017-01-31 11:44:56 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=test@###########.net)
2017-01-31 11:44:56 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=test@###########.net)
2017-01-31 11:44:56 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=test@###########.net)
2017-01-31 11:44:56 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=test@###########.net)
2017-01-31 11:44:56 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=test@###########.net)
2017-01-31 11:44:56 SMTP call from (just-TESTING) [80.82.64.136] dropped: too many nonmail commands (last was "RSET")
2017-01-31 11:44:56 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=test@###########.net)
2017-01-31 11:44:56 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=test@###########.net)
2017-01-31 11:44:56 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=test@###########.net)
2017-01-31 11:44:56 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=test@###########.net)
2017-01-31 11:44:56 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=test@###########.net)
2017-01-31 11:44:56 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=test@###########.net)
2017-01-31 11:44:56 SMTP call from (just-TESTING) [80.82.64.136] dropped: too many nonmail commands (last was "RSET")
2017-01-31 11:44:56 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=test@###########.net)
2017-01-31 11:44:56 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=test@###########.net)
2017-01-31 11:44:56 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=test@###########.net)
2017-01-31 11:44:56 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=test@###########.net)
2017-01-31 11:44:56 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=test@###########.net)
2017-01-31 11:44:56 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=test@###########.net)
2017-01-31 11:44:56 SMTP call from (just-TESTING) [80.82.64.136] dropped: too many nonmail commands (last was "RSET")
2017-01-31 11:44:56 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=test@###########.net)
2017-01-31 11:44:56 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=test@###########.net)
2017-01-31 11:44:56 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=test@###########.net)
2017-01-31 11:44:56 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=test@###########.net)
2017-01-31 11:44:56 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=sales@###########.net)
2017-01-31 11:44:56 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=sales@###########.net)
2017-01-31 11:44:56 SMTP call from (just-TESTING) [80.82.64.136] dropped: too many nonmail commands (last was "RSET")
2017-01-31 11:44:56 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=sales@###########.net)
2017-01-31 11:44:56 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=sales@###########.net)
2017-01-31 11:44:56 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=sales@###########.net)
2017-01-31 11:44:56 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=sales@###########.net)
2017-01-31 11:44:56 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=sales@###########.net)
2017-01-31 11:44:56 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=sales@###########.net)
2017-01-31 11:44:56 SMTP call from (just-TESTING) [80.82.64.136] dropped: too many nonmail commands (last was "RSET")
2017-01-31 11:44:56 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=sales@###########.net)
2017-01-31 11:44:56 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=sales@###########.net)
2017-01-31 11:44:56 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=sales@###########.net)
2017-01-31 11:44:56 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=sales@###########.net)
2017-01-31 11:44:56 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=sales@###########.net)
2017-01-31 11:44:56 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=sales@###########.net)
2017-01-31 11:44:56 SMTP call from (just-TESTING) [80.82.64.136] dropped: too many nonmail commands (last was "RSET")
2017-01-31 11:44:56 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=sales@###########.net)
2017-01-31 11:44:56 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=sales@###########.net)
2017-01-31 11:44:56 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=sales@###########.net)
2017-01-31 11:44:56 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=sales@###########.net)
2017-01-31 11:44:56 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=sales@###########.net)
2017-01-31 11:44:56 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=sales@###########.net)
2017-01-31 11:44:56 SMTP call from (just-TESTING) [80.82.64.136] dropped: too many nonmail commands (last was "RSET")
2017-01-31 11:44:56 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=sales@###########.net)
2017-01-31 11:44:56 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=sales@###########.net)
2017-01-31 11:44:56 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=info@###########.net)
2017-01-31 11:44:56 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=info@###########.net)
2017-01-31 11:44:56 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=info@###########.net)
2017-01-31 11:44:56 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=info@###########.net)
2017-01-31 11:44:56 SMTP call from (just-TESTING) [80.82.64.136] dropped: too many nonmail commands (last was "RSET")
2017-01-31 11:44:56 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=info@###########.net)
2017-01-31 11:44:56 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=info@###########.net)
2017-01-31 11:44:57 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=info@###########.net)
2017-01-31 11:44:57 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=info@###########.net)
2017-01-31 11:44:57 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=info@###########.net)
2017-01-31 11:44:57 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=info@###########.net)
2017-01-31 11:44:57 SMTP call from (just-TESTING) [80.82.64.136] dropped: too many nonmail commands (last was "RSET")
2017-01-31 11:44:57 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=info@###########.net)
2017-01-31 11:44:57 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=info@###########.net)
2017-01-31 11:44:57 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=info@###########.net)
2017-01-31 11:44:57 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=info@###########.net)
2017-01-31 11:44:57 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=info@###########.net)
2017-01-31 11:44:57 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=info@###########.net)
2017-01-31 11:44:57 SMTP call from (just-TESTING) [80.82.64.136] dropped: too many nonmail commands (last was "RSET")
2017-01-31 11:44:57 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=info@###########.net)
2017-01-31 11:44:57 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=info@###########.net)
2017-01-31 11:44:57 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=info@###########.net)
2017-01-31 11:44:57 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=info@###########.net)
2017-01-31 11:44:57 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=info@###########.net)
2017-01-31 11:44:57 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=info@###########.net)
2017-01-31 11:44:57 SMTP call from (just-TESTING) [80.82.64.136] dropped: too many nonmail commands (last was "RSET")
2017-01-31 11:44:57 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=office@###########.net)
2017-01-31 11:44:57 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=office@###########.net)
2017-01-31 11:44:57 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=office@###########.net)
2017-01-31 11:44:57 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=office@###########.net)
2017-01-31 11:44:57 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=office@###########.net)
2017-01-31 11:44:57 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=office@###########.net)
2017-01-31 11:44:57 SMTP call from (just-TESTING) [80.82.64.136] dropped: too many nonmail commands (last was "RSET")
2017-01-31 11:44:57 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=office@###########.net)
2017-01-31 11:44:57 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=office@###########.net)
2017-01-31 11:44:57 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=office@###########.net)
2017-01-31 11:44:57 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=office@###########.net)
2017-01-31 11:44:57 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=office@###########.net)
2017-01-31 11:44:57 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=office@###########.net)
2017-01-31 11:44:57 SMTP call from (just-TESTING) [80.82.64.136] dropped: too many nonmail commands (last was "RSET")
2017-01-31 11:44:57 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=office@###########.net)
2017-01-31 11:44:57 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=office@###########.net)
2017-01-31 11:44:57 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=office@###########.net)
2017-01-31 11:44:57 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=office@###########.net)
2017-01-31 11:44:57 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=office@###########.net)
2017-01-31 11:44:57 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=office@###########.net)
2017-01-31 11:44:57 SMTP call from (just-TESTING) [80.82.64.136] dropped: too many nonmail commands (last was "RSET")
2017-01-31 11:44:57 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=office@###########.net)
2017-01-31 11:44:57 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=office@###########.net)
2017-01-31 11:44:57 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=office@###########.net)
2017-01-31 11:44:57 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=office@###########.net)
2017-01-31 11:44:57 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=guest@###########.net)
2017-01-31 11:44:57 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=guest@###########.net)
2017-01-31 11:44:57 SMTP call from (just-TESTING) [80.82.64.136] dropped: too many nonmail commands (last was "RSET")

I also get a lot of this, which doesn't seem to be stopped by the custom regex (anymore?);
"#####.com" are domains on my server.


Code:
2017-01-31 11:53:53 H=(mata.com) [185.29.9.133] F=<info@apple.com> rejected RCPT <otha@######.com>: 
2017-01-31 11:54:30 H=(mata.com) [185.29.8.198] F=<info@apple.com> rejected RCPT <abram@######.com>: 
2017-01-31 11:56:10 H=(mata.com) [185.29.9.135] F=<info@apple.com> rejected RCPT <giuseppe@######.com>: 
2017-01-31 12:22:58 H=(mata.com) [185.29.9.133] F=<info@apple.com> rejected RCPT <otha@####.com>: 
2017-01-31 12:23:21 H=(mata.com) [185.29.8.198] F=<info@apple.com> rejected RCPT <abram@####.com>: 
2017-01-31 12:24:11 H=(mata.com) [185.29.8.196] F=<info@apple.com> rejected RCPT <enoch@####.com>: 
2017-01-31 12:24:55 H=(mata.com) [185.29.9.135] F=<info@apple.com> rejected RCPT <giuseppe@####.com>: 
2017-01-31 12:30:58 H=(mata.com) [46.183.217.162] F=<info@apple.com> rejected RCPT <raymon@####.com>: 
2017-01-31 12:30:58 H=(mata.com) [46.183.217.165] F=<info@apple.com> rejected RCPT <ezequiel@####.com>: 
2017-01-31 12:33:07 H=(mata.com) [46.183.220.137] F=<info@apple.com> rejected RCPT <shayne@####.com>: 
2017-01-31 12:34:03 H=(mata.com) [46.183.217.169] F=<info@apple.com> rejected RCPT <buster@####.com>: 
2017-01-31 12:38:49 H=(mata.com) [46.183.223.239] F=<info@apple.com> rejected RCPT <florentino@####.com>: 
2017-01-31 12:40:44 H=(mata.com) [46.183.220.139] F=<info@apple.com> rejected RCPT <omer@####.com>: 
2017-01-31 12:41:46 H=(mata.com) [46.183.217.174] F=<info@apple.com> rejected RCPT <barrett@####.com>: 
2017-01-31 12:45:09 H=(mata.com) [46.183.220.138] F=<info@apple.com> rejected RCPT <columbus@####.com>:
Code:
2017-01-31 13:02:53 H=rrcs-97-77-96-99.sw.biz.rr.com (ylmf-pc) [97.77.96.99] rejected EHLO or HELO ylmf-pc: Bad HELO - Blocked due to abuse
2017-01-31 13:02:54 H=rrcs-97-77-96-99.sw.biz.rr.com (ylmf-pc) [97.77.96.99] rejected EHLO or HELO ylmf-pc: Bad HELO - Blocked due to abuse
2017-01-31 13:02:55 H=rrcs-97-77-96-99.sw.biz.rr.com (ylmf-pc) [97.77.96.99] rejected EHLO or HELO ylmf-pc: Bad HELO - Blocked due to abuse
2017-01-31 13:02:55 H=rrcs-97-77-96-99.sw.biz.rr.com (ylmf-pc) [97.77.96.99] rejected EHLO or HELO ylmf-pc: Bad HELO - Blocked due to abuse
2017-01-31 13:02:56 H=rrcs-97-77-96-99.sw.biz.rr.com (ylmf-pc) [97.77.96.99] rejected EHLO or HELO ylmf-pc: Bad HELO - Blocked due to abuse
2017-01-31 13:02:57 H=rrcs-97-77-96-99.sw.biz.rr.com (ylmf-pc) [97.77.96.99] rejected EHLO or HELO ylmf-pc: Bad HELO - Blocked due to abuse
2017-01-31 13:02:57 H=rrcs-97-77-96-99.sw.biz.rr.com (ylmf-pc) [97.77.96.99] rejected EHLO or HELO ylmf-pc: Bad HELO - Blocked due to abuse
2017-01-31 13:02:58 H=rrcs-97-77-96-99.sw.biz.rr.com (ylmf-pc) [97.77.96.99] rejected EHLO or HELO ylmf-pc: Bad HELO - Blocked due to abuse
2017-01-31 13:02:59 H=rrcs-97-77-96-99.sw.biz.rr.com (ylmf-pc) [97.77.96.99] rejected EHLO or HELO ylmf-pc: Bad HELO - Blocked due to abuse
Code:
2017-01-31 15:21:52 H=(ylmf-pc) [217.160.142.22] rejected EHLO or HELO ylmf-pc: Bad HELO - Blocked due to abuse
2017-01-31 15:21:52 H=(ylmf-pc) [217.160.142.22] rejected EHLO or HELO ylmf-pc: Bad HELO - Blocked due to abuse
2017-01-31 15:21:52 H=(ylmf-pc) [217.160.142.22] rejected EHLO or HELO ylmf-pc: Bad HELO - Blocked due to abuse
2017-01-31 15:21:52 H=(ylmf-pc) [217.160.142.22] rejected EHLO or HELO ylmf-pc: Bad HELO - Blocked due to abuse
2017-01-31 15:21:52 H=(ylmf-pc) [217.160.142.22] rejected EHLO or HELO ylmf-pc: Bad HELO - Blocked due to abuse
2017-01-31 15:21:52 H=(ylmf-pc) [217.160.142.22] rejected EHLO or HELO ylmf-pc: Bad HELO - Blocked due to abuse
2017-01-31 15:21:52 H=(ylmf-pc) [217.160.142.22] rejected EHLO or HELO ylmf-pc: Bad HELO - Blocked due to abuse
2017-01-31 15:21:52 H=(ylmf-pc) [217.160.142.22] rejected EHLO or HELO ylmf-pc: Bad HELO - Blocked due to abuse
2017-01-31 15:21:52 H=(ylmf-pc) [217.160.142.22] rejected EHLO or HELO ylmf-pc: Bad HELO - Blocked due to abuse
2017-01-31 15:21:52 H=(ylmf-pc) [217.160.142.22] rejected EHLO or HELO ylmf-pc: Bad HELO - Blocked due to abuse
2017-01-31 15:21:52 H=(ylmf-pc) [217.160.142.22] rejected EHLO or HELO ylmf-pc: Bad HELO - Blocked due to abuse
2017-01-31 15:21:52 H=(ylmf-pc) [217.160.142.22] rejected EHLO or HELO ylmf-pc: Bad HELO - Blocked due to abuse
2017-01-31 15:21:52 H=(ylmf-pc) [217.160.142.22] rejected EHLO or HELO ylmf-pc: Bad HELO - Blocked due to abuse
2017-01-31 15:21:52 H=(ylmf-pc) [217.160.142.22] rejected EHLO or HELO ylmf-pc: Bad HELO - Blocked due to abuse
2017-01-31 15:21:54 H=(ylmf-pc) [217.160.142.22] rejected EHLO or HELO ylmf-pc: Bad HELO - Blocked due to abuse
2017-01-31 15:21:54 H=(ylmf-pc) [217.160.142.22] rejected EHLO or HELO ylmf-pc: Bad HELO - Blocked due to abuse
2017-01-31 15:21:54 H=(ylmf-pc) [217.160.142.22] rejected EHLO or HELO ylmf-pc: Bad HELO - Blocked due to abuse
2017-01-31 15:21:54 H=(ylmf-pc) [217.160.142.22] rejected EHLO or HELO ylmf-pc: Bad HELO - Blocked due to abuse
2017-01-31 15:21:54 H=(ylmf-pc) [217.160.142.22] rejected EHLO or HELO ylmf-pc: Bad HELO - Blocked due to abuse
2017-01-31 15:21:54 H=(ylmf-pc) [217.160.142.22] rejected EHLO or HELO ylmf-pc: Bad HELO - Blocked due to abuse
2017-01-31 15:21:54 H=(ylmf-pc) [217.160.142.22] rejected EHLO or HELO ylmf-pc: Bad HELO - Blocked due to abuse
2017-01-31 15:21:54 H=(ylmf-pc) [217.160.142.22] rejected EHLO or HELO ylmf-pc: Bad HELO - Blocked due to abuse
2017-01-31 15:21:54 H=(ylmf-pc) [217.160.142.22] rejected EHLO or HELO ylmf-pc: Bad HELO - Blocked due to abuse
2017-01-31 15:21:54 H=(ylmf-pc) [217.160.142.22] rejected EHLO or HELO ylmf-pc: Bad HELO - Blocked due to abuse
2017-01-31 15:21:54 H=(ylmf-pc) [217.160.142.22] rejected EHLO or HELO ylmf-pc: Bad HELO - Blocked due to abuse
2017-01-31 15:21:54 H=(ylmf-pc) [217.160.142.22] rejected EHLO or HELO ylmf-pc: Bad HELO - Blocked due to abuse
2017-01-31 15:21:54 H=(ylmf-pc) [217.160.142.22] rejected EHLO or HELO ylmf-pc: Bad HELO - Blocked due to abuse
2017-01-31 15:21:54 H=(ylmf-pc) [217.160.142.22] rejected EHLO or HELO ylmf-pc: Bad HELO - Blocked due to abuse
2017-01-31 15:21:54 H=(ylmf-pc) [217.160.142.22] rejected EHLO or HELO ylmf-pc: Bad HELO - Blocked due to abuse
2017-01-31 15:21:54 H=(ylmf-pc) [217.160.142.22] rejected EHLO or HELO ylmf-pc: Bad HELO - Blocked due to abuse
2017-01-31 15:21:54 H=(ylmf-pc) [217.160.142.22] rejected EHLO or HELO ylmf-pc: Bad HELO - Blocked due to abuse
2017-01-31 15:21:54 H=(ylmf-pc) [217.160.142.22] rejected EHLO or HELO ylmf-pc: Bad HELO - Blocked due to abuse
2017-01-31 15:21:54 H=(ylmf-pc) [217.160.142.22] rejected EHLO or HELO ylmf-pc: Bad HELO - Blocked due to abuse
2017-01-31 15:21:54 H=(ylmf-pc) [217.160.142.22] rejected EHLO or HELO ylmf-pc: Bad HELO - Blocked due to abuse
2017-01-31 15:21:55 H=(ylmf-pc) [217.160.142.22] rejected EHLO or HELO ylmf-pc: Bad HELO - Blocked due to abuse
2017-01-31 15:21:55 H=(ylmf-pc) [217.160.142.22] rejected EHLO or HELO ylmf-pc: Bad HELO - Blocked due to abuse
2017-01-31 15:21:55 H=(ylmf-pc) [217.160.142.22] rejected EHLO or HELO ylmf-pc: Bad HELO - Blocked due to abuse
2017-01-31 15:21:55 H=(ylmf-pc) [217.160.142.22] rejected EHLO or HELO ylmf-pc: Bad HELO - Blocked due to abuse
2017-01-31 15:21:55 H=(ylmf-pc) [217.160.142.22] rejected EHLO or HELO ylmf-pc: Bad HELO - Blocked due to abuse
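The three Exim events quoted above (failed SMTP AUTH, rejected RCPT for an unknown mailbox, and a HELO blocked by the ACL) can each be matched by a regex that pulls out the connecting IP. The script below is an added example, not code from the thread, CSF or DirectAdmin: it runs the patterns offline over constructed log lines in the same format as the ones posted, counts hits per IP and event type, and shows the "block on the first try" idea by treating any AUTH attempt against a domain that has no mailboxes (the placeholder `example-nomail.net`) as enough on its own. The thresholds and the domain list are assumptions for illustration.

```python
"""Classify Exim mainlog rejections by source IP and event type (added example)."""
import re
from collections import Counter

# Patterns for the three Exim events quoted in the thread; each captures the
# remote IP from the bracketed field. The "SMTP call ... dropped" lines are
# deliberately not matched, since Exim already closed those connections.
PATTERNS = {
    # SMTP AUTH failure: "login authenticator failed for (helo) [ip]: 535 ... (set_id=user@domain)"
    "auth_fail": re.compile(
        r"^\S+ \S+ login authenticator failed for \(.*?\) \[(?P<ip>[\d.]+)\]: "
        r"535 Incorrect authentication data \(set_id=(?P<user>[^@)]+)@(?P<domain>[^)]+)\)"
    ),
    # Unknown recipient on a hosted domain: "H=(helo) [ip] F=<sender> rejected RCPT <rcpt>"
    "rcpt_reject": re.compile(
        r"^\S+ \S+ H=.*?\[(?P<ip>[\d.]+)\] F=<[^>]*> rejected RCPT <[^>]*>"
    ),
    # HELO blocked by an Exim ACL: "rejected EHLO or HELO name: Bad HELO"
    "bad_helo": re.compile(
        r"^\S+ \S+ H=.*?\[(?P<ip>[\d.]+)\] rejected EHLO or HELO \S+: Bad HELO"
    ),
}

# Assumed: domains that have no mailboxes at all. Any AUTH attempt against
# them is a guess, so one hit is enough to block (placeholder domain).
NO_MAILBOX_DOMAINS = {"example-nomail.net"}

# Assumed per-event-type trigger counts for the demo.
THRESHOLDS = {"auth_fail": 3, "rcpt_reject": 2, "bad_helo": 3}

# Constructed sample lines in the format quoted in the thread (RFC 5737 test IPs).
SAMPLE_LOG = """\
2017-01-31 11:44:56 login authenticator failed for (just-TESTING) [192.0.2.10]: 535 Incorrect authentication data (set_id=test@example-nomail.net)
2017-01-31 11:44:56 SMTP call from (just-TESTING) [192.0.2.10] dropped: too many nonmail commands (last was "RSET")
2017-01-31 11:53:53 H=(mata.com) [198.51.100.7] F=<info@example.com> rejected RCPT <otha@example.org>:
2017-01-31 11:54:30 H=(mata.com) [198.51.100.7] F=<info@example.com> rejected RCPT <abram@example.org>:
2017-01-31 13:02:53 H=(ylmf-pc) [203.0.113.5] rejected EHLO or HELO ylmf-pc: Bad HELO - Blocked due to abuse
2017-01-31 13:02:54 H=(ylmf-pc) [203.0.113.5] rejected EHLO or HELO ylmf-pc: Bad HELO - Blocked due to abuse
2017-01-31 13:02:55 H=(ylmf-pc) [203.0.113.5] rejected EHLO or HELO ylmf-pc: Bad HELO - Blocked due to abuse
2017-01-31 14:00:01 login authenticator failed for (laptop) [192.0.2.99]: 535 Incorrect authentication data (set_id=alice@example.org)
""".splitlines()


def classify(line):
    """Return (event_type, ip, match) for a recognised line, else None."""
    for name, pat in PATTERNS.items():
        m = pat.match(line)
        if m:
            return name, m.group("ip"), m
    return None


def tally(lines):
    """Count events per (ip, event_type); collect IPs that hit a no-mailbox domain."""
    counts = Counter()
    first_try = set()
    for line in lines:
        hit = classify(line)
        if hit is None:
            continue
        name, ip, m = hit
        counts[(ip, name)] += 1
        if name == "auth_fail" and m.group("domain") in NO_MAILBOX_DOMAINS:
            first_try.add(ip)
    return counts, first_try


def ips_to_block(lines, thresholds):
    """IPs whose count for some event type reaches its threshold, plus first-try hits."""
    counts, first_try = tally(lines)
    blocked = set(first_try)
    for (ip, name), n in counts.items():
        if n >= thresholds.get(name, float("inf")):
            blocked.add(ip)
    return blocked


if __name__ == "__main__":
    counts, first_try = tally(SAMPLE_LOG)
    for (ip, name), n in sorted(counts.items()):
        print(f"{ip:16} {name:12} {n}")
    print("first-try (no-mailbox domain):", sorted(first_try))
    print("would block:", sorted(ips_to_block(SAMPLE_LOG, THRESHOLDS)))
```

Running it against a real `/var/log/exim/mainlog` instead of `SAMPLE_LOG` is a quick way to see which of the three patterns a given line actually hits before committing a regex to CSF; the legitimate `192.0.2.99` failure against a domain that does have mailboxes stays below its threshold and is not listed.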
 

BBM

Verified User
Joined
Jun 8, 2013
Messages
325
Location
Dutch Mountains
OLD TOPIC, but would like to pick the brains a bit more here.

My VPS logs report various login-attempts at Exim and Wordpress-sites.

Just about all of them manage to get 15-17 login attempts at a time per IP until they get temp-blocked.
In CSF I've entered 3 login attempts as the max for various services before a temp block happens... but still most IPs manage to get 15-17 login attempts in.

Of course I want to fix this properly as regular users are indeed blocked at 3 wrongful attempts to login.

I think this might be a time-span issue, as the hack IPs probably spread out their logins over time, thereby flying under the Brute Force-radar?
 

Richard G

Verified User
Joined
Jul 6, 2008
Messages
4,217
Location
Maastricht
It might be a timing issue indeed. Probably it either checks less often or declares it as a dist attack and then the LF_DIST_INTERVAL setting might be too high.
# This is the interval during which a distributed FTP or SMTP attack is
# measured
LF_DIST_INTERVAL =
But I'm not sure if the custom regexp uses the same or is using something else to time or check logfiles.

Interesting question though.
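The timing question raised in the two posts above (attempts spread out over time slipping under a 3-attempt limit, and whether the measuring interval is too short) can be made concrete with a small sliding-window model. The script below is an added example, not code from CSF, DirectAdmin BFM or the thread: it assumes, purely for illustration, that a monitor blocks an IP once `threshold` failures fall inside `window_seconds`, and that LF_DIST_INTERVAL and the CSF trigger count behave like that window and threshold. The sample lines are constructed in the Exim format quoted earlier; one source fails six times in six seconds, the other six times at ten-minute intervals.

```python
"""Sliding-window failed-login counter: short vs long measuring interval (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(r"(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) .*?\[([\d.]+)\]")
FMT = "%Y-%m-%d %H:%M:%S"


def make_lines(ip, start, count, step_seconds):
    """Constructed Exim-style AUTH failure lines for one IP at a fixed spacing."""
    t0 = datetime.strptime(start, FMT)
    return [
        f"{t0 + timedelta(seconds=i * step_seconds):{FMT}} login authenticator failed "
        f"for (host) [{ip}]: 535 Incorrect authentication data (set_id=info@example.net)"
        for i in range(count)
    ]


# Constructed sample: a fast guesser and a slow, spread-out one (RFC 5737 test IPs).
SAMPLE_LINES = (
    make_lines("192.0.2.10", "2017-01-31 11:44:56", 6, 1)
    + make_lines("198.51.100.7", "2017-01-31 12:00:00", 6, 600)
)


def parse_events(lines):
    """Turn log lines into (timestamp, ip) tuples; lines without a bracketed IP are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.strptime(m.group(1), FMT), m.group(2)))
    return events


def first_block_time(events, threshold, window_seconds):
    """Return {ip: timestamp} for IPs that reach `threshold` failures inside the window."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # per-IP timestamps still inside the window
    blocked = {}
    for ts, ip in sorted(events):
        if ip in blocked:
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            blocked[ip] = ts
    return blocked


def attempts_before_block(events, threshold, window_seconds):
    """Failures each IP got in up to and including the blocking one (all of them if never blocked)."""
    blocked = first_block_time(events, threshold, window_seconds)
    counts = defaultdict(int)
    for ts, ip in sorted(events):
        if ip not in blocked or ts <= blocked[ip]:
            counts[ip] += 1
    return dict(counts)


if __name__ == "__main__":
    events = parse_events(SAMPLE_LINES)
    for window in (300, 3600):
        print(f"threshold=3 window={window}s ->", attempts_before_block(events, 3, window))
```

With a 300-second window the slow source never has three failures inside any one window and gets all six attempts through, while a 3600-second window catches it on the third attempt just like the fast one; that is the effect a longer measuring interval, or a second monitor that looks back over a longer period, has on spread-out guessing.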
 

zmippie

Verified User
Joined
Apr 19, 2015
Messages
142
I think this might be a time-span issue, as the hack IPs probably spread out their logins over time, thereby flying under the Brute Force-radar?
These long-spaced attempts are indeed tricky. But as I understand it, this is where DA's Brute Force Monitor comes in. Contrary to CSF, it scans log files less frequently, but for much longer periods. You can make CSF and BFM work in tandem through Alex's solution:

https://help.poralix.com/articles/how-to-block-ips-with-csf-directadmin-bfm
 

BBM

Verified User
Joined
Jun 8, 2013
Messages
325
Location
Dutch Mountains
I've got BFM already blocking IPs but I'm not sure how effective this (still) is.
I seem to recall at the time I installed this (some years ago), it didn't work smoothly and I focussed more on CSF on doing the job.
The scripts are undoubtedly outdated by now.
 

bdacus01

Verified User
Joined
Jul 22, 2017
Messages
362
Location
Murfreesboro
I've got BFM already blocking IPs but I'm not sure how effective this (still) is.
I seem to recall at the time I installed this (some years ago), it didn't work smoothly and I focussed more on CSF on doing the job.
The scripts are undoubtedly outdated by now.
Hey BBM
That's the very guide I used and it has an autoinstaller now as well. Alex's guide links CSF with BFM. You can see it is still spoken of on both Alex's site and DA's help. Maybe you should revisit them both and make sure you have it all set like you want per the guides.

https://help.poralix.com/articles/how-to-block-ips-with-csf-directadmin-bfm

https://help.directadmin.com/item.php?id=527
 

BBM

Verified User
Joined
Jun 8, 2013
Messages
325
Location
Dutch Mountains
I used the auto-installer from Alex's site and re-installed the files over my old ones. That alone seemed to help a lot.
Will keep an eye on it for awhile.
 

bdacus01

Verified User
Joined
Jul 22, 2017
Messages
362
Location
Murfreesboro
I used the auto-installer from Alex's site and re-installed the files over my old ones. That alone seemed to help a lot.
Will keep an eye on it for awhile.
Ok let us know. You can use his guide to look at it all manually as well.
 

BBM

Verified User
Joined
Jun 8, 2013
Messages
325
Location
Dutch Mountains
Well, it looked promising, but it didn't help; the script turned off the notifications altogether... Missed that part.
Turned on the notifications again after 2 days and everything unfortunately "returned to normal"; wordpress and exim getting hammered with 10-16 attempts per IP.

And for some reason, an occasional IP manages to really hammer Exim;
Code:
A brute force attack has been detected in one of your service logs.

IP 94.177.252.4 has 188 failed login attempts: exim2=188
 

Richard G

Verified User
Joined
Jul 6, 2008
Messages
4,217
Location
Maastricht
Just noticed a lot of IPs are blocked twice in the block list at DA's Brute force page;
Did you have a look at the DA block settings? It could be blocks are temp 2 hour or 4 hour blocks, which could indeed cause them to be blocked multiple times.
 

zEitEr

Super Moderator
Joined
Apr 11, 2005
Messages
13,818
Location
GMT +7.00
Actually a list of blocked IPs that DA manages can be found in /root/blocked_ips.txt and IPs are added into the file only by DirectAdmin. Neither CSF nor the custom script written by me adds any IP into the file. And DirectAdmin reads the file and lists the blocked IPs in the Web-UI of the BFM page.

So if it contains duplicates you will need to fix it manually.

Maybe @Zeiter can help.

Alex help us out here buddy.
 

BBM

Verified User
Joined
Jun 8, 2013
Messages
325
Location
Dutch Mountains
The /root/blocked_ip list matches the list shown in DA (which has a sorting bug when trying to sort by IP number btw).
It appears DA doesn't seem to check if the IP is already blocked, *I think*.

Another thing I noticed (again):
Just about all BF IPs shown in the "message system" have about 10-25 login attempts shown. But then suddenly there's 1 IP that manages to slip in 204 login attempts...!
Code:
IP 37.49.227.49 has 204 failed login attempts: exim2=204
IP 78.157.210.66 has 12 failed login attempts: wordpress1=12
User hostmaster has 51 failed login attempts: exim2=51
How's this at all possible??
(there is no user hostmaster on the server btw).
 

zEitEr

Super Moderator
Joined
Apr 11, 2005
Messages
13,818
Location
GMT +7.00
Directadmin purely relies on /root/blocked_ips.txt, it does not communicate with iptables for this. If you think there is a bug in DirectAdmin you should open a ticket with DA support and provide them with access to your server.

Directadmin checks login failures once a minute with a cron. In theory it is possible to do 204 connections within 1 minute or two. For more information you need to check logs.
 