Defeating Brute Force Attacks by Custom Regex in CSF

Thank you guys for replying. I will try these solutions and hope things will improve :)
 
Hi guys, I've tried everything without success. Exim keeps getting spammed.

I did everything that was written in the first post.

I also followed this guide:
https://www.directadmin.com/features.php?id=2617 (deleted the .sh. files).

When tailing the mainlog, I think it should add the IP addresses I see into /etc/csf/csf.deny, but there are just 30 lines in it. When I grep an IP I just saw in the log, it's not there.

What am I doing wrong here?

2021-02-09 11:14:15 login authenticator failed for ([91.243.45.40]) [91.243.45.40]: 535 Incorrect authentication data (set_id=[email protected])
2021-02-09 11:14:18 login authenticator failed for ([91.243.45.40]) [91.243.45.40]: 535 Incorrect authentication data (set_id=xxx)

IP 91.243.45.40 is not found in csf.deny.

Getting spammed brings a lot of trouble with it. Mails are getting sent twice, there is a lot of delay when regular mails are getting sent, etc.

PS: Should RESTRICT_SYSLOG in /etc/csf/csf.conf be set to "0"? That's its current value.
 
I've got things working now. I checked the regex and there was no match with what I had. I added this:

# User Attacks IP
if (($lgfile eq $config{CUSTOM2_LOG}) and ($line =~ /^(.+) login authenticator failed for \(\[(\S+)\]\) \[(\S+)\]: 535 Incorrect authentication data/)) {
    # Return list is (text, IP, app, trigger, ports, temp); the ports field was
    # missing from the posted line, so "*" (all ports) is assumed here.
    return ("CUSTOM2 FEB2021 Login authenticator failed From ",$2,"UserAttack","1","*","1");
}
 
I had this one in before, slightly different than yours. Did you have this too?
# User Attacks
if (($lgfile eq $config{CUSTOM2_LOG}) and ($line =~ /^(.+) login authenticator failed for \(User\) \[(\S+)\]: 535 Incorrect authentication data/)) {
    return ("User Attack From ",$2,"UserAttack","5","25,110,995,587,465","1");
}

PS: Should RESTRICT_SYSLOG in /etc/csf/csf.conf be set to "0"? That's its current value.
That depends on your system. However, if it's set to 0, many things will not work, as described.
I've got this set to 2.
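The two rules in this thread differ only in what Exim prints before the bracketed IP ("(User)" versus a repeated "([ip])"), and a rule in regex.custom.pm only fires when $lgfile equals the log file configured as CUSTOM2_LOG. The harness below is an added example, not code from the thread, from DirectAdmin or from ConfigServer: it reproduces both rules in a stand-alone function, runs them over constructed Exim mainlog lines, and counts hits per IP against each rule's trigger value, so a rule can be checked before it goes into /etc/csf/regex.custom.pm. It assumes CUSTOM2_LOG is /var/log/exim/mainlog (adjust to your csf.conf) and uses "*" as the ports field for the first rule, which the post left out.

```perl
#!/usr/bin/perl
# Added example, not part of the thread or of CSF itself: a stand-alone
# harness for the two regex.custom.pm rules discussed above.
use strict;
use warnings;

# Assumption: CUSTOM2_LOG in /etc/csf/csf.conf points at Exim's mainlog.
my %config = (CUSTOM2_LOG => '/var/log/exim/mainlog');

# Same shape as the rules in regex.custom.pm: given a log line and the file it
# came from, return the six-element list (text, ip, app, trigger, ports, temp)
# on a match, or an empty list when the line is of no interest.
sub custom_line {
    my ($line, $lgfile) = @_;

    # Rule from the second snippet: Exim prints "(User)" before the IP.
    if (($lgfile eq $config{CUSTOM2_LOG})
        and ($line =~ /^(.+) login authenticator failed for \(User\) \[(\S+)\]: 535 Incorrect authentication data/)) {
        return ("User Attack From ", $2, "UserAttack", "5", "25,110,995,587,465", "1");
    }

    # Rule from the working fix: Exim repeats the bracketed IP in parentheses.
    # Ports field "*" (all ports) is an assumption; the post left it out.
    if (($lgfile eq $config{CUSTOM2_LOG})
        and ($line =~ /^(.+) login authenticator failed for \(\[(\S+)\]\) \[(\S+)\]: 535 Incorrect authentication data/)) {
        return ("CUSTOM2 FEB2021 Login authenticator failed From ", $2, "UserAttack", "1", "*", "1");
    }

    return ();
}

# Constructed sample lines (not real log data): the two Exim formats seen in
# this thread plus an ordinary delivery line that must not match.
my @samples = (
    '2021-02-09 11:14:15 login authenticator failed for ([91.243.45.40]) [91.243.45.40]: 535 Incorrect authentication data (set_id=xxx)',
    '2021-02-09 11:14:18 login authenticator failed for (User) [198.51.100.7]: 535 Incorrect authentication data (set_id=yyy)',
    '2021-02-09 11:14:20 login authenticator failed for (User) [198.51.100.7]: 535 Incorrect authentication data (set_id=zzz)',
    '2021-02-09 11:15:30 1lAbcd-0001aa-Gh <= bob@example.com H=mail.example.net [203.0.113.9] P=esmtps',
);

# Count hits per IP the way lfd's trigger threshold does.
my %hits;
for my $line (@samples) {
    my @rule = custom_line($line, $config{CUSTOM2_LOG});
    if (!@rule) {
        print "no match : $line\n";
        next;
    }
    my ($text, $ip, $app, $trigger, $ports, $temp) = @rule;
    $hits{$ip}++;
    printf "%-14s %s%s (%d of %s needed, ports %s)\n",
        $app, $text, $ip, $hits{$ip}, $trigger, $ports;
    print "  -> threshold reached, lfd would block $ip\n" if $hits{$ip} >= $trigger;
}

# A rule only fires for the file named in CUSTOM2_LOG: the same line read from
# another log path is ignored, which is one reason an IP never reaches csf.deny.
my @wrong = custom_line($samples[0], '/var/log/maillog');
print "same line from /var/log/maillog: ", (@wrong ? "matched" : "ignored"), "\n";
```

The first sample hits the trigger of 1 immediately, the "(User)" lines reach 2 of 5, the delivery line matches nothing, and the final call shows that a correct regex still does nothing when CUSTOM2_LOG points at a different file. After editing the real file, `perl -c /etc/csf/regex.custom.pm` catches syntax errors and `csf -ra` restarts csf and lfd so the new rule is loaded.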
 