How to prevent exim attack

[mohammad.983]

Hi guys.
I used DA with CSF. but I got some brute force attacks. All of them related to exim. for example:

IP 62.210.157.140 has 100 failed login attempts: exim2=100

How can I config my DA or CSF to solve this problem?

 

[Richard G]

Normally if you use the DA setup from CSF this will be automatically setup correctly.
Check that the logs are set this way:

SMTPAUTH_LOG = "/var/log/exim/rejectlog"
POP3D_LOG = "/var/log/maillog"
IMAPD_LOG = "/var/log/maillog"

Also check if your block configuration is setup correctly, this is an example:

# [*]Enable login failure detection of SMTP AUTH connections
LF_SMTPAUTH = "5"
LF_SMTPAUTH_PERM = "14400"

# [*]Enable syntax failure detection of Exim connections
LF_EXIMSYNTAX = "10"
LF_EXIMSYNTAX_PERM = "1"

# [*]Enable login failure detection of pop3 connections
# 
# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
# this file about RESTRICT_SYSLOG before enabling this option:
LF_POP3D = "7"
LF_POP3D_PERM = "14400"

# [*]Enable login failure detection of imap connections
# 
# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
# this file about RESTRICT_SYSLOG before enabling this option:
LF_IMAPD = "7"
LF_IMAPD_PERM = "14400"

 

[NaSRi]

We have users that his IP address always is in deny list with the following error

Jun 8 09:07:19 lh014 lfd[6275]: (eximsyntax) Exim syntax errors from 1xxxxx (Ixxxxx of/xxx-xxx-165-213.xxxx): 10 in the last 3600 secs - *Blocked in csf* [LF_EXIMSYNTAX]

How can I know what caused the problem?

 

[zEitEr]

Hello,

Grep lines with their IP from /var/log/exim/mainlog and see what might be wrong.

 

[fcmed]

Tried:

SMTPAUTH_LOG = "/var/log/exim/rejectlog"
POP3D_LOG = "/var/log/maillog"
IMAPD_LOG = "/var/log/maillog"

and also tried:

SMTPAUTH_LOG = "/var/log/exim/mainlog"
POP3D_LOG = "/var/log/maillog"
IMAPD_LOG = "/var/log/maillog"

but brute force attacks continue. CSF not blocking.

Get the following messages: (and similar with other users)

User jon has 148 failed login attempts: exim2=148

I can see the failed login attempts for user 'jon' inside both:

/var/log/exim/rejectlog
/var/log/exim/mainlog

yet the IP address of those login attempts is not blocked.

Csf is running. Perhaps there is a setting that I am missing inside csf.conf ?

 

[zEitEr]

Tried this https://forum.directadmin.com/showthread.php?t=44839 ?