How to prevent exim attack

mohammad.983

Verified User
Joined
Jun 26, 2015
Messages
35
Hi guys.
I used DA with CSF, but I got some brute force attacks. All of them are related to Exim. For example:
IP 62.210.157.140 has 100 failed login attempts: exim2=100
How can I configure my DA or CSF to solve this problem?
 

Richard G

Verified User
Joined
Jul 6, 2008
Messages
4,218
Location
Maastricht
Normally, if you use the DA setup from CSF, this will be set up correctly automatically.
Check that the logs are set this way:
Code:
SMTPAUTH_LOG = "/var/log/exim/rejectlog"
POP3D_LOG = "/var/log/maillog"
IMAPD_LOG = "/var/log/maillog"
Also check that your block configuration is set up correctly; this is an example:
Code:
# [*]Enable login failure detection of SMTP AUTH connections
LF_SMTPAUTH = "5"
LF_SMTPAUTH_PERM = "14400"

# [*]Enable syntax failure detection of Exim connections
LF_EXIMSYNTAX = "10"
LF_EXIMSYNTAX_PERM = "1"

# [*]Enable login failure detection of pop3 connections
# 
# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
# this file about RESTRICT_SYSLOG before enabling this option:
LF_POP3D = "7"
LF_POP3D_PERM = "14400"

# [*]Enable login failure detection of imap connections
# 
# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
# this file about RESTRICT_SYSLOG before enabling this option:
LF_IMAPD = "7"
LF_IMAPD_PERM = "14400"
 

NaSRi

Verified User
Joined
Aug 16, 2014
Messages
78
We have users whose IP address is always in the deny list with the following error:

Jun 8 09:07:19 lh014 lfd[6275]: (eximsyntax) Exim syntax errors from 1xxxxx (Ixxxxx of/xxx-xxx-165-213.xxxx): 10 in the last 3600 secs - *Blocked in csf* [LF_EXIMSYNTAX]

How can I know what caused the problem?
 

zEitEr

Super Moderator
Joined
Apr 11, 2005
Messages
13,853
Location
GMT +7.00
Hello,

Grep lines with their IP from /var/log/exim/mainlog and see what might be wrong.
 

fcmed

Verified User
Joined
Nov 16, 2016
Messages
5
Tried:

SMTPAUTH_LOG = "/var/log/exim/rejectlog"
POP3D_LOG = "/var/log/maillog"
IMAPD_LOG = "/var/log/maillog"

and also tried:

SMTPAUTH_LOG = "/var/log/exim/mainlog"
POP3D_LOG = "/var/log/maillog"
IMAPD_LOG = "/var/log/maillog"

but brute force attacks continue. CSF is not blocking.

I get the following messages (and similar ones for other users):

User jon has 148 failed login attempts: exim2=148

I can see the failed login attempts for user 'jon' inside both:

/var/log/exim/rejectlog
/var/log/exim/mainlog

yet the IP address of those login attempts is not blocked.

CSF is running. Perhaps there is a setting that I am missing inside csf.conf?
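To check what lfd should be seeing in the log that SMTPAUTH_LOG points at, here is a small script that applies the LF_SMTPAUTH rule from Richard G's reply (N failures from one IP inside the interval) to rejectlog lines. It is an added example, not code from csf, lfd or DirectAdmin; the regex is my own and the log lines are constructed.

```python
import re
from datetime import datetime

# Thresholds mirror the csf.conf keys quoted in this thread; the 3600 s
# window is the one in NaSRi's lfd message (csf's LF_INTERVAL).
LF_SMTPAUTH = 5
LF_INTERVAL = 3600

# Constructed rejectlog sample: 62.210.157.140 fails 5x in seconds,
# 198.51.100.23 twice, 203.0.113.5 5x but spread over two hours.
SAMPLE_REJECTLOG = """\
2016-11-16 10:12:01 login authenticator failed for (User) [62.210.157.140]: 535 Incorrect authentication data (set_id=jon)
2016-11-16 10:12:03 login authenticator failed for (User) [62.210.157.140]: 535 Incorrect authentication data (set_id=jon)
2016-11-16 10:12:05 plain authenticator failed for (User) [62.210.157.140]: 535 Incorrect authentication data (set_id=jon)
2016-11-16 10:12:07 login authenticator failed for (User) [62.210.157.140]: 535 Incorrect authentication data (set_id=admin)
2016-11-16 10:12:09 login authenticator failed for (User) [62.210.157.140]: 535 Incorrect authentication data (set_id=jon)
2016-11-16 10:20:00 H=(mail.example) [198.51.100.23] F=<a@b.test> rejected RCPT <x@y.test>: relay not permitted
2016-11-16 10:21:00 login authenticator failed for (User) [198.51.100.23]: 535 Incorrect authentication data (set_id=jon)
2016-11-16 10:21:30 login authenticator failed for (User) [198.51.100.23]: 535 Incorrect authentication data (set_id=jon)
2016-11-16 09:00:00 login authenticator failed for (User) [203.0.113.5]: 535 Incorrect authentication data (set_id=jon)
2016-11-16 09:30:00 login authenticator failed for (User) [203.0.113.5]: 535 Incorrect authentication data (set_id=jon)
2016-11-16 10:00:00 login authenticator failed for (User) [203.0.113.5]: 535 Incorrect authentication data (set_id=jon)
2016-11-16 10:30:00 login authenticator failed for (User) [203.0.113.5]: 535 Incorrect authentication data (set_id=jon)
2016-11-16 11:00:00 login authenticator failed for (User) [203.0.113.5]: 535 Incorrect authentication data (set_id=jon)
"""
# My own pattern for Exim's "535 Incorrect authentication data" line (not lfd's regex).
AUTH_FAIL = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ authenticator failed "
    r"for \S+ \[(?P<ip>[^\]]+)\]: 535 Incorrect authentication data \(set_id=(?P<user>[^)]+)\)")

def auth_failures(log_text):
    """Yield (timestamp, ip, user) for every SMTP AUTH failure in the log."""
    for line in log_text.splitlines():
        m = AUTH_FAIL.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["ip"], m["user"]

def ips_to_block(log_text, threshold=LF_SMTPAUTH, interval=LF_INTERVAL):
    """Return {ip: total_failures} for IPs with >= threshold failures inside any window of `interval` seconds."""
    by_ip = {}
    for ts, ip, _user in auth_failures(log_text):
        by_ip.setdefault(ip, []).append(ts)
    blocked = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        for i in range(len(stamps) - threshold + 1):
            if (stamps[i + threshold - 1] - stamps[i]).total_seconds() <= interval:
                blocked[ip] = len(stamps)
                break
    return blocked
```

If an IP that DA reports as exim2=148 never shows up in `ips_to_block()` on the file named in SMTPAUTH_LOG, the failures are being written elsewhere (or in another format), which is the first thing to compare against csf.conf.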
 