Is it a bug? 5598 is shown instead of a real IP in BRUTE_FORCE_MONITOR.

zEitEr (Super Moderator) wrote:
Hello,

Today I've found an interesting and strange thing. On the BRUTE_FORCE_MONITOR page I see a lot of random numbers in the IP column:

Code:
IP	Login Failures	First	Last	Notified	IP Info	Select
218.212.149.121	200	Sep 21 01:43	Sep 21 02:21	Yes	IP Info
195.62.0.202	45	Sep 20 18:22	Sep 21 13:34	No	IP Info
5598	20	Sep 21 06:11	Sep 21 06:12	No	IP Info
5599	20	Sep 21 06:11	Sep 21 06:12	No	IP Info
5600	20	Sep 21 06:11	Sep 21 06:12	No	IP Info
5601	20	Sep 21 06:11	Sep 21 06:12	No	IP Info
5602	20	Sep 21 06:11	Sep 21 06:12	No	IP Info
5603	20	Sep 21 06:11	Sep 21 06:12	No	IP Info
127.0.0.1	14	Sep 19 12:11	Sep 20 16:17	No	IP Info
195.82.157.69	11	Sep 19 11:36	Sep 21 12:27	No	IP Info
195.82.145.54	4	Sep 20 14:28	Sep 20 14:28	No	IP Info
46.50.128.12	4	Sep 20 22:33	Sep 20 22:33	No	IP Info
1072	1	Sep 21 03:36	Sep 21 03:36	No	IP Info

If I click on any non-IP record in the IP column I see the following records from the logs:

Code:
13165602610001	5598	anonymous	1	exim1	2011-09-21 06:10:52 [5598] login authenticator failed for (x6x8-20101028KO) [58.250.108.160]:3110 I=[195.bbb.ccc.ddd]:25: 535 Incorrect authentication data (set_id=anonymous)
13165602610007	5598	anonymous	1	exim1	2011-09-21 06:10:53 [5598] login authenticator failed for (x6x8-20101028KO) [58.250.108.160]:3110 I=[195.bbb.ccc.ddd]:25: 535 Incorrect authentication data (set_id=anonymous)
13165602610013	5598	anonymous	1	exim1	2011-09-21 06:10:54 [5598] login authenticator failed for (x6x8-20101028KO) [58.250.108.160]:3110 I=[195.bbb.ccc.ddd]:25: 535 Incorrect authentication data (set_id=anonymous)
13165602610019	5598	anonymous	1	exim1	2011-09-21 06:10:55 [5598] login authenticator failed for (x6x8-20101028KO) [58.250.108.160]:3110 I=[195.bbb.ccc.ddd]:25: 535 Incorrect authentication data (set_id=anonymous)
13165602610026	5598	anonymous	1	exim1	2011-09-21 06:10:56 [5598] login authenticator failed for (x6x8-20101028KO) [58.250.108.160]:3110 I=[195.bbb.ccc.ddd]:25: 535 Incorrect authentication data (set_id=anonymous)
13165602610032	5598	anonymous	1	exim1	2011-09-21 06:10:57 [5598] login authenticator failed for (x6x8-20101028KO) [58.250.108.160]:3110 I=[195.bbb.ccc.ddd]:25: 535 Incorrect authentication data (set_id=anonymous)
13165602610038	5598	anonymous	1	exim1	2011-09-21 06:10:58 [5598] login authenticator failed for (x6x8-20101028KO) [58.250.108.160]:3110 I=[195.bbb.ccc.ddd]:25: 535 Incorrect authentication data (set_id=anonymous)
13165602610044	5598	anonymous	1	exim1	2011-09-21 06:10:59 [5598] login authenticator failed for (x6x8-20101028KO) [58.250.108.160]:3110 I=[195.bbb.ccc.ddd]:25: 535 Incorrect authentication data (set_id=anonymous)
13165602610050	5598	anonymous	1	exim1	2011-09-21 06:11:00 [5598] login authenticator failed for (x6x8-20101028KO) [58.250.108.160]:3110 I=[195.bbb.ccc.ddd]:25: 535 Incorrect authentication data (set_id=anonymous)
13165602610056	5598	anonymous	1	exim1	2011-09-21 06:11:01 [5598] login authenticator failed for (x6x8-20101028KO) [58.250.108.160]:3110 I=[195.bbb.ccc.ddd]:25: 535 Incorrect authentication data (set_id=anonymous)
13165603210001	5598	anonymous	1	exim1	2011-09-21 06:11:02 [5598] login authenticator failed for (x6x8-20101028KO) [58.250.108.160]:3110 I=[195.bbb.ccc.ddd]:25: 535 Incorrect authentication data (set_id=anonymous)
13165603210008	5598	anonymous	1	exim1	2011-09-21 06:11:03 [5598] login authenticator failed for (x6x8-20101028KO) [58.250.108.160]:3110 I=[195.bbb.ccc.ddd]:25: 535 Incorrect authentication data (set_id=anonymous)
13165603210014	5598	anonymous	1	exim1	2011-09-21 06:11:04 [5598] login authenticator failed for (x6x8-20101028KO) [58.250.108.160]:3110 I=[195.bbb.ccc.ddd]:25: 535 Incorrect authentication data (set_id=anonymous)
13165603210020	5598	anonymous	1	exim1	2011-09-21 06:11:04 [5598] login authenticator failed for (x6x8-20101028KO) [58.250.108.160]:3110 I=[195.bbb.ccc.ddd]:25: 535 Incorrect authentication data (set_id=anonymous)
13165603210025	5598	anonymous	1	exim1	2011-09-21 06:11:05 [5598] login authenticator failed for (x6x8-20101028KO) [58.250.108.160]:3110 I=[195.bbb.ccc.ddd]:25: 535 Incorrect authentication data (set_id=anonymous)
13165603210031	5598	anonymous	1	exim1	2011-09-21 06:11:06 [5598] login authenticator failed for (x6x8-20101028KO) [58.250.108.160]:3110 I=[195.bbb.ccc.ddd]:25: 535 Incorrect authentication data (set_id=anonymous)
13165603210037	5598	anonymous	1	exim1	2011-09-21 06:11:07 [5598] login authenticator failed for (x6x8-20101028KO) [58.250.108.160]:3110 I=[195.bbb.ccc.ddd]:25: 535 Incorrect authentication data (set_id=anonymous)
13165603210043	5598	anonymous	1	exim1	2011-09-21 06:11:08 [5598] login authenticator failed for (x6x8-20101028KO) [58.250.108.160]:3110 I=[195.bbb.ccc.ddd]:25: 535 Incorrect authentication data (set_id=anonymous)
13165603210049	5598	anonymous	1	exim1	2011-09-21 06:11:09 [5598] login authenticator failed for (x6x8-20101028KO) [58.250.108.160]:3110 I=[195.bbb.ccc.ddd]:25: 535 Incorrect authentication data (set_id=anonymous)
13165603210054	5598	anonymous	1	exim1	2011-09-21 06:11:10 [5598] login authenticator failed for (x6x8-20101028KO) [58.250.108.160]:3110 I=[195.bbb.ccc.ddd]:25: 535 Incorrect authentication data (set_id=anonymous)

In /var/log/exim/mainlog I see

Code:
2011-09-21 06:11:09 [5601] login authenticator failed for (x6x8-20101028KO) [58.250.108.160]:3118 I=[195.bbb.ccc.21]:25: 535 Incorrect authentication data (set_id=anonymous)
2011-09-21 06:11:10 [5599] login authenticator failed for (x6x8-20101028KO) [58.250.108.160]:3104 I=[195.bbb.ccc.19]:25: 535 Incorrect authentication data (set_id=anonymous)
2011-09-21 06:11:10 [5602] login authenticator failed for (x6x8-20101028KO) [58.250.108.160]:3115 I=[195.bbb.ccc.23]:25: 535 Incorrect authentication data (set_id=anonymous)
2011-09-21 06:11:10 [5598] login authenticator failed for (x6x8-20101028KO) [58.250.108.160]:3110 I=[195.bbb.ccc.18]:25: 535 Incorrect authentication data (set_id=anonymous)
2011-09-21 06:11:10 [5603] login authenticator failed for (x6x8-20101028KO) [58.250.108.160]:3117 I=[195.bbb.ccc.22]:25: 535 Incorrect authentication data (set_id=anonymous)
2011-09-21 06:11:10 [5600] login authenticator failed for (x6x8-20101028KO) [58.250.108.160]:3113 I=[195.bbb.ccc.20]:25: 535 Incorrect authentication data (set_id=anonymous)
2011-09-21 06:11:10 [5601] login authenticator failed for (x6x8-20101028KO) [58.250.108.160]:3118 I=[195.bbb.ccc.21]:25: 535 Incorrect authentication data (set_id=anonymous)

Thus I guess the exim log is not parsed right, because it seems that the random numbers in the first listing from BRUTE_FORCE_MONITOR are about exim brute forcing.

The affected server has

Code:
# EDIT AS REQUIRED TO FIT YOUR ENVIRONMENT
log_selector = \
  +all
#  +delivery_size \
#  +sender_on_delivery \
#  +received_recipients \
#  +received_sender \
#  +smtp_confirmation \
#  +subject \
#  +smtp_incomplete_transaction \
#  -dnslist_defer \
#  -host_lookup_failed \
#  -queue_run \
#  -rejected_header \
#  -retry_defer \
#  -skip_delivery \
#  +arguments
syslog_duplication = false

in /etc/exim.conf.

So I think it's somehow related, as the other servers are OK while they have

Code:
# EDIT AS REQUIRED TO FIT YOUR ENVIRONMENT
log_selector = \
#  +all
  +delivery_size \
  +sender_on_delivery \
  +received_recipients \
  +received_sender \
  +smtp_confirmation \
  +subject \
  +smtp_incomplete_transaction \
  -dnslist_defer \
  -host_lookup_failed \
  -queue_run \
  -rejected_header \
  -retry_defer \
  -skip_delivery \
  +arguments
syslog_duplication = false

in /etc/exim.conf.


Please take this case into consideration and update the DirectAdmin parser.
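The parsing problem in the post above, reproduced and then fixed, as an added example; this is not code from zEitEr's post, from DirectAdmin or from the SpamBlocker exim.conf. The `+all` selector turns on Exim's `pid` log item, which writes the process id in square brackets immediately after the timestamp; a parser that takes the first bracketed token as the client address therefore records 5598, 5599, ... instead of 58.250.108.160. The sample lines are constructed after the ones quoted in the post (the `I=[...]` interface addresses are kept masked), the function names are my own, and the fixed pattern takes the bracketed host that is directly followed by `:port` and the `I=` interface field, which the pid never is, so it works with both the `+all` and the default log_selector.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample, modelled on the lines quoted in the thread. The first three
# come from a server with "log_selector = +all", which enables Exim's "pid" log
# item and inserts "[pid]" right after the timestamp. The fourth is the same kind
# of event as written by the default DirectAdmin selector (no pid field).
SAMPLE_LOG = """\
2011-09-21 06:11:09 [5601] login authenticator failed for (x6x8-20101028KO) [58.250.108.160]:3118 I=[195.bbb.ccc.21]:25: 535 Incorrect authentication data (set_id=anonymous)
2011-09-21 06:11:10 [5599] login authenticator failed for (x6x8-20101028KO) [58.250.108.160]:3104 I=[195.bbb.ccc.19]:25: 535 Incorrect authentication data (set_id=anonymous)
2011-09-21 06:11:10 [5602] login authenticator failed for (x6x8-20101028KO) [58.250.108.160]:3115 I=[195.bbb.ccc.23]:25: 535 Incorrect authentication data (set_id=anonymous)
2011-09-21 06:12:01 login authenticator failed for (x6x8-20101028KO) [58.250.108.160]:3120 I=[195.bbb.ccc.18]:25: 535 Incorrect authentication data (set_id=anonymous)
"""

# Pattern that reproduces the misbehaviour: "the client is whatever sits in the
# first pair of square brackets". With +all that token is the Exim process id.
FIRST_BRACKET_RE = re.compile(r"\[([^\]]+)\]")

# Pattern that does not care whether the pid field is present. The remote host is
# the bracketed token immediately followed by ":port" and then the local
# interface field "I=[...]:port"; the pid is followed by a space, never by ":port".
AUTH_FAIL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})"
    r"(?: \[(?P<pid>\d+)\])?"                 # optional "[pid]" from log_selector +pid / +all
    r" (?P<auth>\S+) authenticator failed for "
    r"(?:\([^)]*\) )?"                        # optional HELO name in parentheses
    r"\[(?P<ip>[0-9A-Fa-f.:]+)\]:\d+"         # remote client, always "[addr]:port"
    r" I=\[[^\]]+\]:\d+: "                    # local interface, anchors the client match
    r"535 .*?\(set_id=(?P<set_id>[^)]*)\)"    # rejected login name
)


def naive_extract(line):
    """Return the first bracketed token, the way the monitor in the thread behaves."""
    m = FIRST_BRACKET_RE.search(line)
    return m.group(1) if m else None


def extract_auth_failure(line):
    """Parse one 'authenticator failed' line; None for any other line."""
    m = AUTH_FAIL_RE.match(line)
    if not m:
        return None
    try:
        ip = str(ipaddress.ip_address(m.group("ip")))  # reject anything that is not an address
    except ValueError:
        return None
    return {
        "timestamp": m.group("ts"),
        "pid": m.group("pid"),           # None when the pid log item is off
        "authenticator": m.group("auth"),
        "ip": ip,
        "set_id": m.group("set_id"),
    }


def count_failures(lines):
    """Aggregate login failures per client address, as a brute-force monitor would."""
    counts = defaultdict(int)
    for line in lines:
        rec = extract_auth_failure(line)
        if rec:
            counts[rec["ip"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        print("first-bracket token:", naive_extract(line),
              "| client:", extract_auth_failure(line)["ip"])
    print(count_failures(SAMPLE_LOG.splitlines()))
```

Run stand-alone, the naive function reports 5601, 5599 and 5602 for the three `+all` lines and only gets the right answer on the fourth; the fixed parser reports 58.250.108.160 for all four and aggregates them to one client with four failures. Validating the captured token with `ipaddress` is a cheap second guard: if a future log format change ever lets a non-address through the pattern, the line is dropped as unparsed rather than counted under a bogus "IP".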
 
Wouldn't a better solution be to find out what you're logging that the default isn't logging?

SpamBlockerTechnology* powered exim.conf, Version 4.1 uses:
Code:
log_selector = \
  +delivery_size \
  +sender_on_delivery \
  +received_recipients \
  +received_sender \
  +smtp_confirmation \
  +subject \
  +smtp_incomplete_transaction \
  -dnslist_defer \
  -host_lookup_failed \
  -queue_run \
  -rejected_header \
  -retry_defer \
  -skip_delivery \
  +arguments
syslog_duplication = false
The earlier version installed by default with DirectAdmin uses:
Code:
log_selector = \
  +delivery_size \
  +sender_on_delivery \
  +received_recipients \
  +received_sender \
  +smtp_confirmation \
  +subject \
  +smtp_incomplete_transaction \
  -dnslist_defer \
  -host_lookup_failed \
  -queue_run \
  -rejected_header \
  -retry_defer \
  -skip_delivery
syslog_duplication = false
Jeff