LFD and Exim

enginaar

Hello,

I'm running csf+lfd and tracking authentication failures, but it looks like exim is not keeping all authentication failures in /var/log/maillog. I see a lot of login failures in exim's mainlog file, but none of them are recorded in maillog. That makes lfd fail to recognize login failures.

1. Why doesn't exim write login failure logs into maillog?
2. Should I change lfd to track exim mainlog?
 
@Sellerone:
As far as I know, the BFM has already existed for some time in CSF.
However, if it's looking at the wrong logfiles, no actions will be taken.
The only thing I know which is new in CSF is an exploit scanner. Or am I missing something?

@Enginaar:
You could try to enable a customlog in csf.conf:
CUSTOM1_LOG = "/var/log/messages"
Instead of this one, put here the path to your exim mainlog and see if it has the result you would like.
 
Thanks Richard,

In fact, those logs in exim's mainlog file belong to SMTP auth failures, and lfd doesn't have a tracker for that, so I made one myself to keep track of SMTP login failures.

It looks like the one below, and it works, if someone wants to use it.

# Return values: message, offending IP, rule id, trigger level, ports to block, 1 = permanent block
if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\S+\s\S+ login authenticator failed for \(\S+\) \[(\d+\.\d+\.\d+\.\d+)\]: 535 Incorrect authentication data \(set_id=(\S+)\)/)) {
    return ("SMTP Login Failure for $2",$1,"smtplogin","5","25,587","1");
}

Thanks
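An offline check of the rule posted above, as an added example that is not part of the original posts or of csf itself: it runs the same regex over constructed Exim mainlog lines to show which failures the rule counts and which line formats it does not match (a different authenticator name, a resolved hostname before the HELO, an IPv6 address). The sample lines, the `match_rule` helper and the simulated trigger count are assumptions for illustration; lfd does its own counting.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Same pattern as the custom rule posted in the thread.
my $rule = qr/^\S+\s\S+ login authenticator failed for \(\S+\) \[(\d+\.\d+\.\d+\.\d+)\]: 535 Incorrect authentication data \(set_id=(\S+)\)/;

my $trigger = 5;    # same trigger level as the rule's return value

# Constructed sample lines using documentation address ranges, not real log data.
my @lines;
push @lines, "2024-01-15 10:00:0$_ login authenticator failed for (User) [203.0.113.5]: 535 Incorrect authentication data (set_id=info)"
    for 1 .. 5;
push @lines, (
    # Different authenticator name ("plain" instead of "login")
    '2024-01-15 10:01:00 plain authenticator failed for (User) [198.51.100.7]: 535 Incorrect authentication data (set_id=admin)',
    # Resolved hostname in front of the HELO name
    '2024-01-15 10:02:00 login authenticator failed for mail.example.net (User) [198.51.100.8]: 535 Incorrect authentication data (set_id=admin)',
    # IPv6 client address
    '2024-01-15 10:03:00 login authenticator failed for (User) [2001:db8::1]: 535 Incorrect authentication data (set_id=admin)',
);

# Hypothetical helper: returns (ip, account) on a match, an empty list otherwise.
sub match_rule {
    my ($line) = @_;
    return $line =~ $rule ? ($1, $2) : ();
}

my (%count, %accounts, @missed);
for my $line (@lines) {
    if (my ($ip, $account) = match_rule($line)) {
        $count{$ip}++;
        $accounts{$ip}{$account} = 1;
    }
    else {
        push @missed, $line;
    }
}

# Report per-IP totals against the trigger level, then the lines the rule skipped.
for my $ip (sort keys %count) {
    my $state = $count{$ip} >= $trigger ? 'would reach the trigger' : 'below trigger';
    my $who   = join ',', sort keys %{ $accounts{$ip} };
    print "$ip: $count{$ip} failures ($who), $state\n";
}
print "not matched by the rule: $_\n" for @missed;
```

Running real mainlog lines through the same loop before enabling the rule shows whether the server's log format, which depends on its Exim configuration, is actually covered.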
 