lightningbit
Verified User
- Joined
- Nov 7, 2008
- Messages
- 35
Hi,
Just looking for some advice or experiences.
I'm hit (or my server is) with a sudden increase of brute force attacks on Exim.
It comes from various IP addresses (Germany, Vietnam, China, Russia, France, ... basically, Europe and Asia...).
They all target info, admin, support AT thesamedomain.be
(so it seems the attacker only targets 1 domain for now)
(those users do not exist for that domain).
In BFM I can see,
for each IP address, 2 lines:
Code:
2014-02-10 14:04:49 login authenticator failed for (home-PC) [5.102.206.28]: 535 Incorrect authentication data ([email protected])
2014-02-10 14:04:48 plain authenticator failed for (home-PC) [5.102.206.28]: 535 Incorrect authentication data ([email protected])
then the same with another IP,
about 1 attempt every minute, sometimes 2 or 3.
I noticed this on Friday.
I'm also using CSF on this server; for the brute force settings I've set
Notify Admins after an IP has 3 login failures on any account.
Notify Admins after a User has 3 login failures from any IP.
and I am using the block script
(so that after 3 attempts from the same IP, it gets blocked in CSF).
I'm inclined to even put that to 1 for a while, so the IP gets blocked immediately after 1 attempt.
Is there anything else I can do to kill or cut off that attack?
e.g. block it in CSF directly, without BFM? (Will it make a difference, performance-wise and reaction-time-wise?)
I thought of using the country block in CSF, but blocking out Asia for a while will probably kill the performance of the server, because of the number of lines added to iptables to do so.
Any advice is much appreciated.
Thanks
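As an added example (not code from the post, nor from BFM or CSF), the Python below parses Exim mainlog entries like the ones quoted above, collapses the paired plain/login lines into single attempts, and reports which source IPs would reach the 3-failure limit the poster configured. The "(set_id=user@domain)" tail is an assumption about the unobfuscated address, and the sample log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed Exim "authenticator failed" line format, matching the entries quoted in the post.
AUTH_FAIL = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<mech>\w+) authenticator failed for "
    r"(?:\([^)]*\) )?\[(?P<ip>[\d.]+)\](?::\d+)?: 535 Incorrect authentication data "
    r"\((?:set_id=)?(?P<user>[^)]*)\)$"
)

# Constructed sample input (not real traffic) in the same format as the post's entries.
SAMPLE_LOG = """\
2014-02-10 14:04:49 login authenticator failed for (home-PC) [5.102.206.28]: 535 Incorrect authentication data (set_id=info@thesamedomain.be)
2014-02-10 14:04:48 plain authenticator failed for (home-PC) [5.102.206.28]: 535 Incorrect authentication data (set_id=info@thesamedomain.be)
2014-02-10 14:05:51 plain authenticator failed for (home-PC) [5.102.206.28]: 535 Incorrect authentication data (set_id=admin@thesamedomain.be)
2014-02-10 14:05:52 login authenticator failed for (home-PC) [5.102.206.28]: 535 Incorrect authentication data (set_id=admin@thesamedomain.be)
2014-02-10 14:07:03 plain authenticator failed for (home-PC) [5.102.206.28]: 535 Incorrect authentication data (set_id=support@thesamedomain.be)
2014-02-10 14:07:04 login authenticator failed for (home-PC) [5.102.206.28]: 535 Incorrect authentication data (set_id=support@thesamedomain.be)
2014-02-10 14:08:10 plain authenticator failed for (User) [203.0.113.7]: 535 Incorrect authentication data (set_id=info@thesamedomain.be)
2014-02-10 14:08:11 login authenticator failed for (User) [203.0.113.7]: 535 Incorrect authentication data (set_id=info@thesamedomain.be)
"""

def parse_failures(log_text):
    """Return (timestamp, ip, user) for every matching line, oldest first."""
    events = []
    for line in log_text.splitlines():
        m = AUTH_FAIL.match(line)
        if m:
            events.append((datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["ip"], m["user"]))
    return sorted(events)

def count_attempts(log_text, window=timedelta(seconds=2)):
    """Count attempts per source IP and per target user.
    Exim logs one line per mechanism tried (plain, then login), hence two lines per IP in the
    post; lines for the same (IP, user) inside `window` count as one attempt, not two."""
    per_ip, per_user, last_seen = defaultdict(int), defaultdict(int), {}
    for ts, ip, user in parse_failures(log_text):
        prev = last_seen.get((ip, user))
        if prev is None or ts - prev > window:
            per_ip[ip] += 1
            per_user[user] += 1
        last_seen[(ip, user)] = ts
    return dict(per_ip), dict(per_user)

def ips_over_threshold(log_text, threshold=3):
    """Source IPs whose attempt count reaches the CSF-style per-IP failure limit."""
    per_ip, _ = count_attempts(log_text)
    return sorted(ip for ip, n in per_ip.items() if n >= threshold)
```

On the sample, counting raw lines would flag both IPs after the first minute, while counting collapsed attempts flags only 5.102.206.28 after its third distinct try.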