Hi, I'd like to suggest that while using a single LF_INTERVAL is OK for most login failure checking, it might be necessary for the distributed SMTP checking to have a shorter interval.
In order to tighten things up recently we've had to increase LF_INTERVAL to block IPs over a longer period of time, as the trend from spammers seems to be to re-use the same IPs less frequently, to avoid these detection methods. Gone are the days when they would just keep trying with the same IP in a short space of time. In the past we would set LF_INTERVAL to 5 minutes and set LF_TRIGGER to 20, because the spammers were just submitting a constant stream of login attempts. They don't do that anymore - they are spreading the attacks over a much longer period of time, using the same IP only a handful of times before switching to a different one. It makes sense that they would do this now that pretty much everyone is using CSF/LFD. Spammers are easily able to get around LFD now because they've worked out that most people use a fairly short LF_INTERVAL.
So we've had to greatly increase LF_INTERVAL and reduce LF_TRIGGER, and have blocked more than 27,000 IPs in the last 9 weeks, yet we still see email accounts getting compromised almost every day. It may be that we are an extreme case - we are certainly being targeted and have been for several months now. Increasing LF_TRIGGER to a much longer interval has been the only answer.
Anyway....
As LF_DISTSMTP is not actually a login failure check, it's a successful login check, the timescale needs to be shorter. So for example, we might want to set LF_DISTSMTP to a minimum of 10 successful logins from 4 different IPs within 5 minutes, because that's currently how botnets tend to behave once they have compromised an account. Unfortunately we are restricted to the same LF_INTERVAL used for other LF checks, which now require a much longer interval.
So after all that waffle - what I'm asking for is the ability to configure an independent interval for LF_DISTSMTP.
Request a different interval for LF_DISTSMTP
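To make the point of the post above concrete, here is a small sliding-window check in the spirit of LF_DISTSMTP, run over a few constructed exim-style log lines. This is example code added for this page, not csf/lfd code; it assumes the thresholds are "N successful logins from at least U distinct IPs inside one window" (LF_DISTSMTP and, as I recall it from csf.conf, LF_DISTSMTP_UNIQ), and it takes the window length as a parameter so the same data can be evaluated with a long LF_INTERVAL and with a short dedicated interval. The two accounts and their log lines are made up: one is a legitimate user moving between four locations during a working day, the other a compromised account driven from four IPs in under five minutes.

```python
"""Sliding-window check for distributed SMTP logins (LF_DISTSMTP-style).

Added example, not csf/lfd code.  It re-implements the idea behind the
LF_DISTSMTP check: flag an account that authenticates min_logins times
from at least min_unique distinct IPs inside one interval.  The interval is
a parameter so a long LF_INTERVAL can be compared with a short one.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Simplified exim-style authenticated-submission line (constructed format):
# timestamp, sender IP in [..], authenticated account after A=<authenticator>:
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) .*?\[(?P<ip>[0-9a-fA-F.:]+)\]"
    r".*? A=\w+:(?P<acct>\S+)"
)


def _line(ts, ip, acct):
    """Build one constructed exim-style log line (not real log data)."""
    return (f"{ts} 1U4aaa-0001Aa-Aa <= {acct} H=(client) [{ip}] "
            f"P=esmtpa A=dovecot_login:{acct} S=812")


# Constructed scenario 1: a legitimate user sending from four places over a day.
_ALICE = [
    ("2013-02-10 08:05:00", "198.51.100.10"), ("2013-02-10 08:40:00", "198.51.100.10"),
    ("2013-02-10 09:30:00", "203.0.113.40"), ("2013-02-10 10:15:00", "203.0.113.40"),
    ("2013-02-10 11:00:00", "192.0.2.77"), ("2013-02-10 12:20:00", "192.0.2.77"),
    ("2013-02-10 13:45:00", "192.0.2.77"), ("2013-02-10 15:10:00", "198.51.100.200"),
    ("2013-02-10 16:30:00", "198.51.100.200"), ("2013-02-10 17:05:00", "203.0.113.40"),
]
# Constructed scenario 2: a compromised account driven by a botnet, ten
# submissions from four IPs in about four minutes.
_BOB = [
    ("2013-02-10 03:00:10", "203.0.113.5"), ("2013-02-10 03:00:41", "203.0.113.5"),
    ("2013-02-10 03:01:05", "198.51.100.9"), ("2013-02-10 03:01:30", "203.0.113.5"),
    ("2013-02-10 03:02:02", "192.0.2.130"), ("2013-02-10 03:02:33", "198.51.100.9"),
    ("2013-02-10 03:03:00", "203.0.113.222"), ("2013-02-10 03:03:29", "192.0.2.130"),
    ("2013-02-10 03:03:58", "203.0.113.222"), ("2013-02-10 03:04:20", "203.0.113.5"),
]
SAMPLE_LOG = "\n".join(
    [_line(ts, ip, "alice@example.com") for ts, ip in _ALICE]
    + [_line(ts, ip, "bob@example.com") for ts, ip in _BOB]
)


def parse_logins(log_text):
    """Return {account: [(datetime, ip), ...]} sorted by time, per account."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            events[m["acct"]].append((ts, m["ip"]))
    for acct in events:
        events[acct].sort()
    return events


def dist_smtp_hits(log_text, interval_secs, min_logins=10, min_unique=4):
    """Accounts whose logins meet both thresholds inside one sliding window.

    min_logins / min_unique play the role of LF_DISTSMTP / LF_DISTSMTP_UNIQ;
    interval_secs is the window the thread asks to decouple from LF_INTERVAL.
    Returns {account: (time_of_first_trigger, sorted_unique_ips)}.
    """
    window = timedelta(seconds=interval_secs)
    hits = {}
    for acct, evs in parse_logins(log_text).items():
        for i, (t_end, _) in enumerate(evs):
            # every login in (t_end - window, t_end], ending at this login
            recent = [e for e in evs[: i + 1] if t_end - e[0] <= window]
            ips = {ip for _, ip in recent}
            if len(recent) >= min_logins and len(ips) >= min_unique:
                hits[acct] = (t_end, sorted(ips))
                break
    return hits


if __name__ == "__main__":
    for secs in (300, 86400):
        print(f"interval={secs}s ->", sorted(dist_smtp_hits(SAMPLE_LOG, secs)))
```

With a 5-minute window only the botnet-driven account is flagged; with the day-long window the poster says they had to move LF_INTERVAL towards, the legitimate user is flagged as well, which is exactly the false-positive cost of sharing one interval between the failure checks and this success check. For reference, my recollection is that the option csf added for this is LF_DIST_INTERVAL in csf.conf; check the comments in your own csf.conf rather than taking that name from this note.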
Re: Request a different interval for LF_DISTSMTP
Agreed. We've seen a dramatic increase in SMTP attacks recently, and as you say, they cycle through hundreds of IPs. I even reduced the number of failed SMTP login attempts to 2, which blocks more, but increases the noise. I've been going through the docs to see if there's an option to not send an email like there is for port scanning.
Re: Request a different interval for LF_DISTSMTP
This has now been introduced in csf v5.68:
http://blog.configserver.com/index.php?itemid=683