Hello all,
In order to block distributed SMTP attacks using hacked passwords, I have set the following parameters:
LF_INTERVAL = 600
LF_DISTATTACK = 1
LF_DISTSMTP = 3
LF_DISTSMTP_UNIQ = 3
LF_DISTSMTP_PERM = 1
I also have some IPs listed in csf.allow and lfd.ignore. It seems that every time someone sends ONE email from any of the ignored IPs, an entry is added to the lfd.log file (below).
Oct 29 15:56:05 server1 lfd[13442]: Distributed SMTP 207.x.y.226 - ignored
Oct 29 15:56:35 server1 lfd[13442]: Distributed SMTP 162.x.y.66 - ignored
Oct 29 15:56:35 server1 lfd[13442]: Distributed SMTP 162.x.y.66 - ignored
Oct 29 15:57:40 server1 lfd[13442]: Distributed SMTP 162.x.y.66 - ignored
Oct 29 15:57:40 server1 lfd[13442]: Distributed SMTP 70.x.y.161 - ignored
Oct 29 16:00:20 server1 lfd[13442]: Distributed SMTP 162.x.y.66 - ignored
Oct 29 16:01:20 server1 lfd[13442]: Distributed SMTP 208.x.y.162 - ignored
Oct 29 16:03:00 server1 lfd[13442]: Distributed SMTP 208.x.y.162 - ignored
Oct 29 16:04:05 server1 lfd[13442]: Distributed SMTP 208.x.y.162 - ignored
Oct 29 16:04:56 server1 lfd[13442]: Distributed SMTP 207.x.y.226 - ignored
Oct 29 16:05:51 server1 lfd[13442]: Distributed SMTP 162.x.y.66 - ignored
Oct 29 16:07:38 server1 lfd[13442]: Distributed SMTP 208.x.y.162 - ignored
Oct 29 16:08:08 server1 lfd[13442]: Distributed SMTP 162.x.y.66 - ignored
This is not a huge problem, but annoying because the lfd.log gets filled with entries I don't care about. Can the DIST ATTACK engine NOT log these ignored IPs?
Thanks!
LF_DISTSMTP log entries for ignored IPs
- Moderator
Re: LF_DISTSMTP log entries for ignored IPs
This has now been introduced in csf v5.68:
http://blog.configserver.com/index.php?itemid=683