block on first attempt if target account doesn't exist
-
- Junior Member
- Posts: 21
- Joined: 07 Aug 2007, 20:29
block on first attempt if target account doesn't exist
I periodically get hammered by distributed attacks, usually against FTP and SMTP, where the bulk of the attempts are using accounts that don't exist on my server. It would be helpful, primarily to control resource consumption, to have an option to block these attempts on the first try while these distributed attacks are happening, without affecting the default settings for valid accounts.
Re: block on first attempt if target account doesn't exist
I'd also like to see something like this implemented. Great idea.
Re: block on first attempt if target account doesn't exist
CSF is already configured for this using REGEX.CUSTOM.PM, a great tool that lets anyone create custom rules to block any type of attack at once; read about it in the readme file.
See some rules on the sticky viewtopic.php?f=6&t=7517
I will be adding more from time to time or if someone else contributes to the sticky.
Sergio
-
- Junior Member
- Posts: 21
- Joined: 07 Aug 2007, 20:29
Re: block on first attempt if target account doesn't exist
Thanks Sergio - the only issue with this approach is that the whole thing is dependent on me maintaining a list of ids that don't exist. These bots are reasonably 'creative' with the ids they use so the list will require frequent maintenance to remain effective.
Re: block on first attempt if target account doesn't exist
@curriertech,
I don't think so; you can construct your rule using the error message, not the IPs.
Please show us a list of a couple error lines and I will tell you what you can do.
Sergio
-
- Junior Member
- Posts: 21
- Joined: 07 Aug 2007, 20:29
Re: block on first attempt if target account doesn't exist
Here's an example -
2014-02-24 09:14:02 dovecot_plain authenticator failed for (BSHUNG) [113.184.191.234]:18072: 535 Incorrect authentication data (set_id=admin@nestreetriders.com)
set_id is almost always something that doesn't exist as an account on the server.
Re: block on first attempt if target account doesn't exist
I had already created a rule for this, I added to the sticky now.
Sergio
-
- Junior Member
- Posts: 21
- Joined: 07 Aug 2007, 20:29
Re: block on first attempt if target account doesn't exist
Thanks. The further we get into this, the more I realize that what I want to do probably isn't possible since there's nothing in the log that indicates whether or not the account actually exists. The new rule in the sticky would still only match set_id=admin@, but that wouldn't stop set_id=dell_pc. The other rule is closer but requires manual addition of the set_id values that should be blocked.
Is it possible to have these custom rules use values that are specified in a file? That would certainly allow for some simple automation of adding the set_id values.
Re: block on first attempt if target account doesn't exist
curriertech,
You can make your own rule and set it accordingly. Your first requirement was to block any IP that wanted to access any of your domains with the account "admin@anydomain.com", so the rule that I posted does that. I even use that rule on my servers and it has blocked a lot of attempts.
Unfortunately, there is no way to have a file in which to add values, and you don't need it, as you can create a rule that blocks any IP with a bad "set_id"; unfortunately, that will block some of your customers who have a bad email configuration.
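The thread turns on two points: the exim/dovecot "535 Incorrect authentication data (set_id=...)" line quoted above carries the client IP and the attempted account but says nothing about whether that account exists, and the rule in the sticky can only key on a fixed set_id pattern such as admin@. The following Python is an added example, not csf's regex.custom.pm and not code from anyone in the thread. It shows the matching and counting such a rule has to do, and supplies the missing "does this account exist" fact from a local-account list that the operator would export from the mail server (an assumption: csf itself offers no file lookup, as Sergio says). The log lines other than the one quoted in the thread are constructed, using documentation address ranges.

```python
"""Added example: match exim/dovecot 535 auth failures and decide what to block.

Not csf's regex.custom.pm. Assumptions: LOCAL_ACCOUNTS is a list the operator
exports from the mail server (the log line itself cannot say whether the
account exists); the constructed log lines use documentation IP ranges.
"""
import re
from collections import defaultdict

# One regex for the log line format quoted in the thread. Captures the
# offending client IP and the set_id the client tried to authenticate as.
AUTH_FAIL = re.compile(
    r"^\S+ \S+ dovecot_\w+ authenticator failed for "
    r"(?:\S+ )?(?:\([^)]*\) )?"            # optional host name and/or (HELO)
    r"\[(?P<ip>[0-9a-fA-F.:]+)\]:\d+: "    # [ip]:port:
    r"535 Incorrect authentication data \(set_id=(?P<set_id>[^)]*)\)$"
)

# Sergio's sticky rule, generalised: a fixed set_id pattern blocked on sight.
ADMIN_SET_ID = re.compile(r"^admin@", re.IGNORECASE)

# Constructed stand-in for an export of real mailboxes on the server.
LOCAL_ACCOUNTS = frozenset({"alice@example.com", "bob@example.com"})

# First line is the one quoted in the thread; the rest are constructed.
SAMPLE_LOG = """\
2014-02-24 09:14:02 dovecot_plain authenticator failed for (BSHUNG) [113.184.191.234]:18072: 535 Incorrect authentication data (set_id=admin@nestreetriders.com)
2014-02-24 09:14:05 dovecot_login authenticator failed for (host) [198.51.100.7]:4433: 535 Incorrect authentication data (set_id=dell_pc)
2014-02-24 09:14:09 dovecot_plain authenticator failed for (host) [203.0.113.9]:5100: 535 Incorrect authentication data (set_id=alice@example.com)
2014-02-24 09:14:10 dovecot_plain authenticator failed for (host) [203.0.113.9]:5101: 535 Incorrect authentication data (set_id=alice@example.com)
2014-02-24 09:14:11 <= bounce@example.com H=mail.example.org [192.0.2.4] P=esmtp S=1234
"""


def parse_auth_failure(line):
    """Return {'ip': ..., 'set_id': ...} for a 535 failure line, else None."""
    m = AUTH_FAIL.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def evaluate(lines, local_accounts, threshold=5):
    """Walk log lines and return sorted (ip, reason) block decisions.

    - set_id matching ADMIN_SET_ID, or not in local_accounts: block on the
      first failure (what the original poster asked for).
    - set_id that is a real account: count failures per IP and block only
      at `threshold`, leaving the normal policy for valid accounts intact.
    """
    failures = defaultdict(int)
    blocked = {}
    for line in lines:
        ev = parse_auth_failure(line)
        if ev is None or ev["ip"] in blocked:
            continue
        ip, set_id = ev["ip"], ev["set_id"]
        if ADMIN_SET_ID.match(set_id):
            blocked[ip] = f"admin@ probe (set_id={set_id})"
        elif set_id.lower() not in local_accounts:
            blocked[ip] = f"unknown account (set_id={set_id})"
        else:
            failures[ip] += 1
            if failures[ip] >= threshold:
                blocked[ip] = f"{failures[ip]} failures for real account {set_id}"
    return sorted(blocked.items())


if __name__ == "__main__":
    for ip, reason in evaluate(SAMPLE_LOG.splitlines(), LOCAL_ACCOUNTS):
        print(f"block {ip}: {reason}")
```

Running it blocks 113.184.191.234 (admin@ probe) and 198.51.100.7 (dell_pc is not a mailbox) on their first failure, while 203.0.113.9, which is failing against a real account, is only counted and would be blocked once it reaches the threshold. The caveat Sergio raises still applies to the "unknown account" branch: a customer whose client is configured with a mistyped username looks exactly like a bot, so that branch is best enabled only for the duration of a distributed attack, with the account-list export refreshed whenever mailboxes are added.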