Brute pop3 logins attack from one IP not blocked

Achtron
Junior Member
Posts: 15
Joined: 05 Apr 2012, 13:17

Brute pop3 logins attack from one IP not blocked

Post by Achtron »

My server was hit with brute force pop3 logins from one IP continually for about 17 hours until I blocked it. The server maillog registered 41,161 entries for the IP for these hours.

I don't know why this wasn't blocked automatically by the server, but these are the settings for blocking brute force pop3:
LF_TRIGGER = 0
LF_TRIGGER_PERM = 1
LF_SELECT = 0
LF_POP3D = 10
LF_POP3D_PERM = 1
POP3D_LOG = /var/log/maillog (cPanel Centos 6)
I would need help with this if it's available please.
bsntech
Junior Member
Posts: 12
Joined: 29 Mar 2014, 13:36

Re: Brute pop3 logins attack from one IP not blocked

Post by bsntech »

It might depend upon what you are using as the POP3 / IMAP server.

I installed CSF on our servers over the weekend. I noticed that some things did get blocked correctly (like CERTAIN FTP attempts) but others didn't.

In the end, I had to add items to the custom.regex.pm file and create new regex entries to battle others.

As an example, the FTP regexes would catch anything for "SECURITY VIOLATION" but wouldn't stop those fishing for user accounts - "no user found". So I had to create a regex for that.

Also noted that the IMAP and POP3 stuff wasn't working today - so I had to create a couple of regexes for those. Then I tested and ensured they were blocking.
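One way to check, offline, whether the LF_POP3D = 10 threshold from the first post would have fired on a given /var/log/maillog, and to test a candidate failure regex the way the reply above describes. This is an added Python example, not csf's own code and not something either poster ran; the Dovecot pop3-login line format, the 300 second LF_INTERVAL window and the log lines themselves are assumptions constructed for the demonstration, so adjust FAIL_RE to match the exact lines on your server.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed Dovecot pop3-login failure line as written to /var/log/maillog on cPanel.
# If this pattern does not match your real lines, csf cannot count them either.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ dovecot: pop3-login: "
    r"Disconnected \(auth failed, \d+ attempts? in \d+ secs\): "
    r"user=<[^>]*>, .*?rip=(?P<ip>[0-9a-fA-F.:]+)"
)

# Constructed sample log: 12 failures from one IP inside a minute, one failure
# from a second IP, and one successful login that must not be counted.
SAMPLE_LINES = [
    f"Apr  6 03:14:{i * 5:02d} host dovecot: pop3-login: Disconnected "
    f"(auth failed, 1 attempts in 2 secs): user=<u{i}>, method=PLAIN, "
    f"rip=192.0.2.10, lip=198.51.100.5"
    for i in range(12)
] + [
    "Apr  6 03:14:07 host dovecot: pop3-login: Disconnected (auth failed, "
    "1 attempts in 4 secs): user=<bob>, method=PLAIN, rip=192.0.2.77, lip=198.51.100.5",
    "Apr  6 03:14:09 host dovecot: pop3-login: Login: user=<carol>, method=PLAIN, "
    "rip=203.0.113.9, lip=198.51.100.5, mpid=1234",
]

def parse_failures(lines, year=2014):
    """Yield (timestamp, ip) once per matching failed-login line (year is not in syslog lines)."""
    for line in lines:
        m = FAIL_RE.search(line)
        if m:
            yield datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"), m["ip"]

def offenders(lines, lf_pop3d=10, lf_interval=300, year=2014):
    """Return {ip: peak_count} for IPs reaching lf_pop3d failures inside any
    lf_interval-second sliding window, i.e. the counting rule LF_POP3D relies on."""
    windows = defaultdict(list)
    hits = {}
    for ts, ip in parse_failures(lines, year):
        w = windows[ip]
        w.append(ts)
        while (ts - w[0]).total_seconds() > lf_interval:  # expire old failures
            w.pop(0)
        if len(w) >= lf_pop3d:
            hits[ip] = max(hits.get(ip, 0), len(w))
    return hits

if __name__ == "__main__":
    print(offenders(SAMPLE_LINES))  # → {'192.0.2.10': 12}
```

If a real attacker's lines give an empty result here while the count in the log is obviously large, the regex, not the threshold, is what needs fixing.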
Achtron
Junior Member
Posts: 15
Joined: 05 Apr 2012, 13:17

Re: Brute pop3 logins attack from one IP not blocked

Post by Achtron »

Thank you for this advice, it was very helpful.