Am I missing something simple here

BillyNoMates
Junior Member
Posts: 4
Joined: 28 Mar 2014, 11:57
Location: United Kingdom

Am I missing something simple here

Post by BillyNoMates »

I have noticed a brute-force attack on my server.

2014-03-27 01:34:02 courier_login authenticator failed for URLremoved (DATASERV-PC) [98.230.172.199]:45213: 435 Unable to authenticate at present (set_id=admin): socket read timed out inside "and{...}" condition
2014-03-27 01:34:14 courier_login authenticator failed for URLremoved (DATASERV-PC) [98.230.172.199]:22865: 435 Unable to authenticate at present (set_id=admin): socket read timed out inside "and{...}" condition

The forum will not let me post the URL in the log for some reason:
"c-98-230-172-199*hsd1*ga*comcast*net"

There are over 4000 attempts, but the IP did not get blocked.
Am I missing a setting, as most attacks are stopped within 10 attempts or so?

Thanks

Billy
lfwej
Junior Member
Posts: 12
Joined: 21 Mar 2014, 09:59

Re: Am I missing something simple here

Post by lfwej »

Check the settings below. What settings do you have?

LF_PERMBLOCK = Default: 1 [0-1]
LF_PERMBLOCK_INTERVAL = Default: 86400 [3600-604800]
LF_PERMBLOCK_COUNT = Default: 4 [1-20]
LF_PERMBLOCK_ALERT = Default: 1 [0-1]
BillyNoMates
Junior Member
Posts: 4
Joined: 28 Mar 2014, 11:57
Location: United Kingdom

Re: Am I missing something simple here

Post by BillyNoMates »

Hi lfwej,

I have the default settings:

LF_PERMBLOCK = 1
LF_PERMBLOCK_INTERVAL = 86400
LF_PERMBLOCK_COUNT = 4
LF_PERMBLOCK_ALERT = 1
BillyNoMates
Junior Member
Posts: 4
Joined: 28 Mar 2014, 11:57
Location: United Kingdom

Re: Am I missing something simple here

Post by BillyNoMates »

I have a feeling that csf or my server configuration was overwhelmed by this attack.

I am going to put together the list of events that I see in the logs, and hopefully someone will be able to shed some light on this so I can prevent this from happening again.
ForumAdmin
Moderator
Posts: 1524
Joined: 01 Oct 2008, 09:24

Re: Am I missing something simple here

Post by ForumAdmin »

Those log lines are not ones that trigger anything in csf as they are not authentication failures as such. The error suggests that the authentication daemon is being flooded with requests and is unable to cope with the number of requests.
BillyNoMates
Junior Member
Posts: 4
Joined: 28 Mar 2014, 11:57
Location: United Kingdom

Re: Am I missing something simple here

Post by BillyNoMates »

Thanks for the reply.

Yes... that is what I have come to realise. (I'm very new to this.)
I'm trying to work out how the process works and how csf stops such attacks.

When I am going through the logs to see what happened, I have noticed that there are lots of connections like this (connections reach 100):


2014-03-27 01:33:39 SMTP connection from [98.230.172.199]:57734 (TCP/IP connection count = 1)
2014-03-27 01:33:47 SMTP connection from c-98-230-172-199*hsd1*ga*comcast*net (DATASERV-PC) [98.230.172.199]:57734 closed by QUIT
2014-03-27 01:33:48 SMTP connection from [127.0.0.1]:35093 (TCP/IP connection count = 1)
2014-03-27 01:33:49 SMTP connection from [98.230.172.199]:45213 (TCP/IP connection count = 2)
2014-03-27 01:33:50 SMTP connection from localhost [127.0.0.1]:35093 closed by QUIT
2014-03-27 01:33:52 SMTP connection from [98.230.172.199]:42769 (TCP/IP connection count = 2)
2014-03-27 01:33:59 SMTP connection from c-98-230-172-199*hsd1*ga*comcast*net (DATASERV-PC) [98.230.172.199]:42769 closed by QUIT
2014-03-27 01:34:00 SMTP connection from [98.230.172.199]:12466 (TCP/IP connection count = 2)
2014-03-27 01:34:01 SMTP connection from [98.230.172.199]:22865 (TCP/IP connection count = 3)
2014-03-27 01:34:01 SMTP connection from [98.230.172.199]:57938 (TCP/IP connection count = 4)
2014-03-27 01:34:01 SMTP connection from [98.230.172.199]:4770 (TCP/IP connection count = 5)
2014-03-27 01:34:01 SMTP connection from [98.230.172.199]:13254 (TCP/IP connection count = 6)
2014-03-27 01:34:01 SMTP connection from [98.230.172.199]:53809 (TCP/IP connection count = 7)
2014-03-27 01:34:01 SMTP connection from [98.230.172.199]:6201 (TCP/IP connection count = 8)
2014-03-27 01:34:01 SMTP connection from [98.230.172.199]:58590 (TCP/IP connection count = 9)
2014-03-27 01:34:02 courier_login authenticator failed for c-98-230-172-199*hsd1*ga*comcast*net (DATASERV-PC) [98.230.172.199]:45213: 435 Unable to authenticate at present (set_id=admin): socket read timed out inside "and{...}" condition
2014-03-27 01:34:03 SMTP connection from c-98-230-172-199*hsd1*ga*comcast*net (DATASERV-PC) [98.230.172.199]:45213 lost
2014-03-27 01:34:03 SMTP connection from [98.230.172.199]:18146 (TCP/IP connection count = 9)
2014-03-27 01:34:03 SMTP connection from [98.230.172.199]:2203 (TCP/IP connection count = 10)
Does csf not count each of the connections in the above logs, or are they not true connections?
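As an added example covering both points in this thread (it is not csf's code, nor anything the participants posted): a short Python script that scans an Exim main log the way a log-watching daemon would. It separates the 435 "Unable to authenticate at present" lines that ForumAdmin says are not authentication failures as such from 535 "Incorrect authentication data" lines, which is what a genuinely wrong password produces, and it separately counts how many connections each IP has open at once, which is the question in the post just above. The regexes, the two thresholds and the 203.0.113.5 client are assumptions for illustration; the sample log is constructed from the thread's own excerpt. The per-IP open-connection rule mirrors the idea behind csf's CT_LIMIT connection-tracking option, but whether that would have caught this particular attack depends on the real settings and full log, which the thread does not show.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the Exim main-log excerpt in the thread.
# 98.230.172.199 reproduces the thread's pattern (many connections, only 435
# lines); 203.0.113.5 is an added, fictitious client that fails with 535.
SAMPLE_LOG = """\
2014-03-27 01:33:48 SMTP connection from [127.0.0.1]:35093 (TCP/IP connection count = 1)
2014-03-27 01:33:49 SMTP connection from [98.230.172.199]:45213 (TCP/IP connection count = 2)
2014-03-27 01:33:50 SMTP connection from localhost [127.0.0.1]:35093 closed by QUIT
2014-03-27 01:34:00 SMTP connection from [98.230.172.199]:12466 (TCP/IP connection count = 2)
2014-03-27 01:34:01 SMTP connection from [98.230.172.199]:22865 (TCP/IP connection count = 3)
2014-03-27 01:34:01 SMTP connection from [98.230.172.199]:57938 (TCP/IP connection count = 4)
2014-03-27 01:34:01 SMTP connection from [98.230.172.199]:4770 (TCP/IP connection count = 5)
2014-03-27 01:34:01 SMTP connection from [98.230.172.199]:13254 (TCP/IP connection count = 6)
2014-03-27 01:34:01 SMTP connection from [98.230.172.199]:53809 (TCP/IP connection count = 7)
2014-03-27 01:34:01 SMTP connection from [98.230.172.199]:6201 (TCP/IP connection count = 8)
2014-03-27 01:34:01 SMTP connection from [98.230.172.199]:58590 (TCP/IP connection count = 9)
2014-03-27 01:34:02 courier_login authenticator failed for (DATASERV-PC) [98.230.172.199]:45213: 435 Unable to authenticate at present (set_id=admin): socket read timed out inside "and{...}" condition
2014-03-27 01:34:03 SMTP connection from (DATASERV-PC) [98.230.172.199]:45213 lost
2014-03-27 01:34:03 SMTP connection from [98.230.172.199]:18146 (TCP/IP connection count = 9)
2014-03-27 01:34:03 SMTP connection from [98.230.172.199]:2203 (TCP/IP connection count = 10)
2014-03-27 01:34:04 SMTP connection from [98.230.172.199]:30001 (TCP/IP connection count = 11)
2014-03-27 01:34:14 courier_login authenticator failed for (DATASERV-PC) [98.230.172.199]:22865: 435 Unable to authenticate at present (set_id=admin): socket read timed out inside "and{...}" condition
2014-03-27 01:35:00 SMTP connection from [203.0.113.5]:40001 (TCP/IP connection count = 12)
2014-03-27 01:35:01 courier_login authenticator failed for (bruteforcer) [203.0.113.5]:40001: 535 Incorrect authentication data (set_id=admin)
2014-03-27 01:35:02 courier_login authenticator failed for (bruteforcer) [203.0.113.5]:40001: 535 Incorrect authentication data (set_id=admin)
2014-03-27 01:35:03 courier_login authenticator failed for (bruteforcer) [203.0.113.5]:40001: 535 Incorrect authentication data (set_id=admin)
2014-03-27 01:35:04 courier_login authenticator failed for (bruteforcer) [203.0.113.5]:40001: 535 Incorrect authentication data (set_id=admin)
2014-03-27 01:35:05 courier_login authenticator failed for (bruteforcer) [203.0.113.5]:40001: 535 Incorrect authentication data (set_id=admin)
"""

# Exim main-log patterns assumed for this example (not csf/lfd's own regexes).
IP = r"\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]:\d+"
AUTH_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<auth>\S+) authenticator failed for .*?" + IP
                     + r": (?P<code>\d{3}) (?P<msg>.*)$")
CONN_OPEN_RE = re.compile(r"^(?P<ts>\S+ \S+) SMTP connection from .*?" + IP
                          + r" \(TCP/IP connection count = \d+\)$")
CONN_CLOSE_RE = re.compile(r"^(?P<ts>\S+ \S+) SMTP connection from .*?" + IP
                           + r" (?:closed by QUIT|lost)$")


def classify(line):
    """Return (kind, match) with kind in {"auth", "open", "close"}, or (None, None)."""
    for kind, rx in (("auth", AUTH_RE), ("open", CONN_OPEN_RE), ("close", CONN_CLOSE_RE)):
        m = rx.match(line)
        if m:
            return kind, m
    return None, None


def analyse(log_text, fail_limit=5, conn_limit=10, ignore=frozenset({"127.0.0.1"})):
    """One pass over the log, keeping per-IP counters and two assumed triggers:
    fail_limit definitive (5xx) authenticator failures, or more than conn_limit
    connections open at once from a single IP. A 4xx failure is counted on its
    own and never trips the first trigger: the server rejected no password,
    it could not check one at all."""
    stats = defaultdict(lambda: {"definitive_failures": 0, "temporary_failures": 0,
                                 "open": 0, "peak_open": 0, "block": None})
    for line in log_text.splitlines():
        kind, m = classify(line)
        if kind is None or m.group("ip") in ignore:
            continue
        s = stats[m.group("ip")]
        if kind == "auth":
            key = "definitive_failures" if m.group("code").startswith("5") else "temporary_failures"
            s[key] += 1
        elif kind == "open":
            s["open"] += 1
            s["peak_open"] = max(s["peak_open"], s["open"])
        else:  # close: the connection count drops, the failure counters do not
            s["open"] = max(0, s["open"] - 1)
        if s["block"] is None:
            if s["definitive_failures"] >= fail_limit:
                s["block"] = f"{fail_limit} definitive authentication failures"
            elif s["open"] > conn_limit:
                s["block"] = f"more than {conn_limit} concurrent connections"
    return dict(stats)


def blocked(log_text, **kw):
    """Sorted (ip, reason) pairs for every IP the two rules would block."""
    return sorted((ip, s["block"]) for ip, s in analyse(log_text, **kw).items() if s["block"])


if __name__ == "__main__":
    for ip, s in analyse(SAMPLE_LOG).items():
        print(ip, s)
    print(blocked(SAMPLE_LOG))
```

Run against the sample, the thread's IP never accumulates a definitive failure (its two lines are both 435), so a failure-count rule alone would never block it; it is only caught by the concurrent-connection rule, and only because the assumed limit of 10 is below the number it holds open. Raising conn_limit to 20 leaves that IP unblocked while the constructed 535 client is still blocked on its fifth failure.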