I have noticed a brute force attack on my server
2014-03-27 01:34:02 courier_login authenticator failed for URLremoved (DATASERV-PC) [98.230.172.199]:45213: 435 Unable to authenticate at present (set_id=admin): socket read timed out inside "and{...}" condition
2014-03-27 01:34:14 courier_login authenticator failed for URLremoved (DATASERV-PC) [98.230.172.199]:22865: 435 Unable to authenticate at present (set_id=admin): socket read timed out inside "and{...}" condition
the forum will not let me post the URL in the log for some reason
"c-98-230-172-199*hsd1*ga*comcast*net"
There are over 4000 attempts but the IP did not get blocked.
Am I missing a setting as most attacks are stopped within 10 attempts or so.
Thanks
Billy
Am I missing something simple here
-
- Junior Member
- Posts: 4
- Joined: 28 Mar 2014, 11:57
- Location: United Kingdom
Re: Am I missing something simple here
Check this below settings , what is the settings you have?
LF_PERMBLOCK = Default: 1 [0-1]
LF_PERMBLOCK_INTERVAL = Default: 86400 [3600-604800]
LF_PERMBLOCK_COUNT = Default: 4 [1-20]
LF_PERMBLOCK_ALERT = Default: 1 [0-1]
LF_PERMBLOCK = Default: 1 [0-1]
LF_PERMBLOCK_INTERVAL = Default: 86400 [3600-604800]
LF_PERMBLOCK_COUNT = Default: 4 [1-20]
LF_PERMBLOCK_ALERT = Default: 1 [0-1]
-
- Junior Member
- Posts: 4
- Joined: 28 Mar 2014, 11:57
- Location: United Kingdom
Re: Am I missing something simple here
hi lfwej,
I have the default settings
LF_PERMBLOCK = 1
LF_PERMBLOCK_INTERVAL =86400
LF_PERMBLOCK_COUNT = 4
LF_PERMBLOCK_ALERT = 1
I have the default settings
LF_PERMBLOCK = 1
LF_PERMBLOCK_INTERVAL =86400
LF_PERMBLOCK_COUNT = 4
LF_PERMBLOCK_ALERT = 1
-
- Junior Member
- Posts: 4
- Joined: 28 Mar 2014, 11:57
- Location: United Kingdom
Re: Am I missing something simple here
I have a feeling that csf or my server configuration was overwhelmed by this attack.
I am going to put together the list of events that I see in the logs and hopefully someone will be able to shed some light on this so I can prevent this form happening again.
I am going to put together the list of events that I see in the logs and hopefully someone will be able to shed some light on this so I can prevent this form happening again.
-
- Moderator
- Posts: 1524
- Joined: 01 Oct 2008, 09:24
Re: Am I missing something simple here
Those log lines are not ones that trigger anything in csf as they are not authentication failures as such. The error suggests that the authentication daemon is being flooded with requests and is unable to cope with the number of requests.
-
- Junior Member
- Posts: 4
- Joined: 28 Mar 2014, 11:57
- Location: United Kingdom
Re: Am I missing something simple here
Thanks For the reply
Yes... that is what I have come to realise. (I'm very new to this)
I tyring to work out how the precess works and how csf stops such attacks.
When I am going through the logs to see what happened I have noticed that there are lots of connections like this (connections reach 100)
Does csf not count each of the connections in the above logs or are they not true connections
Yes... that is what I have come to realise. (I'm very new to this)
I tyring to work out how the precess works and how csf stops such attacks.
When I am going through the logs to see what happened I have noticed that there are lots of connections like this (connections reach 100)
Code: Select all
2014-03-27 01:33:39 SMTP connection from [98.230.172.199]:57734 (TCP/IP connection count = 1)
2014-03-27 01:33:47 SMTP connection from c-98-230-172-199*hsd1*ga*comcast*net (DATASERV-PC) [98.230.172.199]:57734 closed by QUIT
2014-03-27 01:33:48 SMTP connection from [127.0.0.1]:35093 (TCP/IP connection count = 1)
2014-03-27 01:33:49 SMTP connection from [98.230.172.199]:45213 (TCP/IP connection count = 2)
2014-03-27 01:33:50 SMTP connection from localhost [127.0.0.1]:35093 closed by QUIT
2014-03-27 01:33:52 SMTP connection from [98.230.172.199]:42769 (TCP/IP connection count = 2)
2014-03-27 01:33:59 SMTP connection from c-98-230-172-199*hsd1*ga*comcast*net (DATASERV-PC) [98.230.172.199]:42769 closed by QUIT
2014-03-27 01:34:00 SMTP connection from [98.230.172.199]:12466 (TCP/IP connection count = 2)
2014-03-27 01:34:01 SMTP connection from [98.230.172.199]:22865 (TCP/IP connection count = 3)
2014-03-27 01:34:01 SMTP connection from [98.230.172.199]:57938 (TCP/IP connection count = 4)
2014-03-27 01:34:01 SMTP connection from [98.230.172.199]:4770 (TCP/IP connection count = 5)
2014-03-27 01:34:01 SMTP connection from [98.230.172.199]:13254 (TCP/IP connection count = 6)
2014-03-27 01:34:01 SMTP connection from [98.230.172.199]:53809 (TCP/IP connection count = 7)
2014-03-27 01:34:01 SMTP connection from [98.230.172.199]:6201 (TCP/IP connection count = 8)
2014-03-27 01:34:01 SMTP connection from [98.230.172.199]:58590 (TCP/IP connection count = 9)
2014-03-27 01:34:02 courier_login authenticator failed for c-98-230-172-199*hsd1*ga*comcast*net (DATASERV-PC) [98.230.172.199]:45213: 435 Unable to authenticate at present (set_id=admin): socket read timed out inside "and{...}" condition
2014-03-27 01:34:03 SMTP connection from c-98-230-172-199*hsd1*ga*comcast*net (DATASERV-PC) [98.230.172.199]:45213 lost
2014-03-27 01:34:03 SMTP connection from [98.230.172.199]:18146 (TCP/IP connection count = 9)
2014-03-27 01:34:03 SMTP connection from [98.230.172.199]:2203 (TCP/IP connection count = 10)