I have enabled login failure protection but it is letting a lot of attempts through:
Code:
# [*]Enable login failure detection of sshd connections
#
# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
# this file about RESTRICT_SYSLOG before enabling this option:
LF_SSHD = "5"
LF_SSHD_PERM = "1"
# [*]Enable login failure detection of ftp connections
#
# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
# this file about RESTRICT_SYSLOG before enabling this option:
LF_FTPD = "10"
LF_FTPD_PERM = "1"
# [*]Enable login failure detection of SMTP AUTH connections
LF_SMTPAUTH = "10"
LF_SMTPAUTH_PERM = "1800"
# [*]Enable syntax failure detection of Exim connections
LF_EXIMSYNTAX = "10"
LF_EXIMSYNTAX_PERM = "1"
# [*]Enable login failure detection of pop3 connections
#
# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
# this file about RESTRICT_SYSLOG before enabling this option:
LF_POP3D = "10"
LF_POP3D_PERM = "1800"
# [*]Enable login failure detection of imap connections
#
# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
# this file about RESTRICT_SYSLOG before enabling this option:
LF_IMAPD = "10"
LF_IMAPD_PERM = "1800"
However, when I check the DirectAdmin logs I get 200 messages per week of:
Code:
A brute force attack has been detected in one of your service logs.
IP 187.253.200.115 has 1605 failed login attempts: exim2=1605
Check 'Admin Level -> Brute Force Monitor' for more information
http://help.directadmin.com/item.php?id=404