I'm trying to prevent the following example (seen in /var/log/exim/main.log)
Code: Select all
2019-09-02 17:00:04 dovecot_login authenticator failed for (eusfjgjxli.com) [220.161.79.177]: 535 Incorrect authentication data
2019-09-02 17:00:28 dovecot_login authenticator failed for (eusfjgjxli.com) [220.161.79.177]: 535 Incorrect authentication data
2019-09-02 17:00:50 dovecot_login authenticator failed for (eusfjgjxli.com) [220.161.79.177]: 535 Incorrect authentication data
2019-09-02 17:01:14 dovecot_login authenticator failed for (eusfjgjxli.com) [220.161.79.177]: 535 Incorrect authentication data
2019-09-02 17:01:43 dovecot_login authenticator failed for (eusfjgjxli.com) [220.161.79.177]: 535 Incorrect authentication data
2019-09-02 17:01:57 dovecot_login authenticator failed for (eusfjgjxli.com) [220.161.79.177]: 535 Incorrect authentication data
2019-09-02 17:02:21 dovecot_login authenticator failed for (eusfjgjxli.com) [220.161.79.177]: 535 Incorrect authentication data
2019-09-02 17:02:43 dovecot_login authenticator failed for (eusfjgjxli.com) [220.161.79.177]: 535 Incorrect authentication data
2019-09-02 17:03:06 dovecot_login authenticator failed for (eusfjgjxli.com) [220.161.79.177]: 535 Incorrect authentication data
2019-09-02 17:03:28 dovecot_login authenticator failed for (eusfjgjxli.com) [220.161.79.177]: 535 Incorrect authentication data
2019-09-02 17:03:51 dovecot_login authenticator failed for (eusfjgjxli.com) [220.161.79.177]: 535 Incorrect authentication data
2019-09-02 17:04:13 dovecot_login authenticator failed for (eusfjgjxli.com) [220.161.79.177]: 535 Incorrect authentication data
2019-09-02 17:04:34 dovecot_login authenticator failed for (eusfjgjxli.com) [220.161.79.177]: 535 Incorrect authentication data
2019-09-02 17:04:56 dovecot_login authenticator failed for (eusfjgjxli.com) [220.161.79.177]: 535 Incorrect authentication data
2019-09-02 17:05:20 dovecot_login authenticator failed for (eusfjgjxli.com) [220.161.79.177]: 535 Incorrect authentication data
2019-09-02 17:05:41 dovecot_login authenticator failed for (eusfjgjxli.com) [220.161.79.177]: 535 Incorrect authentication data
2019-09-02 17:06:04 dovecot_login authenticator failed for (eusfjgjxli.com) [220.161.79.177]: 535 Incorrect authentication data
2019-09-02 17:06:26 dovecot_login authenticator failed for (eusfjgjxli.com) [220.161.79.177]: 535 Incorrect authentication data
2019-09-02 17:06:48 dovecot_login authenticator failed for (eusfjgjxli.com) [220.161.79.177]: 535 Incorrect authentication data
2019-09-02 17:07:16 dovecot_login authenticator failed for (eusfjgjxli.com) [220.161.79.177]: 535 Incorrect authentication data
2019-09-02 17:07:40 dovecot_login authenticator failed for (eusfjgjxli.com) [220.161.79.177]: 535 Incorrect authentication data
Code: Select all
RESTRICT_SYSLOG = "2"
RESTRICT_SYSLOG_GROUP = "mysyslog"
LF_TRIGGER = "0"
LF_SELECT = "0"
LF_IMAPD = "3"
LF_IMAPD_PERM = "1"
I believe blocked IP addresses are supposed to show in /etc/csf/csf.deny (?) but there are no recent IP addresses posted there. LFD is running because I have various entries in /var/log/lfd.log - for example:
Code: Select all
Sep 2 17:25:37 server lfd[24663]: *Suspicious Process* PID:5106 PPID:8814 User:dovenull Uptime:25323 secs EXE:/usr/libexec/dovecot/imap-login CMD:dovecot/imap-login
Sep 2 17:25:37 server lfd[24663]: *User Processing* PID:5106 Kill:0 User:dovenull Time:25323 EXE:/usr/libexec/dovecot/imap-login CMD:dovecot/imap-login
Sep 2 17:26:37 server lfd[24945]: *Suspicious Process* PID:5265 PPID:8814 User:dovenull Uptime:25299 secs EXE:/usr/libexec/dovecot/imap-login CMD:dovecot/imap-login
Sep 2 17:26:37 server lfd[24945]: *User Processing* PID:5265 Kill:0 User:dovenull Time:25299 EXE:/usr/libexec/dovecot/imap-login CMD:dovecot/imap-login