LFD fails to block spamming of 'dovecot_login authenticator failed for...'

Posted: 02 Sep 2019, 17:36
by JimDeadlock
I have a VPS running CentOS 7 and CSF/LFD installed under the Webuzo management system.

I'm trying to prevent the following example (seen in /var/log/exim/main.log):

2019-09-02 17:00:04 dovecot_login authenticator failed for (eusfjgjxli.com) [220.161.79.177]: 535 Incorrect authentication data
2019-09-02 17:00:28 dovecot_login authenticator failed for (eusfjgjxli.com) [220.161.79.177]: 535 Incorrect authentication data
2019-09-02 17:00:50 dovecot_login authenticator failed for (eusfjgjxli.com) [220.161.79.177]: 535 Incorrect authentication data
2019-09-02 17:01:14 dovecot_login authenticator failed for (eusfjgjxli.com) [220.161.79.177]: 535 Incorrect authentication data
2019-09-02 17:01:43 dovecot_login authenticator failed for (eusfjgjxli.com) [220.161.79.177]: 535 Incorrect authentication data
2019-09-02 17:01:57 dovecot_login authenticator failed for (eusfjgjxli.com) [220.161.79.177]: 535 Incorrect authentication data
2019-09-02 17:02:21 dovecot_login authenticator failed for (eusfjgjxli.com) [220.161.79.177]: 535 Incorrect authentication data
2019-09-02 17:02:43 dovecot_login authenticator failed for (eusfjgjxli.com) [220.161.79.177]: 535 Incorrect authentication data
2019-09-02 17:03:06 dovecot_login authenticator failed for (eusfjgjxli.com) [220.161.79.177]: 535 Incorrect authentication data
2019-09-02 17:03:28 dovecot_login authenticator failed for (eusfjgjxli.com) [220.161.79.177]: 535 Incorrect authentication data
2019-09-02 17:03:51 dovecot_login authenticator failed for (eusfjgjxli.com) [220.161.79.177]: 535 Incorrect authentication data
2019-09-02 17:04:13 dovecot_login authenticator failed for (eusfjgjxli.com) [220.161.79.177]: 535 Incorrect authentication data
2019-09-02 17:04:34 dovecot_login authenticator failed for (eusfjgjxli.com) [220.161.79.177]: 535 Incorrect authentication data
2019-09-02 17:04:56 dovecot_login authenticator failed for (eusfjgjxli.com) [220.161.79.177]: 535 Incorrect authentication data
2019-09-02 17:05:20 dovecot_login authenticator failed for (eusfjgjxli.com) [220.161.79.177]: 535 Incorrect authentication data
2019-09-02 17:05:41 dovecot_login authenticator failed for (eusfjgjxli.com) [220.161.79.177]: 535 Incorrect authentication data
2019-09-02 17:06:04 dovecot_login authenticator failed for (eusfjgjxli.com) [220.161.79.177]: 535 Incorrect authentication data
2019-09-02 17:06:26 dovecot_login authenticator failed for (eusfjgjxli.com) [220.161.79.177]: 535 Incorrect authentication data
2019-09-02 17:06:48 dovecot_login authenticator failed for (eusfjgjxli.com) [220.161.79.177]: 535 Incorrect authentication data
2019-09-02 17:07:16 dovecot_login authenticator failed for (eusfjgjxli.com) [220.161.79.177]: 535 Incorrect authentication data
2019-09-02 17:07:40 dovecot_login authenticator failed for (eusfjgjxli.com) [220.161.79.177]: 535 Incorrect authentication data

I've set the following in /etc/csf/csf.conf and done 'sudo csf -r' and 'sudo lfd -r', but the failed login spamming continues.

RESTRICT_SYSLOG = "2"
RESTRICT_SYSLOG_GROUP = "mysyslog"
LF_TRIGGER = "0"
LF_SELECT = "0"
LF_IMAPD = "3"
LF_IMAPD_PERM = "1"

Full csf.conf is here: https://pastebin.com/sT4qQmLx

I believe blocked IP addresses are supposed to show in /etc/csf/csf.deny (?), but there are no recent IP addresses posted there. LFD is running because I have various entries in /var/log/lfd.log, for example:

Sep  2 17:25:37 server lfd[24663]: *Suspicious Process* PID:5106 PPID:8814 User:dovenull Uptime:25323 secs EXE:/usr/libexec/dovecot/imap-login CMD:dovecot/imap-login
Sep  2 17:25:37 server lfd[24663]: *User Processing* PID:5106 Kill:0 User:dovenull Time:25323 EXE:/usr/libexec/dovecot/imap-login CMD:dovecot/imap-login
Sep  2 17:26:37 server lfd[24945]: *Suspicious Process* PID:5265 PPID:8814 User:dovenull Uptime:25299 secs EXE:/usr/libexec/dovecot/imap-login CMD:dovecot/imap-login
Sep  2 17:26:37 server lfd[24945]: *User Processing* PID:5265 Kill:0 User:dovenull Time:25299 EXE:/usr/libexec/dovecot/imap-login CMD:dovecot/imap-login

Re: LFD fails to block spamming of 'dovecot_login authenticator failed for...'

Posted: 03 Sep 2019, 00:40
by BallyBasic79
These failed login attempts can be annoying. I also use CentOS 7 but with cPanel. The cPHulk Brute Force Protection is effective at catching these, but it still fills the logs.

Recently, I enabled custom regex rules to address this very situation. See /usr/local/csf/bin/regex.custom.pm for details, if you are not familiar.

# CUSTOM1_LOG = "/var/log/exim_rejectlog"
# 535 Incorrect authentication data
# 1 try; 1 day ban [customize]

	if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /^.*dovecot_.*authenticator failed for.*\[(\S+)\]:\d+:\s+535 Incorrect authentication data .*/)) {
		return ("Authenticator failed: 535 Incorrect authentication data from",$1,"dovecot_authenticator_failed","1","","86400");
	}

Hope this helps! :cool:
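Added example (not from either poster, and not CSF's own code): a small Python harness that runs the reply's regex, verbatim, over lines in the format shown in the question, then runs a relaxed variant that accepts both the "[ip]: 535" shape from the question's exim main.log and the "[ip]:port: 535" shape the reply's pattern expects, and tallies failures per IP against the LF_IMAPD-style trigger of 3. The sample lines are constructed for the example (the 203.0.113.9 / 198.51.100.7 lines, the "dovecot_plain" line and the "(set_id=info)" suffix are invented), and the relaxed pattern is this example's assumption, not something either poster wrote. Python's re and Perl agree on every construct used here, so what matches below is what would match in regex.custom.pm.

```python
import re
from collections import Counter

# Constructed sample lines (not copied from a live server): the first four use
# the exim main.log format shown in the question ("[ip]: 535 ..." with no port),
# the fifth uses the "[ip]:port: 535 ... data (set_id=...)" shape the reply's
# pattern expects, and the last is an unrelated delivery line that must not match.
SAMPLE_LINES = [
    "2019-09-02 17:00:04 dovecot_login authenticator failed for (eusfjgjxli.com) [220.161.79.177]: 535 Incorrect authentication data",
    "2019-09-02 17:00:28 dovecot_login authenticator failed for (eusfjgjxli.com) [220.161.79.177]: 535 Incorrect authentication data",
    "2019-09-02 17:00:50 dovecot_login authenticator failed for (eusfjgjxli.com) [220.161.79.177]: 535 Incorrect authentication data",
    "2019-09-02 17:01:14 dovecot_login authenticator failed for (eusfjgjxli.com) [220.161.79.177]: 535 Incorrect authentication data",
    "2019-09-02 17:01:30 dovecot_plain authenticator failed for (example.invalid) [203.0.113.9]:51234: 535 Incorrect authentication data (set_id=info)",
    "2019-09-02 17:01:40 1i4xyz-0001AB-CD <= user@example.invalid H=(mail.example.invalid) [198.51.100.7] P=esmtps S=1234",
]

# The pattern from the reply, verbatim. Two parts are strict: "]:<digits>:"
# demands a port after the IP, and "data .*" demands at least a space after
# "data". Lines shaped like the question's main.log satisfy neither.
REPLY_PATTERN = re.compile(
    r"^.*dovecot_.*authenticator failed for.*\[(\S+)\]:\d+:\s+535 Incorrect authentication data .*"
)

# Relaxed pattern (this example's assumption, not from the thread): the port is
# optional and nothing is required after "data", so both log shapes match. The
# capture group is limited to IPv4/IPv6 characters so it cannot swallow the
# parenthesised hostname or anything after the closing bracket.
RELAXED_PATTERN = re.compile(
    r"dovecot_\w+ authenticator failed for .*\[([0-9a-fA-F.:]+)\](?::\d+)?:\s+535 Incorrect authentication data"
)


def extract_ip(line, pattern=RELAXED_PATTERN):
    """Return the source IP of a 535 failure line, or None if the line does not match."""
    m = pattern.search(line)
    return m.group(1) if m else None


def count_failures(lines, pattern=RELAXED_PATTERN):
    """Count 535 failures per source IP, the way lfd tallies hits before acting."""
    counts = Counter()
    for line in lines:
        ip = extract_ip(line, pattern)
        if ip is not None:
            counts[ip] += 1
    return counts


def ips_to_block(lines, threshold=3, pattern=RELAXED_PATTERN):
    """IPs whose failure count has reached the trigger (the question sets LF_IMAPD = "3")."""
    return sorted(ip for ip, n in count_failures(lines, pattern).items() if n >= threshold)


if __name__ == "__main__":
    for name, pat in (("reply pattern", REPLY_PATTERN), ("relaxed pattern", RELAXED_PATTERN)):
        print(f"{name}: {dict(count_failures(SAMPLE_LINES, pat))}")
    print("would block:", ips_to_block(SAMPLE_LINES))
```

Run as-is, the reply's pattern sees none of the four 220.161.79.177 failures and only the constructed port-bearing line, while the relaxed pattern counts all five and 220.161.79.177 crosses the trigger. The practical check this suggests before relying on a custom rule is to paste a real line from the log that CUSTOM1_LOG points at into a harness like this one: a pattern written for /var/log/exim_rejectlog on cPanel will not necessarily fit /var/log/exim/main.log on Webuzo. Separately, CSF has a distinct LF_SMTPAUTH setting (with SMTPAUTH_LOG) for SMTP AUTH failures recorded by exim, whereas LF_IMAPD covers IMAP login failures, so it is worth confirming which of the two the lines in question fall under.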