Distributed IPs attack over large timespan

zsimaiof
Junior Member
Posts: 2
Joined: 14 Sep 2023, 08:04

Distributed IPs attack over large timespan

Post by zsimaiof »

Hello,
I am facing a big problem.
I am using CSF with cPanel/WHM.
Please take a look at this part of the exim_mainlog, which shows some of the 4000 failed Dovecot logins over the last 5 days:

Code:

	2023-09-15 06:54:10 dovecot_login authenticator failed for 107.40.3.213.static.wline.lns.sme.cust.swisscom.ch [213.3.40.107]:43582: 535 Incorrect authentication data (set_id=abuse@domain.com)
	2023-09-15 06:54:23 dovecot_login authenticator failed for (187-93-74-213.customer.tdatabrasil.net.br) [187.50.67.114]:36717: 535 Incorrect authentication data (set_id=abuse)
	2023-09-15 06:55:16 dovecot_login authenticator failed for ([82.102.157.161]) [82.102.157.161]:37405: 535 Incorrect authentication data (set_id=milkplan@domain.com)
	2023-09-15 06:55:26 dovecot_login authenticator failed for (azteca-comunicaciones.com) [186.179.100.229]:1279: 535 Incorrect authentication data (set_id=milkplan)
	2023-09-15 06:57:22 dovecot_login authenticator failed for (vipturbo.com.br) [191.36.156.53]:42420: 535 Incorrect authentication data (set_id=mailer-daemon@athos-villas.gr)
	2023-09-15 06:57:36 dovecot_login authenticator failed for mail.simplexinfra.co.in [115.248.74.208]:40317: 535 Incorrect authentication data (set_id=mailer-daemon)
	2023-09-15 07:01:27 dovecot_login authenticator failed for h-94-254-12-27.a268.priv.bahnhof.se [94.254.12.27]:37264: 535 Incorrect authentication data (set_id=webmaster@domain.com)
	2023-09-15 07:01:42 dovecot_login authenticator failed for ([120.201.248.7]) [120.201.248.6]:2363: 535 Incorrect authentication data (set_id=webmaster)
	2023-09-15 07:02:09 dovecot_login authenticator failed for ([223.84.248.209]) [223.84.248.209]:1430: 535 Incorrect authentication data (set_id=k.nancy@domain.com)
	2023-09-15 07:02:25 dovecot_login authenticator failed for ([113.107.244.103]) [14.155.212.100]:34788: 535 Incorrect authentication data (set_id=k.nancy)
	2023-09-15 07:04:43 dovecot_login authenticator failed for (m121-202-193-32.smartone.com) [121.202.193.32]:35514: 535 Incorrect authentication data (set_id=mailer-daemon@domain.com)
	2023-09-15 07:04:54 dovecot_login authenticator failed for ([60.172.54.36]) [60.172.54.36]:47256: 535 Incorrect authentication data (set_id=mailer-daemon)
	2023-09-15 07:06:53 dovecot_login authenticator failed for ([219.159.229.112]) [219.159.229.112]:34905: 535 Incorrect authentication data (set_id=welcome@domain.com)
	2023-09-15 07:07:07 dovecot_login authenticator failed for (fibra-a-la-casa-189-226.jdimax.com) [190.93.189.226]:34827: 535 Incorrect authentication data (set_id=sav@domain.com)
	2023-09-15 07:07:23 dovecot_login authenticator failed for (120.245.223.60.adsl-pool.sx.cn) [60.223.245.120]:43068: 535 Incorrect authentication data (set_id=sav)
	2023-09-15 07:07:28 dovecot_login authenticator failed for ([111.23.117.97]) [111.23.117.97]:47113: 535 Incorrect authentication data (set_id=welcome)
	2023-09-15 07:09:46 dovecot_login authenticator failed for (abts-kk-static-192.252.166.122.airtelbroadband.in) [122.166.252.192]:33800: 535 Incorrect authentication data (set_id=n.kor@domain.com)
	2023-09-15 07:09:59 dovecot_login authenticator failed for ([129.146.164.36]) [129.146.164.36]:42231: 535 Incorrect authentication data (set_id=n.kor)
	2023-09-15 07:10:01 dovecot_login authenticator failed for ([58.218.45.38]) [58.218.45.38]:35791: 535 Incorrect authentication data (set_id=n.kor@domain.com)
	2023-09-15 07:11:41 dovecot_login authenticator failed for ([203.91.121.231]) [203.91.121.231]:42142: 535 Incorrect authentication data (set_id=accounting@domain.com)
	2023-09-15 07:11:59 dovecot_login authenticator failed for (vipturbo.com.br) [191.36.147.25]:44499: 535 Incorrect authentication data (set_id=accounting)
	2023-09-15 07:12:23 dovecot_login authenticator failed for ([61.81.4.43]) [61.81.4.43]:51986: 535 Incorrect authentication data (set_id=mailer-daemon@domain.com.com)
	2023-09-15 07:12:35 dovecot_login authenticator failed for ([39.165.99.219]) [39.165.99.219]:35693: 535 Incorrect authentication data (set_id=mailer-daemon)
	2023-09-15 07:13:39 dovecot_login authenticator failed for 93-42-155-2.ip87.fastwebnet.it [93.42.155.2]:49930: 535 Incorrect authentication data (set_id=k.krit@domain.com)
	2023-09-15 07:13:51 dovecot_login authenticator failed for ([193.200.116.76]) [193.200.116.76]:57910: 535 Incorrect authentication data (set_id=k.krit)
	2023-09-15 07:14:38 dovecot_login authenticator failed for ([61.143.59.18]) [61.143.59.18]:42181: 535 Incorrect authentication data
	2023-09-15 07:14:53 dovecot_login authenticator failed for ([171.212.103.245]) [171.212.103.245]:37002: 535 Incorrect authentication data (set_id=kor@domain.com)
	2023-09-15 07:15:09 dovecot_login authenticator failed for (dynamic-ip-adsl.metfone.com.kh) [175.100.107.238]:44302: 535 Incorrect authentication data (set_id=kor)
	2023-09-15 07:17:11 dovecot_login authenticator failed for ([103.159.21.115]) [103.159.21.114]:56234: 535 Incorrect authentication data (set_id=exports@domain.com)
	2023-09-15 07:17:29 dovecot_login authenticator failed for 111-70-5-129.emome-ip.hinet.net [111.70.5.129]:36944: 535 Incorrect authentication data (set_id=exports)
	2023-09-15 07:19:33 dovecot_login authenticator failed for ([114.107.225.104]) [114.107.225.104]:48236: 535 Incorrect authentication data (set_id=sav@domain.com)
	2023-09-15 07:19:55 dovecot_login authenticator failed for ([138.2.32.177]) [36.161.239.121]:37396: 535 Incorrect authentication data (set_id=sav)
	2023-09-15 07:25:05 dovecot_login authenticator failed for (m121-202-200-207.smartone.com) [121.202.200.207]:53882: 535 Incorrect authentication data (set_id=menteti@domain.com)
	2023-09-15 07:25:22 dovecot_login authenticator failed for (177.76.245.49.unknown.m1.com.sg) [49.245.76.177]:34753: 535 Incorrect authentication data (set_id=menteti)
	2023-09-15 07:25:31 dovecot_login authenticator failed for ([139.198.16.118]) [139.198.16.118]:51210: 535 Incorrect authentication data (set_id=tri@domain.com)
	2023-09-15 07:25:51 dovecot_login authenticator failed for ([36.97.144.36]) [36.97.144.36]:47505: 535 Incorrect authentication data (set_id=tri)
	2023-09-15 07:26:38 dovecot_login authenticator failed for (abts-north-static-241.26.176.122.airtelbroadband.in) [122.176.26.241]:52612: 535 Incorrect authentication data (set_id=mailer-daemon@domain.com)
	2023-09-15 07:26:47 dovecot_login authenticator failed for (88-149-198-156.static.eolo.it) [88.149.198.156]:39192: 535 Incorrect authentication data (set_id=mailer-daemon)
	2023-09-15 07:27:34 dovecot_login authenticator failed for ([222.218.17.199]) [222.218.17.199]:56503: 535 Incorrect authentication data (set_id=lsimeridis@domain.com)
	2023-09-15 07:27:55 dovecot_login authenticator failed for (abts-tn-static-124.232.165.122.airtelbroadband.in) [49.204.132.90]:64302: 535 Incorrect authentication data (set_id=lsimeridis)
	2023-09-15 07:37:11 dovecot_login authenticator failed for (nsg-corporate-212.230.187.122.airtel.in) [122.187.230.212]:34317: 535 Incorrect authentication data (set_id=hr@domain.com)
	2023-09-15 07:37:34 dovecot_login authenticator failed for ([112.26.99.92]) [112.26.99.92]:39886: 535 Incorrect authentication data
	2023-09-15 07:37:42 dovecot_login authenticator failed for ([218.56.153.66]) [218.56.155.106]:40863: 535 Incorrect authentication data (set_id=k.nancy@domain.com)
	2023-09-15 07:37:46 dovecot_login authenticator failed for (nsg-corporate-174.229.187.122.airtel.in) [122.187.229.174]:54132: 535 Incorrect authentication data (set_id=hr)
	2023-09-15 07:38:02 dovecot_login authenticator failed for ([39.152.8.214]) [39.152.8.214]:59976: 535 Incorrect authentication data (set_id=k.nancy)
	2023-09-15 07:42:31 dovecot_login authenticator failed for (18.70.4.122.broad.qd.sd.dynamic.163data.com.cn) [122.4.70.58]:45998: 535 Incorrect authentication data (set_id=welcome@domain.com)
	2023-09-15 07:43:03 dovecot_login authenticator failed for ([221.0.111.113]) [221.0.111.113]:51650: 535 Incorrect authentication data (set_id=welcome)
	2023-09-15 07:45:18 dovecot_login authenticator failed for (dhcp.tripleplay.in) [103.253.175.12]:38046: 535 Incorrect authentication data (set_id=tri@domain.com)
	2023-09-15 07:45:50 dovecot_login authenticator failed for ([115.23.23.94]) [115.23.23.94]:45480: 535 Incorrect authentication data (set_id=tri)
	2023-09-15 07:46:52 dovecot_login authenticator failed for ([165.169.72.234]) [165.169.72.234]:57020: 535 Incorrect authentication data (set_id=athos-villas@athos-villas.gr)
	2023-09-15 07:47:04 dovecot_login authenticator failed for ([41.175.29.82]) [41.175.29.82]:57869: 535 Incorrect authentication data (set_id=athos-villas)
	2023-09-15 07:47:17 dovecot_login authenticator failed for (gen-173-095-235-227.biz.spectrum.com) [173.95.235.227]:35440: 535 Incorrect authentication data (set_id=accounting@domain.com)
	2023-09-15 07:47:35 dovecot_login authenticator failed for (138.219.244.10.static.softdados.net) [138.219.244.10]:50064: 535 Incorrect authentication data (set_id=accounting)
	2023-09-15 07:49:10 dovecot_login authenticator failed for ([58.254.188.225]) [58.254.188.225]:51231: 535 Incorrect authentication data (set_id=k.krit@domain.com)
	2023-09-15 07:49:36 dovecot_login authenticator failed for ([115.46.88.68]) [115.46.88.68]:47400: 535 Incorrect authentication data (set_id=k.krit)
	2023-09-15 07:49:44 dovecot_login authenticator failed for (host103-163-100-78.entirebroadband.com) [103.163.100.78]:44726: 535 Incorrect authentication data (set_id=welcome@domain.com)
	2023-09-15 07:50:03 dovecot_login authenticator failed for ([211.105.186.192]) [211.105.186.192]:45002: 535 Incorrect authentication data (set_id=welcome)
	2023-09-15 07:50:42 dovecot_login authenticator failed for (static.vnpt.vn) [117.4.201.6]:63265: 535 Incorrect authentication data (set_id=menteti@domain.com)
	2023-09-15 07:50:58 dovecot_login authenticator failed for 111-70-15-198.emome-ip.hinet.net [111.70.15.198]:60341: 535 Incorrect authentication data (set_id=menteti)
	2023-09-15 07:51:50 dovecot_login authenticator failed for ([103.145.27.106]) [103.145.27.1]:48782: 535 Incorrect authentication data (set_id=exports@domain.com)
	2023-09-15 07:52:04 dovecot_login authenticator failed for ([110.242.49.234]) [110.242.49.234]:33535: 535 Incorrect authentication data (set_id=exports)
	2023-09-15 08:05:02 dovecot_login authenticator failed for (ip-201-168-130-242.marcatel.net.mx) [201.168.130.242]:37164: 535 Incorrect authentication data (set_id=welcome@domain.com)
	2023-09-15 08:05:03 dovecot_login authenticator failed for (56.188.165.124.adsl-pool.sx.cn) [116.135.13.165]:44984: 535 Incorrect authentication data (set_id=welcome@domain.com)
	2023-09-15 08:05:11 dovecot_login authenticator failed for (8.70.4.122.broad.qd.sd.dynamic.163data.com.cn) [122.4.70.58]:33166: 535 Incorrect authentication data (set_id=webmaster@domain.com)
	2023-09-15 08:05:21 dovecot_login authenticator failed for ([106.51.64.74]) [106.51.64.74]:42342: 535 Incorrect authentication data (set_id=welcome)
	2023-09-15 08:05:26 dovecot_login authenticator failed for ([111.40.89.207]) [111.40.89.207]:43555: 535 Incorrect authentication data (set_id=webmaster)
	2023-09-15 08:05:34 dovecot_login authenticator failed for ([115.236.24.10]) [115.236.24.10]:50979: 535 Incorrect authentication data (set_id=welcome)
	2023-09-15 08:05:36 dovecot_login authenticator failed for ([211.226.37.220]) [211.226.37.220]:45342: 535 Incorrect authentication data (set_id=exports@domain.com)
	2023-09-15 08:05:53 dovecot_login authenticator failed for cpe-70-114-142-208.austin.res.rr.com [70.114.142.208]:48350: 535 Incorrect authentication data (set_id=exports)
	2023-09-15 08:07:53 dovecot_login authenticator failed for ([203.90.233.59]) [173.248.245.77]:60470: 535 Incorrect authentication data (set_id=milkplan@domain.com)
	2023-09-15 08:08:31 dovecot_login authenticator failed for ([113.203.194.223]) [113.203.194.223]:43554: 535 Incorrect authentication data (set_id=milkplan)
	2023-09-15 08:08:53 dovecot_login authenticator failed for ([1.254.140.135]) [1.254.140.135]:53920: 535 Incorrect authentication data (set_id=milkplan)
	2023-09-15 08:15:43 dovecot_login authenticator failed for ([61.183.43.155]) [61.183.43.155]:52726: 535 Incorrect authentication data (set_id=postmaster@domain.com)
	2023-09-15 08:15:56 dovecot_login authenticator failed for ([200.174.29.180]) [200.174.29.180]:31582: 535 Incorrect authentication data (set_id=postmaster)
	2023-09-15 08:21:35 dovecot_login authenticator failed for ([61.81.143.68]) [61.81.143.68]:44354: 535 Incorrect authentication data (set_id=postmaster@domain.com)
	2023-09-15 08:21:48 dovecot_login authenticator failed for ([14.51.14.47]) [14.51.14.47]:42562: 535 Incorrect authentication data (set_id=postmaster)
	2023-09-15 08:22:55 dovecot_login authenticator failed for ([120.195.116.114]) [120.195.116.114]:7610: 535 Incorrect authentication data (set_id=accounting@domain.com)
	2023-09-15 08:23:00 dovecot_login authenticator failed for 51.42.72.34.bc.googleusercontent.com [34.72.42.51]:52101: 535 Incorrect authentication data (set_id=k.nancy@domain.com)
	2023-09-15 08:23:17 dovecot_login authenticator failed for ([164.164.112.10]) [164.164.112.10]:45924: 535 Incorrect authentication data (set_id=k.nancy)
	2023-09-15 08:23:18 dovecot_login authenticator failed for ([112.5.10.207]) [112.5.10.207]:45517: 535 Incorrect authentication data (set_id=accounting)
	2023-09-15 08:29:54 dovecot_login authenticator failed for (201-174-58-110.transtelco.net) [201.174.58.110]:38922: 535 Incorrect authentication data (set_id=k.krit@domain.com)
	2023-09-15 08:30:09 dovecot_login authenticator failed for (abts-mum-static-207.112.70.182.airtelbroadband.in) [182.70.112.207]:53190: 535 Incorrect authentication data (set_id=k.krit)
	2023-09-15 08:33:25 dovecot_login authenticator failed for ([106.91.215.99]) [106.91.215.99]:41172: 535 Incorrect authentication data (set_id=welcome@domain.com)
	2023-09-15 08:33:39 dovecot_login authenticator failed for (nsg-corporate-80.229.187.122.airtel.in) [122.187.229.80]:50552: 535 Incorrect authentication data (set_id=welcome)
	2023-09-15 08:38:56 dovecot_login authenticator failed for ([176.121.215.2]) [176.121.215.2]:53062: 535 Incorrect authentication data (set_id=sav@domain.com)
	2023-09-15 08:39:18 dovecot_login authenticator failed for ([223.84.248.209]) [223.84.248.209]:1561: 535 Incorrect authentication data (set_id=sav)
	2023-09-15 08:41:09 dovecot_login authenticator failed for ([196.28.226.66]) [196.28.226.66]:56066: 535 Incorrect authentication data (set_id=accounting@domain.com)
	2023-09-15 08:41:26 dovecot_login authenticator failed for (103.249.163.124.adsl-pool.sx.cn) [124.163.249.13]:28560: 535 Incorrect authentication data (set_id=accounting)
	2023-09-15 08:45:04 dovecot_login authenticator failed for (183.70.4.122.broad.qd.sd.dynamic.163data.com.cn) [122.4.70.58]:41610: 535 Incorrect authentication data (set_id=abuse@domain.com.com)
	2023-09-15 08:45:25 dovecot_login authenticator failed for ([103.146.50.91]) [103.146.50.91]:59586: 535 Incorrect authentication data (set_id=abuse)
	2023-09-15 08:46:04 dovecot_login authenticator failed for ([61.153.208.38]) [61.153.208.38]:13077: 535 Incorrect authentication data (set_id=menteti@domain.com)
	2023-09-15 08:46:22 dovecot_login authenticator failed for ([223.83.138.102]) [223.83.138.102]:53407: 535 Incorrect authentication data (set_id=menteti)
The crazy thing is that the same IP is used only a few times, or even only a single time.

And even if it is used more than once, the attempts (coming from that particular IP) are spread over a timespan of many hours or even days.

What can I do to stop this?

Increasing LF_INTERVAL and lowering LF_SMTPAUTH (to 2 or 3) could only stop a small part of these attempts.

I have strong passwords on my email accounts and, besides, most of the usernames they try do not even exist.

Is there any other way to force-stop these attacks?

but they won't stop.

Please help :(
Sergio
Junior Member
Posts: 1712
Joined: 12 Dec 2006, 14:56

Re: Distributed IPs attack over large timespan

Post by Sergio »

One option could be to use cPhulk to block those attacks.
Also, you can create your own script to block a 0/24 if more than 10 different IPs from the same 0/24 range are attacking your server.
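A script along the lines Sergio describes, written here as an added example that is not from the thread or from CSF: it parses dovecot_login failures in the exim_mainlog format quoted above, counts distinct source IPs per /24 no matter how far apart in time the attempts are, and renders csf.deny-style entries for ranges over the threshold. The sample log lines, the function names and the exact csf.deny line format are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the exim_mainlog format quoted above (documentation
# address ranges, not the real ones from the thread): 11 distinct IPs in
# 203.0.113.0/24, 3 in 198.51.100.0/24, and one line without a set_id.
_SAMPLE_HITS = [(f"203.0.113.{i}", "welcome@domain.com" if i % 2 else "welcome")
                for i in range(1, 12)]
_SAMPLE_HITS += [("198.51.100.5", "abuse"), ("198.51.100.77", "abuse@domain.com")]
SAMPLE_LOG = "\n".join(
    f"2023-09-15 07:{i:02d}:00 dovecot_login authenticator failed for ([{ip}]) "
    f"[{ip}]:4{i:04d}: 535 Incorrect authentication data (set_id={user})"
    for i, (ip, user) in enumerate(_SAMPLE_HITS)
) + ("\n2023-09-15 07:30:00 dovecot_login authenticator failed for ([198.51.100.9]) "
     "[198.51.100.9]:42181: 535 Incorrect authentication data")

# The source address is the bracketed IPv4 directly before ":port:"; the rDNS
# name in front of it can itself contain a bracketed (and unreliable) address,
# so the pattern anchors on the port rather than on the first bracket.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) dovecot_login authenticator failed for "
    r".*?\[(?P<ip>[0-9.]+)\]:\d+: 535 Incorrect authentication data"
    r"(?: \(set_id=(?P<user>[^)]*)\))?$"
)

def parse_failures(lines):
    """Yield (timestamp, source_ip, set_id) for each dovecot_login failure line."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("ts"), m.group("ip"), m.group("user") or ""

def offending_subnets(lines, min_distinct_ips=10, prefix_len=24):
    """Map each /prefix_len with at least min_distinct_ips distinct failing
    source IPs (regardless of how spread out in time) to its sorted IP list."""
    by_net = defaultdict(set)
    for _, ip, _ in parse_failures(lines):
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        by_net[net].add(ipaddress.ip_address(ip))
    return {net: sorted(ips) for net, ips in by_net.items()
            if len(ips) >= min_distinct_ips}

def deny_lines(subnets, comment="distributed dovecot_login failures"):
    """Render one 'CIDR # comment' entry per subnet (csf.deny line format
    assumed here; review the list before adding anything to the firewall)."""
    return [f"{net} # {comment} from {len(ips)} distinct IPs"
            for net, ips in sorted(subnets.items(), key=lambda kv: str(kv[0]))]

if __name__ == "__main__":
    for entry in deny_lines(offending_subnets(SAMPLE_LOG.splitlines())):
        print(entry)
```

Run it against the real file (for example by passing `open("/var/log/exim_mainlog")` to `offending_subnets`) and tune `min_distinct_ips` to the traffic; legitimate customers sharing a carrier-grade NAT range can also exceed a low threshold.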