
dovecot_login authenticator failed for (ylmf-pc)

Posted: 20 Aug 2011, 08:28
by vmicovic
Hello

I am using your csf service on 2 dedicated servers, where almost every day I get attack reports from different IP addresses on both servers with the same computer name:

1.
Time: Thu Aug 18 11:46:45 2011 -0500
IP: 183.1.164.118 (CN/China/-)
Failures: 5 (smtpauth)
Interval: 300 seconds
Blocked: Permanent Block
Log entries:

2011-08-18 11:46:24 dovecot_login authenticator failed for (ylmf-pc) [183.1.164.118]: 535 Incorrect authentication data (set_id=designs)
2011-08-18 11:46:30 dovecot_login authenticator failed for (ylmf-pc) [183.1.164.118]: 535 Incorrect authentication data (set_id=designs)
2011-08-18 11:46:34 dovecot_login authenticator failed for (ylmf-pc) [183.1.164.118]: 535 Incorrect authentication data (set_id=designs)
2011-08-18 11:46:38 dovecot_login authenticator failed for (ylmf-pc) [183.1.164.118]: 535 Incorrect authentication data (set_id=designs)
2011-08-18 11:46:42 dovecot_login authenticator failed for (ylmf-pc) [183.1.164.118]: 535 Incorrect authentication data (set_id=designs)

2.
Time: Sat Aug 20 02:11:48 2011 +0100
IP: 59.58.240.66 (CN/China/-)
Failures: 10 (smtpauth)
Interval: 300 seconds
Blocked: Permanent Block
Log entries:

2011-08-20 02:10:52 dovecot_login authenticator failed for (ylmf-pc) [59.58.240.66]: 535 Incorrect authentication data (set_id=enquiries)
2011-08-20 02:10:58 dovecot_login authenticator failed for (ylmf-pc) [59.58.240.66]: 535 Incorrect authentication data (set_id=enquiries)
2011-08-20 02:11:04 dovecot_login authenticator failed for (ylmf-pc) [59.58.240.66]: 535 Incorrect authentication data (set_id=enquiries)
2011-08-20 02:11:10 dovecot_login authenticator failed for (ylmf-pc) [59.58.240.66]: 535 Incorrect authentication data (set_id=enquiries)
2011-08-20 02:11:16 dovecot_login authenticator failed for (ylmf-pc) [59.58.240.66]: 535 Incorrect authentication data (set_id=enquiries)
2011-08-20 02:11:22 dovecot_login authenticator failed for (ylmf-pc) [59.58.240.66]: 535 Incorrect authentication data (set_id=enquiries)
2011-08-20 02:11:28 dovecot_login authenticator failed for (ylmf-pc) [59.58.240.66]: 535 Incorrect authentication data (set_id=enquiries)
2011-08-20 02:11:33 dovecot_login authenticator failed for (ylmf-pc) [59.58.240.66]: 535 Incorrect authentication data (set_id=enquiries)
2011-08-20 02:11:39 dovecot_login authenticator failed for (ylmf-pc) [59.58.240.66]: 535 Incorrect authentication data (set_id=enquiries)
2011-08-20 02:11:45 dovecot_login authenticator failed for (ylmf-pc) [59.58.240.66]: 535 Incorrect authentication data (set_id=enquiries)



I searched on the internet to see if anyone else has the same problem, and yes, please check:
https://encrypted.google.com/search?q=d ... 54&bih=771


Does anyone maybe know if this is a mistake by csf, or what?



Thank you!

Re: dovecot_login authenticator failed for (ylmf-pc)

Posted: 24 Aug 2011, 17:05
by vmicovic
I temporarily resolved this by banning the CN country.

Re: dovecot_login authenticator failed for (ylmf-pc)

Posted: 29 Aug 2011, 10:48
by chirpy
What, exactly, isn't csf doing that it should? It's detected the attempt and blocked it.

Re: dovecot_login authenticator failed for (ylmf-pc)

Posted: 13 Oct 2011, 04:31
by mikelegg
CSF does its job by blocking the source IPs of these brute force hacking attempts. As a result, it's continually blocking dozens of IPs.

Does anyone know a way (via CSF, mod_security or some other means) to block all SMTP traffic that originates from computers named "ylmf-pc"?

Re: dovecot_login authenticator failed for (ylmf-pc)

Posted: 13 Oct 2011, 06:00
by Sergio
It is not possible to know the name of the computer in Apache, so mod_security couldn't help. The best way to deal with this is to block the range of IPs that are trying to hack into your accounts.

What I have done to block this is to create a set of rules in IPTABLES to block the range of the offending IP, as an entire country like China will fill 3,496 IPTABLES rules.

So, for example, if the offending IP is 59.58.240.66, you can block the range to which the IP belongs, in this case 59.56.0.0/14. In my case I have, so far, blocked 71 IP ranges and the attacks stopped, and 71 rules are better than 3,500.

To have a list of China's IP address, you can download it from countryipblocks dot net.

Also, try to build your own IPTABLES chain, being careful to create your csfpost.sh script in order to rebuild your chain every time that CSF is restarted.
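As an added example, not Sergio's own script: a Python sketch of the range-blocking approach above, which maps each blocked IP to the listed range it falls in and emits the iptables lines a csfpost.sh-style script would run. The country list, the chain name BLOCKRANGES and the entries other than 59.56.0.0/14 are constructed assumptions for the example.

```python
import ipaddress

# Constructed stand-in for a country block list in CIDR form (the thread points
# at countryipblocks dot net for the real one). 59.56.0.0/14 is the range Sergio
# names for 59.58.240.66; the other two entries are made up for this example.
COUNTRY_RANGES = [ipaddress.ip_network(n)
                  for n in ("59.56.0.0/14", "183.0.0.0/10", "1.180.0.0/14")]
# IPs from the alerts quoted in this thread, plus one documentation address.
OFFENDERS = ["59.58.240.66", "183.1.164.118", "1.186.83.36", "192.0.2.1"]

def covering_range(ip, ranges):
    """Most specific listed range containing ip, or None if the IP is not listed."""
    addr = ipaddress.ip_address(ip)
    hits = [n for n in ranges if addr in n]
    return max(hits, key=lambda n: n.prefixlen) if hits else None

def ranges_to_block(offenders, ranges):
    """Collapse per-IP blocks into the listed ranges they fall in (deduplicated),
    and report IPs outside the list, which a country list cannot cover."""
    nets, unmatched = set(), []
    for ip in offenders:
        net = covering_range(ip, ranges)
        if net is None:
            unmatched.append(ip)
        else:
            nets.add(net)
    return sorted(nets), unmatched

def iptables_rules(nets, chain="BLOCKRANGES"):
    """Shell lines for a csfpost.sh-style script: (re)create a custom chain, hook
    it into INPUT once, then add one DROP rule per range. Chain name is made up."""
    rules = [f"iptables -N {chain} 2>/dev/null || iptables -F {chain}",
             f"iptables -C INPUT -j {chain} 2>/dev/null || iptables -I INPUT -j {chain}"]
    rules += [f"iptables -A {chain} -s {net} -j DROP" for net in nets]
    return rules

if __name__ == "__main__":
    nets, unmatched = ranges_to_block(OFFENDERS, COUNTRY_RANGES)
    print("\n".join(iptables_rules(nets)))
    print("not in the country list:", unmatched)
```

With the sample list, the four offending IPs collapse to two range rules, and the Indian address is reported as not covered, which is the gap yiapls describes later in the thread.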

Re: dovecot_login authenticator failed for (ylmf-pc)

Posted: 18 Oct 2011, 06:14
by mikelegg
That's a good idea Sergio. I tend to do that any time I get multiple Chinese IPs blocked within a single range.

At the moment I'm looking at what can be done in Exim. The acl_smtp_connect rule might be helpful, but I don't know what its full capabilities are yet.

Re: dovecot_login authenticator failed for (ylmf-pc)

Posted: 24 Jul 2013, 03:54
by yiapls
I've had the same experience; blocking China IPs will not solve the issue, because it's not just coming from China. Any suggestions?

1. )
Time: Wed Jul 24 10:35:27 2013 +0800
IP: 1.186.83.36 (IN/India/1.186.83.36)
Failures: 15 (smtpauth)
Interval: 300 seconds
Blocked: Permanent Block

Log entries:

2013-07-24 10:34:44 dovecot_login authenticator failed for (ylmf-pc) [1.186.83.36]:57088: 535 Incorrect authentication data (set_id=info)
2013-07-24 10:34:47 dovecot_login authenticator failed for (ylmf-pc) [1.186.83.36]:62564: 535 Incorrect authentication data (set_id=info)
2013-07-24 10:34:50 dovecot_login authenticator failed for (ylmf-pc) [1.186.83.36]:61863: 535 Incorrect authentication data (set_id=info)
2013-07-24 10:34:53 dovecot_login authenticator failed for (ylmf-pc) [1.186.83.36]:49477: 535 Incorrect authentication data (set_id=info)
2013-07-24 10:34:56 dovecot_login authenticator failed for (ylmf-pc) [1.186.83.36]:55963: 535 Incorrect authentication data (set_id=info)
2013-07-24 10:34:59 dovecot_login authenticator failed for (ylmf-pc) [1.186.83.36]:58445: 535 Incorrect authentication data (set_id=info)
2013-07-24 10:35:02 dovecot_login authenticator failed for (ylmf-pc) [1.186.83.36]:62695: 535 Incorrect authentication data (set_id=info)
2013-07-24 10:35:05 dovecot_login authenticator failed for (ylmf-pc) [1.186.83.36]:52527: 535 Incorrect authentication data (set_id=info)
2013-07-24 10:35:08 dovecot_login authenticator failed for (ylmf-pc) [1.186.83.36]:62039: 535 Incorrect authentication data (set_id=info)
2013-07-24 10:35:12 dovecot_login authenticator failed for (ylmf-pc) [1.186.83.36]:60695: 535 Incorrect authentication data (set_id=info)
2013-07-24 10:35:15 dovecot_login authenticator failed for (ylmf-pc) [1.186.83.36]:62872: 535 Incorrect authentication data (set_id=info)
2013-07-24 10:35:18 dovecot_login authenticator failed for (ylmf-pc) [1.186.83.36]:57838: 535 Incorrect authentication data (set_id=info)
2013-07-24 10:35:21 dovecot_login authenticator failed for (ylmf-pc) [1.186.83.36]:64823: 535 Incorrect authentication data (set_id=info)
2013-07-24 10:35:24 dovecot_login authenticator failed for (ylmf-pc) [1.186.83.36]:54194: 535 Incorrect authentication data (set_id=info)
2013-07-24 10:35:27 dovecot_login authenticator failed for (ylmf-pc) [1.186.83.36]:53498: 535 Incorrect authentication data (set_id=info)

2. )
Time: Fri Jun 21 22:22:40 2013 +0800
IP: 209.105.176.15 (US/United States/dsl-209-105-176-15)
Failures: 15 (smtpauth)
Interval: 300 seconds
Blocked: Permanent Block

Log entries:

2013-06-21 22:22:10 dovecot_login authenticator failed for (ylmf-pc) [209.105.176.15]:15998: 535 Incorrect authentication data (set_id=info)
2013-06-21 22:22:12 dovecot_login authenticator failed for (ylmf-pc) [209.105.176.15]:61863: 535 Incorrect authentication data (set_id=info)
2013-06-21 22:22:14 dovecot_login authenticator failed for (ylmf-pc) [209.105.176.15]:33018: 535 Incorrect authentication data (set_id=info)
2013-06-21 22:22:16 dovecot_login authenticator failed for (ylmf-pc) [209.105.176.15]:23482: 535 Incorrect authentication data (set_id=info)
2013-06-21 22:22:18 dovecot_login authenticator failed for (ylmf-pc) [209.105.176.15]:6972: 535 Incorrect authentication data (set_id=info)
2013-06-21 22:22:20 dovecot_login authenticator failed for (ylmf-pc) [209.105.176.15]:65489: 535 Incorrect authentication data (set_id=info)
2013-06-21 22:22:22 dovecot_login authenticator failed for (ylmf-pc) [209.105.176.15]:52021: 535 Incorrect authentication data (set_id=info)
2013-06-21 22:22:24 dovecot_login authenticator failed for (ylmf-pc) [209.105.176.15]:5236: 535 Incorrect authentication data (set_id=info)
2013-06-21 22:22:26 dovecot_login authenticator failed for (ylmf-pc) [209.105.176.15]:63516: 535 Incorrect authentication data (set_id=info)
2013-06-21 22:22:28 dovecot_login authenticator failed for (ylmf-pc) [209.105.176.15]:29209: 535 Incorrect authentication data (set_id=info)
2013-06-21 22:22:30 dovecot_login authenticator failed for (ylmf-pc) [209.105.176.15]:42814: 535 Incorrect authentication data (set_id=info)
2013-06-21 22:22:32 dovecot_login authenticator failed for (ylmf-pc) [209.105.176.15]:61705: 535 Incorrect authentication data (set_id=info)
2013-06-21 22:22:34 dovecot_login authenticator failed for (ylmf-pc) [209.105.176.15]:55836: 535 Incorrect authentication data (set_id=info)
2013-06-21 22:22:36 dovecot_login authenticator failed for (ylmf-pc) [209.105.176.15]:11335: 535 Incorrect authentication data (set_id=info)
2013-06-21 22:22:38 dovecot_login authenticator failed for (ylmf-pc) [209.105.176.15]:62093: 535 Incorrect authentication data (set_id=info)


3. )
Time: Fri Jun 21 03:46:19 2013 +0800
IP: 206.205.106.148 (US/United States/-)
Failures: 15 (smtpauth)
Interval: 300 seconds
Blocked: Permanent Block

Log entries:

2013-06-21 03:43:09 dovecot_login authenticator failed for (ylmf-pc) [206.205.106.148]:3885: 535 Incorrect authentication data (set_id=info)
2013-06-21 03:43:12 dovecot_login authenticator failed for (ylmf-pc) [206.205.106.148]:1539: 535 Incorrect authentication data (set_id=info)
2013-06-21 03:43:15 dovecot_login authenticator failed for (ylmf-pc) [206.205.106.148]:2367: 535 Incorrect authentication data (set_id=info)
2013-06-21 03:43:17 dovecot_login authenticator failed for (ylmf-pc) [206.205.106.148]:1251: 535 Incorrect authentication data (set_id=info)
2013-06-21 03:43:30 dovecot_login authenticator failed for (ylmf-pc) [206.205.106.148]:4237: 535 Incorrect authentication data (set_id=info)
2013-06-21 03:43:57 dovecot_login authenticator failed for (ylmf-pc) [206.205.106.148]:3407: 535 Incorrect authentication data (set_id=info)
2013-06-21 03:44:28 dovecot_login authenticator failed for (ylmf-pc) [206.205.106.148]:1624: 535 Incorrect authentication data (set_id=info)
2013-06-21 03:44:31 dovecot_login authenticator failed for (ylmf-pc) [206.205.106.148]:1849: 535 Incorrect authentication data (set_id=info)
2013-06-21 03:45:06 dovecot_login authenticator failed for (ylmf-pc) [206.205.106.148]:3835: 535 Incorrect authentication data (set_id=info)
2013-06-21 03:45:37 dovecot_login authenticator failed for (ylmf-pc) [206.205.106.148]:2835: 535 Incorrect authentication data (set_id=info)
2013-06-21 03:45:40 dovecot_login authenticator failed for (ylmf-pc) [206.205.106.148]:3844: 535 Incorrect authentication data (set_id=info)
2013-06-21 03:45:43 dovecot_login authenticator failed for (ylmf-pc) [206.205.106.148]:4676: 535 Incorrect authentication data (set_id=info)
2013-06-21 03:46:06 dovecot_login authenticator failed for (ylmf-pc) [206.205.106.148]:2157: 535 Incorrect authentication data (set_id=info)
2013-06-21 03:46:10 dovecot_login authenticator failed for (ylmf-pc) [206.205.106.148]:2422: 535 Incorrect authentication data (set_id=info)
2013-06-21 03:46:14 dovecot_login authenticator failed for (ylmf-pc) [206.205.106.148]:3097: 535 Incorrect authentication data (set_id=info)


4. )
Time: Wed Jun 12 09:51:56 2013 +0800
IP: 109.169.72.36 (US/United States/-)
Failures: 15 (smtpauth)
Interval: 300 seconds
Blocked: Permanent Block

Log entries:

2013-06-12 09:51:26 dovecot_login authenticator failed for (ylmf-pc) [109.169.72.36]:52193: 535 Incorrect authentication data (set_id=info)
2013-06-12 09:51:28 dovecot_login authenticator failed for (ylmf-pc) [109.169.72.36]:52577: 535 Incorrect authentication data (set_id=info)
2013-06-12 09:51:30 dovecot_login authenticator failed for (ylmf-pc) [109.169.72.36]:52928: 535 Incorrect authentication data (set_id=info)
2013-06-12 09:51:32 dovecot_login authenticator failed for (ylmf-pc) [109.169.72.36]:53296: 535 Incorrect authentication data (set_id=info)
2013-06-12 09:51:34 dovecot_login authenticator failed for (ylmf-pc) [109.169.72.36]:53655: 535 Incorrect authentication data (set_id=info)
2013-06-12 09:51:36 dovecot_login authenticator failed for (ylmf-pc) [109.169.72.36]:53981: 535 Incorrect authentication data (set_id=info)
2013-06-12 09:51:38 dovecot_login authenticator failed for (ylmf-pc) [109.169.72.36]:54335: 535 Incorrect authentication data (set_id=info)
2013-06-12 09:51:40 dovecot_login authenticator failed for (ylmf-pc) [109.169.72.36]:54669: 535 Incorrect authentication data (set_id=info)
2013-06-12 09:51:42 dovecot_login authenticator failed for (ylmf-pc) [109.169.72.36]:55022: 535 Incorrect authentication data (set_id=info)
2013-06-12 09:51:44 dovecot_login authenticator failed for (ylmf-pc) [109.169.72.36]:55369: 535 Incorrect authentication data (set_id=info)
2013-06-12 09:51:46 dovecot_login authenticator failed for (ylmf-pc) [109.169.72.36]:55709: 535 Incorrect authentication data (set_id=info)
2013-06-12 09:51:48 dovecot_login authenticator failed for (ylmf-pc) [109.169.72.36]:56036: 535 Incorrect authentication data (set_id=info)
2013-06-12 09:51:50 dovecot_login authenticator failed for (ylmf-pc) [109.169.72.36]:56363: 535 Incorrect authentication data (set_id=info)
2013-06-12 09:51:52 dovecot_login authenticator failed for (ylmf-pc) [109.169.72.36]:56619: 535 Incorrect authentication data (set_id=info)
2013-06-12 09:51:54 dovecot_login authenticator failed for (ylmf-pc) [109.169.72.36]:56929: 535 Incorrect authentication data (set_id=info)
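As an added example, not code from the thread or from CSF: a small Python parser for the alert lines quoted in this thread that applies a CSF-style "N failures within 300 seconds" trigger per source IP, and groups sources by the HELO name they announce (the value in parentheses), which is what the "ylmf-pc" sources have in common regardless of country. The sample lines are built from the thread's own entries plus one made-up line; the threshold and interval defaults are assumptions matching the alerts above.

```python
import re
from datetime import datetime

# One Exim auth-failure line as quoted in the CSF alerts above: the parenthesised
# value is the client's HELO name; the ":port" suffix after the IP is optional.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<auth>\w+) authenticator failed "
    r"for \((?P<helo>[^)]*)\) \[(?P<ip>[^\]]+)\](?::\d+)?: 535 Incorrect "
    r"authentication data \(set_id=(?P<user>[^)]*)\)$")

def parse_line(line):
    """Fields of one failure line, or None if the line is not an auth failure."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {**m.groupdict(), "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")}

def find_bursts(lines, threshold=5, interval=300):
    """CSF-style trigger: flag an IP with >= threshold failures in `interval` s."""
    per_ip = {}
    for rec in filter(None, map(parse_line, lines)):
        per_ip.setdefault(rec["ip"], []).append(rec)
    flagged = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0                      # left edge of the sliding time window
        for end in range(len(recs)):
            while (recs[end]["ts"] - recs[start]["ts"]).total_seconds() > interval:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = (sorted({r["helo"] for r in recs}), len(recs),
                               sorted({r["user"] for r in recs}))
                break
    return flagged

def helo_sources(lines):
    """Source IPs per HELO name: the signature shared by unrelated IPs here."""
    by_helo = {}
    for rec in filter(None, map(parse_line, lines)):
        by_helo.setdefault(rec["helo"], set()).add(rec["ip"])
    return {helo: sorted(ips) for helo, ips in by_helo.items()}

# Constructed sample: lines from the thread plus one made-up single failure.
TPL = ("{t} dovecot_login authenticator failed for ({h}) [{ip}]{port}: "
       "535 Incorrect authentication data (set_id={u})")
EVENTS = [("2011-08-20 02:11:%02d" % s, "ylmf-pc", "59.58.240.66", "", "enquiries")
          for s in (4, 10, 16, 22, 28)]
EVENTS += [("2013-07-24 10:34:44", "ylmf-pc", "1.186.83.36", ":57088", "info"),
           ("2013-07-24 11:00:00", "mail.example.net", "192.0.2.10", ":4040", "info")]
SAMPLE = [TPL.format(t=t, h=h, ip=ip, port=p, u=u) for t, h, ip, p, u in EVENTS]
```

Run over a real exim mainlog, `helo_sources` shows every source announcing "ylmf-pc" in one place, while `find_bursts` reproduces which of them CSF would have blocked on its own.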