CSF not blocking Exim attack
Posted: 19 Sep 2011, 15:18
Hello all,
I am seeing many failed entry attempts in my "mainlog" for exim. Here is a snippet from that log file:
(I had to xxx out the domain name to post the log)
Code:
2011-09-18 16:48:22 login authenticator failed for 200-161-109-106.dsl.xxx.xxx.xx (ieikedh dot com) [200.161.109.106]: 535 Incorrect authentication data (set_id=1234)
2011-09-18 16:48:24 login authenticator failed for 200-161-109-106.dsl.xxx.xxx.xx (ieikedh dot com) [200.161.109.106]: 535 Incorrect authentication data (set_id=1234)
2011-09-18 16:48:26 login authenticator failed for 200-161-109-106.dsl.xxx.xxx.xx (ieikedh dot com) [200.161.109.106]: 535 Incorrect authentication data (set_id=1234)
2011-09-18 16:48:27 login authenticator failed for 200-161-109-106.dsl.xxx.xxx.xx (ieikedh dot com) [200.161.109.106]: 535 Incorrect authentication data (set_id=1234)
2011-09-18 16:48:29 login authenticator failed for 200-161-109-106.dsl.xxx.xxx.xx (ieikedh dot com) [200.161.109.106]: 535 Incorrect authentication data (set_id=1234)
2011-09-18 16:48:31 login authenticator failed for 200-161-109-106.dsl.xxx.xxx.xx (ieikedh dot com) [200.161.109.106]: 535 Incorrect authentication data (set_id=1234)
2011-09-18 16:48:32 SMTP call from 200-161-109-106.dsl.xxx.xxx.xx (ieikedh dot com) [200.161.109.106] dropped: too many nonmail commands (last was "AUTH")
2011-09-18 16:48:35 login authenticator failed for 200-161-109-106.dsl.xxx.xxx.xx (cvgnpbqn dot com) [200.161.109.106]: 535 Incorrect authentication data (set_id=1234)
2011-09-18 16:48:37 login authenticator failed for 200-161-109-106.dsl.xxx.xxx.xx (cvgnpbqn dot com) [200.161.109.106]: 535 Incorrect authentication data (set_id=1234)
2011-09-18 16:48:39 login authenticator failed for 200-161-109-106.dsl.xxx.xxx.xx (cvgnpbqn dot com) [200.161.109.106]: 535 Incorrect authentication data (set_id=1234)
2011-09-18 16:48:41 login authenticator failed for 200-161-109-106.dsl.xxx.xxx.xx (cvgnpbqn dot com) [200.161.109.106]: 535 Incorrect authentication data (set_id=1234)
2011-09-18 16:48:42 login authenticator failed for 200-161-109-106.dsl.xxx.xxx.xx (cvgnpbqn dot com) [200.161.109.106]: 535 Incorrect authentication data (set_id=1234)
2011-09-18 16:48:44 login authenticator failed for 200-161-109-106.dsl.xxx.xxx.xx (cvgnpbqn dot com) [200.161.109.106]: 535 Incorrect authentication data (set_id=1234)
2011-09-18 16:48:46 SMTP call from 200-161-109-106.dsl.xxx.xxx.xx (cvgnpbqn dot com) [200.161.109.106] dropped: too many nonmail commands (last was "AUTH")
2011-09-18 16:48:49 login authenticator failed for 200-161-109-106.dsl.xxx.xxx.xx (rfhszi dot com) [200.161.109.106]: 535 Incorrect authentication data (set_id=1234)
2011-09-18 16:48:51 login authenticator failed for 200-161-109-106.dsl.xxx.xxx.xx (rfhszi dot com) [200.161.109.106]: 535 Incorrect authentication data (set_id=1234)
2011-09-18 16:48:52 login authenticator failed for 200-161-109-106.dsl.xxx.xxx.xx (rfhszi dot com) [200.161.109.106]: 535 Incorrect authentication data (set_id=1234)
2011-09-18 16:48:54 login authenticator failed for 200-161-109-106.dsl.xxx.xxx.xx (rfhszi dot com) [200.161.109.106]: 535 Incorrect authentication data (set_id=1234)
2011-09-18 16:48:56 login authenticator failed for 200-161-109-106.dsl.xxx.xxx.xx (rfhszi dot com) [200.161.109.106]: 535 Incorrect authentication data (set_id=1234)
2011-09-18 16:48:58 login authenticator failed for 200-161-109-106.dsl.xxx.xxx.xx (rfhszi dot com) [200.161.109.106]: 535 Incorrect authentication data (set_id=1234)
2011-09-18 16:48:59 SMTP call from 200-161-109-106.dsl.xxx.xxx.xx (rfhszi dot com) [200.161.109.106] dropped: too many nonmail commands (last was "AUTH")
They go on and on, about 8000 attempts. DirectAdmin's Brute Force Monitor notified me of the attack, but CSF didn't seem to do anything at all. I've manually added the IP address, but assume this sort of attack might happen again.
Does CSF keep an eye on the Exim logs? Is there any way to capture this sort of attack in the future?
Thank you for your time.
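As an added illustration of what a log watcher has to do to catch the pattern in the post (this is example code, not part of the original post and not CSF/lfd's own logic): it parses Exim mainlog "authenticator failed" lines, ignores the "SMTP call ... dropped" lines, and flags any source IP that exceeds a failure threshold inside a sliding time window. The sample lines are constructed from the post's masked log, plus a second low-volume source (192.0.2.10, a documentation address) that should not be flagged; the threshold and window values are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One Exim mainlog "authenticator failed" line, in the format shown in the post.
FAILED_AUTH_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<auth>\w+) authenticator failed "
    r"for .*?\[(?P<ip>[0-9A-Fa-f.:]+)\]: 535 Incorrect authentication data"
    r"(?: \((?P<info>[^)]*)\))?"
)

def parse_failed_auth(line):
    """Return (timestamp, ip, extra info) for a failed-auth line, else None."""
    m = FAILED_AUTH_RE.match(line)
    if not m:
        return None  # e.g. "SMTP call ... dropped" lines are not auth failures
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
    return ts, m.group("ip"), m.group("info") or ""

def find_auth_brute_force(lines, threshold=5, window=timedelta(minutes=5)):
    """Map ip -> total failures for every ip with >= threshold failures in any window."""
    per_ip = defaultdict(list)
    for line in lines:
        ev = parse_failed_auth(line)
        if ev:
            per_ip[ev[1]].append(ev[0])
    offenders = {}
    for ip, times in per_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                offenders[ip] = len(times)
                break
    return offenders

# Constructed sample modelled on the post's log (hostnames masked as in the post).
SAMPLE_LOG = """\
2011-09-18 16:48:22 login authenticator failed for 200-161-109-106.dsl.xxx.xxx.xx (ieikedh dot com) [200.161.109.106]: 535 Incorrect authentication data (set_id=1234)
2011-09-18 16:48:24 login authenticator failed for 200-161-109-106.dsl.xxx.xxx.xx (ieikedh dot com) [200.161.109.106]: 535 Incorrect authentication data (set_id=1234)
2011-09-18 16:48:26 login authenticator failed for 200-161-109-106.dsl.xxx.xxx.xx (ieikedh dot com) [200.161.109.106]: 535 Incorrect authentication data (set_id=1234)
2011-09-18 16:48:27 login authenticator failed for 200-161-109-106.dsl.xxx.xxx.xx (ieikedh dot com) [200.161.109.106]: 535 Incorrect authentication data (set_id=1234)
2011-09-18 16:48:29 login authenticator failed for 200-161-109-106.dsl.xxx.xxx.xx (ieikedh dot com) [200.161.109.106]: 535 Incorrect authentication data (set_id=1234)
2011-09-18 16:48:32 SMTP call from 200-161-109-106.dsl.xxx.xxx.xx (ieikedh dot com) [200.161.109.106] dropped: too many nonmail commands (last was "AUTH")
2011-09-18 16:50:01 login authenticator failed for host.example.invalid [192.0.2.10]: 535 Incorrect authentication data (set_id=bob)
2011-09-18 17:30:05 login authenticator failed for host.example.invalid [192.0.2.10]: 535 Incorrect authentication data (set_id=bob)
""".splitlines()

if __name__ == "__main__":
    for ip, n in find_auth_brute_force(SAMPLE_LOG).items():
        print(f"{ip}: {n} failed AUTH attempts inside the window, candidate for blocking")
```

The same regex and counting rule is what a custom log-watcher entry would need to express for a watcher that only knows other services' log formats.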