CSF not blocking Exim attack

Posted: 19 Sep 2011, 15:18
by mvtimes
Hello all,

I am seeing many failed entry attempts in my "mainlog" for exim. Here is a snippet from that log file:

2011-09-18 16:48:22 login authenticator failed for 200-161-109-106.dsl.xxx.xxx.xx (ieikedh dot com) [200.161.109.106]: 535 Incorrect authentication data (set_id=1234)
2011-09-18 16:48:24 login authenticator failed for 200-161-109-106.dsl.xxx.xxx.xx (ieikedh dot com) [200.161.109.106]: 535 Incorrect authentication data (set_id=1234)
2011-09-18 16:48:26 login authenticator failed for 200-161-109-106.dsl.xxx.xxx.xx (ieikedh dot com) [200.161.109.106]: 535 Incorrect authentication data (set_id=1234)
2011-09-18 16:48:27 login authenticator failed for 200-161-109-106.dsl.xxx.xxx.xx (ieikedh dot com) [200.161.109.106]: 535 Incorrect authentication data (set_id=1234)
2011-09-18 16:48:29 login authenticator failed for 200-161-109-106.dsl.xxx.xxx.xx (ieikedh dot com) [200.161.109.106]: 535 Incorrect authentication data (set_id=1234)
2011-09-18 16:48:31 login authenticator failed for 200-161-109-106.dsl.xxx.xxx.xx (ieikedh dot com) [200.161.109.106]: 535 Incorrect authentication data (set_id=1234)
2011-09-18 16:48:32 SMTP call from 200-161-109-106.dsl.xxx.xxx.xx (ieikedh dot com) [200.161.109.106] dropped: too many nonmail commands (last was "AUTH")
2011-09-18 16:48:35 login authenticator failed for 200-161-109-106.dsl.xxx.xxx.xx (cvgnpbqn dot com) [200.161.109.106]: 535 Incorrect authentication data (set_id=1234)
2011-09-18 16:48:37 login authenticator failed for 200-161-109-106.dsl.xxx.xxx.xx (cvgnpbqn dot com) [200.161.109.106]: 535 Incorrect authentication data (set_id=1234)
2011-09-18 16:48:39 login authenticator failed for 200-161-109-106.dsl.xxx.xxx.xx (cvgnpbqn dot com) [200.161.109.106]: 535 Incorrect authentication data (set_id=1234)
2011-09-18 16:48:41 login authenticator failed for 200-161-109-106.dsl.xxx.xxx.xx (cvgnpbqn dot com) [200.161.109.106]: 535 Incorrect authentication data (set_id=1234)
2011-09-18 16:48:42 login authenticator failed for 200-161-109-106.dsl.xxx.xxx.xx (cvgnpbqn dot com) [200.161.109.106]: 535 Incorrect authentication data (set_id=1234)
2011-09-18 16:48:44 login authenticator failed for 200-161-109-106.dsl.xxx.xxx.xx (cvgnpbqn dot com) [200.161.109.106]: 535 Incorrect authentication data (set_id=1234)
2011-09-18 16:48:46 SMTP call from 200-161-109-106.dsl.xxx.xxx.xx (cvgnpbqn dot com) [200.161.109.106] dropped: too many nonmail commands (last was "AUTH")
2011-09-18 16:48:49 login authenticator failed for 200-161-109-106.dsl.xxx.xxx.xx (rfhszi dot com) [200.161.109.106]: 535 Incorrect authentication data (set_id=1234)
2011-09-18 16:48:51 login authenticator failed for 200-161-109-106.dsl.xxx.xxx.xx (rfhszi dot com) [200.161.109.106]: 535 Incorrect authentication data (set_id=1234)
2011-09-18 16:48:52 login authenticator failed for 200-161-109-106.dsl.xxx.xxx.xx (rfhszi dot com) [200.161.109.106]: 535 Incorrect authentication data (set_id=1234)
2011-09-18 16:48:54 login authenticator failed for 200-161-109-106.dsl.xxx.xxx.xx (rfhszi dot com) [200.161.109.106]: 535 Incorrect authentication data (set_id=1234)
2011-09-18 16:48:56 login authenticator failed for 200-161-109-106.dsl.xxx.xxx.xx (rfhszi dot com) [200.161.109.106]: 535 Incorrect authentication data (set_id=1234)
2011-09-18 16:48:58 login authenticator failed for 200-161-109-106.dsl.xxx.xxx.xx (rfhszi dot com) [200.161.109.106]: 535 Incorrect authentication data (set_id=1234)
2011-09-18 16:48:59 SMTP call from 200-161-109-106.dsl.xxx.xxx.xx (rfhszi dot com) [200.161.109.106] dropped: too many nonmail commands (last was "AUTH")
(I had to xxx out the domain name to post the log)

They go on and on, about 8000 attempts. DirectAdmin's Brute Force Monitor notified me of the attack, but CSF didn't seem to do anything at all. I've manually added the IP address, but assume this sort of attack might happen again.

Does CSF keep an eye on the Exim logs? Is there any way to capture this sort of attack in the future?

Thank you for your time.
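As an added example (not code from the thread, nor CSF/lfd's own), a simplified version of the check a log watcher has to run over Exim mainlog lines like the ones quoted above: parse the AUTH failures, count them per client IP inside a time window, and report the IPs that cross a threshold. If the watcher is reading the wrong file it never sees these lines and nothing fires. The sample lines are constructed from the post's log, and the threshold, window and the 192.0.2.10 host are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches an Exim mainlog line for a failed SMTP AUTH, as quoted in the thread.
AUTH_FAIL = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"\w+ authenticator failed for .*?\[(?P<ip>[\d.]+)\]: "
    r"535 Incorrect authentication data"
)

def parse_auth_failure(line):
    """Return (timestamp, client_ip) for an AUTH failure line, else None."""
    m = AUTH_FAIL.match(line)
    if not m:
        return None
    return datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"), m.group("ip")

def offending_ips(lines, threshold=5, window=timedelta(minutes=5)):
    """Map IP -> total failures for IPs with >= threshold failures inside any
    span of length `window` (threshold and window are assumed, not lfd's)."""
    stamps = defaultdict(list)
    for line in lines:
        parsed = parse_auth_failure(line)
        if parsed:
            stamps[parsed[1]].append(parsed[0])
    hits = {}
    for ip, ts_list in stamps.items():
        ts_list.sort()
        start = 0
        for end, ts in enumerate(ts_list):  # sliding window over sorted times
            while ts - ts_list[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits[ip] = len(ts_list)
                break
    return hits

# Constructed sample modelled on the thread's log; 192.0.2.10 is a documentation
# address added to show that a single failure is not reported.
HOST = "200-161-109-106.dsl.xxx.xxx.xx (ieikedh dot com) [200.161.109.106]"
SAMPLE_LOG = [
    f"2011-09-18 16:48:{s:02d} login authenticator failed for {HOST}: "
    "535 Incorrect authentication data (set_id=1234)" for s in (22, 24, 26, 27, 29, 31)
] + [
    f'2011-09-18 16:48:32 SMTP call from {HOST} dropped: too many nonmail commands (last was "AUTH")',
    "2011-09-18 16:50:00 login authenticator failed for other.example [192.0.2.10]: "
    "535 Incorrect authentication data (set_id=bob)",
]
```

Running `offending_ips(SAMPLE_LOG)` reports only 200.161.109.106 (six failures in nine seconds); the "dropped: too many nonmail commands" line is ignored because it is not an authentication failure.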

Re: CSF not blocking Exim attack

Posted: 11 May 2012, 15:24
by cits2012
Had the same issue. For me, SMTPAUTH_LOG was set to the wrong log file:

/var/log/secure

while it should have been:

/var/log/maillog

(using CentOS+DirectAdmin+CSF)

You can edit this value in csf.conf or in your DirectAdmin firewall admin panel (if you use DA).

Re: CSF not blocking Exim attack

Posted: 29 Dec 2012, 07:21
by pppplus
I changed the SMTPAUTH_LOG value to /var/log/maillog, but attacks on exim are not blocked.

I have this in the DirectAdmin Brute Force Monitor:

13567372220000	173.11.223.66	admin	1	exim2	2012-12-29 00:26:09 login authenticator failed for 173-11-223-66-houston.txt.hfc.comcastbusiness.net (SERVER) [173.11.223.66]: 535 Incorrect authentication data (set_id=admin)
1300 times for the same IP.

I read some other posts in your forum, but I still have the same problem.
Attacks on exim1 or exim2 are not blocked. I am not sure about dovecot.
All other attacks are blocked.

What are your suggestions?
Which values do you use to stop exim attacks?

Thanks for your help.