Request a different interval for LF_DISTSMTP
Posted: 03 Oct 2012, 11:01
Hi, I'd like to suggest that while using a single LF_INTERVAL is ok for most login failure checking, it might be necessary for the distributed SMTP checking to have a shorter interval.
In order to tighten things up recently we've had to increase LF_INTERVAL to block IPs over a longer period of time, as the trend from spammers seems to be to re-use the same IPs less frequently, to avoid these detection methods. Gone are the days when they would just keep trying with the same IP in a short space of time. In the past we would set LF_INTERVAL to 5 minutes and set the LF_TRIGGER to 20, because the spammers were just submitting a constant stream of login attempts. They don't do that anymore - they are spreading the attacks over a much longer period of time, using the same IP only a handful of times before switching to a different one. It makes sense that they would do this now that pretty much everyone is using CSF/LFD. Spammers are easily able to get around LFD now because they've worked out that most people use a fairly short LF_INTERVAL.
So we've had to greatly increase the LF_INTERVAL and reduce the LF_TRIGGER and have blocked more than 27,000 IPs in the last 9 weeks, yet we still see email accounts getting compromised almost every day. It may be that we are an extreme case - we are certainly being targeted and have been for several months now. Increasing LF_TRIGGER to a much longer interval has been the only answer.
Anyway....
As LF_DISTSMTP is not actually a login failure check, it's a successful login check, the timescale needs to be shorter. So for example, we might want to set LF_DISTSMTP to a minimum of 10 successful logins from 4 different IPs within 5 minutes because that's currently how botnets tend to behave once they have compromised an account. Unfortunately we are restricted to the same LF_INTERVAL used for other LF checks which now require a much longer interval.
So after all that waffle - what I'm asking for is the ability to configure an independent interval for LF_DISTSMTP.
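As an added illustration of the request above (this is example code written for this page, not the poster's configuration and not CSF/LFD's own Perl implementation), the following Python models a distributed-SMTP check with its own window. The log line format, the account and IP values, and the setting name LF_DISTSMTP_INTERVAL are all constructed assumptions; the rule itself follows the post: at least LF_DISTSMTP successful logins for one account from at least LF_DISTSMTP_UNIQ distinct IPs inside the interval. Running it with a 5-minute window flags only the burst that looks like a compromised account, while reusing the long general LF_INTERVAL also flags a user who simply logged in from four places over an hour, which is the false-positive pressure the post describes.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical settings modelled on the post. LF_DISTSMTP and LF_DISTSMTP_UNIQ
# are CSF setting names mentioned in the post; LF_DISTSMTP_INTERVAL is an
# assumed name for the independent window being requested.
LF_INTERVAL = 3600           # long window now needed for login-failure checks
LF_DISTSMTP = 10             # successful logins needed to trigger
LF_DISTSMTP_UNIQ = 4         # distinct source IPs among those logins
LF_DISTSMTP_INTERVAL = 300   # proposed separate 5-minute window (assumption)

# Constructed log line shape, not any real MTA's format:
# "2012-10-03 11:00:00 smtp-auth ok user=<account> ip=<address>"
LOG_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) smtp-auth ok user=(\S+) ip=(\S+)$"
)


def scan(lines, trigger=LF_DISTSMTP, uniq=LF_DISTSMTP_UNIQ,
         interval=LF_DISTSMTP_INTERVAL):
    """Return (account, timestamp, sorted_ips) for each account whose successful
    SMTP logins within `interval` seconds reach `trigger` events from at least
    `uniq` distinct IPs. One alert per burst; the window resets after firing."""
    windows = defaultdict(deque)   # account -> deque of (timestamp, ip)
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                # ignore lines that are not successful logins
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        account, ip = m.group(2), m.group(3)
        win = windows[account]
        win.append((ts, ip))
        # Drop events older than the window relative to the newest event.
        while win and (ts - win[0][0]).total_seconds() > interval:
            win.popleft()
        ips = {addr for _, addr in win}
        if len(win) >= trigger and len(ips) >= uniq:
            alerts.append((account, ts, sorted(ips)))
            win.clear()
    return alerts


def _constructed_lines(account, base, entries):
    """Build constructed sample log lines from (offset_seconds, ip) pairs."""
    return [
        f"{(base + timedelta(seconds=off)).strftime('%Y-%m-%d %H:%M:%S')} "
        f"smtp-auth ok user={account} ip={ip}"
        for off, ip in entries
    ]


BASE = datetime(2012, 10, 3, 11, 0, 0)

# Constructed sample: a bot cycling four IPs against one compromised account,
# ten logins in under four minutes (documentation-range addresses).
BOT_IPS = ["203.0.113.10", "203.0.113.11", "203.0.113.12", "203.0.113.13"]
_bot = _constructed_lines("bob@example.com", BASE,
                          [(i * 25, BOT_IPS[i % 4]) for i in range(10)])

# Constructed sample: a legitimate user checking mail every six minutes from
# four locations (office, home, phone, VPN), ten logins spread over ~54 minutes.
USER_IPS = ["198.51.100.1", "198.51.100.2", "198.51.100.3", "198.51.100.4"]
_legit = _constructed_lines("carol@example.com", BASE,
                            [(i * 360, USER_IPS[i % 4]) for i in range(10)])

SAMPLE_LOG = sorted(_bot + _legit)   # timestamps are fixed width, so string sort orders by time


def flagged_accounts(interval):
    """Accounts the check would block for a given window length, sorted."""
    return sorted(a for a, _, _ in scan(SAMPLE_LOG, interval=interval))


if __name__ == "__main__":
    print("5-minute DISTSMTP window :", flagged_accounts(LF_DISTSMTP_INTERVAL))
    print("shared 1-hour LF_INTERVAL:", flagged_accounts(LF_INTERVAL))
```

With the separate 5-minute window only bob@example.com is flagged; with the shared one-hour LF_INTERVAL carol@example.com is flagged as well, even though nothing about her pattern looks like a botnet. Keeping the window short for the successful-login check while the failure checks use a long one is exactly the separation the post asks for.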