LFD not automatically blocking IPs
Posted: 17 Feb 2014, 13:52
We are receiving hundreds of email notifications similar to the one pasted below.
-----------------------------------------------------------------------------------------------------
5 failed login attempts to account ACCOUNT NAME
(smtp) -- Large number of attempts from this IP: 61.245.163.1
Origin Country: Sri Lanka (LK)
Please use the following links to add to the black list:
Single IP: https://ADDRESS:2087/cgi/bl.cgi?ip=61.245.163.1
/24: https://ADDRESS:2087/cgi/bl.cgi?ip=61.245.163.0/24
/16: https://ADDRESS:2087/cgi/bl.cgi?ip=61.245.0.0/16
-----------------------------------------------------------------------------------------------------
They were initially coming from China. We blocked China in ConfigServer Firewall using CC_DENY.
Now they are coming from different countries from different IPs. It is not feasible to block each single IP address we receive a notification about.
The status of Login Failure Daemon (LFD) is RUNNING. However, the /var/log/lfd.log file does not contain the IP addresses mentioned in the email notifications. The LFD part of CSF Firewall doesn't seem to be blocking any unwanted activity.
Our config (almost all default) is as below:
LF_DEAMON = 1
LF_TRIGGER = 0
LF_TRIGGER_PERM = 1
LF_SELECT = 0
LF_EMAIL_ALERT = 1
LF_SSHD = 5
LF_SSHD_PERM = 1
LF_FTPD = 10
LF_FTPD_PERM = 1
Please advise if there is anything else that we need to set to automatically block attacker IPs.
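Added example for this thread, not code from the post or from CSF/LFD: a small triage script that parses a batch of notification mails in the format quoted above, aggregates the failed attempts per IP, per /24 and per country (the same grouping the mail's own blacklist links offer), and then checks which reported addresses never appear in lfd.log at all, which is the symptom the post describes. The notification text and the lfd.log lines are constructed samples; the real lfd.log block-line format is not assumed, the script only searches the log for the exact address, so it works whatever wording LFD uses.

```python
"""Triage cPanel/CSF-style brute-force notification mails and compare them with lfd.log.

Added example; the NOTIFICATIONS and LFD_LOG samples are constructed to match the
format quoted in the post and are not real mail or log data.
"""
import re
from collections import Counter

# Constructed sample: three notifications in the quoted format, pasted one after another.
NOTIFICATIONS = """\
5 failed login attempts to account ACCOUNT NAME
(smtp) -- Large number of attempts from this IP: 61.245.163.1
Origin Country: Sri Lanka (LK)
Please use the following links to add to the black list:
Single IP: https://ADDRESS:2087/cgi/bl.cgi?ip=61.245.163.1
-----------------------------------------------------------------
5 failed login attempts to account ACCOUNT NAME
(smtp) -- Large number of attempts from this IP: 61.245.163.77
Origin Country: Sri Lanka (LK)
-----------------------------------------------------------------
12 failed login attempts to account OTHER
(pop3) -- Large number of attempts from this IP: 198.51.100.9
Origin Country: Example (XX)
"""

# Constructed lfd.log excerpt (assumed wording; only the address itself is searched for).
LFD_LOG = """\
Feb 17 13:40:02 host lfd[2211]: *Port Scan* detected from 198.51.100.9 (XX/Example/-). 11 hits in the last 60 seconds
Feb 17 13:40:02 host lfd[2211]: (IP) 198.51.100.9 blocked
"""

HEADER_RE = re.compile(r"^(\d+) failed login attempts to account (.+)$")
SOURCE_RE = re.compile(r"^\((\w+)\) -- .*? from this IP: (\d{1,3}(?:\.\d{1,3}){3})$")
COUNTRY_RE = re.compile(r"^Origin Country: (.+?) \((\w{2})\)$")


def parse_notifications(text):
    """Return one dict per notification: attempts, account, service, ip, country, cc."""
    records = []
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = HEADER_RE.match(line)
        if m:
            # A header line starts a new record; later lines fill it in.
            current = {"attempts": int(m.group(1)), "account": m.group(2)}
            records.append(current)
            continue
        if current is None:
            continue
        m = SOURCE_RE.match(line)
        if m:
            current["service"], current["ip"] = m.group(1), m.group(2)
            continue
        m = COUNTRY_RE.match(line)
        if m:
            current["country"], current["cc"] = m.group(1), m.group(2)
    # Drop fragments that never named a source IP.
    return [r for r in records if "ip" in r]


def cidr24(ip):
    """Collapse an IPv4 address to its /24, matching the grouping in the mail's links."""
    return ip.rsplit(".", 1)[0] + ".0/24"


def summarize(records):
    """Attempts per IP and per /24; number of notifications per country and per service."""
    by_ip, by_cidr24, by_country, by_service = Counter(), Counter(), Counter(), Counter()
    for r in records:
        by_ip[r["ip"]] += r["attempts"]
        by_cidr24[cidr24(r["ip"])] += r["attempts"]
        by_country[r.get("cc", "??")] += 1
        by_service[r["service"]] += 1
    return {"by_ip": by_ip, "by_cidr24": by_cidr24,
            "by_country": by_country, "by_service": by_service}


def ip_in_log(ip, log_text):
    """True if the exact address occurs in the log (61.245.163.1 must not match 61.245.163.10)."""
    pattern = r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])"
    return re.search(pattern, log_text) is not None


def unblocked_ips(records, log_text):
    """Reported addresses that lfd.log never mentions, i.e. the ones LFD did not act on."""
    return sorted({r["ip"] for r in records if not ip_in_log(r["ip"], log_text)})


if __name__ == "__main__":
    recs = parse_notifications(NOTIFICATIONS)
    summary = summarize(recs)
    for cidr, n in summary["by_cidr24"].most_common():
        print(f"{cidr:20} {n} failed attempts")
    print("never seen in lfd.log:", unblocked_ips(recs, LFD_LOG))
```

To run it against real mail, paste the bodies of the notifications into NOTIFICATIONS (or read them from a file) and load /var/log/lfd.log into LFD_LOG; an address that shows up in the summary but in the "never seen" list is one the notifications reported and LFD never logged, which narrows the question to whether LFD is watching the log those failures are written to.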