Am I missing something simple here
Posted: 28 Mar 2014, 12:16
by BillyNoMates
I have noticed a brute-force attack on my server:
2014-03-27 01:34:02 courier_login authenticator failed for URLremoved (DATASERV-PC) [98.230.172.199]:45213: 435 Unable to authenticate at present (set_id=admin): socket read timed out inside "and{...}" condition
2014-03-27 01:34:14 courier_login authenticator failed for URLremoved (DATASERV-PC) [98.230.172.199]:22865: 435 Unable to authenticate at present (set_id=admin): socket read timed out inside "and{...}" condition
The forum will not let me post the URL in the log for some reason:
"c-98-230-172-199*hsd1*ga*comcast*net"
There are over 4000 attempts but the IP did not get blocked.
Am I missing a setting, as most attacks are stopped within 10 attempts or so?
Thanks
Billy
Re: Am I missing something simple here
Posted: 30 Mar 2014, 22:01
by lfwej
Check the settings below. What are the settings you have?
LF_PERMBLOCK = Default: 1 [0-1]
LF_PERMBLOCK_INTERVAL = Default: 86400 [3600-604800]
LF_PERMBLOCK_COUNT = Default: 4 [1-20]
LF_PERMBLOCK_ALERT = Default: 1 [0-1]
Re: Am I missing something simple here
Posted: 31 Mar 2014, 09:14
by BillyNoMates
Hi lfwej,
I have the default settings:
LF_PERMBLOCK = 1
LF_PERMBLOCK_INTERVAL = 86400
LF_PERMBLOCK_COUNT = 4
LF_PERMBLOCK_ALERT = 1
Re: Am I missing something simple here
Posted: 01 Apr 2014, 11:30
by BillyNoMates
I have a feeling that csf or my server configuration was overwhelmed by this attack.
I am going to put together the list of events that I see in the logs and hopefully someone will be able to shed some light on this so I can prevent this from happening again.
Re: Am I missing something simple here
Posted: 01 Apr 2014, 11:42
by ForumAdmin
Those log lines are not ones that trigger anything in csf as they are not authentication failures as such. The error suggests that the authentication daemon is being flooded with requests and is unable to cope with the number of requests.
Re: Am I missing something simple here
Posted: 01 Apr 2014, 13:11
by BillyNoMates
Thanks for the reply.
Yes... that is what I have come to realise. (I'm very new to this.)
I am trying to work out how the process works and how csf stops such attacks.
When going through the logs to see what happened, I noticed that there are lots of connections like this (connections reach 100):
2014-03-27 01:33:39 SMTP connection from [98.230.172.199]:57734 (TCP/IP connection count = 1)
2014-03-27 01:33:47 SMTP connection from c-98-230-172-199*hsd1*ga*comcast*net (DATASERV-PC) [98.230.172.199]:57734 closed by QUIT
2014-03-27 01:33:48 SMTP connection from [127.0.0.1]:35093 (TCP/IP connection count = 1)
2014-03-27 01:33:49 SMTP connection from [98.230.172.199]:45213 (TCP/IP connection count = 2)
2014-03-27 01:33:50 SMTP connection from localhost [127.0.0.1]:35093 closed by QUIT
2014-03-27 01:33:52 SMTP connection from [98.230.172.199]:42769 (TCP/IP connection count = 2)
2014-03-27 01:33:59 SMTP connection from c-98-230-172-199*hsd1*ga*comcast*net (DATASERV-PC) [98.230.172.199]:42769 closed by QUIT
2014-03-27 01:34:00 SMTP connection from [98.230.172.199]:12466 (TCP/IP connection count = 2)
2014-03-27 01:34:01 SMTP connection from [98.230.172.199]:22865 (TCP/IP connection count = 3)
2014-03-27 01:34:01 SMTP connection from [98.230.172.199]:57938 (TCP/IP connection count = 4)
2014-03-27 01:34:01 SMTP connection from [98.230.172.199]:4770 (TCP/IP connection count = 5)
2014-03-27 01:34:01 SMTP connection from [98.230.172.199]:13254 (TCP/IP connection count = 6)
2014-03-27 01:34:01 SMTP connection from [98.230.172.199]:53809 (TCP/IP connection count = 7)
2014-03-27 01:34:01 SMTP connection from [98.230.172.199]:6201 (TCP/IP connection count = 8)
2014-03-27 01:34:01 SMTP connection from [98.230.172.199]:58590 (TCP/IP connection count = 9)
2014-03-27 01:34:02 courier_login authenticator failed for c-98-230-172-199*hsd1*ga*comcast*net (DATASERV-PC) [98.230.172.199]:45213: 435 Unable to authenticate at present (set_id=admin): socket read timed out inside "and{...}" condition
2014-03-27 01:34:03 SMTP connection from c-98-230-172-199*hsd1*ga*comcast*net (DATASERV-PC) [98.230.172.199]:45213 lost
2014-03-27 01:34:03 SMTP connection from [98.230.172.199]:18146 (TCP/IP connection count = 9)
2014-03-27 01:34:03 SMTP connection from [98.230.172.199]:2203 (TCP/IP connection count = 10)
Does csf not count each of the connections in the above logs, or are they not true connections?
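An added example, not code from this thread or from csf itself: a small Python classifier for exim mainlog lines of the shape shown above. It separates a 435 "Unable to authenticate at present" line (the authenticator timing out, which is what ForumAdmin describes and which proves nothing about the password) from a genuine 535 credential rejection, and measures the per-IP connection rate that is the real signal of a flood. The sample lines are constructed from the excerpt (hostname dots restored, the 535 line added for contrast) and the regular expressions are an illustration, not csf's own patterns.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample modelled on the excerpt above; dots restored, 535 line added for contrast.
SAMPLE_LOG = """\
2014-03-27 01:33:39 SMTP connection from [98.230.172.199]:57734 (TCP/IP connection count = 1)
2014-03-27 01:33:48 SMTP connection from [127.0.0.1]:35093 (TCP/IP connection count = 1)
2014-03-27 01:34:01 SMTP connection from [98.230.172.199]:22865 (TCP/IP connection count = 3)
2014-03-27 01:34:01 SMTP connection from [98.230.172.199]:57938 (TCP/IP connection count = 4)
2014-03-27 01:34:02 courier_login authenticator failed for c-98-230-172-199.hsd1.ga.comcast.net (DATASERV-PC) [98.230.172.199]:45213: 435 Unable to authenticate at present (set_id=admin): socket read timed out inside "and{...}" condition
2014-03-27 01:34:05 courier_login authenticator failed for c-98-230-172-199.hsd1.ga.comcast.net (DATASERV-PC) [98.230.172.199]:18146: 535 Incorrect authentication data (set_id=admin)
"""

TS = r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})"
IP = r"\[(?P<ip>[0-9a-fA-F.:]+)\]:\d+"
# Illustrative patterns only; csf's own regexes are not reproduced here.
CONN_RE = re.compile(TS + r" SMTP connection from (?:\S+ )?(?:\(\S+\) )?" + IP + r" \(TCP/IP connection count = \d+\)")
AUTH_RE = re.compile(TS + r" \S+ authenticator failed for .*?" + IP + r": (?P<code>\d{3}) ")

def classify(line):
    """(timestamp, ip, kind) or None. kind: 'connect', 'auth_fail' (535: credentials
    rejected) or 'auth_temp' (435: the authenticator could not answer at all)."""
    m = CONN_RE.match(line)
    if m:
        return m.group("ts"), m.group("ip"), "connect"
    m = AUTH_RE.match(line)
    if m:
        return m.group("ts"), m.group("ip"), "auth_fail" if m.group("code") == "535" else "auth_temp"
    return None

def events(log_text):
    """All recognised (timestamp, ip, kind) tuples in log_text, in file order."""
    return [e for e in map(classify, log_text.splitlines()) if e]

def summarize(log_text):
    """Per source IP, how many of each event kind; 435 lines are counted on their own."""
    stats = defaultdict(Counter)
    for _, ip, kind in events(log_text):
        stats[ip][kind] += 1
    return stats

def peak_connections(log_text, ip, window_seconds=60):
    """Most new SMTP connections from ip inside any window_seconds span (the flood signal)."""
    times = sorted(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
                   for ts, src, kind in events(log_text) if src == ip and kind == "connect")
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > timedelta(seconds=window_seconds):
            start += 1  # slide the window start forward until it spans at most window_seconds
        best = max(best, end - start + 1)
    return best
```

In csf.conf the control aimed at this kind of per-IP connection flood is connection tracking (CT_LIMIT), which counts open connections rather than login failures; the LF_PERMBLOCK settings only decide when repeated temporary blocks become permanent.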