dBFA

turbo2ltr

Member
Ok, I might have just made that up, but for the past two days I've been experiencing a distributed brute force attack.

Yeah sure I get messages from cphulk once in a while like:
Code:
5 failed login attempts to account thompson (system) -- Large number of attempts from this IP: 98.189.122.23

Things really quieted down when I blacklisted all domain blocks assigned to china. But normally I'll just BL the offending IP for the few that come in.

But the past two days, I've been getting these non stop. I've gotten about 60 in the past 36 hours.

I noticed thatc cphulk was not doing what I was expecting it to do and searching online it seems no one really knows how it works.
I had it set to blacklist for 1 hour if failed logins exceeded 7. Then had "ban 2 weeks if exceeded 10". But I was getting messages like the above, from the same IP every couple hours. So it clearly was not banning two weeks despite wrong logins exceeding 14.

I increased the first ban to 1 day and reduced the threshold to 5 failed logins and that slowed down the same-ip offenders. But new IPs are popping up and they are from all over the globe. And it seems they are using the same list of names for usernames.

But I didn't know what "system" meant. After a lot of digging, I found entries in the exim log like this:

Code:
./exim_rejectlog:2012-12-11 05:51:17 courier_login authenticator failed for ([192.168.2.33]) [50.121.152.110]:1848: 535 Incorrect authentication data (set_id=pearl)

As a side note, I have no idea where the 192.168.2.33 comes from...it's always set to that no matter what IP follows.

Anyway so I assume they are trying to authenticate into SMTP..

Any ideas on dealing with this? Do I just let itself putter out? About 80% of the notices I get are from different IPs so blacklisting won't do much.

Thanks,
Mike
 
Hi turbo2ltr,

Do you run CSF? I've been using it on my VPS for years now (I actually disable cphulk) and it blocks things like this daily automatically. I'd highly recommend it if you aren't.
 
Top