CSF not blocking brute-force attacks on exim2

1 post Page 1 of 1
hendr1x
Junior Member
Posts: 1
Joined: 07 Jul 2018, 16:19


Hello everyone,
I have been fighting this issue for a long time. I swear I've spent at least 6+ hours trying to fix it/reading other people's attempts, and I can't figure out what is wrong.

To start, I am getting notifications constantly from DirectAdmin stating:
Code:
A brute force attack has been detected in one of your service logs. IP XXX,XXX,XXX,XXX has X failed login attempts: exim2=100
CSF/LFD is set up and running on my CentOS 6 dedicated server and is successfully blocking other attacks.

Here are the settings I believe apply to this situation:
Code:
SMTP_BLOCK = "0"
SMTP_ALLOWLOCAL = "1"
SMTP_REDIRECT = "0"
SMTP_PORTS = "25,465,587"
SMTP_ALLOWUSER = ""
SMTP_ALLOWGROUP = "mail,mailman"
SMTPAUTH_RESTRICT = "0"
LF_SMTPAUTH = "5"
LF_SMTPAUTH_PERM = "1800"
LF_EXIMSYNTAX = "10"
LF_EXIMSYNTAX_PERM = "1"

SMTPAUTH_LOG = "/var/log/exim/mainlog"
I also tried the following:
Code:
SMTPAUTH_LOG = "/var/log/exim/rejectlog"
Both log files above exist and are populated; here is a sample line from maillog:
Code:
2018-06-11 05:31:09 login authenticator failed for (User) [XXX.XXX.XXX.XXX]: 535 Incorrect authentication data (set_id=smtp@removed.com)
I've tried tons of different settings/tweaks, restarting both csf + lfd each time. I'm clueless as to why this isn't working. I would really appreciate any help, as right now I am getting tons of emails every week and I am having to manually add IP addresses to ip.deny.

Thanks for any help you can provide.
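A small stand-alone checker, added here as an example (it is not part of the post and not CSF/LFD's own code), that applies an LF_SMTPAUTH-style threshold to exim mainlog lines of the shape quoted above. The regex, the one-hour window and the sample lines are assumptions constructed for this example; it is useful for confirming that the log actually carries enough data (timestamp, source IP, 535 result) for a log-based blocker to act on.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches exim mainlog SMTP AUTH failures like the sample line in the post. The
# bracketed IPv4 address may be followed by ":port". Hypothetical parser for this
# example; it is not the rule CSF/LFD uses in its own regex.pm.
AUTH_FAIL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ authenticator failed for "
    r".*?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\](?::\d+)?: 535 Incorrect authentication data"
)

def parse_failures(lines):
    """Return {ip: [timestamp, ...]} (sorted per IP) for every AUTH failure line."""
    failures = defaultdict(list)
    for line in lines:
        m = AUTH_FAIL_RE.match(line)
        if m:
            failures[m.group("ip")].append(
                datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"))
    return {ip: sorted(ts) for ip, ts in failures.items()}

def offenders(lines, threshold=5, window=3600):
    """IPs with at least `threshold` failures inside any `window`-second span.
    Assumed to mirror LF_SMTPAUTH=5 with a one-hour interval (the interval is
    not stated in the post)."""
    hits = []
    for ip, times in parse_failures(lines).items():
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window:
                hits.append(ip)
                break
    return sorted(hits)

# Constructed sample log using documentation addresses, not real traffic.
FAIL = " authenticator failed for (User) [{ip}]{port}: 535 Incorrect authentication data (set_id={u}@example.com)"
SAMPLE_LOG = [
    "2018-06-11 05:31:09 login" + FAIL.format(ip="192.0.2.10", port="", u="smtp"),
    "2018-06-11 05:31:12 login" + FAIL.format(ip="192.0.2.10", port="", u="smtp"),
    "2018-06-11 05:31:15 plain" + FAIL.format(ip="192.0.2.10", port=":587", u="admin"),
    "2018-06-11 05:31:20 1fSxyz-000001-AB <= sender@example.com H=mail.example.net [198.51.100.5] P=esmtp S=1234",
    "2018-06-11 05:31:22 login" + FAIL.format(ip="192.0.2.10", port="", u="smtp"),
    "2018-06-11 05:31:30 login" + FAIL.format(ip="192.0.2.10", port="", u="smtp"),
    "2018-06-11 05:32:00 login" + FAIL.format(ip="192.0.2.20", port="", u="info"),
]
# Five failures from 192.0.2.30 spaced 30 minutes apart: never five inside one hour.
SAMPLE_LOG += ["2018-06-11 %02d:%02d:00 login" % (6 + k // 2, (k % 2) * 30)
               + FAIL.format(ip="192.0.2.30", port="", u="x") for k in range(5)]

if __name__ == "__main__":
    print(offenders(SAMPLE_LOG))  # ['192.0.2.10']
```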