Brute Force Attack
So this morning I started getting a myriad of email alerts from CSF about blocked IPs. I am used to seeing an IP blocked for yada yada every so often, but this morning it started in earnest.
CSF is doing its job blocking the IPs after 5 failed attempts, but I have never seen this many come in before. Every email is showing the same thing, just with a different IP and a different host name.
2014-06-24 13:29:25 [25199] dovecot_plain authenticator failed for (JAVIER-RRR) [190.147.132.98]:52839 I=[xx.xx.xx.xx]:25: 535 Incorrect authentication data (set_id=richard)
2014-06-24 13:29:31 [25199] dovecot_login authenticator failed for (JAVIER-RRR) [190.147.132.98]:52839 I=[xx.xx.xx.xx]:25: 535 Incorrect authentication data (set_id=richard)
2014-06-24 13:29:38 [25274] dovecot_plain authenticator failed for (JAVIER-RRR) [190.147.132.98]:52896 I=[xx.xx.xx.xx]:25: 535 Incorrect authentication data (set_id=richard@mail.xx.xx)
2014-06-24 13:29:48 [25274] dovecot_login authenticator failed for (JAVIER-RRR) [190.147.132.98]:52896 I=[xx.xx.xx.xx]:25: 535 Incorrect authentication data (set_id=richard@mail.xx.xx)
2014-06-24 13:58:25 [4921] dovecot_plain authenticator failed for (JAVIER-RRR) [190.147.132.98]:63786 I=[xx.xx.xx.xx]:25: 535 Incorrect authentication data (set_id=richard)
My question is, as this has been going on for the last 4 hours or so, what else should I do at this point?
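As an added example (not part of this thread), a small Python script that parses failure lines in the format quoted above and counts them per source IP and per targeted account, so that one mailbox being tried from many IPs shows up even after CSF has blocked each IP individually. The regex layout, the helper that builds the sample lines and the documentation-range IPs are assumptions modelled on the quoted entries, not real hosts.

```python
import re
from collections import defaultdict

# Assumed layout of the exim authenticator-failure lines quoted in the thread:
# timestamp [pid] dovecot_* authenticator failed for (host) [ip]:port ... (set_id=user)
LINE_RE = re.compile(
    r'^(?P<ts>\S+ \S+) \[\d+\] (?P<auth>dovecot_\w+) authenticator failed for '
    r'\((?P<host>[^)]*)\) \[(?P<ip>[^\]]+)\]:\d+ .*set_id=(?P<user>\S+)\)$'
)

def parse_line(line):
    """Return (ip, user, timestamp) for one failure line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # Drop any domain so "richard" and "richard@mail.example" count as one target
    user = m.group('user').split('@')[0]
    return m.group('ip'), user, m.group('ts')

def summarize(lines, per_ip_limit=5, distributed_limit=3):
    """Count failures per source IP and per targeted account.

    per_ip_limit mirrors the CSF threshold in the thread (5 failures per IP).
    distributed_limit flags an account tried from that many distinct IPs,
    which per-IP blocking alone does not reveal.
    """
    by_ip = defaultdict(int)
    ips_by_user = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # unrelated log line
        ip, user, _ = parsed
        by_ip[ip] += 1
        ips_by_user[user].add(ip)
    noisy_ips = sorted(ip for ip, n in by_ip.items() if n >= per_ip_limit)
    targeted = sorted(u for u, ips in ips_by_user.items() if len(ips) >= distributed_limit)
    return {'by_ip': dict(by_ip), 'noisy_ips': noisy_ips, 'targeted_users': targeted}

def _line(ts, ip, port, user, auth='dovecot_plain'):
    # Builds a constructed sample line in the thread's format (hypothetical helper)
    return (f'{ts} [25199] {auth} authenticator failed for (HOST-A) [{ip}]:{port} '
            f'I=[192.0.2.10]:25: 535 Incorrect authentication data (set_id={user})')

SAMPLE_LOG = [  # constructed sample: one noisy IP plus two more IPs on the same account
    _line('2014-06-24 13:29:25', '198.51.100.7', 52839, 'richard'),
    _line('2014-06-24 13:29:31', '198.51.100.7', 52839, 'richard', 'dovecot_login'),
    _line('2014-06-24 13:29:38', '198.51.100.7', 52896, 'richard@mail.example'),
    _line('2014-06-24 13:29:48', '198.51.100.7', 52896, 'richard@mail.example', 'dovecot_login'),
    _line('2014-06-24 13:58:25', '198.51.100.7', 63786, 'richard'),
    _line('2014-06-24 14:02:01', '203.0.113.5', 40001, 'richard'),
    _line('2014-06-24 14:03:17', '203.0.113.6', 40002, 'richard'),
    _line('2014-06-24 14:05:00', '203.0.113.6', 40003, 'alice'),
    '2014-06-24 14:06:00 [4922] SMTP connection from [203.0.113.6] lost',
]
```

Running `summarize(SAMPLE_LOG)` reports `198.51.100.7` as over the per-IP limit and `richard` as targeted from three distinct IPs, while `alice` is not flagged.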
If your server is otherwise operating as normal, there's not much you can do. Maybe increase the deny IP limit in the CSF conf for a while. The attack should go away eventually.

Looks like it just did finish. Server was fine, no extra load, just lots of denied IPs, more than usual. I called the customer whose ID was being used and made sure they were aware of it, and suggested they run malware and virus scans on their computers just as a precaution. I have read lots of info on the brute force botnet style attacks; none of it really says what to do other than what I already have done, so I can at least take comfort in that. I guess I was more curious if there was some authority to submit info to, to help them track this kind of stuff down, or if it would even be worth it. Thanks

There is nothing more that can be done from your side. It could be a compromised machine trying to access the mails.

Hello :) Yes, there's not much you can do to prevent the brute force attempt itself, so blocking the IP addresses is really the main step to take in cases like this. Thank you.