pop3 attack flood
hi friends
I'm getting these kind of attacks
[
with hundreds of attempts being made, in very short time my firewall csf is setting to: LF_POP3D = 10 LF_POP3D_PERM = 1 LF_SMTPAUTH = 5 LF_SMTPAUTH_PERM = 1 Home "Service Configuration "Mailserver Configuration is : Maximum Number of Mail Processes = 512 Maximum IMAP Connections Per IP Address =20 Maximum POP3 Connections per IP Address = 3 Number of Spare Authentication Processes = 2 Maximum Number of Authentication Processes = 50 How can I stop this type of attacks ??
2017-10-26 23:08:58 dovecot_login authenticator failed for (example.com.mx) [174.136.26.136]:51955: 535 Incorrect authentication data (set_id=info@mailXXX.com)
2017-10-26 23:09:04 dovecot_login authenticator failed for (example.com.mx) [174.136.26.136]:51964: 535 Incorrect authentication data (set_id=info@mailXXX.com)
2017-10-26 23:09:06 dovecot_login authenticator failed for (example.com.mx) [174.136.26.136]:51971: 535 Incorrect authentication data (set_id=info@mailXXX.com)
2017-10-26 23:09:08 dovecot_login authenticator failed for (example.com.mx) [174.136.26.136]:51977: 535 Incorrect authentication data (set_id=info@mailXXX.com)
2017-10-26 23:09:10 dovecot_login authenticator failed for (example.com.mx) [174.136.26.136]:51984: 535 Incorrect authentication data (set_id=info@mailXXX.com)
2017-10-26 23:09:12 dovecot_login authenticator failed for (example.com.mx) [174.136.26.136]:51985: 535 Incorrect authentication data (set_id=info@mailXXX.com)
2017-10-26 23:11:57 dovecot_login authenticator failed for (example.in) [203.129.218.76]:34001: 535 Incorrect authentication data (set_id=info@mailXXX.com)
2017-10-26 23:12:08 dovecot_login authenticator failed for (example.in) [203.129.218.76]:34006: 535 Incorrect authentication data (set_id=info@mailXXX.com)
2017-10-26 23:12:14 dovecot_login authenticator failed for (example.in) [203.129.218.76]:34029: 535 Incorrect authentication data (set_id=info@mailXXX.com)
2017-10-26 23:12:19 dovecot_login authenticator failed for (example.in) [203.129.218.76]:34042: 535 Incorrect authentication data (set_id=info@mailXXX.com)
2017-10-26 23:12:25 dovecot_login authenticator failed for (example.in) [203.129.218.76]:34044: 535 Incorrect authentication data (set_id=info@mailXXX.com)
with hundreds of attempts being made, in very short time my firewall csf is setting to: LF_POP3D = 10 LF_POP3D_PERM = 1 LF_SMTPAUTH = 5 LF_SMTPAUTH_PERM = 1 Home "Service Configuration "Mailserver Configuration is : Maximum Number of Mail Processes = 512 Maximum IMAP Connections Per IP Address =20 Maximum POP3 Connections per IP Address = 3 Number of Spare Authentication Processes = 2 Maximum Number of Authentication Processes = 50 How can I stop this type of attacks ??
-
Hello, The best approach to address this issue would be to block the offending IP addresses in your firewall, or ensure that your firewall is automatically blocking the IP addresses. Can you review your CSF Firewall logs to see if it's blocking them? Thank you. 0 -
Hello, Yes, so far the firewall is blocking IPs every day is added between 2000 to 2500 new blocked IPs I see that, the flood connections are made every 4 seconds, is there any option to prevent them from generating connection attempts, every 4 seconds?, if the connection interval is every 10 or 15 seconds, I think it could mitigate the attack 0 -
Hello, I don't believe there are any mail server settings that will help, as nothing will really prevent the connection request itself besides blocking the IP address in your firewall. You could check with the CSF support forums to see if there are any options within CSF that you could alter to help detect the attach more efficiently. Thank you. 0
Please sign in to leave a comment.
Comments
3 comments