Author Topic: LFD POP3 & SMTP attack aren't blocked.  (Read 11925 times)

0 Members and 1 Guest are viewing this topic.

Offline
*
LFD POP3 & SMTP attack aren't blocked.
« on: July 03, 2018, 09:27:44 AM »
With the default csf config the
LF_POP3D = "0"
LF_POP3D_PERM = "0"

So it doesn't block attacks.
Enabling the LF_POP3D = "1" doesn't change anything.
The attack still continue without a ban.

Offline
*
Re: LFD POP3 & SMTP attack aren't blocked.
« Reply #1 on: July 03, 2018, 09:48:49 AM »
Already found a fault in the csf.conf

The log location is wrong:
POP3D_LOG = "/var/log/maillog"
IMAPD_LOG = "/var/log/maillog"

should be
/var/log/dovecot-info.log

The log contains auth failures for pop3 and imap.
But the bans still don't work
« Last Edit: July 03, 2018, 09:55:36 AM by belrpr »

Offline
*
Re: LFD POP3 & SMTP attack aren't blocked.
« Reply #2 on: July 03, 2018, 11:45:58 AM »
you should use the correct configuration from the wiki
http://wiki.centos-webpanel.com/csflfd-firewall-configuration
VPS & Dedicated server provider with included FREE Managed support for CWP.
http://www.studio4host.com/

*** Don't allow that your server or website is down, choose hosting provider with included expert managed support for your CWP.

Offline
*
Re: LFD POP3 & SMTP attack aren't blocked.
« Reply #3 on: July 03, 2018, 12:04:21 PM »
Yeah that fixes things.
But why is the default config not correct. It isn't the basic csf config because the regex.custom has some CWP login checks.

Offline
*
Re: LFD POP3 & SMTP attack aren't blocked.
« Reply #4 on: October 21, 2018, 12:42:12 PM »
you should use the correct configuration from the wiki
http://wiki.centos-webpanel.com/csflfd-firewall-configuration

But, in this rule if activated, blocked server http and mail traffic, ssh work ok.

Custom regex for mod security, file /etc/csf/regex.custom.pm :

#mod_security
if (($config{LF_MODSEC}) and ($globlogs{MODSEC_LOG}{$lgfile}) and ($line =~ /^\[\S+ \S+ \S+ \S+ \S+\] \[(\w*)?:error\] (\[pid \d+(:tid \d+)\]) \[client \S+:\S+\] \[client (\S+)\] ModSecurity:(( \[[^\]]+\])*)? Access denied/)) {
        my $ip = $4;
        $ip =~ s/^::ffff://;
        if (split(/:/,$ip) == 2) {$ip =~ s/:\d+$//}
        my $ruleid = "unknown";
        if ($line =~ /\[id "(\d+)"\]/) {$ruleid = $1}
        if (checkip(\$ip)) {return ("mod_security (id:$ruleid) triggered by","$ip","mod_security-custom","4","80,443","1")} else {return}
}