Stop Distributed attack emails

Posted: 02 May 2022, 21:24
by bwatsonfc
We've been getting a large number of distributed attack emails, and no option I have disabled alerts for has stopped the emails. Is there any way to stop these? Some of the alerts we're getting:

Time: Mon May 2 15:11:40 2022 -0500
IP: distributed imapd attack on account [redacted@redacted.com]
Failures: 10
Interval: 3600 seconds
Blocked: Permanent Block [LF_DISTATTACK]

Time: Mon May 2 15:05:12 2022 -0500
IP: distributed smtpauth attack on account [redacted]
Failures: 5
Interval: 3600 seconds
Blocked: Permanent Block [LF_DISTATTACK]

Time: Mon May 2 14:53:42 2022 -0500
IP: 107.115.206.2 (US/United States/-)
Failures: 10 (imapd)
Interval: 3600 seconds
Blocked: Permanent Block [LF_IMAPD]

I have set the following to Off:

LOGFLOOD_ALERT
LF_PERMBLOCK_ALERT
LF_DISTFTP_ALERT
LF_DISTSMTP_ALERT
LT_EMAIL_ALERT
CT_EMAIL_ALERT
PS_EMAIL_ALERT
PORTKNOCKING_ALERT

Re: Stop Distributed attack emails

Posted: 02 May 2022, 21:34
by ForumAdmin
Those emails are controlled by LF_EMAIL_ALERT.

Re: Stop Distributed attack emails

Posted: 03 May 2022, 20:58
by bwatsonfc
I was under the impression that would stop all login emails, including WHM/SSH, but it appears to have stopped the attack emails and did not prevent the WHM/SSH emails, which is what we were wanting. Thank you very much.

Re: Stop Distributed attack emails

Posted: 23 Jun 2022, 18:25
by rbairwell
We're getting a high number of these as well, and I've enabled SMTPAUTH_RESTRICT and listed GB in CC_ALLOW_SMTPAUTH (I've also made the necessary changes to Exim as detailed in https://download.configserver.com/csf/readme.txt at "25. Exim SMTP AUTH Restriction").

Exim now verifies the IP address is in /etc/exim.smtpauth before allowing SMTPAUTH; however, with just the Maxmind country database enabled and only "GB,US" listed as allowed countries, that file is 155.972 lines long and CSF did take a while to restart (about 4 minutes).

Re: Stop Distributed attack emails

Posted: 11 Jul 2022, 06:27
by salali-webhosting
Hi!
We have disabled the following options in the CSF configuration, but emails from Mailer-Daemon@hostname.com are still being sent and are filling the queue. Please guide me in this matter.
LOGFLOOD_ALERT
LF_PERMBLOCK_ALERT
LF_DISTFTP_ALERT
LF_DISTSMTP_ALERT
LT_EMAIL_ALERT
CT_EMAIL_ALERT
PT_USERMEM
PT_USERTIME
PS_EMAIL_ALERT
PORTKNOCKING_ALERT
LF_EMAIL_ALERT
Thank you.

Re: Stop Distributed attack emails

Posted: 18 Jul 2022, 07:35
by nibb
Email notifications work fine for small volumes, but since there is no summary you will get one per block instead of just one email with all the blocks in a given time. Not even sure if that is preferable.

Technically it's better to use something else for reports, but this is out of the scope of CSF, as it would need to hold things in a database in order to email alerts with a summary of all blocks, making it too resource intensive. I prefer it to be as simple as possible. This is why I actually researched the block_report feature, which allows you to trigger something else (your choice) for how you want to log or be alerted, which is nice, but to my surprise this only works for LFD and not CSF. This means there is really no way to alert things to a local log file or database, or another system, and emails seem to be the most reliable option.

Other iptables-based firewall scripts certainly allow this. Another option would be to tail the CSF and LFD logs with your own logger, which is probably a bit more complicated for most setups.

My suggestion is to set up a dedicated email account just for CSF notifications, since it will get flooded really quickly. Getting 300 emails per CSF installation is not really manageable.

Personally I like to get the emails; it allows you to quickly discover when there is a specific attack or abuse.

Re: Stop Distributed attack emails

Posted: 21 Jul 2022, 18:58
by Sergio
On the email account that you are receiving those warnings, create an email filter to delete them.

- Enter into the email webmail that is receiving the emails.
- Go to EMAIL FILTERS.
- Add a new filter, give it a name like "DELETE LFD BLOCKS", and add the following lines:
NOTE: Be careful that each line is set to AND.
FROM CONTAINS:
root@yourserver.tld AND

SUBJECT CONTAINS:
SERVERNAME: blocked AND

BODY MATCHES REGEX:
\[(LF_DISTATTACK|LF_SMTPAUTH)\] AND

BODY DOES NOT MATCH:
\((GB|US)\/

ACTIONS
Discard Message
Save the filter, and from now on you will not receive those ones anymore, but you will still receive emails from the countries that your customers are in.

Basically the idea is to delete all the garbage and keep an eye on the countries that your customers are in.


Sergio
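The same triage logic as the webmail filter above, as an added example that is not part of this thread or of CSF/LFD: it parses alert bodies in the Time/IP/Failures/Interval/Blocked layout quoted earlier and discards LF_DISTATTACK and LF_SMTPAUTH blocks unless the source country is one you serve. The sample alerts, the DE address and the `triage` helper are constructed for the example.

```python
import re

# Constructed sample alert bodies in the layout quoted in this thread
# (the third one, with a DE source address, is made up for the example).
SAMPLE_ALERTS = [
    """Time: Mon May 2 15:11:40 2022 -0500
IP: distributed imapd attack on account [redacted@redacted.com]
Failures: 10
Interval: 3600 seconds
Blocked: Permanent Block [LF_DISTATTACK]""",
    """Time: Mon May 2 14:53:42 2022 -0500
IP: 107.115.206.2 (US/United States/-)
Failures: 10 (imapd)
Interval: 3600 seconds
Blocked: Permanent Block [LF_IMAPD]""",
    """Time: Tue May 3 09:00:01 2022 -0500
IP: 198.51.100.7 (DE/Germany/-)
Failures: 5 (smtpauth)
Interval: 3600 seconds
Blocked: Permanent Block [LF_SMTPAUTH]""",
]

FIELD_RE = re.compile(r"^(Time|IP|Failures|Interval|Blocked):\s*(.*)$", re.M)
TAG_RE = re.compile(r"\[([A-Z_]+)\]\s*$")        # e.g. [LF_DISTATTACK]
COUNTRY_RE = re.compile(r"\(([A-Z]{2})/")        # e.g. (US/United States/-)

# Block types the webmail filter treats as noise: same set as its regex.
NOISY_TAGS = {"LF_DISTATTACK", "LF_SMTPAUTH"}


def parse_alert(body):
    """Split one alert body into its fields plus the block tag and country."""
    fields = dict(FIELD_RE.findall(body))
    tag = TAG_RE.search(fields.get("Blocked", ""))
    cc = COUNTRY_RE.search(fields.get("IP", ""))
    fields["tag"] = tag.group(1) if tag else None
    # Distributed-attack alerts carry no single IP, so country is None there.
    fields["country"] = cc.group(1) if cc else None
    return fields


def should_discard(alert, keep_countries=("GB", "US")):
    """Mirror the filter: drop noisy block types unless from a kept country."""
    if alert["tag"] not in NOISY_TAGS:
        return False
    return alert["country"] not in keep_countries


def triage(bodies, keep_countries=("GB", "US")):
    """Return (kept, discarded) lists of parsed alerts."""
    kept, discarded = [], []
    for body in bodies:
        alert = parse_alert(body)
        (discarded if should_discard(alert, keep_countries) else kept).append(alert)
    return kept, discarded
```

Because an LF_DISTATTACK alert names no source IP, it never matches a country and is always discarded by this rule; keep LF_DISTATTACK out of NOISY_TAGS if you want to see those.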