Hello
For the past week one of my servers has been suffering from distributed smtpauth attacks at an incredible rate.
I have CSF blocking the attacks, but since it's been going on for a week solid I was hoping someone here would have a way of helping me stop or at least limit these attacks.
I have increased the banned IPs in CSF from 100 to 200, and it seemed to have stopped the attacks for almost a day, although server load was higher than usual.
Now the attacks are back at a rate never seen before, and IPs are getting unblocked just as fast as they get blocked, so anyone attacking with 200 IPs or more can just rotate the attacks through.
When I increase the banned IPs to 400, server load just gets too high, it seems.
Does anyone have any ideas?
I have pasted one of the emails CSF sends when blocking below in the hopes someone may see a simple solution looking at this.
Thank you!
Harold
Code:
Time: Tue Feb 11 16:31:53 2014 -0500
IP: distributed smtpauth attack on account [[email protected]]
Failures: 5
Interval: 300 seconds
Blocked: Permanent Block
Log entries:
2014-02-11 16:27:22 courier_plain authenticator failed for pc-131-76-101-190.cm.domain.net (Contabilidad) [190.101.76.131]:3672: 535 Incorrect authentication data ([email protected])
2014-02-11 16:27:06 courier_plain authenticator failed for pc-131-76-101-190.cm.domain.net (Contabilidad) [190.101.76.131]:3518: 535 Incorrect authentication data ([email protected])
2014-02-11 16:27:07 courier_login authenticator failed for pc-131-76-101-190.cm.domain.net (Contabilidad) [190.101.76.131]:3518: 535 Incorrect authentication data ([email protected])
2014-02-11 16:31:48 courier_plain authenticator failed for (WIN712340928SRZ) [178.16.3.131]:58024: 535 Incorrect authentication data ([email protected])
2014-02-11 16:27:22 courier_login authenticator failed for pc-131-76-101-190.cm.domain.net (Contabilidad) [190.101.76.131]:3672: 535 Incorrect authentication data ([email protected])
IP Addresses Blocked:
190.101.76.131 (CL/Chile/pc-131-76-101-190.cm.vtr.net)
178.16.3.131 (IM/Isle of Man/adsl178.16.3.131.manx.net)
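The alert in the post groups failures by target account rather than by source IP. The following is an added example (not part of the original post and not CSF's own code) that applies the same 5-failures-in-300-seconds rule to Exim-style log lines and reports which accounts are being hit from more than one address. The `set_id=` field, the `MIN_UNIQUE_IPS` threshold, and all addresses, hostnames and IPs in the sample are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds taken from the alert in the post: 5 failures within 300 seconds.
FAILURES = 5
INTERVAL = timedelta(seconds=300)
MIN_UNIQUE_IPS = 2  # assumption: two or more sources counts as "distributed"

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \S+ authenticator failed for "
    r".*?\[(?P<ip>[0-9A-Fa-f.:]+)\]:\d+: 535 Incorrect authentication data "
    r"\(set_id=(?P<account>[^)]+)\)"
)

# Constructed sample log (documentation IP ranges, made-up hosts and accounts).
SAMPLE_LOG = """\
2014-02-11 16:27:22 courier_plain authenticator failed for host1.example.net (PC1) [192.0.2.10]:3672: 535 Incorrect authentication data (set_id=info@example.com)
2014-02-11 16:27:06 courier_plain authenticator failed for host1.example.net (PC1) [192.0.2.10]:3518: 535 Incorrect authentication data (set_id=info@example.com)
2014-02-11 16:27:07 courier_login authenticator failed for host1.example.net (PC1) [192.0.2.10]:3518: 535 Incorrect authentication data (set_id=info@example.com)
2014-02-11 16:31:48 courier_plain authenticator failed for (WINBOX) [198.51.100.7]:58024: 535 Incorrect authentication data (set_id=info@example.com)
2014-02-11 16:27:22 courier_login authenticator failed for host1.example.net (PC1) [192.0.2.10]:3672: 535 Incorrect authentication data (set_id=info@example.com)
2014-02-11 16:28:00 courier_login authenticator failed for (LAPTOP) [203.0.113.5]:40100: 535 Incorrect authentication data (set_id=sales@example.com)
"""

def find_distributed_attacks(lines):
    """Return {account: sorted source IPs} for accounts that hit the threshold."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            events.append((ts, m["account"].lower(), m["ip"]))
    events.sort()  # pasted log lines are not guaranteed to be in time order
    windows = defaultdict(deque)  # account -> recent (timestamp, ip) failures
    flagged = defaultdict(set)
    for ts, account, ip in events:
        win = windows[account]
        win.append((ts, ip))
        while ts - win[0][0] > INTERVAL:  # drop failures older than the interval
            win.popleft()
        ips = {src for _, src in win}
        if len(win) >= FAILURES and len(ips) >= MIN_UNIQUE_IPS:
            flagged[account] |= ips
    return {acct: sorted(ips) for acct, ips in flagged.items()}

if __name__ == "__main__":
    for account, ips in find_distributed_attacks(SAMPLE_LOG.splitlines()).items():
        print(f"{account}: {len(ips)} source IPs -> {', '.join(ips)}")
```

Counting distinct sources per account over a longer log shows how many addresses are rotating against each mailbox, which can be compared with the size of the temporary block list.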