    NixSec


    Email brute forcers are a bigger problem than most web or SSH brute forcers. For some reason email is the most attractive target, and the attackers do anything to evade bans: they throttle their brute-force rate and spread the attempts across thousands of different IPs, which makes them impossible to ban with the normal CSF settings.

    Here is a small script you can add that starts and reloads together with CSF and bans the offending IPs dynamically. This way your iptables rules stay clean, and you can clear the ban list at any time because the mechanism will always do its job again.


    /etc/csf/csfpre.sh

    #!/bin/bash
    #
    # CSF runs this file on every start/reload; use it to restart the Exim watcher.
    #
    
    # Kill any previous watcher instance (the [c] trick stops grep from matching itself)
    ps aux | grep '[c]sfexim.sh' | awk '{print $2}' | xargs -r kill -9 >/dev/null 2>&1
    # Start a fresh watcher in the background, detached from CSF's own output
    /etc/csf/csfexim.sh >/dev/null 2>&1 &
    


    /etc/csf/csfexim.sh

    #!/bin/bash
    #
    # Exim block script for CSF
    #
    # Follows the Exim reject log and temp-bans (via csf -td) every source IP
    # that produces an "Incorrect authentication data" SMTP AUTH failure.
    
    logfile="/var/log/exim/rejectlog"
    blocktime="3600"   # seconds the temporary ban lasts
    
    # Stream the logfile (-F keeps following after logrotate replaces the file)
    tail -Fn0 "$logfile" | \
    while IFS= read -r line ; do
            # Only act on authentication failures (-q: do not echo the line)
            echo "$line" | grep -q "Incorrect authentication data" || continue
            # Grep the ip address (first bracketed IPv4 address on the line)
            ip=$(echo "$line" | grep -oE ' \[[0-9.]+\]' | head -n1 | tr -d ' []')
            [ -n "$ip" ] || continue
            # Block in CSF
            csf -td "$ip" "$blocktime" -d inout "(Exim failed login) Login failure/trigger from $ip after 1 failed login"
    done
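Below is an added example, not part of the NixSec page, that runs the same detection over a few constructed rejectlog lines and generalizes the one-failure trigger to a per-IP threshold, printing the csf commands instead of executing them so it can be checked offline. The function names and the sample lines are mine.

```shell
#!/bin/bash
# Added example: parse Exim rejectlog lines, count "Incorrect authentication
# data" failures per source IP and emit the csf command for IPs that reach a
# threshold (dry run: nothing is executed).
# The log lines below are constructed to mimic the Exim rejectlog format.

SAMPLE_LOG='2024-01-10 10:00:01 login authenticator failed for (test) [203.0.113.5]: 535 Incorrect authentication data (set_id=bob)
2024-01-10 10:00:02 H=(mail.example.net) [198.51.100.7] F=<a@b.example> rejected RCPT <x@y.example>: relay not permitted
2024-01-10 10:00:03 login authenticator failed for (test) [203.0.113.5]: 535 Incorrect authentication data (set_id=alice)
2024-01-10 10:00:04 plain authenticator failed for (test) [192.0.2.9]: 535 Incorrect authentication data (set_id=admin)'

# Extract the first bracketed IPv4 address from one log line (empty if none).
extract_ip() {
    printf '%s\n' "$1" | grep -oE '\[[0-9]{1,3}(\.[0-9]{1,3}){3}\]' | head -n1 | tr -d '[]'
}

# Read log lines from stdin and print "ip count" for every IP with AUTH failures.
count_failures() {
    local line ip
    while IFS= read -r line; do
        printf '%s\n' "$line" | grep -q 'Incorrect authentication data' || continue
        ip=$(extract_ip "$line")
        if [ -n "$ip" ]; then printf '%s\n' "$ip"; fi
    done | sort | uniq -c | awk '{print $2, $1}'
}

# Print the csf command for every IP with at least THRESHOLD failures.
ban_commands() {
    local threshold="$1" blocktime="$2"
    count_failures | while read -r ip n; do
        [ "$n" -ge "$threshold" ] || continue
        printf 'csf -td %s %s -d inout "(Exim failed login) %s failed logins from %s"\n' \
            "$ip" "$blocktime" "$n" "$ip"
    done
}

# Usage: printf '%s\n' "$SAMPLE_LOG" | ban_commands 2 3600
```

Replace the constructed SAMPLE_LOG with `tail -Fn0` on the real rejectlog, as in the script above, to run it live.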