Description
in /var/log/dovecot.log
2023-06-07 22:40:53 auth: Info: passwd-file(abuse@somedomain.com,154.127.86.66): unknown user
2023-06-07 22:41:00 auth: Info: passwd-file(abuse@somedomain.com,185.247.64.171): unknown user
in /var/log/exim4/rejectlog
2023-06-07 22:41:04 dovecot_login authenticator failed for ([185.247.64.172]) [185.247.64.171]: 535 Incorrect authentication data (set_id=abuse@somedomain.com)
2023-06-07 22:41:06 dovecot_login authenticator failed for ([5.32.22.218]) [5.32.22.218]: 535 Incorrect authentication data (set_id=abuse@somedomain.com)
2023-06-07 22:41:09 dovecot_login authenticator failed for (localhost) [46.148.40.148]: 535 Incorrect authentication data (set_id=s68)
2023-06-07 22:41:09 dovecot_login authenticator failed for ([220.162.202.86]) [220.162.202.86]: 535 Incorrect authentication data (set_id=abuse@somedomain.com)
The unknown user ones for dovecot can be csf -d IP-blocked immediately, as far as I'm concerned. The rejectlog ones as well.
There's no proper way to fight bought bot-net attacks otherwise. Especially on servers with users that are long-time users, there's not going to be an issue banning at once.
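One way the two log formats quoted in this issue can be parsed and turned into `csf -d` block decisions, as an added example that is not part of the issue or of the project's own code. It embeds the log lines from the issue as its sample input, counts failed-auth events per source IP across both files, and builds the `csf -d IP comment` commands in dry-run mode. The threshold of 1, the `allowlist` contents and the `dovecot/exim` comment text are assumptions. Note that in the exim rejectlog the value inside `for (...)` is the client-supplied HELO name (in the first line it differs from the real peer address), so the example acts only on the address in the `[...]` that follows it.

```python
import re
import subprocess
from collections import Counter

# Sample input: the log excerpts quoted in this issue, embedded here so the
# example runs offline.
DOVECOT_LOG = """\
2023-06-07 22:40:53 auth: Info: passwd-file(abuse@somedomain.com,154.127.86.66): unknown user
2023-06-07 22:41:00 auth: Info: passwd-file(abuse@somedomain.com,185.247.64.171): unknown user
"""

EXIM_REJECTLOG = """\
2023-06-07 22:41:04 dovecot_login authenticator failed for ([185.247.64.172]) [185.247.64.171]: 535 Incorrect authentication data (set_id=abuse@somedomain.com)
2023-06-07 22:41:06 dovecot_login authenticator failed for ([5.32.22.218]) [5.32.22.218]: 535 Incorrect authentication data (set_id=abuse@somedomain.com)
2023-06-07 22:41:09 dovecot_login authenticator failed for (localhost) [46.148.40.148]: 535 Incorrect authentication data (set_id=s68)
2023-06-07 22:41:09 dovecot_login authenticator failed for ([220.162.202.86]) [220.162.202.86]: 535 Incorrect authentication data (set_id=abuse@somedomain.com)
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

# Dovecot "unknown user": the source IP is the second field inside passwd-file(...).
DOVECOT_RE = re.compile(
    r"auth: Info: passwd-file\((?P<user>[^,]*),(?P<ip>" + IPV4 + r")\): unknown user"
)

# Exim rejectlog: "for (...)" holds the HELO name the client claimed, which it
# controls; the address in the following [...] is the real peer, so that is the
# one we block on.
EXIM_RE = re.compile(
    r"dovecot_login authenticator failed for \((?P<helo>[^)]*)\) "
    r"\[(?P<ip>" + IPV4 + r")\]: 535 .*\(set_id=(?P<set_id>[^)]*)\)"
)


def parse_dovecot(line):
    """Return (ip, attempted_user) for a dovecot 'unknown user' line, else None."""
    m = DOVECOT_RE.search(line)
    return (m.group("ip"), m.group("user")) if m else None


def parse_exim(line):
    """Return (ip, set_id) for an exim dovecot_login 535 failure line, else None."""
    m = EXIM_RE.search(line)
    return (m.group("ip"), m.group("set_id")) if m else None


def collect_offenders(dovecot_text, exim_text):
    """Count failed-auth events per source IP across both log files."""
    hits = Counter()
    for line in dovecot_text.splitlines():
        parsed = parse_dovecot(line)
        if parsed:
            hits[parsed[0]] += 1
    for line in exim_text.splitlines():
        parsed = parse_exim(line)
        if parsed:
            hits[parsed[0]] += 1
    return hits


def block_commands(hits, threshold=1, allowlist=frozenset({"127.0.0.1"})):
    """Build 'csf -d IP comment' commands for every IP at or above threshold.

    threshold=1 matches the 'ban at once' policy asked for in the issue; the
    allowlist keeps the box from blocking itself (assumed contents).
    """
    cmds = []
    for ip, count in sorted(hits.items()):
        if ip in allowlist or count < threshold:
            continue
        cmds.append(["csf", "-d", ip, f"failed mail auth x{count} (dovecot/exim)"])
    return cmds


def apply_blocks(cmds, dry_run=True):
    """Print the commands (dry run) or execute them with subprocess."""
    for cmd in cmds:
        if dry_run:
            print("would run:", " ".join(cmd))
        else:
            subprocess.run(cmd, check=True)


if __name__ == "__main__":
    offenders = collect_offenders(DOVECOT_LOG, EXIM_REJECTLOG)
    apply_blocks(block_commands(offenders), dry_run=True)
```

Run as-is it only prints the five `csf -d` commands it would issue (185.247.64.171 is counted twice because it appears in both logs; the HELO value 185.247.64.172 is never blocked). Switching `dry_run=False` executes them, which needs root and a working csf install.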