Today our server was the target of a dictionary attack from a bot in Vietnam. Our csf/lfd install was up to the job, and swatted every attempt to login (see http://www.kpdirection.com/technology/using-csf-and-lfd/ for details of how we do that).
The downside was that we were receiving a continuous stream of emails from lfd telling us that we were under attack – at a rate of almost 400 emails per hour. Obviously the workload of blocking the attack and sending the confirmation emails to me were having an effect on the responsiveness of our server, so I wanted to block the attack at a higher level – before csf/lfd even got to know about it.
The subject of the emails we received gave us the IP address of the attacker, and told us that they were in Vietnam
Subject: lfd on kpdirection: blocked 220.127.116.11 (VN/Viet Nam/18.104.22.168-static)
If we were interested, we could use infosniper to further isolate the attacker to Hi Chi Minh City, but as we’re not going to knock on any doors, we didn’t (OK, we did… but we’re doing nothing else about it).
However, we needed to stop the emails coming through – by stopping the attack. In this case, it was as simple as configuring iptables to reject the attacking IP address, using the following command;
iptables -A INPUT -s 22.214.171.124 -j DROP
et voila, no more emails from csf/lfd about this particular IP address. All other notifications still come through as desired, because we didn’t change the configuration of csf/lfd. If you want to try this technique out, feel free to use the IP address 126.96.36.199 – it really *IS* a hacker.