Configure the tracking of login failures from distributed IP addresses to a specific application account.
juggernaut --task=lfd:tracking:distributedattack
Option |
Value | Default | Description |
---|---|---|---|
--LF_DISTATTACK |
<1|0> | 0 | Enable the tracking of login failures from distributed IP addresses to a specific application account. If the number of failures matches the application trigger then all of the IP addresses involved in the attack will be blocked. Tracking applies to LF_SSHD, LF_FTPD, LF_SMTPAUTH, LF_POP3D, LF_IMAPD, LF_HTACCESS. |
--LF_DISTATTACK_UNIQ |
<2-20> | 2 | The minimum number of unique IP addresses that trigger LF_DISTATTACK. |
--LF_DIST_INTERVAL |
<60-86400> | 300 | The interval in seconds during which a distributed FTP or SMTP attack is measured. |
--LF_DIST_ACTION |
<string> | The path to a script that will run when a distributed FTP or SMTP login event is triggered. | |
--LF_DISTFTP |
<0-20> | 0 | Keep track of successful FTP logins. If the number of successful logins to an individual account is at least LF_DISTFTP in LF_INTERVAL from at least LF_DISTFTP_UNIQ IP addresses then all of the IP addresses will be blocked. To disable this option set to 0. |
--LF_DISTFTP_UNIQ |
<2-20> | 3 | The minimum number of unique IP addresses that trigger LF_DISTFTP. This must be less than or equal to LF_DISTFTP for this to function properly. |
--LF_DISTFTP_PERM |
<0-604800> | 1 | Enable permanent or temporary blocking (1 = Permanent or any value greater than 1 equal to the number of seconds to temporarily block for). |
--LF_DISTSMTP |
<0-20> | 0 | Keep track of successful SMTP logins (Postfix only). If the number of successful logins to an individual account is at least LF_DISTSMTP in LF_DIST_INTERVAL from at least LF_DISTSMTP_UNIQ IP addresses, then all of the IP addresses will be blocked. To disable this option set to 0. This option can help mitigate the common SMTP account compromise attacks that use a distributed network of zombies to send spam. A sensible setting for this might be 5, depending on how many different IP addresses you expect to an individual SMTP account within LF_DIST_INTERVAL. |
--LF_DISTSMTP_UNIQ |
<2-20> | 3 | The minimum number of unique IP addresses that trigger LF_DISTSMTP. This must be less than or equal to LF_DISTSMTP for this to function properly. |
--LF_DISTSMTP_PERM |
<0-604800> | 1 | Enable permanent or temporary blocking (1 = Permanent or any value greater than 1 equal to the number of seconds to temporarily block for). |
--default |
<yes> | Reset all settings to their default values. | |
--default_option |
<option> | Reset a specific setting to its default value. | |
--restart |
<yes> | Restart the service after saving settings. |
// enable LF_DISTATTACK tracking
juggernaut --task=lfd:tracking:distributedattack --LF_DISTATTACK=1 --restart=yes
// reset LF_DISTATTACK_UNIQ back to default
juggernaut --task=lfd:tracking:distributedattack --default_option=LF_DISTATTACK_UNIQ --restart=yes
// reset all settings back to default
juggernaut --task=lfd:tracking:distributedattack --default=yes --restart=yes