  1. #1
    Member
    Join Date
    May 2009
    Location
    England
    Posts
    22

    IPTables Support

    Hi,

    I run a server with 37 accounts, CentOS 5.7, WHM 11.30.4 on 512mb RAM, Xen and a few tweaks like SuExec, SuPHP. Running Apache 2.2, PHP 5.3.8, NSD, Dovecot. Bruteforce is set to 10 per IP for 2 week blacklisting. The server is locked down pretty well and I know what I'm doing.

    Firstly, the default dovecot auth settings are absurd for a 512mb server - I don't even remember exactly what you set, something like 500 auths per process, 100 processes?

    Recently I've been the target of a POP3/IMAP bruteforce attack, where over an hour the attacker makes around 4000 login attempts. I'm not concerned by this. What does concern me is: They leave the connections open too, and before long my server hits the swap... Then it starts killing processes.

    I've reduced the dovecot settings repeatedly and am now on 50 auths, 10 processes. This seems to mitigate against the above fairly well.

    What we as a cPanel user community need is a more sensible blacklisting system. If someone has thrown 4000 failed login attempts at the server, it should AT LEAST be added to iptables to drop that IP. I'd prefer tarpit, but I don't know (and haven't checked) support for that.

    We need two levels of protection:

    1. Blacklist and fail all logins after a set number
    2. IP tables drop or tarpit after an absurd number of requests from the same IP (100?)

    I believe integrated fail2ban would do just fine, though I've been a little too busy to set it up myself.

    Say, don't suppose your support staff would set up fail2ban for me?

    Thanks
    Lamped.co.uk Web Development

  2. #2
    cPanel Staff cPanelTristan's Avatar
    Join Date
    Oct 2010
    Location
    somewhere over the rainbow
    Posts
    6,291
    cPanel/Enkompass Access Level

    Root Administrator

    Re: IPTables Support

    Is there a reason that cPHulk Brute Force Protection is not able to handle this for you? If the user actually attempts to authenticate, then cPHulk should work under dovecot to blacklist the IP.

    Now, if the user simply tries a real DoS where they do not try to authenticate but simply hit the service and freeze up the connections, then cPHulk will not stem that type of attack. It is relatively easy to add firewall rules to stop a set number of connections beyond a certain amount into iptables directly such as the following example:

    Code:
    /sbin/iptables -A INPUT -i eth0 -p tcp --dport 110 -m state --state NEW -m recent --set --name POP3
    /sbin/iptables -A INPUT -i eth0 -p tcp --dport 110 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name POP3 -j DROP

    You would then do another for IMAP services with the --dport listed as that port number and change the --name portion to IMAP. This would block any new connections that hit the machine more than 8 times in 60 seconds.
    -- Tristan, Forums Technical Analyst, cPanel Tech Support
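
The rule pair from the reply above, written out for every mail port as an added example (not part of the original post and not cPanel's own tooling); it goes beyond the post by also covering IMAPS and POP3S. The function names, the `APPLY` switch and the assumption that Dovecot listens on the standard ports 143, 993 and 995 are this example's; `eth0`, 60 seconds and 8 hits are the post's values.

```shell
#!/bin/sh
# Added example: prints (or, with APPLY=1, runs) the two-rule "recent" pair
# for each mail service. Defaults mirror the post; override via environment.
IPT=${IPT:-/sbin/iptables}
IFACE=${IFACE:-eth0}
WINDOW=${WINDOW:-60}      # seconds
HITCOUNT=${HITCOUNT:-8}   # new connections allowed inside WINDOW

# emit_pair NAME PORT: print the --set rule, then the --update/DROP rule.
# Rejects list names and ports that would produce a malformed rule.
emit_pair() {
    name=$1 port=$2
    case $name in ''|*[!A-Za-z0-9_]*) echo "bad list name: $name" >&2; return 1 ;; esac
    case $port in ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "bad port: $port" >&2; return 1; }
    base="$IPT -A INPUT -i $IFACE -p tcp --dport $port -m state --state NEW -m recent"
    echo "$base --set --name $name"
    echo "$base --update --seconds $WINDOW --hitcount $HITCOUNT --rttl --name $name -j DROP"
}

# mail_rules: one pair per service, each with its own list name so POP3 and
# IMAP connection counts are tracked separately (ports are assumed defaults).
mail_rules() {
    for svc in POP3:110 IMAP:143 IMAPS:993 POP3S:995; do
        emit_pair "${svc%%:*}" "${svc##*:}" || return 1
    done
}

# Dry run by default so the rules can be reviewed first;
# set APPLY=1 (as root) to execute each printed rule.
if [ "${APPLY:-0}" = 1 ]; then
    mail_rules | while read -r rule; do $rule || exit 1; done
else
    mail_rules
fi
```

If you raise `HITCOUNT`, note that the `recent` match only remembers `ip_pkt_list_tot` packets per address (20 by default), so a larger `--hitcount` needs that module parameter raised first.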


  3. #3
    cPanel Partner NOC cPanel Partner NOC Badge
    Join Date
    Oct 2003
    Posts
    1,924

    Re: IPTables Support

    csf will ban the IP ConfigServer Security & Firewall
    Lowest Host/Empire Technology LLC
    Affordable hosting solutions http://empire-hosting.net
    List Your hosting site FREE in http://hostgeneration.com

  4. #4
    Member
    Join Date
    Aug 2008
    Posts
    17

    Re: IPTables Support

    I guess the apf firewall with bfd will do the trick.
    DDoS Protection: APF, BFD, DDoS and RootKit Utilities

  5. #5
    Member
    Join Date
    Jan 2008
    Location
    Buenos Aires, Argentina
    Posts
    942
    cPanel/Enkompass Access Level

    Root Administrator

    Re: IPTables Support

    CSF works really great blocking abusers. And it's free. Give it a try.
