  1. #1
    Member
    Join Date
    Mar 2006
    Posts
    6

    Brute Force

    One particular email account on my server is being brute force attacked for several days now ... It just doesn't stop ...

    cPHulk is showing all the failed logins, some IPs are being blocked;
    Have manually blocked some IPs via iptables;
    Have installed csf and lfd that is also blocking some IPs.

    The problem is that in a period of 5 minutes there are hundreds of different IPs trying to log in to this mail account, the majority aren't even blocked because they only make 1 or 2 attempts and then change ...

    Any suggestions? How can I stop it?
    Thank you!

  2. #2
    cPanel Product Evangelist Infopro
    Join Date
    May 2003
    Location
    Pennsylvania
    Posts
    7,891
    cPanel/Enkompass Access Level

    Root Administrator

    I know this is not what you want to hear, but killing the account might be one way to go.

  3. #3
    Member
    Join Date
    Mar 2006
    Posts
    6

    Definitely not what I wanted to hear

    You think it's possible to block all IPs trying to log in to this mail account and only allow the user IP (without affecting other users and accounts)?

    I'll try to temporarily kill the account during the night, to see if they change their mind and stop.

    Thank you Infopro!

  4. #4
    Member
    Join Date
    Jul 2002
    Location
    Canada
    Posts
    675
    Upload Guardian 2.0 - Sign up for our early beta
    ServerProgress - Server security, consulting and assistance

  5. #5
    cPanel Quality Assurance Analyst cPanelDon
    Join Date
    Nov 2008
    Location
    Houston, Texas, U.S.A.
    Posts
    2,555
    cPanel/Enkompass Access Level

    DataCenter Provider

    Quote Originally Posted by jeck View Post
    One particular email account on my server is being brute force attacked for several days now ... It just doesn't stop ...

    The problem is that in a period of 5 minutes there are hundreds of different IPs trying to log in to this mail account, the majority aren't even blocked because they only make 1 or 2 attempts and then change ...

    Any suggestions? How can I stop it?

    Use of a firewall, such as what ramprage suggested, may help to further protect the server by blocking access attempts at an earlier stage before they can reach the daemons involved. If the IP changes frequently or is not in a blacklist (such as what some iptables wrapper scripts offer like CSF and APF) then other measures would need to be taken as described below.

    Making good use of available security features is an excellent way to reduce the likelihood of issues occurring. In addition to using cPHulk, I recommend ensuring that all users are able to set only complex passwords, such as an alphanumeric password, with special characters, and varying the use of uppercase and lowercase letters; an easy way to ensure users must set more complex passwords is to set a default minimum password strength via the Security Center in WHM, as seen below:
    WHM: Main >> Security >> Security Center >> Password Strength Configuration
    Documentation: Define a Minimum Password Strength < AllDocumentation/WHMDocs < TWiki

    I would also consider using SSH keys for authentication when accessing SSH and disabling password authentication; this may be set up via WHM at the following menu path:
    WHM: Main >> Security >> Security Center >> SSH Password Auth Tweak
    Documentation: Tweak SSH Authentication < AllDocumentation/WHMDocs < TWiki

    If disabling password authentication, please ensure that an SSH key has been created so that SSH access can still be used:

    For root:
    WHM: Main >> Security >> Manage SSH Keys
    Documentation: Manage SSH Keys < AllDocumentation/WHMDocs < TWiki

    For resellers and end-users:
    cPanel: Security >> SSH/Shell Access >> Manage SSH Keys
    Documentation: SSH/Shell Access < AllDocumentation/CpanelDocs < TWiki
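
Added example, not written by any participant in this thread: the attack described in the first post (hundreds of source IPs, each making only 1 or 2 attempts) stays under any per-IP threshold, so this sketch counts distinct source IPs per target account inside a 5-minute sliding window instead. The log line format, the `min_ips` threshold and all addresses are constructed assumptions, not the format of cPHulk or any mail daemon.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format (an assumption, not cPHulk's or any mail daemon's):
#   <ISO timestamp> auth_failed user=<account> rip=<source IP>
LINE_RE = re.compile(r"^(\S+) auth_failed user=(\S+) rip=(\S+)$")

def parse(lines):
    """Yield (timestamp, account, source_ip) for each failed-login line."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)

def distributed_targets(lines, window=timedelta(minutes=5), min_ips=20):
    """Return {account: (peak_distinct_ips, failures_in_that_window)} for
    accounts hit from at least min_ips distinct sources inside one window."""
    by_account = defaultdict(list)
    for ts, account, ip in parse(lines):
        by_account[account].append((ts, ip))
    flagged = {}
    for account, events in by_account.items():
        events.sort()
        in_window, ips, peak = deque(), Counter(), (0, 0)
        for ts, ip in events:
            in_window.append((ts, ip))
            ips[ip] += 1
            # Drop events that have fallen out of the sliding window.
            while in_window[0][0] <= ts - window:
                _, old_ip = in_window.popleft()
                ips -= Counter({old_ip: 1})  # in-place subtract drops zero counts
            peak = max(peak, (len(ips), len(in_window)))
        if peak[0] >= min_ips:
            flagged[account] = peak
    return flagged

def sample_log():
    """Constructed sample: 30 sources make 2 tries each against one mailbox;
    one other user mistypes a password 3 times from a single IP."""
    start = datetime(2020, 1, 1, 18, 0, 0)
    rows = [(8 * i + n, "victim@example.com", f"203.0.113.{i + 1}")
            for i in range(30) for n in range(2)]
    rows += [(40 * n, "other@example.com", "198.51.100.7") for n in range(3)]
    return [f"{(start + timedelta(seconds=s)).isoformat()} auth_failed user={u} rip={ip}"
            for s, u, ip in rows]
```

An account flagged this way is a candidate for per-account measures (a forced password change to a strong value, or restricting which sources may authenticate to it) rather than more per-IP blocks.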
