  1. #1
    Member
    Join Date
    Jul 2006
    Posts
    8

    Brute force attack

    Hi,
    I'm a bit nervous about a brute force attack occurring right now on my server...
    (obs. sorry for my broken English)

    I received a lot of emails saying:
    login failures attempts to account

    I checked the cPHulk and found the IP and blocked it using APF firewall
    I set the cPHulk with the following:

    Configure Settings
    IP Based Brute Force Protection Period in minutes: 30
    Brute Force Protection Period in minutes: 35
    Maximum Failures By Account: 15
    Maximum Failures Per IP: 8
    Maximum Failures Per IP before IP is blocked for two week period: 20
    Extend account lockout time upon additional authentication failures: Y
    Send notification when brute force user is detected: Y


    But what's frightening me is that the brute force is trying the exact user names of my clients... How could it know that? Did I get cracked in a way the cracker could know only the real usernames but not the passwords?

    Thanks!
    Henrique.

  2. #2
    Member nyjimbo's Avatar
    Join Date
    Jan 2003
    Location
    New York
    Posts
    1,082

    It's possible someone who has shell access got hold of the password file, without the actual passwords, and is trying to hack that. Years ago we had a customer on a box that we offered shell access on, and he went and grabbed the /etc/passwd file, then weeks later came back and started to try to hack them with a script. Not sure what he was trying to do but he was doing it. Also, it's possible a spammer attacked your machine with emails to the server's domain name and found results of real account names (no undeliverable returns) and is trying to hack that.
    "A dog has raised it’s hind leg on the age of nevermore !"
    -- Rolf

  3. #3
    Member
    Join Date
    Jan 2008
    Location
    Buenos Aires, Argentina
    Posts
    833
    cPanel/Enkompass Access Level

    Root Administrator

    Do the usernames of your accounts differ from the domain names they belong to? i.e.: domain: onedomain.com ; username: onedomai

    That also gives a bit of help to crackers and is something you should be aware of.

    Like Jimbo says, I have also seen logged (using Logwatch) login attempts using usernames of email accounts currently being spammed. For such brute force attacks, we are lowering their incidence using the (D)DoS-Deflate script (http://deflate.medialayer.com/)
    Content is the king. Usability is my God.
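
An added example, not part of the thread or any poster's code: a triage script that, for each source IP in a failed-login log, measures what share of the usernames tried are real accounts and which of those hits could not simply be built from the domain name as in post #3 (such hits point toward a leaked or harvested list, as post #2 suggests). The log layout, the account map and the first-label, eight-character truncation rule are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample data, not taken from the thread: account username -> primary domain.
ACCOUNTS = {
    "onedomai": "onedomain.com",   # the pattern shown in post #3
    "shopxyz": "shopxyz.net",
    "k7rqm2vp": "example.org",     # username unrelated to its domain
}

# Constructed log lines in a made-up "user=... ip=..." layout; adapt the regex to your own log.
SAMPLE_LOG = """\
2008-03-01 10:00:01 failed login user=onedomai ip=203.0.113.5
2008-03-01 10:00:03 failed login user=shopxyz ip=203.0.113.5
2008-03-01 10:00:05 failed login user=k7rqm2vp ip=203.0.113.5
2008-03-01 10:02:11 failed login user=admin ip=198.51.100.9
2008-03-01 10:02:12 failed login user=test ip=198.51.100.9
2008-03-01 10:02:14 failed login user=onedomai ip=198.51.100.9
"""

LINE_RE = re.compile(r"failed login user=(\S+) ip=(\S+)")

def derived_username(domain, length=8):
    """Username buildable from the domain alone (assumed truncation rule)."""
    label = domain.lower().split(".")[0]
    return re.sub(r"[^a-z0-9]", "", label)[:length]

def predictable_accounts(accounts):
    """Accounts whose username equals the name derived from their own domain."""
    return {u for u, d in accounts.items() if u == derived_username(d)}

def summarize(log_text, accounts):
    """Per source IP: usernames tried, share that are real, real ones not derivable from a domain."""
    tried = defaultdict(set)
    for user, ip in LINE_RE.findall(log_text):
        tried[ip].add(user)
    guessable = predictable_accounts(accounts)
    report = {}
    for ip, users in tried.items():
        real = users & set(accounts)
        report[ip] = {
            "tried": len(users),
            "hit_ratio": len(real) / len(users),
            "unguessable_hits": sorted(real - guessable),
        }
    return report

if __name__ == "__main__":
    for ip, row in summarize(SAMPLE_LOG, ACCOUNTS).items():
        print(ip, row)
```

A source with a high hit ratio and non-empty `unguessable_hits` is working from a list of real names; a low ratio with only domain-derived hits is consistent with plain guessing.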
