Again BruteForce alerts!

andR00

Registered
Mar 22, 2006
1
0
151
I have recently started to get a lot of email warnings coming from my server. Obviously these are hacking attempts, but as a newbie, how should I treat this warning, please?

Any ideas are greatly appreciated!

The remote system 222.136.4.42 was found to have exceeded acceptable login
failures on biz.sky-dns.com; there was 51 events to the service exim. As such the
attacking host has been banned from further accessing this system. For the
integrity of your host you should investigate this event as soon as possible.

Executed ban command:
/etc/apf/apf -d 222.136.4.42 {bfd.exim}

The following are event logs from 222.136.4.42 on service exim (all time stamps
are GMT +0200):

2006-03-22 13:02:50 H=(bellsouth.net) [222.136.4.42] F=<[email protected]> rejected RCPT <[email protected]>: No Such User Here
2006-03-22 13:02:50 H=(bellsouth.net) [222.136.4.42] F=<[email protected]> rejected RCPT <[email protected]>: No Such User Here
2006-03-22 13:02:51 H=(bellsouth.net) [222.136.4.42] F=<[email protected]> rejected RCPT <[email protected]>: No Such User Here
2006-03-22 13:02:52 H=(bellsouth.net) [222.136.4.42] F=<[email protected]> rejected RCPT <[email protected]>: No Such User Here
2006-03-22 13:02:53 H=(bellsouth.net) [222.136.4.42] F=<[email protected]> rejected RCPT <[email protected]>: No Such User Here
2006-03-22 13:02:55 H=(bellsouth.net) [222.136.4.42] F=<[email protected]> rejected RCPT <[email protected]>: No Such User Here
2006-03-22 13:02:56 H=(bellsouth.net) [222.136.4.42] F=<[email protected]> rejected RCPT <[email protected]>: No Such User Here
........
........
........
 

haze

Well-Known Member
Dec 21, 2001
1,548
3
318
They aren't hacking attempts, they look more like dictionary mail attacks. I wouldn't worry too much about it, just let BFD do its thing.

FYI, BFD is not cPanel software, it's actually developed by Ryan over at rfxnetworks.com. You may find better results posting to the forums if you have troubles with understanding the workings of his software.
 

chirpy

Well-Known Member
Verified Vendor
Jun 15, 2002
13,448
31
473
Go on, have a guess
I would also advise against allowing BFD to block dictionary attacks as it can very quickly render your server unresponsive and unbootable. Much better to use an exim ACL to drop such connections.
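Added example, not posted by anyone in this thread: an Exim RCPT ACL fragment of the kind chirpy describes, which drops the SMTP session itself once a client has had several recipients rejected, so the dictionary attack never reaches BFD/APF at all. It assumes the stock Exim domain and host lists (`+local_domains`, `+relay_to_domains`, `+relay_from_hosts`) and a threshold of four rejections and a 5-second tar-pit, both of which are tuning choices for you to adjust. On a cPanel box the RCPT ACL lives in the cPanel-managed exim.conf, so put the change wherever your version of cPanel lets you customise that ACL rather than editing the generated file by hand.

```exim
# acl_check_rcpt: run for every RCPT TO command.
acl_check_rcpt:

  # Mail submitted locally (no remote host) is always accepted.
  accept  hosts = :

  # Session-level drop: $rcpt_fail_count is Exim's count of RCPT commands
  # already rejected in this session. Once it exceeds 4 (assumed threshold),
  # "drop" sends the 5xx reply and closes the TCP connection, which is what
  # stops a dictionary attack without touching the firewall.
  drop    message   = Too many invalid recipients, closing connection
          condition = ${if >{$rcpt_fail_count}{4}}

  # Unknown local recipient: this is the rule that writes
  # "rejected RCPT <...>: No Such User Here" to exim_mainlog.
  # The delay tar-pits the sender so each guess costs it 5 seconds (assumed).
  deny    message   = No Such User Here
          domains   = +local_domains
          !verify   = recipient
          delay     = 5s

  # Known local recipients are accepted.
  accept  domains = +local_domains
          endpass
          verify  = recipient

  # Domains we relay for, recipient verified.
  accept  domains = +relay_to_domains
          endpass
          verify  = recipient

  # Hosts and authenticated users allowed to relay anywhere.
  accept  hosts = +relay_from_hosts
  accept  authenticated = *

  # Everything else is an open-relay attempt.
  deny    message = relay not permitted
```

The ordering matters: the `drop` has to sit above the `deny` so that the fifth bad RCPT in a session is answered with a disconnect rather than another "No Such User Here". Compare that with the thread's log, where the same host was allowed roughly one guess per second until BFD counted 51 of them and called `apf -d`; with the ACL the attacker is cut off after the fifth guess and no firewall rule is ever created, which is exactly the "unresponsive and unbootable" failure mode chirpy warns about being avoided.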