Block login attempts on specific domain

[kjg]

Hi
We get tens of thousands of distributed imap login attempts on a domain that is not on our server. The domain is not pointing to our server in DNS so the attacks seems very strange.

Is it possible to block all attempts to imap logins on a specific domain somehow?

As it is now, we block after x failed login attempts via csf but with tens of thousands of attempts daily this only "rotates" the blocking ips.

Any suggestion would be very much appreciated

 

[dalem]

if the domain does not resolve to your server there is 0% chance they are attacking your server via that domain.

Perhaps you could explain this a bit better?

 

[kjg]

Dalem
Thank you for your reply

I suppose I gave too much info since the part of the domain not pointing to the server in the nameservers really is not the issue

It is how to block login attempts on a certain domain

(For your info, it is no problem at all to try to attack a server with false domain via using IP as address and [email protected] as user or via changing your host file in windows or changin local dns server or ..., but again, the fact that the domain is not on the server is not the issue)

 

[dalem]

as long as your mail ports are open attacks will come
but if its a specific attack like above [email protected]

check out csf regex and one attempt can trigger the block in csf
Custom REGEX rules for CSF. - ConfigServer Community Forum

 

[kjg]

Dalem
Once again, thank you for your help with this issue

Regex seems to be a good idea in order to help blocking from first login attempt instead of blocking as now on X failed login attempt.

Unfortunatly the number of IP's used was very large (tens of thousands of different IP's) so iptables will be too large after a short time if allowing all to be kept blocked for reasonable time.

I was hoping there was a way to block the logins directly without having to add IP to iptables.

Thought about adding the IP to temp block with low time, but that will also probably be a problem when the number of IP's are high.

Will do some tests to see how the server will react when number of temporarily blocke IP's are large.

The attack is over for now but I guess it will come back.

 

[dalem]

We have had similar attacks in the past for our us and our clients.
Ip tables seemed to do ok if I remember correctly the IP tables got up to about 8000-10,000ish.
A dedicated box was able to handle it ( a VPS would struggle ).

Next option would be look at the attack metrics if its the same domain or IP every time they are attacking then disable that IP or Null route it (it would be a bit of a pain switching out)

Last option some of the attacks the IP's came from ISP 1 1000 IPs, ISP2 1000 IP's, etc,
and we just null routed the /24 or in some cases entire /19 them at the router.
This option worked the best. Did not have any trouble as a good chunk of theses ISP's are still Null routed to this day as they are just junk networks. There were some AWS ranges that gave some grief that we had to remove (there is always junk on AWS).

 

[cPanelMichael]

Hello @kjg,

Let us know what you end up doing.

Thanks!