Block login attempts on specific domain

kjg

Well-Known Member
Mar 2, 2004
178
6
168
Hi
We get tens of thousands of distributed IMAP login attempts on a domain that is not on our server. The domain is not pointing to our server in DNS, so the attacks seem very strange.

Is it possible to block all attempts at IMAP logins on a specific domain somehow?

As it is now, we block after x failed login attempts via csf, but with tens of thousands of attempts daily this only "rotates" the blocked IPs.

Any suggestion would be very much appreciated
 

dalem

Well-Known Member
PartnerNOC
Oct 24, 2003
2,983
159
368
SLC
cPanel Access Level
DataCenter Provider
If the domain does not resolve to your server, there is a 0% chance they are attacking your server via that domain.

Perhaps you could explain this a bit better?
 

kjg
Dalem
Thank you for your reply

I suppose I gave too much info, since the part about the domain not pointing to the server in the nameservers really is not the issue.

It is how to block login attempts on a certain domain.

(For your info, it is no problem at all to try to attack a server with a false domain by using the IP as the address and [email protected] as the user, or by changing your hosts file in Windows, or changing your local DNS server, or ..., but again, the fact that the domain is not on the server is not the issue.)
 

kjg
Dalem
Once again, thank you for your help with this issue.

Regex seems to be a good idea in order to help block from the first login attempt instead of blocking, as now, on the Xth failed login attempt.

Unfortunately the number of IPs used was very large (tens of thousands of different IPs), so iptables will be too large after a short time if all of them are kept blocked for a reasonable time.

I was hoping there was a way to block the logins directly without having to add the IP to iptables.

I thought about adding the IPs to a temp block with a low time, but that will also probably be a problem when the number of IPs is high.

I will do some tests to see how the server reacts when the number of temporarily blocked IPs is large.

The attack is over for now but I guess it will come back.
 

dalem
We have had similar attacks in the past, for us and for our clients.
iptables seemed to do OK; if I remember correctly the iptables list got up to about 8,000-10,000ish.
A dedicated box was able to handle it (a VPS would struggle).

The next option would be to look at the attack metrics: if it is the same domain or IP every time they are attacking, then disable that IP or null route it (it would be a bit of a pain switching it out).

Last option: in some of the attacks the IPs came from ISP 1 (1000 IPs), ISP 2 (1000 IPs), etc.,
and we just null routed the /24, or in some cases the entire /19, at the router.
This option worked the best. We did not have any trouble, as a good chunk of these ISPs are still null routed to this day because they are just junk networks. There were some AWS ranges that gave some grief that we had to remove (there is always junk on AWS).
 
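The two ideas in the posts above, blocking on the first attempt for a domain that is not hosted here rather than after X failures, and rolling the source IPs up by /24 so dense networks can be dropped as a whole instead of filling iptables with tens of thousands of single-host rules, as an added example that is not part of the thread and not cPanel's or csf's own code. It parses Dovecot `imap-login` log lines (the log format cPanel's Dovecot writes), collects every client IP that tried any user @DOMAIN regardless of outcome, counts distinct IPs per /24, and emits `ipset` commands: a single `hash:net` set holds both whole networks and single hosts, so iptables needs exactly one rule however many addresses are listed. The log lines, the `example.net` domain, the `imap_block` set name, the threshold of 3 distinct IPs per /24, and the 24-hour entry timeout are all constructed assumptions; the addresses are RFC 5737 documentation ranges. IPv4 only.

```python
"""Block IMAP logins aimed at a domain this server does not host.

Added example (not from the thread, not csf/cPanel code). Parses Dovecot
imap-login lines, collects every client IP that tried any user @DOMAIN (first
attempt counts, failed or not), rolls the IPs up by /24, and emits ipset
commands so iptables carries one rule instead of one rule per address.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample log (not real traffic): RFC 5737 addresses, placeholder
# domain. Line 4 is an aborted login with an empty user; line 5 is a login for
# a domain the server really hosts, which must NOT be caught by the filter.
SAMPLE_LOG = """\
Mar  3 02:11:04 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice@example.net>, method=PLAIN, rip=203.0.113.17, lip=198.51.100.10, TLS
Mar  3 02:11:05 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob@example.net>, method=PLAIN, rip=203.0.113.44, lip=198.51.100.10, TLS
Mar  3 02:11:06 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<carol@example.net>, method=PLAIN, rip=203.0.113.91, lip=198.51.100.10, TLS
Mar  3 02:11:07 mail dovecot: imap-login: Aborted login (no auth attempts in 0 secs): user=<>, rip=192.0.2.9, lip=198.51.100.10, TLS
Mar  3 02:11:08 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<real@hosted.example>, method=PLAIN, rip=192.0.2.200, lip=198.51.100.10, TLS
Mar  3 02:11:09 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<erin@example.net>, method=PLAIN, rip=203.0.113.17, lip=198.51.100.10, TLS
Mar  3 02:11:10 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<frank@example.net>, method=PLAIN, rip=198.51.100.77, lip=198.51.100.10, TLS
"""

# user=<...> is the login name as typed by the client; rip= is the remote IP.
LINE_RE = re.compile(
    r"imap-login: .*?user=<(?P<user>[^>]*)>.*?rip=(?P<rip>[0-9.]+)"
)


def parse_attempts(log_text):
    """Return (user, client_ip) for every imap-login line, whatever the outcome."""
    attempts = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            attempts.append((m.group("user"), m.group("rip")))
    return attempts


def ips_for_domain(log_text, domain):
    """Count attempts per client IP where the login name is anything @domain.

    No failure threshold: the domain is not served here, so one attempt is
    already proof the client is hostile.
    """
    suffix = "@" + domain.lower()
    hits = Counter()
    for user, ip in parse_attempts(log_text):
        if user.lower().endswith(suffix):
            hits[ip] += 1
    return hits


def aggregate_by_prefix(ips, prefixlen=24):
    """Map each covering /prefixlen network to its number of distinct IPs."""
    nets = Counter()
    for ip in ips:
        net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
        nets[str(net)] += 1
    return nets


def ipset_commands(ips, setname="imap_block", net_threshold=3, prefixlen=24, ttl=86400):
    """Emit ipset commands: a whole /prefixlen when it holds >= net_threshold
    distinct attackers, otherwise the single host. Entries expire after ttl
    seconds, so the set does not grow without bound across attack waves."""
    nets = aggregate_by_prefix(ips, prefixlen)
    blocked_nets = {n for n, count in nets.items() if count >= net_threshold}
    cmds = [f"ipset -exist create {setname} hash:net timeout {ttl}"]
    for net in sorted(blocked_nets, key=ipaddress.ip_network):
        cmds.append(f"ipset -exist add {setname} {net}")
    for ip in sorted(ips, key=ipaddress.ip_address):
        covering = str(ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False))
        if covering not in blocked_nets:
            cmds.append(f"ipset -exist add {setname} {ip}")
    return cmds


if __name__ == "__main__":
    hits = ips_for_domain(SAMPLE_LOG, "example.net")
    for cmd in ipset_commands(hits):
        print(cmd)
```

The one iptables rule that consumes the set is `iptables -I INPUT -p tcp -m multiport --dports 143,993 -m set --match-set imap_block src -j DROP`; ipset lookups are hash-based, so a set of tens of thousands of entries costs about the same per packet as one entry, which is the point of not adding each IP as its own iptables rule. csf has its own ipset support (the `LF_IPSET` option in csf.conf), so the same idea can be applied to csf's temporary blocks instead of a hand-managed set. Run the script over `/var/log/maillog` on a schedule, feed the output to a shell, and check the aggregate counts before lowering `net_threshold`: a /24 with three distinct attackers is a reasonable bar on a hosting box, but the same rule applied to shared cloud ranges will catch legitimate customers, which is the AWS problem described above.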

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,884
2,250
463
Hello @kjg,

Let us know what you end up doing.

Thanks!