Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!

Blocking specific emails from Brute Force smtp attempts

Discussion in 'Security' started by willke, Mar 11, 2015.

  1. willke

    willke Well-Known Member

    Joined:
    Mar 30, 2005
    Messages:
    62
    Likes Received:
    3
    Trophy Points:
    158
    Hi,

    Our server is getting hammered by smtp attempts and thanksfully Brute Force and CSF are blocking these OK.

    However, the Brute Force history report shows that 95% of the smtp attempts are repeated hammering to valid email addresses for one specific domain, but we don't actually host the emails. Client manages them elsewhere, we only host the web site.

    I have Brute Force "Duration for Retaining Failed Logins" set to 3600 minutes and currently have 13,000+ lines in the History Report.

    Is there anyway of blocking these by domain, or by email address?

    Ta.

    Will.
     
    #1 willke, Mar 11, 2015
  2. 24x7server

    24x7server Well-Known Member

    Joined:
    Apr 17, 2013
    Messages:
    1,888
    Likes Received:
    90
    Trophy Points:
    78
    Location:
    India
    cPanel Access Level:
    Root Administrator
    Hello,

    There is no way to block it with the domain name OR email ID. If you are getting all attempts from same IP range then you can block whole IP range on your server through CSF
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #2 24x7server, Mar 11, 2015
  3. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    45,167
    Likes Received:
    1,933
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Twitter:
    Hello,

    I suggest blocking the IP addresses or IP ranges that are attempting to brute force those email accounts, as you are already doing through CSF. It's not possible to block the attempt itself other than by blocking the IP through a firewall.

    Thank you.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #3 cPanelMichael, Mar 11, 2015
  4. willke

    willke Well-Known Member

    Joined:
    Mar 30, 2005
    Messages:
    62
    Likes Received:
    3
    Trophy Points:
    158
    Thanks for the responses. There's no consistent IP range, so that wouldn't work.

    Is 13,000+ lines in the History Report advisable or is this deemed acceptable?
     
    #4 willke, Mar 11, 2015
  5. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    45,167
    Likes Received:
    1,933
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Twitter:
    You can use the "Clear Data For All Reports" option to remove the old data if you prefer. It might make the option load a bit slower if you keep that many reports in the database.

    Thank you.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #5 cPanelMichael, Mar 11, 2015
  6. willke

    willke Well-Known Member

    Joined:
    Mar 30, 2005
    Messages:
    62
    Likes Received:
    3
    Trophy Points:
    158
    Thanks. Is there an optimum number to avoid any server impact?
     
    #6 willke, Mar 11, 2015
  7. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    45,167
    Likes Received:
    1,933
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Twitter:
    There's no specific value. In general, you shouldn't notice that significant of a difference, even when there are large amounts of entries in the database.

    Thank you.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #7 cPanelMichael, Mar 11, 2015
  8. keat63

    keat63 Well-Known Member

    Joined:
    Nov 20, 2014
    Messages:
    1,030
    Likes Received:
    47
    Trophy Points:
    28
    cPanel Access Level:
    Root Administrator
    What sort of frequency are these ocuuring.
    I have a 1500 LFD capacity in CSF which for me gives about a month before LFD's fall off the end.
    I've distributed smtp authentication attacks in the CSF logs, but i have these set for 3 strikes and your out.

    I'm working on the principal that they got fed up or ran out of proxies and went elsewhere.
     
    #8 keat63, Mar 12, 2015
  9. willke

    willke Well-Known Member

    Joined:
    Mar 30, 2005
    Messages:
    62
    Likes Received:
    3
    Trophy Points:
    158
    I have a Failed Login, as per History Report, every 10 seconds or so.

    I had to clear the log to find this out, as it was so large it wouldn't load the page in WHM.
     
    #9 willke, Mar 12, 2015
  10. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    16,513
    Likes Received:
    424
    Trophy Points:
    583
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Twitter:
    60 hours of failed logins is a bit much. IIRC, 360 minutes, or 6 hours, is the default. Disable email notifications for them and let CSF show them the door.

    That's what I do anyway.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #10 Infopro, Mar 12, 2015
    Last edited: Mar 12, 2015
  11. willke

    willke Well-Known Member

    Joined:
    Mar 30, 2005
    Messages:
    62
    Likes Received:
    3
    Trophy Points:
    158
    Thanks, will do :)
     
    #11 willke, Mar 12, 2015
    Last edited by a moderator: Mar 12, 2015
(You must log in or sign up to post here.)
Loading...
Similar Threads - Blocking specific emails
  1. sting01

    Blocking email with Exim4 using the IP

    sting01, Oct 19, 2018, in forum: E-mail Discussion
    Replies:
    2
    Views:
    105
    cPanelLauren
    Oct 23, 2018
  2. Mr_Roboto

    Blocking email and trace route

    Mr_Roboto, Oct 17, 2018, in forum: E-mail Discussion
    Replies:
    1
    Views:
    82
    cPanelLauren
    Oct 22, 2018
  3. Hays Sleiman

    SOLVED CSF Blocking Google DNS + dig Command

    Hays Sleiman, Sep 5, 2018, in forum: Bind/DNS/Nameserver
    Replies:
    7
    Views:
    204
    cPanelLauren
    Sep 7, 2018
  4. Znuff

    Same-domain impersonation increases deferred count, triggering domain-wide blocking

    Znuff, Aug 13, 2018, in forum: E-mail Discussion
    Replies:
    3
    Views:
    182
    cPanelLauren
    Aug 16, 2018
  5. Vipin Haridas

    SpamAssassin not blocking emails with invalid SPF?

    Vipin Haridas, Aug 10, 2018, in forum: E-mail Discussion
    Replies:
    1
    Views:
    243
    cPanelLauren
    Aug 13, 2018

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...
    Dismiss Notice