Blocking specific emails from Brute Force smtp attempts

willke

Hi,

Our server is getting hammered by smtp attempts and thankfully Brute Force and CSF are blocking these OK.

However, the Brute Force history report shows that 95% of the smtp attempts are repeated hammering to valid email addresses for one specific domain, but we don't actually host the emails. Client manages them elsewhere, we only host the web site.

I have Brute Force "Duration for Retaining Failed Logins" set to 3600 minutes and currently have 13,000+ lines in the History Report.

Is there any way of blocking these by domain, or by email address?

Ta.

Will.
 

24x7server

Hello,

There is no way to block it by domain name or email ID. If you are getting all attempts from the same IP range, then you can block the whole IP range on your server through CSF.
 

cPanelMichael

Administrator
Staff member
Hello,

I suggest blocking the IP addresses or IP ranges that are attempting to brute force those email accounts, as you are already doing through CSF. It's not possible to block the attempt itself other than by blocking the IP through a firewall.

Thank you.
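
An added illustration for this thread (not code posted by any participant, and not part of cPanel or CSF): the failed logins can still be grouped by the domain they target in order to collect the source IPs for a CSF deny. It assumes the usual Exim main-log failure line with a `set_id=` field; the log lines, IPs, domains and threshold are constructed samples.

```python
import re
from collections import Counter

# Assumed Exim main-log format for a failed SMTP AUTH; adjust to your own log.
FAILED = re.compile(
    r"authenticator failed for .*?\[(?P<ip>[0-9a-fA-F.:]+)\](?::\d+)?: 535 .*"
    r"\(set_id=(?P<user>[^)\s]+)\)"
)

# Constructed sample lines (documentation IP ranges, reserved example domains).
SAMPLE_LOG = """\
2015-03-10 10:00:01 dovecot_login authenticator failed for (User) [203.0.113.5]: 535 Incorrect authentication data (set_id=info@example.com)
2015-03-10 10:00:11 dovecot_login authenticator failed for ([192.0.2.44]) [203.0.113.5]:51514: 535 Incorrect authentication data (set_id=sales@example.com)
2015-03-10 10:00:21 dovecot_plain authenticator failed for (User) [203.0.113.5]: 535 Incorrect authentication data (set_id=Admin@Example.com)
2015-03-10 10:00:31 dovecot_login authenticator failed for (mail) [198.51.100.7]: 535 Incorrect authentication data (set_id=info@example.com)
2015-03-10 10:00:41 dovecot_login authenticator failed for (mail) [198.51.100.9]: 535 Incorrect authentication data (set_id=bob@notexample.com)
2015-03-10 10:00:51 1YVabc-0001AB-CD <= alice@example.org H=(mail) [198.51.100.9] P=esmtpsa S=1234
"""


def offenders(lines, domain, threshold=3):
    """Map source IP -> failure count for IPs at or over the threshold."""
    suffix = "@" + domain.lower()
    hits = Counter()
    for line in lines:
        m = FAILED.search(line)
        # Match on the full "@domain" suffix so look-alike domains are ignored.
        if m and m.group("user").lower().endswith(suffix):
            hits[m.group("ip")] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}


def csf_deny_commands(found, domain):
    """Render one `csf -d <ip> <comment>` line per offender for review."""
    return [
        f'csf -d {ip} "{n} failed SMTP logins for {domain}"'
        for ip, n in sorted(found.items())
    ]


if __name__ == "__main__":
    found = offenders(SAMPLE_LOG.splitlines(), "example.com")
    print("\n".join(csf_deny_commands(found, "example.com")))
```

The commands are only printed, so the list can be checked against known-good addresses before anything is denied.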
 

willke

Thanks for the responses. There's no consistent IP range, so that wouldn't work.

Is 13,000+ lines in the History Report advisable or is this deemed acceptable?
 

cPanelMichael

You can use the "Clear Data For All Reports" option to remove the old data if you prefer. It might make the option load a bit slower if you keep that many reports in the database.

Thank you.
 

willke

> You can use the "Clear Data For All Reports" option to remove the old data if you prefer. It might make the option load a bit slower if you keep that many reports in the database.
>
> Thank you.

Thanks. Is there an optimum number to avoid any server impact?
 

cPanelMichael

There's no specific value. In general, you shouldn't notice that significant of a difference, even when there are large amounts of entries in the database.

Thank you.
 

keat63

What sort of frequency are these occurring?
I have a 1500 LFD capacity in CSF which for me gives about a month before LFDs fall off the end.
I've distributed smtp authentication attacks in the CSF logs, but I have these set for 3 strikes and you're out.

I'm working on the principle that they got fed up or ran out of proxies and went elsewhere.
 

willke

> What sort of frequency are these occurring?

I have a Failed Login, as per History Report, every 10 seconds or so.

I had to clear the log to find this out, as it was so large it wouldn't load the page in WHM.
 

willke

> 60 hours of failed logins is a bit much. IIRC, 360 minutes, or 6 hours, is the default. Disable email notifications for them and let CSF show them the door.
>
> That's what I do anyway.

Thanks, will do :)
 