The Community Forums


Brute force against dovecot

Discussion in 'Security' started by tui, Jun 15, 2015.

  1. tui

    tui Active Member

    Hello all,

    In the past days one of my servers has been targeted by brute force attacks against dovecot, and the load of my server rises too much for 1-2 minutes, then it comes down and goes back to normal for many hours until another attack comes again. I have been monitoring my server in real time with top and htop these days, and what I find is that when the server load starts to rise, a lot of these two processes come onto the screen:

    /usr/local/cpanel/bin/dovecot-wrap /usr/libexec/dovecot/checkpassword-reply
    cphulkd - processor

    I have cphulk enabled and the csf firewall enabled with ct_limits and lf_imapd, lf_cpanel, lf_pop3d, lf_ftpd, lf_smtpauth and lf_eximsyntax enabled, but csf does not block any IP when this happens.

    Is there any way to mitigate this kind of attack?

    Thanks a lot
     
  2. swatkatsdevilz

    Hi,

    DDoS attacks are a pain. I would suggest you use Cloudflare and then change your server IP address to prevent your server from getting attacked.
     
  3. tui

    tui Active Member

    I use Cloudflare but not on all sites (it is the choice of the final user). It is not easy to change the server IP; I have had all my IPs clean for years, and an IP change would be bad for my clients, especially those that use the mail server (too many users).
     
  4. dalem

    dalem Well-Known Member
    PartnerNOC

    Changing your server IP will have no effect; the brute force is on the respective domains.
    csf should be blocking these attacks using the below:
    LF_SMTPAUTH
    LF_DISTATTACK

    LF_DISTSMTP
    LF_DISTSMTP_UNIQ
    LF_DISTSMTP_PERM
     
  5. tui

    tui Active Member

    Thanks a lot dalem, those options were off. I have already configured them; I hope this helps with this problem.

    Also I found in the Apache logs a lot of these entries of IPs trying to get some default files/folders (that obviously do not exist on the server):

    one.domain.on.server GET /filezilla-recupero-password/FileZilla.xml
    one.domain.on.server GET /cmw/FileZilla.xml HTTP/1.1
    other.domain.on.server GET /eagle/FileZilla.xml HTTP/1.1
    another.domain.on.server GET /FileZilla/filezilla.xml HTTP/1.1
    other.domain.on.server GET /download/FileZilla.xml HTTP/1.1
    one.domain.on.server GET /~visionpl/typo/FileZilla.xml HTTP/1.1
    other.domain.on.server GET /dropbox/Apps/softwarecookerbd/FileZilla.xml HTTP/1.1
    domainonserver GET /ViK_baza/arhiv/FileZilla.xml HTTP/1.1
    server.IP1 GET //phpmyadmin1/scripts/setup.php HTTP/1.1
    server.IP2 GET //phpmyadmin1/scripts/setup.php HTTP/1.1
    server.IP2 GET //web/phpMyAdmin/scripts/setup.php HTTP/1.1
    server.hostname GET //web/phpMyAdmin/scripts/setup.php HTTP/1.1
    server.hostname GET //mysql/scripts/setup.php HTTP/1.1
    server.IP2 GET //mysql/scripts/setup.php HTTP/1.1
    server.IP3 GET //xampp/phpmyadmin/scripts/setup.php HTTP/1.1
    server.hostname GET //mysql/scripts/setup.php HTTP/1.1
    server.hostname GET //xampp/phpmyadmin/scripts/setup.php HTTP/1.1
    server.hostname GET //php-my-admin/scripts/setup.php HTTP/1.1
    server.IP1 GET //mysql/scripts/setup.php HTTP/1.1
    server.IP2 GET //php-my-admin/scripts/setup.php HTTP/1.1
    server.IP3 GET //php-my-admin/scripts/setup.php HTTP/1.1
    server.hostname GET //php-my-admin/scripts/setup.php HTTP/1.1
    server.IP3 GET //mysql/scripts/setup.php HTTP/1.1
    server.IP1 GET //php-my-admin/scripts/setup.php HTTP/1.1

    All those entries come from the same IP when logged (different IPs on different days). How can I mitigate this?
     
  6. dalem

    dalem Well-Known Member
    PartnerNOC

    Basically they are being blocked with a 404; they are just probing your server for vulnerable scripts.
    Some of the above you could block with mod_security.
     
  7. tui

    tui Active Member

    Hello dalem, unfortunately the LF_SMTPAUTH, LF_DISTATTACK, LF_DISTSMTP, LF_DISTSMTP_UNIQ and LF_DISTSMTP_PERM options didn't help with the problem. The attacks continue with the high load peaks, and csf is unable to block those attacks. Do you have any suggestion? My CSF settings are the following:

    LF_SMTPAUTH=5
    LF_DISTATTACK=1
    LF_DISTSMTP=5
    LF_DISTSMTP_UNIQ=3
    LF_DISTSMTP_PERM=1

    RESTRICT_SYSLOG=0

    LF_SMTPAUTH=5
    LF_SMTPAUTH_PERM=1
    LF_IMAPD=10
    LF_IMAPD_PERM=1
    LF_POP3D=10
    LF_POP3D_PERM=1

    I have alerts enabled on those options, expecting to receive alerts of IPs being blocked when an attack comes, but no alerts of blocked IPs come and no IPs are being blocked. The only IPs that are being blocked are on LF_SMTPAUTH, LF_IMAPD and LF_POP3D, but they are not being blocked when attacks come, only under normal circumstances.

    Thanks
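    To make the difference between the per-IP and the per-account checks discussed above concrete, here is an added example (not from the thread and not csf's own code) that replays constructed dovecot auth-failure lines through a sliding-window counter modelled loosely on LF_IMAPD/LF_POP3D (failures per IP) and LF_DISTATTACK_UNIQ (distinct IPs per account) within a 300-second interval; the thresholds, the window length and the log lines are assumptions. In the sample every IP stays well under a per-IP limit of 10, so a per-IP rule alone never fires, while the per-account unique-IP check flags the targeted mailbox.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed dovecot log sample (not from the thread): several IPs each fail
# only once or twice against the same mailbox, as in a distributed attack.
SAMPLE_LOG = """\
Jun 15 10:00:01 srv dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<info@example.com>, method=PLAIN, rip=203.0.113.5
Jun 15 10:00:03 srv dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<info@example.com>, method=PLAIN, rip=203.0.113.6
Jun 15 10:00:05 srv dovecot: pop3-login: Disconnected (auth failed, 2 attempts in 3 secs): user=<info@example.com>, method=PLAIN, rip=203.0.113.7
Jun 15 10:00:09 srv dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<info@example.com>, method=PLAIN, rip=203.0.113.5
Jun 15 10:00:20 srv dovecot: imap-login: Disconnected (auth failed, 1 attempts in 1 secs): user=<sales@example.com>, method=PLAIN, rip=198.51.100.77
Jun 15 10:07:00 srv dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<info@example.com>, method=PLAIN, rip=203.0.113.8
"""

LINE_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ dovecot: \S+-login: Disconnected "
    r"\(auth failed, (\d+) attempts in \d+ secs\): user=<([^>]*)>.*?rip=([\d.]+)"
)

def parse_failures(text, year=2015):
    """Return (timestamp, account, ip, attempts) for each auth-failed line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events.append((ts, m.group(3), m.group(4), int(m.group(2))))
    return events

def analyse(events, per_ip_limit=10, uniq_ip_limit=2, interval=300):
    """Sliding window loosely modelled on csf's per-IP (LF_IMAPD/LF_POP3D) and
    per-account unique-IP (LF_DISTATTACK_UNIQ) checks over `interval` seconds."""
    per_ip, per_acct = defaultdict(list), defaultdict(list)
    ip_hits, dist_hits = set(), {}
    for ts, acct, ip, n in sorted(events):
        recent = lambda t: (ts - t).total_seconds() <= interval
        per_ip[ip] = w = [(t, k) for t, k in per_ip[ip] + [(ts, n)] if recent(t)]
        if sum(k for _, k in w) >= per_ip_limit:
            ip_hits.add(ip)  # a single IP hammering the server
        per_acct[acct] = a = [(t, i) for t, i in per_acct[acct] + [(ts, ip)] if recent(t)]
        uniq = {i for _, i in a}
        if len(uniq) >= uniq_ip_limit:
            dist_hits[acct] = uniq  # many IPs against one mailbox
    return ip_hits, dist_hits

if __name__ == "__main__":
    ips, accounts = analyse(parse_failures(SAMPLE_LOG))
    print("per-IP threshold hit:", ips or "none")
    print("distributed attack on:", accounts)
```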
     
  8. dalem

    dalem Well-Known Member
    PartnerNOC

    If you can, use the country-level blocks to ease the pain.

    Some of our servers are getting hammered as well with these attacks, for about the past 2 weeks.
    But I would assume they must be more powerful, as we are absorbing them.
     
  9. steventay

    steventay Member

    I am also new to this.

    Can I use the above settings with one difference:

    RESTRICT_SYSLOG=3
     
  10. tui

    tui Active Member

    Let's see how it works with RESTRICT_SYSLOG=3.

    Also I'm getting a lot of brute force attacks on CMS sites like Joomla and WordPress, for at least the past 2 weeks too.
     
  11. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello :)

    You may need to consult with a qualified system administrator or your data center for assistance with mitigating the attacks if the basic CSF firewall rules and options are not helping. CSF is helpful, but it won't always prevent any and all attacks. Manual intervention or custom rules are sometimes required.

    Thank you.
     