
Brute Force attacks trying to login to an email account

Discussion in 'E-mail Discussions' started by tecnotronico, Jul 27, 2011.

  1. tecnotronico, Active Member (joined Apr 17, 2004; messages: 28; likes received: 1; trophy points: 3)

    Fellows,

    cPHulk is detecting a massive attempt to access an email account (around 5 times per second, nonstop) from lots of different IPs.

    The attack comes from IPs from neighbouring countries, so we have blocked some ranges of IPs in the cPHulk Black List but can't block all of them. They also use a round-robin, with only 2 attacks per IP, so those IPs are never blocked by CSF/LFD.

    The email account has been deleted from the server; however, the file exim_rejectlog keeps growing, since Dovecot reports "535 Incorrect authentication data" for each login failure.

    So, what we think should be done is to create an iptables rule to reject/drop any connection that could include the string related to the email account (i.e. if the email account is accountname@domain.com we could use the string "accountname"), since the attack just tries to log in to this particular email account.

    We have tried several ways to write this iptables rule, but none of them works:

    -I INPUT -m string --string "accountname" --algo bm --to 65535 -j REJECT

    -I INPUT -m string --string "accountname" --algo bm -j REJECT

    -I INPUT -m string --string "accountname" --algo bm -j DROP

    -I INPUT 1 -m string --string "accountname" --algo bm -j REJECT

    So, we have no idea how to create this rule ...

    Any idea what to do to stop this hammering? ... How could we create the iptable rule to fix this massive attack?

    Waiting for your very appreciated support ...
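An added example, not code from the original post: if the attempts arrive over SMTP AUTH (the 535 reply quoted above is an SMTP response code), the client sends the username base64-encoded, so a packet payload never contains the bare text "accountname" and a `-m string --string "accountname"` rule has nothing to match. The functions below compute what actually appears on the wire for AUTH LOGIN and AUTH PLAIN (RFC 4616) and derive the password-independent prefix of an AUTH PLAIN token, which is what a byte-pattern match would have to look for. The address is a placeholder, and the rule-matching model (`plaintext_visible`) is a simplification that ignores TLS and packet boundaries.

```python
import base64

# Placeholder standing in for the attacked mailbox; not a real address.
ACCOUNT = "accountname@domain.com"


def auth_login_token(user: str) -> str:
    """The line a client sends after the server's 'Username:' prompt in AUTH LOGIN."""
    return base64.b64encode(user.encode()).decode("ascii")


def auth_plain_token(user: str, password: str) -> str:
    """One AUTH PLAIN credential: base64(NUL authcid NUL passwd), empty authzid (RFC 4616)."""
    raw = b"\0" + user.encode() + b"\0" + password.encode()
    return base64.b64encode(raw).decode("ascii")


def auth_plain_stable_prefix(user: str) -> str:
    """Leading base64 characters of an AUTH PLAIN token that do not depend on the password.

    base64 encodes 3-byte groups independently, so only the complete groups of the
    NUL-user-NUL header encode the same way whatever password follows them.
    """
    header = b"\0" + user.encode() + b"\0"
    stable_bytes = len(header) - len(header) % 3
    return base64.b64encode(header[:stable_bytes]).decode("ascii")


def plaintext_visible(needle: str, wire_payload: str) -> bool:
    """Simplified model of `iptables -m string --string <needle>` on one cleartext payload."""
    return needle in wire_payload


if __name__ == "__main__":
    login = auth_login_token(ACCOUNT)
    print("AUTH LOGIN username line :", login)
    print("AUTH PLAIN stable prefix :", auth_plain_stable_prefix(ACCOUNT))
    print("bare 'accountname' visible:", plaintext_visible("accountname", login))
```

The practical consequence for the rule above: a string match would need the encoded form (for AUTH LOGIN the whole token, for AUTH PLAIN only the stable prefix), and any session negotiated under STARTTLS or on the submission/SMTPS ports carries nothing matchable at all.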
     
  2. cPanelTristan, Quality Assurance Analyst, Staff Member (joined Oct 2, 2010; messages: 7,623; likes received: 21; trophy points: 38; location: somewhere over the rainbow; cPanel Access Level: Root Administrator)

    I'm actually not certain in this type of instance how to block for account name, but you could block on connection attempt within a lower threshold similar to this article on SSH brute force attacks:

    Using iptables to rate-limit incoming connections

    Is there a reason why the domain itself isn't being blackholed for any access? I would change the DNS for the domain itself since the email account is getting attacked. Unless that is the primary domain for the server, it would be less harmful to the other accounts on the machine to get that domain off of it versus handling a brute force attack.

    I would also suggest getting the datacenter or network provider involved. Typically, such attacks could be blocked with higher level tools at the router level over trying to block them once they already reach the server.
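An added example, not code from the thread or from cPanel: the per-connection rate limit suggested above and the per-IP counters in CSF/LFD share one blind spot against the round-robin pattern described in the first post, namely that every source stays under the limit. Counting failures per target account across all source IPs catches that pattern and yields the source list to hand to the datacenter or to a firewall. The log lines are constructed in the style of exim's "authenticator failed" entries (format approximated, not copied from the thread), the thresholds are assumptions, and the addresses are documentation-range placeholders.

```python
import re
from collections import defaultdict

# Constructed sample lines approximating exim's authenticator-failure entries.
# Four sources hit one mailbox twice each; one unrelated user mistypes a password once.
SAMPLE_LOG = """\
2011-07-27 10:15:01 dovecot_login authenticator failed for (x) [203.0.113.10]: 535 Incorrect authentication data (set_id=accountname@domain.com)
2011-07-27 10:15:01 dovecot_login authenticator failed for (x) [203.0.113.11]: 535 Incorrect authentication data (set_id=accountname@domain.com)
2011-07-27 10:15:02 dovecot_login authenticator failed for (x) [203.0.113.12]: 535 Incorrect authentication data (set_id=accountname@domain.com)
2011-07-27 10:15:02 dovecot_login authenticator failed for (x) [203.0.113.13]: 535 Incorrect authentication data (set_id=accountname@domain.com)
2011-07-27 10:15:03 dovecot_login authenticator failed for (mail.example) [198.51.100.7]: 535 Incorrect authentication data (set_id=alice@domain.com)
2011-07-27 10:15:03 dovecot_login authenticator failed for (x) [203.0.113.10]: 535 Incorrect authentication data (set_id=accountname@domain.com)
2011-07-27 10:15:03 dovecot_login authenticator failed for (x) [203.0.113.11]: 535 Incorrect authentication data (set_id=accountname@domain.com)
2011-07-27 10:15:04 dovecot_login authenticator failed for (x) [203.0.113.12]: 535 Incorrect authentication data (set_id=accountname@domain.com)
2011-07-27 10:15:04 dovecot_login authenticator failed for (x) [203.0.113.13]: 535 Incorrect authentication data (set_id=accountname@domain.com)
"""

# Source IP in square brackets, then the 535 text, then the attempted login in set_id=...
AUTH_FAIL = re.compile(
    r"\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\].*?535 Incorrect authentication data "
    r"\(set_id=(?P<user>[^)]+)\)"
)


def parse_failures(text):
    """Yield (source_ip, target_user) for every authentication-failure line."""
    for line in text.splitlines():
        m = AUTH_FAIL.search(line)
        if m:
            yield m.group("ip"), m.group("user")


def distributed_targets(text, per_ip_limit=5, account_threshold=5):
    """Accounts hammered past account_threshold by sources that each stay under per_ip_limit.

    This is exactly the case a per-source counter never reports: the total is high,
    but no single IP crosses the line. Thresholds are assumed values for the example.
    """
    by_user = defaultdict(lambda: defaultdict(int))  # user -> ip -> failures
    for ip, user in parse_failures(text):
        by_user[user][ip] += 1
    flagged = {}
    for user, ips in by_user.items():
        total = sum(ips.values())
        if total >= account_threshold and max(ips.values()) < per_ip_limit:
            flagged[user] = {"attempts": total, "sources": sorted(ips)}
    return flagged


def blocklist(flagged):
    """Union of all source IPs behind the flagged accounts, for an upstream or firewall block."""
    return sorted({ip for info in flagged.values() for ip in info["sources"]})


if __name__ == "__main__":
    hits = distributed_targets(SAMPLE_LOG)
    for user, info in hits.items():
        print(f"{user}: {info['attempts']} failures from {len(info['sources'])} sources")
    print("sources to block:", blocklist(hits))
```

Run it against the live exim_rejectlog (`distributed_targets(open(path).read())`) on a short cron interval; the account threshold should sit well above the failure rate a legitimate mailbox shows, and the per-IP limit should equal the value your per-source blocker already enforces so the two do not overlap.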
     
  3. tecnotronico, Active Member (joined Apr 17, 2004; messages: 28; likes received: 1; trophy points: 3)

    Tristan,

    Thanks a lot for your answer ... I will read the article to see if I find a solution.

    Regarding your other comments about the domain, you are right, we will try to remove it from our server; the only issue is that it belongs to an important customer who manages 300 email accounts under that same domain, so we can't just block them without better support.

    If I can't solve it using iptables I will ask the data center to block the attack outside the server, as you say.
     
  4. tecnotronico, Active Member (joined Apr 17, 2004; messages: 28; likes received: 1; trophy points: 3)

    Ok Tristan ... I read the article but found nothing to help us on this particular rule.

    Does anybody know how we could check whether the "string" module is installed in iptables?

    Thanks in advance for any help on this urgent matter ...
     