Brute Force attacks trying to login to an email account

tecnotronico

Active Member
Apr 17, 2004
Fellows,

cphulk is detecting a massive attempt to access an email account (around 5 times per second, nonstop) from lots of different IPs.

The attack comes from IPs in neighbouring countries, so we have blocked some IP ranges in the cPHulk blacklist but can't block all of them. They also use a round-robin, with only 2 attacks per IP, so those IPs are never blocked by CSF/LFD.

The email account has been deleted from the server, however, the file exim_rejectlog is growing continuously since Dovecot reports “535 Incorrect authentication data” for each login failure.

So, what we think that should be done is to create an iptables rule to reject/drop any connection which could include the string related to the email account (i.e. if the email account is [email protected] we could use the string "accountname"), since the attack just tries to do the login to this particular email account.

We have tried several ways to create this iptables rule, but none of them works:

iptables -I INPUT -m string --string "accountname" --algo bm --to 65535 -j REJECT

iptables -I INPUT -m string --string "accountname" --algo bm -j REJECT

iptables -I INPUT -m string --string "accountname" --algo bm -j DROP

iptables -I INPUT 1 -m string --string "accountname" --algo bm -j REJECT

So, we have no idea how to create this rule ...

Any idea what to do to stop this hammering? ... How could we create the iptables rule to fix this massive attack?

Waiting for your very appreciated support ...
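An added example, not part of the original post: a small Python script that reads the 535 rejections from exim_rejectlog and counts them per source IP and per target account, showing why a round-robin of 2 attempts per IP never trips a per-IP blocker while counting by mailbox exposes it at once. The sample lines are constructed and modelled on the cPanel exim_rejectlog format (an assumption; the exact layout may differ), and the thresholds are arbitrary.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, modelled on the exim_rejectlog lines cPanel writes when
# Dovecot rejects an SMTP AUTH attempt (assumption: exact layout may vary).
SAMPLE_LOG = """\
2017-05-12 10:15:30 dovecot_login authenticator failed for (User) [198.51.100.10]:40211: 535 Incorrect authentication data (set_id=accountname@example.com)
2017-05-12 10:15:30 dovecot_login authenticator failed for (User) [198.51.100.10]:40212: 535 Incorrect authentication data (set_id=accountname@example.com)
2017-05-12 10:15:31 dovecot_login authenticator failed for (User) [198.51.100.11]:40213: 535 Incorrect authentication data (set_id=accountname@example.com)
2017-05-12 10:15:31 dovecot_login authenticator failed for (User) [198.51.100.11]:40214: 535 Incorrect authentication data (set_id=accountname@example.com)
2017-05-12 10:15:32 dovecot_login authenticator failed for (User) [198.51.100.12]:40215: 535 Incorrect authentication data (set_id=accountname@example.com)
2017-05-12 10:15:32 dovecot_login authenticator failed for (User) [198.51.100.12]:40216: 535 Incorrect authentication data (set_id=accountname@example.com)
2017-05-12 10:15:40 dovecot_login authenticator failed for (User) [203.0.113.5]:51000: 535 Incorrect authentication data (set_id=alice@example.com)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) .*?authenticator failed for .*?"
    r"\[(?P<ip>[^\]]+)\]:\d+: 535 Incorrect authentication data \(set_id=(?P<user>[^)]+)\)"
)

def parse_failures(text):
    """Yield (timestamp, source_ip, target_account) for every 535 rejection line."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"), m.group("ip"), m.group("user")

def offenders(text, threshold, key="ip", window=timedelta(seconds=60)):
    """Return the IPs (key="ip") or target accounts (key="user") with more than
    `threshold` failures inside any sliding `window`, the way a per-IP blocker counts."""
    events = defaultdict(list)
    for ts, ip, user in parse_failures(text):
        events[ip if key == "ip" else user].append(ts)
    flagged = set()
    for name, times in events.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window past old events
                start += 1
            if end - start + 1 > threshold:
                flagged.add(name)
                break
    return flagged

if __name__ == "__main__":
    print("per-IP offenders:     ", offenders(SAMPLE_LOG, threshold=5, key="ip"))       # empty: each IP stops at 2
    print("per-account offenders:", offenders(SAMPLE_LOG, threshold=5, key="user"))     # the hammered mailbox
```

The same per-account count is what you would feed a log-driven blocker with, since the per-IP view that CSF/LFD takes is exactly what the 2-attempts-per-IP rotation is designed to stay under.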
 

cPanelTristan

Quality Assurance Analyst
Staff member
Oct 2, 2010
I'm actually not certain in this type of instance how to block for account name, but you could block on connection attempt within a lower threshold similar to this article on SSH brute force attacks:

Using iptables to rate-limit incoming connections

Is there a reason why the domain itself isn't being blackholed for any access? I would change the DNS for the domain itself since the email account is getting attacked. Unless that is the primary domain for the server, it would be less harmful to the other accounts on the machine to get that domain off of it versus handling a brute force attack.

I would also suggest getting the datacenter or network provider involved. Typically, such attacks could be blocked with higher level tools at the router level over trying to block them once they already reach the server.
 

tecnotronico

Active Member
Apr 17, 2004
Tristan,

Thanks a lot for your answer ... I will read the article to see if I can find a solution.

Regarding your other comments about the domain, you are right, we will try to remove it from our server; the only issue is that it belongs to an important customer who manages 300 email accounts under that same domain, so we can't just block them without better support.

If I can't solve it using iptables I will ask the data center to block the attack outside the server, as you say.
 

tecnotronico

Active Member
Apr 17, 2004
Ok Tristan ... I read the article but found nothing to help us on this particular rule.

Does anybody know how we could check whether the "string" module is installed in iptables?

Thanks in advance for any help on this urgent matter ...