The Community Forums


Brute Force Reports - Question

Discussion in 'General Discussion' started by eglwolf, Apr 17, 2005.

  1. eglwolf

    eglwolf Well-Known Member

    Joined:
    Jan 1, 2004
    Messages:
    168
    Likes Received:
    0
    Trophy Points:
    16
    I have brute force installed, and there are two or three domains that are continually having brute force notices due to emails. These domains should not even be getting emails. So I am not sure how to prevent or stop these things from happening.

    The notices are as follows (and they happen about 40-50 times per day, per domain, from different IPs):


    OR


    Is there a setting or place in the server where I can turn off these domains' ability to send and receive emails?
     
  2. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
  3. eglwolf

    eglwolf Well-Known Member

    Jonathon, thanks for the quick response. You are a great source of help on these forums and it does not go unnoticed or underappreciated.

    One question about the Exim Dictionary. I use the ClamAV/exiscan from cpanelappz (anand). Will your Exim dictionary work with this, affect this, or cause any problems with that install?
     
  4. chirpy

    chirpy Well-Known Member

    No, no problems with using it at all. Just be sure that it is immediately after the accept hosts = : as described on the page to make sure you don't waste CPU cycles ;)
     
  5. wkdwich

    wkdwich Well-Known Member

    Joined:
    Apr 11, 2005
    Messages:
    105
    Likes Received:
    0
    Trophy Points:
    16
    slow/stop attacks?

    Been reading this thread with great interest this morning..

    This is copied from my post to forums.spry.com where I host on a VPS with Fedora Core & Exim 4.4

    May 29: As I move more and more sites to the new server the BFD warning notices become more and more frequent.. between 1.30a and 9a I received 25 notices of attacks.. I'm thrilled it finds these and shuts them down.. but is this amount normal?? Is there something more effective to stop these attacks?

    June 4: As an added note this morning I woke to 639 brute force warnings.. All warnings are very obvious dictionary attacks, not SSH attempts. I had removed APF from the server because I was told it would not run on this system, so BFD is not finishing the job of keeping these people out.. I need ideas please..

    I looked at the instructions at:
    http://www.configserver.com/free/eximdeny.html
    and a search of the exim conf file does not find

    Thanks..
     
  6. chirpy

    chirpy Well-Known Member

    Interestingly rfxn seems to have disabled the exim blocker in the latest BFD ;)

    You really ought to have that file on a cPanel server. If not, I'd suggest resetting the exim configuration back to defaults with:

    cd /etc
    mv exim.conf.local exim.conf.local.old
    /scripts/buildeximconf


    You should also be running exim 4.50 by now. To get that upped, do:

    /scripts/updatenow
    /scripts/eximup


    Then try adding the exim deny ACL as explained on the web page through the Exim Configuration Editor ;)
     
  7. wkdwich

    wkdwich Well-Known Member

    Johnathan, thanks for the quick reply.. but I don't have that file:

    exim.conf
    exim.conf.buildtest
    exim.conf.dist
    exim.conf.mailman2.dist
    exim.conf.mailman2.exiscan.dist


    I would assume that exim.conf is what I'm dealing with though, correct? OK, daredevil that I am, I tried it and yes, now it does show:
    So now to add the ACL.. ok done and several test mails sent in both directions.. since no one uses the server for outgoing, that's good.. the only outgoing mails are ones created from fill-in forms and they appear to work fine.. I have also been able to pop the box there and have been watching the mail log for problems, I see none.

    Added the symlink now and grep'd but I guess I will have to wait to see what happens..

    Odd thing is.. all these 460 reports overnight.. every one is attempts at 1 of 2 specific domains.. not one of the 50 others have had an attack at all

    Thanks again for your quick response :D

    Do I still need BFD now?? If not, what would be the proper way to remove it? or... brain working.. instead of BFD calling APF, can I tweak it to add the offender to the ipchains?
     
    #7 wkdwich, Jun 4, 2005
    Last edited: Jun 4, 2005
  8. wkdwich

    wkdwich Well-Known Member

    :D

    Jonathan,

    just to let you know the ACL is working!!

    THANKS!!
     
  9. chirpy

    chirpy Well-Known Member

    Great :)

    You do still need BFD for other attacks against the server. You just don't need the following file if it exists:

    /usr/local/bfd/rules/exim
     
  10. wkdwich

    wkdwich Well-Known Member

    Thanks, actually I think I will leave it there, just to keep an eye.. the old server used to get SSH attempts quite regularly -- haven't seen one here yet..

    I just looked at the exim-deny file.. I set it to cron.daily instead of hourly.. there are a whopping 185 listings there..

    One thing that sort of bothers me tho.. well a few things.. only 2 domains out of 52 on the server receive these attacks.. that is just odd.. why those 2?? why not the other 50?? The other is BFD is still showing as many as 40 or 50 attempts all from the same IP but the FROM's are almost all different, thereby not really setting off the ACL until the fifth attempt has been made with the same FROM domain.. note the ones marked from "sunclad.net"

    So looking at the above, it is checking the FROM address.. would it not be more efficient if it was and/or checking the IP?

    here is the BFD report that just came in:

     
  11. chirpy

    chirpy Well-Known Member

    The exim_deny ACL does check the IP address, not the From: field. It allows for 3 RCPT failures from the same IP address in the same SMTP connection before it is initially blocked and then on it will always block until the IP address is cleared from the /etc/exim_deny file by the cron job.

    As for why some domains and not others - bad luck, or the end user responding to the emails (if only to complain or clicking a "click here to be removed" link) which confirms a real address to the spammers and they get put on their lists.
     
  12. wkdwich

    wkdwich Well-Known Member

    Thanks for all your help.. This AM exim_deny has 571 lines of entries.. I don't think the cron cleaned house last night..

    I have 36 BFD notices in a little over 30 hours.. is this way out of line?? It's better than the 640 I got overnight the other day :)
     
  13. chirpy

    chirpy Well-Known Member

    Remember that the cron job will only delete entries that have accrued in a rolling interval based on when it runs, so the next time it runs it should delete all entries added before the last time it ran.

    30 hits on BFD (if you've removed the exim check, which you should have done) is a little on the high side, but not necessarily alarming.
     
  14. wkdwich

    wkdwich Well-Known Member

    Jonathan.. just so I understand.. if I remove the rule you noted above I will no longer get these BFD notices of dictionary attacks? Is that all it will affect? Is there harm in still running it so I can see that things are working as they should be??
    Such as:
    - Log events from /var/log/exim_mainlog:
    2005-06-04 22:58:35 H=(peacefulaction.com) [220.191.28.128] F=<duke@peacefulaction.com> rejected RCPT <meade@smockers.com>: No Such User Here
    2005-06-04 22:58:36 H=(piercedallover.com) [220.191.28.128] F=<tamika@piercedallover.com> rejected RCPT <mccauley@smockers.com>: No Such User Here

    30 hits was the BFD email reports..
    the exim_deny file had 571 lines of IP address in it this morning when I looked at it..
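Chirpy's explanation above (post 11) that the exim_deny ACL keys on the connecting IP rather than the From: address, together with the exim_mainlog lines quoted in post 14, can be illustrated with a small log-analysis script. The Python below is an added example and is not the configserver ACL, BFD, or any code from the thread: it parses "rejected RCPT" lines from a constructed exim_mainlog sample (the thread's two lines plus invented ones using example.* domains and documentation IP ranges), counts failures per connecting IP regardless of how often the F=<> sender changes, and lists the IPs that reach the three-failure threshold chirpy describes. Two assumptions are made and marked in the code: the count is taken across the whole sample rather than within one SMTP connection (the log excerpt carries no connection id), and the deny list is rendered as one IP per line, which the thread implies but never spells out.

```python
import re
from collections import Counter, defaultdict

# Pattern for the "rejected RCPT" lines Exim writes to exim_mainlog when a
# recipient is refused during the SMTP dialogue (same shape as the lines
# quoted in the thread).
REJECT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"H=\((?P<helo>[^)]*)\) \[(?P<ip>[^\]]+)\] "
    r"F=<(?P<sender>[^>]*)> rejected RCPT <(?P<rcpt>[^>]*)>: (?P<reason>.*)$"
)

# Constructed sample log: the two lines quoted in the thread plus invented
# lines of the same shape (example.* domains, 192.0.2.x / 198.51.100.x
# documentation addresses, and a made-up message id on the "<=" line).
# Not a real capture.
SAMPLE_LOG = """\
2005-06-04 22:58:35 H=(peacefulaction.com) [220.191.28.128] F=<duke@peacefulaction.com> rejected RCPT <meade@smockers.com>: No Such User Here
2005-06-04 22:58:36 H=(piercedallover.com) [220.191.28.128] F=<tamika@piercedallover.com> rejected RCPT <mccauley@smockers.com>: No Such User Here
2005-06-04 22:58:37 H=(example.net) [220.191.28.128] F=<carol@example.net> rejected RCPT <nobody@smockers.com>: No Such User Here
2005-06-04 22:58:40 H=(example.org) [192.0.2.10] F=<alice@example.org> rejected RCPT <gone@smockers.com>: No Such User Here
2005-06-04 22:58:41 H=(example.org) [192.0.2.10] F=<alice@example.org> rejected RCPT <typo@smockers.com>: No Such User Here
2005-06-04 22:59:02 1DeXyz-0001aB-Cd <= alice@example.org H=(example.org) [192.0.2.10] P=esmtp S=2048
2005-06-04 23:01:15 H=(example.com) [198.51.100.7] F=<dave@example.com> rejected RCPT <nope@smockers.com>: No Such User Here
"""


def parse_rejects(log_text):
    """Return one dict per 'rejected RCPT' line; every other line is skipped."""
    records = []
    for line in log_text.splitlines():
        m = REJECT_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def failures_per_ip(log_text):
    """Count rejected RCPTs per connecting IP and collect the distinct F=<>
    senders each IP used. Keying on the IP is the point: a sender that
    rotates the From: address on every attempt still accumulates failures."""
    counts = Counter()
    senders = defaultdict(set)
    for rec in parse_rejects(log_text):
        counts[rec["ip"]] += 1
        senders[rec["ip"]].add(rec["sender"])
    return counts, senders


def ips_to_deny(log_text, threshold=3):
    """IPs that reached `threshold` rejected RCPTs. The ACL described in the
    thread counts within one SMTP connection; this excerpt carries no
    connection id, so (assumption) the count is taken across the whole sample."""
    counts, _ = failures_per_ip(log_text)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def deny_file_contents(ips):
    """Render a deny list one IP per line, the shape implied by the
    '571 lines of IP address' remark about /etc/exim_deny. The real file's
    exact format is not given in the thread, so this layout is an assumption."""
    return "".join(f"{ip}\n" for ip in ips)


if __name__ == "__main__":
    counts, senders = failures_per_ip(SAMPLE_LOG)
    for ip, n in counts.most_common():
        print(f"{ip:16} {n} rejected RCPT(s) from {len(senders[ip])} distinct sender(s)")
    print("would deny:", ips_to_deny(SAMPLE_LOG))
    print(deny_file_contents(ips_to_deny(SAMPLE_LOG)), end="")
```

Run against the sample, the first IP is flagged after its third rejected recipient even though each attempt used a different F=<> address, while the IP with two failures is not; that is the behaviour chirpy describes, and it is why a From-keyed rule would miss the rotating-sender pattern wkdwich noticed.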
     
  15. chirpy

    chirpy Well-Known Member

    IMHO it's a very bad idea to use BFD to block exim dictionary attacks into iptables for the reasons I gave in the thread I quoted in an earlier post to this thread - scroll up a bit ;)

    If you're using my ACL, then you're wasting server resources leaving the BFD exim rule in place.
     
  16. wkdwich

    wkdwich Well-Known Member

    BFD is only reporting in this case; APF is gone so it is not blocking in that manner.. the ACL is doing its job
     