cPHulk Blacklisting all countries

sahostking

We are getting many SMTP brute force attacks which cause load on our servers. Now we use many firewalls, not only a hardware firewall in front of servers but also BitNinja / CSF.

However, it does not seem to be working too well, as they still get through with distributed attacks to those customers that have weak passwords, I assume. We set the password strength from default to 90 now and informed many customers to make stronger passwords; however, we believe it will take time for these customers, if not all, to perform this task, or even if they consider doing so.

We are currently testing the following and would like to hear thoughts on this.

Enabled CSF and blacklisted all countries except the country we are in, as well as those many of our subscribers are from. However, all others we blacklisted.

Thoughts on this? Any massive performance impact, and is this a good strategy or is there a better alternative?

Thanks
 

keat63

I have a setting in CSF that will only allow log in to email from a selected few countries.

In CC_ALLOW_PORTS I have the country codes for the countries that I allow,

then

CC_ALLOW_PORTS_TCP = 110,143,465,587,993,995,2082,2083,220,465,995,587,

All listed ports should be removed from TCP_IN/UDP_IN to block access from
elsewhere. This option uses the same format as TCP_IN/UDP_IN

An example would be to list port 21 here and remove it from TCP_IN/UDP_IN
then only countries listed in CC_ALLOW_PORTS can access FTP
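
An added example, not part of keat63's post or of CSF itself: a Python check for the condition the quoted csf.conf comment describes, that every port in CC_ALLOW_PORTS_TCP/CC_ALLOW_PORTS_UDP has been removed from TCP_IN/UDP_IN. The sample configuration, including the country codes, is constructed, and the function names are hypothetical.

```python
import re

# Constructed sample in csf.conf syntax (not taken from any real server).
SAMPLE_CONF = '''
# inbound ports open to every country
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,2082,2083,30000:30010"
UDP_IN = "20,21,53"
CC_ALLOW_PORTS = "ZA,GB,US"
CC_ALLOW_PORTS_TCP = "110,143,465,587,993,995,2082,2083,220,465,995,587,"
CC_ALLOW_PORTS_UDP = ""
'''

def parse_conf(text):
    """Return {KEY: value} for every KEY = "value" line, skipping comments."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r'\s*([A-Z0-9_]+)\s*=\s*"([^"]*)"', line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings

def expand_ports(spec):
    """Expand '21,30000:30010,' into a set of ints; tolerate blanks and repeats."""
    ports = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        lo, _, hi = item.partition(":")  # CSF writes port ranges as low:high
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def still_open_to_all(settings):
    """Ports meant to be country-restricted that TCP_IN/UDP_IN still open to everyone."""
    leaks = {}
    for proto in ("TCP", "UDP"):
        restricted = expand_ports(settings.get(f"CC_ALLOW_PORTS_{proto}", ""))
        open_all = expand_ports(settings.get(f"{proto}_IN", ""))
        leaks[proto] = sorted(restricted & open_all)
    return leaks

if __name__ == "__main__":
    conf = parse_conf(SAMPLE_CONF)  # on a server: open("/etc/csf/csf.conf").read()
    for proto, ports in still_open_to_all(conf).items():
        print(proto, "still open to all countries:", ports or "none")
```

Any port the check reports is still reachable from every country through TCP_IN/UDP_IN, so the country restriction has no effect on it until it is removed there.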


 

keat63

My server is dedicated to our business. I don't host any guest or customer accounts, just our own users.
All my email users are based in one office using MS Outlook, and a few have email configured on their mobile devices.
No one ever needs to manually input their passwords, so my users don't even know their own passwords.

I also have a CSF rule that says, 1 failed password authentication and the IP is locked out.

So not only can you not gain access from other than 3 countries, fail once and you're locked out.

Very strict, maybe overkill, but seems to work well.
 

cPanelLauren

Product Owner II
Staff member
Having a firewall or multiple installed does not mean you will adequately defend against distributed attacks. If you're undergoing attacks such as this, the solution is to implement protection specifically for this, which based on your last response it seems that you did. What did you enable so that it might help others?
 