CPHulk Freezing up server

Shane3673

Well-Known Member
Dec 20, 2013
96
1
58
cPanel Access Level
Root Administrator
I have CPHulk enabled and sending me emails after 5 failed login attempts. I have whitelisted the main IPs associated with the businesses I host mail for to prevent them from being locked out. I use firewall rules on my Mikrotik router for all my blacklisting and firewall rules. I currently do not allow SSH for the outside network. I usually get about 50 brute force attempts daily and add those to my firewall as I get them. Once in a while, I will get hit with a brute force attempt and it will cause everyone trying to connect to get a password box for about 1 minute. It seems that my server cannot handle the amount of attempts for some brute force attacks. I only allow ports needed to the outside networks, no SSH or WHM. Almost all of the brute force attempts are from out of the country. I know this is normal and do not have a problem with them trying as it gives me notifications of IP addresses to block indefinitely before the traffic even reaches the server. My question is: is there anything I can do to prevent the server from locking up when I get really bad brute force attempts?
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,880
2,261
463
> Once in a while, I will get hit with a brute force attempt and it will cause everyone trying to connect to get a password box for about 1 minute.

Is this happening on all services, or is it isolated to a service such as POP3?

Thank you.
 

Shane3673

Just POP3 will lock up as far as I know. I can always log into WHM and CPanel when it happens. Once in a great while IMAP or Clamav will fail and I have to reboot, but that is very rare. I actually just made CPHulk lock an IP after 4 attempts for a 20 minute lockout and 5 attempts for the 2 week lockout yesterday and the server hasn't locked up yet, but I haven't been getting as many failed login attempts either. This does not happen all the time. It seems that every once in a while for a couple days I will get massive brute force attempts and then I will get the normal amount that doesn't affect anything for a while. I think the last time this happened before the past week was Super Bowl weekend.

I take that back. It just happened again. Server locked up mail for about 1 minute. After I could send and receive again, I got 8 new IPs to block, all brute forcing at the same time.
 

cPanelMichael

It seems like it's not cPhulk, but rather a mail server limit that's being reached. Check /var/log/maillog for the times when this happens to see if you notice any particular entries. Are you using Courier or Dovecot?

Thank you.
 

Shane3673

Okay, and honestly, I knew you were going to ask that, but I do not remember what I set it as when I was installing it. I set it for the one that said extremely reliable, but more of a performance hit.
 

cPanelMichael

Try using "grep" to see if there are any Input/Output error messages in /var/log/maillog. It's possible there is a lack of authentication daemons available to accept a username/password. You can try increasing the "Number of Authentication Daemons" in "WHM Home » Service Configuration » Mailserver Configuration".

Thank you.
 

Shane3673

When it happens, it looks like the log has tons of input/output errors and also has errors saying resource temporarily unavailable. I will try your suggestion. Thanks.
 

cPanelMichael

Increasing the "Number of Authentication Daemons" value should help with this issue. Let us know the outcome.

Thanks.
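
The grep check suggested in this thread, extended to count the matching errors per minute so a spike can be lined up with the roughly one-minute POP3 lockups. This is an added example, not part of any post above; the sample log lines are constructed, and the syslog timestamp layout, process names and exact message wording are assumptions.

```shell
#!/bin/sh
# Added example: bucket authentication-exhaustion errors in a mail log by minute.
# Assumes classic syslog timestamps: "Mon DD HH:MM:SS host process: message".

# Constructed sample lines (not from a real server; wording is illustrative).
sample_maillog() {
cat <<'EOF'
Mar  3 14:02:11 mail pop3d: LOGIN FAILED, user=info, ip=[203.0.113.7]
Mar  3 14:02:40 mail pop3d: LOGIN FAILED, user=sales, ip=[203.0.113.7]
Mar  3 14:02:58 mail pop3d: authentication error: Input/output error
Mar  3 14:03:01 mail authdaemond: accept: Resource temporarily unavailable
Mar  3 14:03:02 mail pop3d: authentication error: Input/output error
Mar  3 14:03:02 mail pop3d: authentication error: Input/output error
Mar  3 14:03:40 mail authdaemond: accept: Resource temporarily unavailable
Mar  3 14:05:17 mail pop3d: authentication error: Input/output error
EOF
}

# error_spikes FILE [THRESHOLD]
# FILE may be "-" for stdin. Prints "Mon DD HH:MM count" for every minute
# that has at least THRESHOLD (default 3) matching error lines, in log order.
error_spikes() {
  file=$1
  threshold=${2:-3}
  grep -iE 'input/output error|resource temporarily unavailable' "$file" |
    awk -v t="$threshold" '
      {
        key = $1 " " $2 " " substr($3, 1, 5)   # month, day, HH:MM
        if (!(key in n)) order[++k] = key      # remember first-seen order
        n[key]++
      }
      END {
        for (i = 1; i <= k; i++)
          if (n[order[i]] >= t) print order[i], n[order[i]]
      }'
}

# Demo on the constructed sample; on a server: error_spikes /var/log/maillog 3
sample_maillog | error_spikes - 3
```

Minutes that exceed the threshold while users report password prompts point to the authentication daemons being exhausted, which is the condition the "Number of Authentication Daemons" setting addresses.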