The Community Forums


cpHulkd, exim and imap attacks

Discussion in 'Security' started by Asif Nawaz, Aug 7, 2012.

  1. Asif Nawaz

    Asif Nawaz Member

    Joined:
    Jul 30, 2012
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    London, United Kingdom
    cPanel Access Level:
    Root Administrator
    Hi Folks,

    We've been having some trouble with brute force attacks, both to the control panel as well as IMAP and EXIM. Here's a sample of what the cphulkd logs show:


    Code:
    Tue Aug  7 14:37:26 2012 [info] Connection service=system ip=67.78.222.238 port= user=ron blocked by cphulkd (IP Address is blacklisted matched 67.78.0.0/16)
    Tue Aug  7 14:37:26 2012 [info] Connection service=system ip=67.78.222.238 port= user=megan blocked by cphulkd (IP Address is blacklisted matched 67.78.0.0/16)
    Tue Aug  7 14:37:26 2012 [info] Connection service=system ip=67.78.222.238 port= user=ron blocked by cphulkd (IP Address is blacklisted matched 67.78.0.0/16)
    Tue Aug  7 14:37:27 2012 [info] Connection service=system ip=67.78.222.238 port= user=ron blocked by cphulkd (IP Address is blacklisted matched 67.78.0.0/16)
    Tue Aug  7 14:37:27 2012 [info] Connection service=system ip=67.78.222.238 port= user=ron blocked by cphulkd (IP Address is blacklisted matched 67.78.0.0/16)
    Tue Aug  7 14:37:27 2012 [info] Connection service=system ip=67.78.222.238 port= user=max blocked by cphulkd (IP Address is blacklisted matched 67.78.0.0/16)
    Tue Aug  7 14:37:27 2012 [info] Connection service=system ip=67.78.222.238 port= user=michelle blocked by cphulkd (IP Address is blacklisted matched 67.78.0.0/16)
    Tue Aug  7 14:37:27 2012 [info] Connection service=system ip=67.78.222.238 port= user=max blocked by cphulkd (IP Address is blacklisted matched 67.78.0.0/16)
    Tue Aug  7 14:37:27 2012 [info] Connection service=system ip=67.78.222.238 port= user=max blocked by cphulkd (IP Address is blacklisted matched 67.78.0.0/16)
    Tue Aug  7 14:37:27 2012 [info] Connection service=system ip=67.78.222.238 port= user=ron blocked by cphulkd (IP Address is blacklisted matched 67.78.0.0/16)
    Tue Aug  7 14:37:27 2012 [info] Connection service=system ip=67.78.222.238 port= user=ron blocked by cphulkd (IP Address is blacklisted matched 67.78.0.0/16)
    Tue Aug  7 14:37:27 2012 [info] Connection service=system ip=67.78.222.238 port= user=ron blocked by cphulkd (IP Address is blacklisted matched 67.78.0.0/16)
    Tue Aug  7 14:37:27 2012 [info] Connection service=system ip=67.78.222.238 port= user=ron blocked by cphulkd (IP Address is blacklisted matched 67.78.0.0/16)
    Tue Aug  7 14:37:27 2012 [info] Connection service=system ip=67.78.222.238 port= user=ron blocked by cphulkd (IP Address is blacklisted matched 67.78.0.0/16)
    Tue Aug  7 14:37:27 2012 [info] Connection service=system ip=67.78.222.238 port= user=ron blocked by cphulkd (IP Address is blacklisted matched 67.78.0.0/16)
    
    To put things into perspective, I have about 30,000 entries like this over a few hours, and from a variety of IPs, most of which are banned.

    My only concern is that I keep getting emails from the ChkServd Service Monitor about how imap and exim failed and have been booted 50 times or whatever number of times with a list of the failed getpwnam users from the syslog.

    Do I need to worry about this, or shall I just ignore these? I presume this is simply happening because of the number of attempts made by the blacklisted IP and the IMAP service can't deal with the load. Is that correct?

    Thanks!
     
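The log lines quoted in this post have a fixed shape (timestamp, service, ip, port, user, and the blacklist entry that matched), which makes it easy to answer the questions above from the log itself: how many attempts each source made, how many usernames it cycled through, and how fast it was hammering the service. The following is an added example written for this page, not code from the original post or from cPanel; the sample log is constructed to mirror the format shown above (the second address is from the documentation range 198.51.100.0/24), and the per-IP in-range check only confirms that the address really sits inside the blacklist entry cphulkd reported.

```python
"""Aggregate cphulkd "blocked" log lines by source IP.

Added example, not code from the original post or from cPanel. The record
format is taken from the lines quoted in the post; SAMPLE_LOG is constructed
for this example.
"""
import re
from datetime import datetime
from ipaddress import ip_address, ip_network

# One "blocked by cphulkd" record, as quoted in the post.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) \[info\] "
    r"Connection service=(?P<service>\S*) ip=(?P<ip>\S+) port=(?P<port>\S*) "
    r"user=(?P<user>\S+) blocked by cphulkd "
    r"\(IP Address is blacklisted matched (?P<cidr>\S+)\)$"
)

# Constructed sample input in the same format as the post's log excerpt.
SAMPLE_LOG = """\
Tue Aug  7 14:37:26 2012 [info] Connection service=system ip=67.78.222.238 port= user=ron blocked by cphulkd (IP Address is blacklisted matched 67.78.0.0/16)
Tue Aug  7 14:37:26 2012 [info] Connection service=system ip=67.78.222.238 port= user=megan blocked by cphulkd (IP Address is blacklisted matched 67.78.0.0/16)
Tue Aug  7 14:37:27 2012 [info] Connection service=system ip=67.78.222.238 port= user=ron blocked by cphulkd (IP Address is blacklisted matched 67.78.0.0/16)
Tue Aug  7 14:37:27 2012 [info] Connection service=system ip=67.78.222.238 port= user=max blocked by cphulkd (IP Address is blacklisted matched 67.78.0.0/16)
Tue Aug  7 14:37:27 2012 [info] Connection service=system ip=67.78.222.238 port= user=ron blocked by cphulkd (IP Address is blacklisted matched 67.78.0.0/16)
Tue Aug  7 14:37:27 2012 [info] Connection service=system ip=67.78.222.238 port= user=michelle blocked by cphulkd (IP Address is blacklisted matched 67.78.0.0/16)
Tue Aug  7 14:37:27 2012 [info] Connection service=system ip=198.51.100.7 port= user=admin blocked by cphulkd (IP Address is blacklisted matched 198.51.100.0/24)
Tue Aug  7 14:37:27 2012 [info] Connection service=system ip=198.51.100.7 port= user=admin blocked by cphulkd (IP Address is blacklisted matched 198.51.100.0/24)
Tue Aug  7 14:37:28 2012 [info] constructed noise line that is not a blocked-connection record
"""


def parse_line(line):
    """Return the fields of one cphulkd "blocked" record, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%a %b %d %H:%M:%S %Y")
    return rec


def summarize(text):
    """Group blocked attempts by source IP.

    Per IP: attempt count, distinct usernames tried, services hit, first and
    last timestamp, the blacklist entries cphulkd reported, and whether the
    IP really lies inside every one of those entries.
    """
    by_ip = {}
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        entry = by_ip.setdefault(rec["ip"], {
            "attempts": 0, "users": set(), "services": set(),
            "first": rec["ts"], "last": rec["ts"], "cidrs": set(),
        })
        entry["attempts"] += 1
        entry["users"].add(rec["user"])
        entry["services"].add(rec["service"])
        entry["cidrs"].add(rec["cidr"])
        entry["first"] = min(entry["first"], rec["ts"])
        entry["last"] = max(entry["last"], rec["ts"])
    for ip, entry in by_ip.items():
        addr = ip_address(ip)
        entry["cidr_covers_ip"] = all(
            addr in ip_network(c, strict=False) for c in entry["cidrs"]
        )
    return by_ip


def attempts_per_second(entry):
    """Attempt rate over the observed window; a zero-length window counts as one second."""
    seconds = max(1.0, (entry["last"] - entry["first"]).total_seconds())
    return entry["attempts"] / seconds


def top_sources(by_ip, limit=10):
    """Source IPs ordered by attempt count, highest first."""
    return sorted(by_ip, key=lambda ip: by_ip[ip]["attempts"], reverse=True)[:limit]


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for ip in top_sources(summary):
        e = summary[ip]
        print(f"{ip}: {e['attempts']} attempts, {len(e['users'])} users, "
              f"{attempts_per_second(e):.1f}/s, matched {sorted(e['cidrs'])}, "
              f"in-range={e['cidr_covers_ip']}")
```

Run it against /usr/local/cpanel/logs/cphulkd.log (or whichever file the excerpt came from) instead of SAMPLE_LOG and the output is the list of sources, ordered by volume, that the replies below suggest handing to a firewall; the rate figure is what tells you whether the volume of connections, rather than any single login, is what the service monitor is reacting to.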
  2. Eric

    Eric Administrator
    Staff Member

    Joined:
    Nov 25, 2007
    Messages:
    746
    Likes Received:
    11
    Trophy Points:
    18
    Location:
    Texas
    cPanel Access Level:
    Root Administrator
    Howdy,

    I would strongly recommend adding CSF/LFD to your server. cPHulk can catch offenders like this but CSF will block them via iptables which keeps them from trying again.

    ConfigServer Security & Firewall

    (it's free)

    Thanks!
     
  3. denny.j

    denny.j Member

    Joined:
    Apr 21, 2012
    Messages:
    8
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    I would suggest blocking this IP range "67.78." in the DC firewall. Please contact your DC for more help in the matter.
     
  4. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,472
    Likes Received:
    201
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    I would not suggest this. For one, it's not correct; for another, you'd be blocking many people from the US if it was, and worked.

    This would be correct: 67.78.0.0/15
     
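The last two replies disagree about how to express the range. Before putting any of the candidates into a firewall it is worth computing what each one actually covers: the dotted prefix "67.78.", the 67.78.0.0/16 entry that cphulkd reported in the log, and the 67.78.0.0/15 suggested above. The following is an added example for this page, not code from the thread, from CSF or from cPanel; the attacker and bystander addresses are constructed for the example, and the "bystanders" simply stand for addresses you would not want to block.

```python
"""Check what a candidate firewall block covers before applying it.

Added example, not from the original thread, CSF or cPanel. The candidate
ranges are the ones named in the thread; ATTACKERS and BYSTANDERS are
constructed addresses for the example.
"""
from ipaddress import ip_address, ip_network

# Constructed: two sources seen attacking and two addresses we do not want to block.
ATTACKERS = ["67.78.222.238", "67.78.10.5"]
BYSTANDERS = ["67.79.1.2", "67.80.0.1"]
# The ranges discussed in the thread, plus a deliberately too-wide one.
CANDIDATES = ["67.78.", "67.78.0.0/16", "67.78.0.0/15", "67."]


def prefix_to_network(spec):
    """Turn a dotted prefix such as "67.78." into the CIDR block it implies.

    "67." -> 67.0.0.0/8, "67.78." -> 67.78.0.0/16, "67.78.222." -> 67.78.222.0/24.
    A spec containing "/" is parsed as CIDR unchanged.
    """
    if "/" in spec:
        return ip_network(spec, strict=False)
    octets = [o for o in spec.strip(".").split(".") if o]
    if not 1 <= len(octets) <= 4:
        raise ValueError(f"not a dotted IPv4 prefix: {spec!r}")
    padded = octets + ["0"] * (4 - len(octets))
    return ip_network(".".join(padded) + f"/{8 * len(octets)}", strict=False)


def coverage_report(candidates, attackers, bystanders):
    """For each candidate block: its size, and which attacker and bystander
    addresses it sweeps in. A block catching no attacker is useless; one
    catching bystanders is collateral damage."""
    attackers = [ip_address(a) for a in attackers]
    bystanders = [ip_address(b) for b in bystanders]
    report = {}
    for spec in candidates:
        net = prefix_to_network(spec)
        report[spec] = {
            "network": str(net),
            "addresses": net.num_addresses,
            "attackers_caught": [str(a) for a in attackers if a in net],
            "bystanders_caught": [str(b) for b in bystanders if b in net],
        }
    return report


def smallest_block_covering(attackers):
    """The tightest single CIDR containing every listed attacker address."""
    addrs = sorted(ip_address(a) for a in attackers)
    net = ip_network(f"{addrs[0]}/32")
    while not all(a in net for a in addrs):
        net = net.supernet()   # widen by one bit until everything fits
    return net


if __name__ == "__main__":
    for spec, r in coverage_report(CANDIDATES, ATTACKERS, BYSTANDERS).items():
        print(f"{spec:14} -> {r['network']:16} {r['addresses']:>9} addrs, "
              f"attackers {r['attackers_caught']}, bystanders {r['bystanders_caught']}")
    print("tightest block for the attackers seen:", smallest_block_covering(ATTACKERS))
```

The report makes the trade-off in the replies concrete: a /15 is twice the size of a /16 and also takes in 67.79.0.0/16, so whether it is the right entry depends on whether that second half is also the attacker's allocation or somebody else's. The tightest block derived from the addresses actually seen in your own log is the safest starting point; widen it only when a whois lookup shows the larger allocation belongs to the same network.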