The Community Forums
cpHulkd, exim and imap attacks

Discussion in 'Security' started by Asif Nawaz, Aug 7, 2012.

  1. Asif Nawaz (Member; cPanel Access Level: Root Administrator; London, United Kingdom)

    Hi Folks,

    We've been having some trouble with brute-force attacks, both on the control panel and on IMAP and Exim. Here's a sample of what the cphulkd logs show:


    Code:
    Tue Aug  7 14:37:26 2012 [info] Connection service=system ip=67.78.222.238 port= user=ron blocked by cphulkd (IP Address is blacklisted matched 67.78.0.0/16)
    Tue Aug  7 14:37:26 2012 [info] Connection service=system ip=67.78.222.238 port= user=megan blocked by cphulkd (IP Address is blacklisted matched 67.78.0.0/16)
    Tue Aug  7 14:37:26 2012 [info] Connection service=system ip=67.78.222.238 port= user=ron blocked by cphulkd (IP Address is blacklisted matched 67.78.0.0/16)
    Tue Aug  7 14:37:27 2012 [info] Connection service=system ip=67.78.222.238 port= user=ron blocked by cphulkd (IP Address is blacklisted matched 67.78.0.0/16)
    Tue Aug  7 14:37:27 2012 [info] Connection service=system ip=67.78.222.238 port= user=ron blocked by cphulkd (IP Address is blacklisted matched 67.78.0.0/16)
    Tue Aug  7 14:37:27 2012 [info] Connection service=system ip=67.78.222.238 port= user=max blocked by cphulkd (IP Address is blacklisted matched 67.78.0.0/16)
    Tue Aug  7 14:37:27 2012 [info] Connection service=system ip=67.78.222.238 port= user=michelle blocked by cphulkd (IP Address is blacklisted matched 67.78.0.0/16)
    Tue Aug  7 14:37:27 2012 [info] Connection service=system ip=67.78.222.238 port= user=max blocked by cphulkd (IP Address is blacklisted matched 67.78.0.0/16)
    Tue Aug  7 14:37:27 2012 [info] Connection service=system ip=67.78.222.238 port= user=max blocked by cphulkd (IP Address is blacklisted matched 67.78.0.0/16)
    Tue Aug  7 14:37:27 2012 [info] Connection service=system ip=67.78.222.238 port= user=ron blocked by cphulkd (IP Address is blacklisted matched 67.78.0.0/16)
    Tue Aug  7 14:37:27 2012 [info] Connection service=system ip=67.78.222.238 port= user=ron blocked by cphulkd (IP Address is blacklisted matched 67.78.0.0/16)
    Tue Aug  7 14:37:27 2012 [info] Connection service=system ip=67.78.222.238 port= user=ron blocked by cphulkd (IP Address is blacklisted matched 67.78.0.0/16)
    Tue Aug  7 14:37:27 2012 [info] Connection service=system ip=67.78.222.238 port= user=ron blocked by cphulkd (IP Address is blacklisted matched 67.78.0.0/16)
    Tue Aug  7 14:37:27 2012 [info] Connection service=system ip=67.78.222.238 port= user=ron blocked by cphulkd (IP Address is blacklisted matched 67.78.0.0/16)
    Tue Aug  7 14:37:27 2012 [info] Connection service=system ip=67.78.222.238 port= user=ron blocked by cphulkd (IP Address is blacklisted matched 67.78.0.0/16)
    
    To put things into perspective, I have about 30,000 entries like this over a few hours, and from a variety of IPs, most of which are banned.

    My only concern is that I keep getting emails from the ChkServd Service Monitor about how imap and exim failed and have been booted 50 times or whatever number of times with a list of the failed getpwnam users from the syslog.

    Do I need to worry about this or shall I just ignore these? I presume this is simply happening because of the number of attempts made by the blacklisted IP and the IMAP service can't deal with the load. Is that correct?

    Thanks!
     
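Before deciding whether the chkservd restarts are load-related, it helps to turn a cphulkd log like the one above into per-IP, per-account and per-second counts. The following is an added example, not code from the post or from cPanel: it parses lines in the exact shape quoted above and reports who is hitting, which accounts are being tried, which blacklist entry fired, and the peak number of blocked attempts from a single IP within one second. The sample input is constructed: six lines copied from the post, one from an invented second source (198.51.100.7, a documentation range) and one unrelated line that the parser must skip.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample: six cphulkd lines from the post, one invented line from a
# second source address (198.51.100.7, documentation range) and one unrelated
# syslog-style line that is not a cphulkd block and must be counted as skipped.
SAMPLE_LOG = """\
Tue Aug  7 14:37:26 2012 [info] Connection service=system ip=67.78.222.238 port= user=ron blocked by cphulkd (IP Address is blacklisted matched 67.78.0.0/16)
Tue Aug  7 14:37:26 2012 [info] Connection service=system ip=67.78.222.238 port= user=megan blocked by cphulkd (IP Address is blacklisted matched 67.78.0.0/16)
Tue Aug  7 14:37:27 2012 [info] Connection service=system ip=67.78.222.238 port= user=ron blocked by cphulkd (IP Address is blacklisted matched 67.78.0.0/16)
Tue Aug  7 14:37:27 2012 [info] Connection service=system ip=67.78.222.238 port= user=max blocked by cphulkd (IP Address is blacklisted matched 67.78.0.0/16)
Tue Aug  7 14:37:27 2012 [info] Connection service=system ip=67.78.222.238 port= user=michelle blocked by cphulkd (IP Address is blacklisted matched 67.78.0.0/16)
Tue Aug  7 14:37:27 2012 [info] Connection service=system ip=67.78.222.238 port= user=ron blocked by cphulkd (IP Address is blacklisted matched 67.78.0.0/16)
Tue Aug  7 14:38:01 2012 [info] Connection service=system ip=198.51.100.7 port= user=max blocked by cphulkd (IP Address is blacklisted matched 198.51.100.0/24)
Tue Aug  7 14:38:02 2012 [info] some other message that is not a cphulkd block
"""

# One "blocked by cphulkd" line as quoted in the post: timestamp, level,
# service, ip, port (empty in the sample), user, and the reason in parentheses.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3}\s+\d{1,2} \d\d:\d\d:\d\d \d{4}) \[(?P<level>\w+)\] "
    r"Connection service=(?P<service>\S*) ip=(?P<ip>\S+) port=(?P<port>\S*) "
    r"user=(?P<user>\S+) blocked by cphulkd \((?P<reason>[^)]*)\)\s*$"
)
# The blacklist entry named in the reason, e.g. "matched 67.78.0.0/16".
MATCHED_RE = re.compile(r"matched (\S+)")


def parse_line(line):
    """Return a dict for a cphulkd block line, or None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Day-of-month is space-padded ("Aug  7"); collapse the run before strptime.
    rec["ts"] = datetime.strptime(" ".join(rec["ts"].split()), "%a %b %d %H:%M:%S %Y")
    net = MATCHED_RE.search(rec["reason"])
    rec["network"] = net.group(1) if net else None
    return rec


def summarize(text):
    """Aggregate blocked attempts: per source IP, per account, per blacklist
    entry, and the peak number of blocks from one IP inside a single second."""
    per_ip, per_user, per_network, per_ip_second = Counter(), Counter(), Counter(), Counter()
    unparsed = 0
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        per_ip[rec["ip"]] += 1
        per_user[rec["user"]] += 1
        if rec["network"]:
            per_network[rec["network"]] += 1
        per_ip_second[(rec["ip"], rec["ts"])] += 1
    return {
        "per_ip": per_ip,
        "per_user": per_user,
        "per_network": per_network,
        "peak_per_second": max(per_ip_second.values(), default=0),
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for ip, n in s["per_ip"].most_common():
        print(f"{ip:16} {n:5d} blocked attempts")
    print("accounts tried:", dict(s["per_user"]))
    print("blacklist entries hit:", dict(s["per_network"]))
    print("peak attempts from one IP in one second:", s["peak_per_second"])
    print("lines skipped:", s["unparsed"])
```

Run against the real /usr/local/cpanel/logs/cphulkd.log (the path is an assumption; use whatever file the entries above came from), the per-second peak and the per-IP totals are the numbers to line up against the timestamps in the chkservd notices: if the restarts coincide with the bursts, the load explanation holds; if they do not, something else is knocking imap and exim over.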
  2. Eric (Administrator, Staff Member; cPanel Access Level: Root Administrator; Texas)

    Howdy,

    I would strongly recommend adding CSF/LFD to your server. cPHulk can catch offenders like this but CSF will block them via iptables which keeps them from trying again.

    ConfigServer Security & Firewall

    (it's free)

    Thanks!
     
  3. denny.j (Member; cPanel Access Level: Root Administrator)

    I would suggest blocking this IP range "67.78." in the DC firewall. Please contact your DC for more help in the matter.
     
  4. Infopro (cPanel Sr. Product Evangelist, Staff Member; cPanel Access Level: Root Administrator; Pennsylvania)

    I would not suggest this. For one, it's not correct; for another, you'd be blocking many people from the US if it were, and worked.

    This would be correct: 67.78.0.0/15
     
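The two suggestions above differ in arithmetic, not just in notation: a firewall rule for "everything starting with 67.78." is the network 67.78.0.0/16 (65,536 addresses), while 67.78.0.0/15 also takes in 67.79.0.0/16, twice as many. The following is an added example, not code from the thread or from cPanel or ConfigServer: it converts a dotted prefix to the CIDR it actually means, checks whether one block contains the other, and, for a candidate block, counts how many known offenders it catches against how many addresses it removes from service. The offender list is constructed: the address from the log in the first post plus an invented one (198.51.100.7, a documentation range) that no 67.78 block covers.

```python
from ipaddress import ip_address, ip_network

# Constructed: the source address shown in the cphulkd log above, plus one
# invented offender from a documentation range that neither 67.78 block covers.
OFFENDERS = ["67.78.222.238", "198.51.100.7"]


def dotted_prefix_to_network(prefix):
    """Turn a 'block everything starting with' string such as "67.78." into the
    CIDR network it really means: each whole octet given is 8 bits of prefix."""
    octets = [o for o in prefix.strip(".").split(".") if o != ""]
    if not 1 <= len(octets) <= 4:
        raise ValueError("expected one to four dotted octets")
    padded = octets + ["0"] * (4 - len(octets))
    return ip_network(".".join(padded) + f"/{8 * len(octets)}")


def coverage(candidate, offenders=OFFENDERS):
    """Offenders a candidate block catches, and the number of addresses it
    takes out of service to do so (the collateral Infopro warns about)."""
    net = ip_network(candidate, strict=False)
    hit = sum(ip_address(o) in net for o in offenders)
    return hit, net.num_addresses


def compare_blocks(prefix, cidr):
    """Relate a dotted-prefix block to a CIDR block: does the CIDR contain the
    prefix's network, and how many extra addresses does it add if so?"""
    a, b = dotted_prefix_to_network(prefix), ip_network(cidr)
    contains = b.supernet_of(a)
    return {
        "prefix_as_cidr": str(a),
        "cidr_contains_prefix": contains,
        "extra_addresses": b.num_addresses - a.num_addresses if contains else 0,
    }


if __name__ == "__main__":
    print(compare_blocks("67.78.", "67.78.0.0/15"))
    for cand in ("67.78.222.238/32", "67.78.0.0/16", "67.78.0.0/15"):
        hit, size = coverage(cand)
        print(f"{cand:18} catches {hit} of {len(OFFENDERS)} offenders, blocks {size} addresses")
```

The same network string is what goes into a CSF deny list once CSF/LFD is installed as Eric suggests (csf.deny takes one address or CIDR network per line with an optional `#` comment); the coverage numbers are what to weigh before choosing /32, /16 or /15.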