
Disable Account Listing

Discussion in 'Security' started by pasayev, Sep 12, 2014.

  1. pasayev

    pasayev Member

    cPanel Access Level:
    Root Administrator
    Hello,

    I have a dedicated server with cPanel and WHM installed. I also installed the CSF firewall. Daily I get many attacks from different countries, but I see that they know all my account names and the email addresses which are opened under the same account. My question is: how do they detect all my accounts under WHM, and how do they detect the account email addresses?

    Thanks for all.
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    cPanel Access Level:
    Root Administrator
    Hello :)

    Could you elaborate on the type of attack that's happening? For instance, what are you seeing that shows you information about your accounts is known?

    Thank you.
     
  3. pasayev

    pasayev Member

    cPanel Access Level:
    Root Administrator
    Hello,

    Sure. Every time, I see the domain name and the account for it which is created under my WHM. I also see an email address which is created in this account. They try to send email but fail. I give two of them below:

    Time: Thu Sep 11 21:48:59 2014 +0300
    IP: 185.3.132.128 (SE/Sweden/-)
    Failures: 5 (smtpauth)
    Interval: 3600 seconds
    Blocked: Permanent Block

    Log entries:

    Code:
    2014-09-11 21:48:08 dovecot_login authenticator failed for (ylmf-pc) [185.3.132.128]:1344: 535 Incorrect authentication data (set_id=bakirlar)
    2014-09-11 21:48:15 dovecot_login authenticator failed for (ylmf-pc) [185.3.132.128]:1082: 535 Incorrect authentication data (set_id=bakirlar)
    2014-09-11 21:48:27 dovecot_login authenticator failed for (ylmf-pc) [185.3.132.128]:3706: 535 Incorrect authentication data (set_id=bakirlar)
    2014-09-11 21:48:45 dovecot_login authenticator failed for (ylmf-pc) [185.3.132.128]:3958: 535 Incorrect authentication data
    2014-09-11 21:48:56 dovecot_login authenticator failed for (ylmf-pc) [185.3.132.128]:3709: 535 Incorrect authentication data
    
    bakirlar is under my WHM and the account is bakirlar. How did he/she detect it?

    Time: Fri Sep 12 01:38:20 2014 +0300
    IP: 77.66.134.82 (RU/Russian Federation/-)
    Failures: 5 (smtpauth)
    Interval: 3600 seconds
    Blocked: Permanent Block

    Log entries:

    Code:
    2014-09-12 01:37:32 dovecot_login authenticator failed for (ylmf-pc) [77.66.134.82]:2872: 535 Incorrect authentication data (set_id=posta@tedkayseri)
    2014-09-12 01:37:39 dovecot_login authenticator failed for (ylmf-pc) [77.66.134.82]:2947: 535 Incorrect authentication data (set_id=posta@tedkayseri)
    2014-09-12 01:37:49 dovecot_login authenticator failed for (ylmf-pc) [77.66.134.82]:3135: 535 Incorrect authentication data (set_id=posta@tedkayseri)
    2014-09-12 01:38:06 dovecot_login authenticator failed for (ylmf-pc) [77.66.134.82]:3382: 535 Incorrect authentication data
    2014-09-12 01:38:17 dovecot_login authenticator failed for (ylmf-pc) [77.66.134.82]:3627: 535 Incorrect authentication data
    tedkayseri. is under my WHM. How did he/she detect that posta@tedkayseri. is under its account?
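Editor's added example, not code from any post in this thread: a short Python script that parses the Exim log lines pasayev pasted above, counts failures per HELO name and per source IP, applies the same 5-failures-in-3600-seconds rule that the CSF alert shows, and labels what kind of credential each set_id is. The hosted domains bakirlar.example and tedkayseri.example are assumed for illustration (the real domains are not in the post). The username helper reproduces cPanel's default rule of building the account name from the first label of the domain, truncated to eight characters in 2014-era versions, which is why a bare account name like bakirlar is guessable from the domain alone.

```python
"""Summarise SMTP AUTH brute-force attempts from Exim mainlog lines.

Added example for the thread above; not code from the forum or from cPanel.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# The exim_mainlog lines copied from the CSF alerts in pasayev's post.
SAMPLE_LOG = """\
2014-09-11 21:48:08 dovecot_login authenticator failed for (ylmf-pc) [185.3.132.128]:1344: 535 Incorrect authentication data (set_id=bakirlar)
2014-09-11 21:48:15 dovecot_login authenticator failed for (ylmf-pc) [185.3.132.128]:1082: 535 Incorrect authentication data (set_id=bakirlar)
2014-09-11 21:48:27 dovecot_login authenticator failed for (ylmf-pc) [185.3.132.128]:3706: 535 Incorrect authentication data (set_id=bakirlar)
2014-09-11 21:48:45 dovecot_login authenticator failed for (ylmf-pc) [185.3.132.128]:3958: 535 Incorrect authentication data
2014-09-11 21:48:56 dovecot_login authenticator failed for (ylmf-pc) [185.3.132.128]:3709: 535 Incorrect authentication data
2014-09-12 01:37:32 dovecot_login authenticator failed for (ylmf-pc) [77.66.134.82]:2872: 535 Incorrect authentication data (set_id=posta@tedkayseri)
2014-09-12 01:37:39 dovecot_login authenticator failed for (ylmf-pc) [77.66.134.82]:2947: 535 Incorrect authentication data (set_id=posta@tedkayseri)
2014-09-12 01:37:49 dovecot_login authenticator failed for (ylmf-pc) [77.66.134.82]:3135: 535 Incorrect authentication data (set_id=posta@tedkayseri)
2014-09-12 01:38:06 dovecot_login authenticator failed for (ylmf-pc) [77.66.134.82]:3382: 535 Incorrect authentication data
2014-09-12 01:38:17 dovecot_login authenticator failed for (ylmf-pc) [77.66.134.82]:3627: 535 Incorrect authentication data
"""

# One Exim "authenticator failed" line: timestamp, authenticator, HELO name,
# source IP and port, and (only on some lines) the login name that was tried.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) "
    r"(?P<auth>\S+) authenticator failed for \((?P<helo>[^)]*)\) "
    r"\[(?P<ip>[^\]]+)\]:(?P<port>\d+): 535 Incorrect authentication data"
    r"(?: \(set_id=(?P<user>[^)]*)\))?$"
)


def parse(log_text):
    """Return one dict per AUTH failure line; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
        events.append(ev)
    return events


def classify_target(user):
    """Label the credential the attacker guessed: a bare name is a cPanel
    account username, name@domain is a mailbox on a hosted domain."""
    if user is None:
        return "unknown (Exim logged no set_id)"
    return "mailbox on hosted domain" if "@" in user else "cPanel account username"


def guess_cpanel_username(domain, max_len=8):
    """cPanel's default username rule (assumption for this example: first
    label of the domain, lower-cased, non-alphanumerics stripped, cut to
    max_len characters).  Shows why the account name leaks from the domain."""
    label = re.sub(r"[^a-z0-9]", "", domain.lower().split(".")[0])
    return label[:max_len]


def summarize(events):
    """Failure counts per HELO name and per source IP, plus the guessed targets."""
    return {
        "by_helo": Counter(e["helo"] for e in events),
        "by_ip": Counter(e["ip"] for e in events),
        "targets": {e["user"]: classify_target(e["user"]) for e in events if e["user"]},
    }


def ips_to_block(events, threshold=5, window=timedelta(seconds=3600)):
    """The rule visible in the CSF alert: block an IP once it has `threshold`
    failures inside `window`.  Returns the IPs to block, sorted."""
    per_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        per_ip[e["ip"]].append(e["ts"])
    blocked = set()
    for ip, stamps in per_ip.items():
        for i in range(len(stamps) - threshold + 1):
            if stamps[i + threshold - 1] - stamps[i] <= window:
                blocked.add(ip)
                break
    return sorted(blocked)


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print(summarize(evs))
    print("block:", ips_to_block(evs))
    # Hypothetical domains: the real ones are not in the post.
    print(guess_cpanel_username("bakirlar.example"), guess_cpanel_username("tedkayseri.example"))
```

Run against a real /var/log/exim_mainlog the same regex works unchanged; the per-HELO counter is what makes the shared "ylmf-pc" name stand out as a single botnet rather than unrelated attackers, and the targets dict shows that nothing secret was leaked: one guess is the account name derivable from the domain, the other is a common mailbox name (posta) tried at a hosted domain.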
     
  4. triantech

    triantech Well-Known Member

    Location:
    Kochi, India, India
    cPanel Access Level:
    Root Administrator
    Hello,

    These are online sites, right, the ones that go live. There are lots of hackers/spammers who use botnets preying on the
    content which goes live, and they are the ones that launch the attack on you and on the email addresses which are originating
    from them.

    Now, looking at your logs, I'm seeing the common name ylmf-pc. There are many incoming SMTP connections from
    different IP addresses with the same machine name, "ylmf-pc"; I'm seeing this happen many times. One possibility
    is that it could be different machines which are infected with some malware, and this malware is utilizing the machine to
    perform a brute-force password attack to gain authorization.

    One solution is to drop the SMTP connection at HELO so that no further processing is performed:

    Code:
    
    # vi /etc/exim.conf
    
    # Main configuration section (before "begin acl"): point the HELO ACL at a
    # named ACL. A cPanel-generated exim.conf already carries an equivalent line.
    acl_smtp_helo = acl_smtp_helo
    
    # ACL section (after "begin acl"): the ACL itself.
    acl_smtp_helo:
    
    #BEGIN ACL_SMTP_HELO_BLOCK
    
      # $sender_helo_name is the name given in HELO/EHLO; close the session
      # immediately when it is "ylmf-pc" (use eqi instead of eq to match
      # regardless of case).
      drop
         condition   = ${if eq {$sender_helo_name}{ylmf-pc} {yes}{no}}
         log_message = HELO/EHLO - ylmf-pc blocking against brute-force
         message     = Blocked at HELO
    
      # Everything else continues with the normal SMTP transaction.
      accept
    
    #END ACL_SMTP_HELO_BLOCK
    
    
    Restart exim once this has been done.

    Code:
    
    # service exim restart
    
    
     
  5. kpmedia

    kpmedia Well-Known Member

    Location:
    USA, Europe
    cPanel Access Level:
    Root Administrator
    The problem with this is that cPanel will overwrite the change when updated. It has to be added in WHM.

    I'm also trying to figure out where it goes. cPanel has lots of hackish fixes, where the new code is added in other files (or the WHM GUI), but it's never the same method per service. Documentation is often sketchy.
     
  6. dalem

    dalem Well-Known Member
    PartnerNOC

    Location:
    SLC
    cPanel Access Level:
    DataCenter Provider
    Add
    to your regex.custom.pm in csf
     
  7. kpmedia

    kpmedia Well-Known Member

    Location:
    USA, Europe
    cPanel Access Level:
    Root Administrator
    No. The idea is to prevent initial access altogether. That means an exim change.

    That CSF regex from sergio is NOT 100% effective. Although the regex is correct, CSF seems to use malformed regex. You need more rules for 100% effectiveness.
     
  8. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    cPanel Access Level:
    Root Administrator
    You should be able to use the "Advanced Editor" in "WHM Home » Service Configuration » Exim Configuration Manager" to ensure the changes are preserved. The following block is found in the advanced editor:

    Thank you.
     
  9. steventay

    steventay Member

    Location:
    Singapore
    Hi Michael,

    I am new to this.. I just started using cPanel WHM.

    What should I do to block ylmf-pc?

    Under the advanced editor as below... what should I enter?

    acl_smtp_helo:
    custom_begin_smtp_helo

    custom_end_smtp_helo
     
  10. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    cPanel Access Level:
    Root Administrator
    Hello,

    Browse to the "Advanced Editor" and search for "custom_begin_smtp_helo". Enter the custom code referenced in the previous post and scroll down to select "Save". Note this is a user-submitted solution so it's not supported by cPanel.

    Thank you.
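Editor's added example, not cPanel's own configuration and not text from any post: what the acl_smtp_helo section of the Advanced Editor looks like once the drop stanza from triantech's post is pasted between the markers steventay quoted. The markers and the ACL name are cPanel's; only the indented lines between them are typed in. The surrounding acl_smtp_helo ACL and its wiring in the main section already exist in the generated exim.conf, so nothing else is edited, and the change survives cPanel updates because WHM regenerates exim.conf from the editor contents.

```exim
acl_smtp_helo:
custom_begin_smtp_helo

  # Drop the session as soon as HELO/EHLO names "ylmf-pc", before AUTH is
  # ever offered.  eqi matches case-insensitively, so "YLMF-PC" is caught too.
  drop
     condition   = ${if eqi {$sender_helo_name}{ylmf-pc} {yes}{no}}
     log_message = HELO/EHLO ylmf-pc rejected (SMTP AUTH brute-force source)
     message     = Blocked at HELO

custom_end_smtp_helo
```

To check the rule without touching real mail, run, as root, exim -bh 203.0.113.5 (a simulated SMTP session from a documentation address; any address will do), type EHLO ylmf-pc, and the session should be refused with the "Blocked at HELO" text, while EHLO with any other name proceeds normally.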
     
  11. albatroz

    albatroz Well-Known Member

    Location:
    Virtual Orbis / Peru
    cPanel Access Level:
    Root Administrator
    I found this article: redy.host/knowledgebase/how-block-ylmf-pc-connections-cpanel-exim

    However, I am still having the same issue after applying its suggestions to my current cPanel server, as you can see in the attached picture.
     

    #11 albatroz, Oct 26, 2016
  12. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    cPanel Access Level:
    Root Administrator
    You may want to reach out to a qualified system administrator for help developing custom rules to block the attack if the issue persists and the existing suggestions are unhelpful. You can find a list of system admin services at:

    System Administration Services | cPanel Forums

    Thank you.
     