distributed smtpauth attacks on account

Discussion in 'E-mail Discussions' started by keat63, Mar 4, 2015.

  1. keat63

    I'm still learning, so this question may sound stupid.

    How can a potential hacker perform a distributed smtpauth attack on an account that doesn't exist?

    lfd[27690]: 190.xx.xx.xxx (VE/Venezuela/190-xx-xxx-xx.dyn.dsl.cantv.net), 3 distributed smtpauth attacks on account [doesnt.exists@mydomain.com] in the last 3600 secs - *Blocked in csf* [LF_DISTATTACK]
     
  2. keat63

    I'm happy that CSF has blocked his IP.
    I'm just surprised that, considering the email account doesn't even exist, this would even be logged.
    I guess in hindsight that CSF is intercepting this before exim, but it doesn't sort of make sense.

    It's like someone reporting a burglar, who's trying to break into a bank that isn't there.
     
  3. gavcom

    An attack is an attack; rather, look at it this way: the fact that CSF caught it before hitting your server is a good thing. It means that the attacker is getting nowhere and will try again, but now he's just guessing, which is what they do mostly, hence the term distributed attack, because once they find a valid account then the real hacking begins. But seeing that CSF blocked that IP, he'll have to use another one and another and another and another. So make sure to set your CSF timeout for blocks to max time and not permanent, else your firewall rules will be flooded.
     
  4. keat63

    I'm currently testing with 1500 permanent firewall blocks, which is currently giving about a month before they start to rotate.
     
  5. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Depending on your server, that might be a bit much. There is a warning there near that setting IIRC.
    There are also some new settings for distributed attacks you might not have heard about:
    New csf v7.63 | ConfigServer Services Blog
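
Added example, not part of the thread and not csf/lfd code: a simplified model of distributed-attack detection over failed SMTP AUTH log lines. It tallies failures by the login name the client supplied, so an account that does not exist is counted the same as one that does, which matches the lfd line in the first post. The threshold, window, regex, addresses and sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed values, taken from the lfd line quoted in the thread (3 hits, 3600 secs).
THRESHOLD = 3
WINDOW = timedelta(seconds=3600)

# Exim-style failed SMTP AUTH entry: timestamp, client IP, attempted login name.
FAILED_AUTH = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \S+ authenticator failed for .*?"
    r"\[(?P<ip>[0-9a-fA-F.:]+)\].*\(set_id=(?P<account>[^)]+)\)"
)

# Constructed sample log (documentation IP ranges, placeholder domain).
SAMPLE_LOG = """\
2015-03-04 10:00:01 dovecot_login authenticator failed for (User) [192.0.2.10]:51234: 535 Incorrect authentication data (set_id=doesnt.exists@mydomain.example)
2015-03-04 10:12:40 dovecot_login authenticator failed for (User) [198.51.100.7]:40112: 535 Incorrect authentication data (set_id=doesnt.exists@mydomain.example)
2015-03-04 10:47:15 dovecot_login authenticator failed for (User) [203.0.113.5]:33890: 535 Incorrect authentication data (set_id=doesnt.exists@mydomain.example)
2015-03-04 10:05:00 dovecot_login authenticator failed for (User) [192.0.2.99]:50001: 535 Incorrect authentication data (set_id=info@mydomain.example)
2015-03-04 10:05:09 dovecot_login authenticator failed for (User) [192.0.2.99]:50002: 535 Incorrect authentication data (set_id=info@mydomain.example)
2015-03-04 10:05:17 dovecot_login authenticator failed for (User) [192.0.2.99]:50003: 535 Incorrect authentication data (set_id=info@mydomain.example)
2015-03-04 10:00:00 dovecot_login authenticator failed for (User) [192.0.2.1]:41000: 535 Incorrect authentication data (set_id=sales@mydomain.example)
2015-03-04 11:30:00 dovecot_login authenticator failed for (User) [198.51.100.1]:41001: 535 Incorrect authentication data (set_id=sales@mydomain.example)
2015-03-04 13:00:00 dovecot_login authenticator failed for (User) [203.0.113.1]:41002: 535 Incorrect authentication data (set_id=sales@mydomain.example)
"""

def find_distributed_attacks(log_text, threshold=THRESHOLD, window=WINDOW):
    """Return {login name: sorted source IPs} where failures came from at
    least `threshold` distinct IPs within `window`. Whether the mailbox
    exists is never looked up; only the name in the failed attempt is used."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED_AUTH.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            events[m["account"].lower()].append((ts, m["ip"]))
    flagged = {}
    for account, hits in events.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            # Distinct source IPs seen within one window starting at this failure.
            ips = {ip for ts, ip in hits[i:] if ts - start <= window}
            if len(ips) >= threshold:
                flagged[account] = sorted(ips)
                break
    return flagged
```

In the sample, only the non-existent address is flagged: repeated failures from one IP (info@) are not distributed, and the sales@ failures fall outside a single window.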
     
