High IMAP distributed bruteforce attacks, need some help

Discussion in 'Security' started by Camarao, Sep 10, 2011.

  1. Camarao (Member, joined Dec 4, 2007)
    Hello,

    I've been searching for some help with the following issue but have found nothing yet, so let me explain what I am going through.

    For about one month I have been taking brute-force attacks on my cPanel-based IMAP servers against different hosting accounts, and each time it gets bigger. The IMAP servers are crashing.

    The attacks follow exactly these rules:

    - Completely distributed attacks, must be bot-infected computer networks: over 1000 IPs attacking the same account.

    - Each IP tries exactly two consecutive connections and takes a regular time to retry.

    - Most of the attacks come from my clients' country, so I cannot think of a country block.

    First I tried cPHulk and got to a first problem: only two connections is a small number to block.

    OK, I made it block, limited to two connections, and IPs were blocked, but true clients were blocked too.

    My shell developer created a script that reads exim_mainlog based on the email account suffering the attack and blocks IPs pretty fast with APF, but the number of IPs attacking is so high (over 1000) that APF gets lost and a deny_rules flush is needed.

    What I did today was to temporarily block port 143 (IMAP) completely in iptables, but clients won't like it because some clients use IMAP regularly.

    The attacks are on different domains and different servers; this must be a new wave of attacks that is making other admins as crazy as me.

    So far the brute force was successful once, and the email account generated a 200 thousand message queue of BAD SPAM pretty fast.

    Basic question: has anyone got an effective solution?

    Thank you very much for reading and all ideas are good :)
     
  2. Camarao (Member, joined Dec 4, 2007)
    Hello!

    It looks like we found a solution.

    My developer's script works 100%; this is a copy:
    --------------------------------------------------
    #!/bin/bash
    # Deny, via APF, every source IP that exim_mainlog shows hitting the attacked domain.
    DOMAIN="domain.com"   # the domain (or mailbox) under attack

    while :
    do
        # Take the bracketed client IP from the most recent lines mentioning the domain,
        # de-duplicate, and hand each one to apf -d (nothing runs if no IP was found).
        tail -n 500 /var/log/exim_mainlog \
            | grep -F "$DOMAIN" \
            | grep -oE '\[[0-9]{1,3}(\.[0-9]{1,3}){3}\]' \
            | tr -d '[]' \
            | sort -u \
            | xargs -r -n 1 apf -d

        sleep 5
    done
    --------------------------------------------------

    Where domain is the domain that is taking the attack.

    This script has a 'forever' loop with a 5 second interval because running it in cron would take too long between each run.

    Important: APF has a rule for limiting the number of deny_rules lines. The trick to solve it was to set that to a huge number, let's say 100000 :)

    SET_TRIM="100000"

    Now apf won´t reset :)
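The first post describes the attack shape (each bot makes exactly two attempts, over a thousand bots hit one mailbox, and a plain per-IP block also locks out real clients) and the second post's script blocks every IP seen against the domain. The following is an added example, not code from this thread or from cPanel/APF, showing the triage logic a practitioner might put in front of the deny command: it parses the exim "login authenticator failed" line format, counts failures per target account and per source IP, only treats an account as under distributed attack once a threshold of distinct source IPs is reached, and then denies sources with at least two failures against that account, skipping an allowlist so known clients survive. The log lines, the allowlist address and the thresholds are constructed for the example; the `apf -d HOST COMMENT` form is APF's documented deny syntax, but here the commands are rendered rather than executed.

```python
"""Per-account distributed brute-force triage over exim_mainlog lines (added example)."""
import re
from collections import defaultdict

# exim's SMTP AUTH failure line as written to exim_mainlog; the optional ":port"
# after the bracketed IP covers servers logging with log_selector +incoming_port.
AUTH_FAIL = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} login authenticator failed for "
    r"(?:\([^)]*\) )?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\](?::\d+)?: 535 .*"
    r"\(set_id=(?P<account>[^)]+)\)"
)

# Constructed sample (not from a real server): three bots making exactly two attempts
# each against victim@domain.com, one real user mistyping a password once, one trusted
# office IP failing twice, an unrelated single failure on another account, and a
# delivery line that must be ignored.
SAMPLE_LOG = """\
2011-09-10 03:00:01 login authenticator failed for (WIN-1) [203.0.113.10]: 535 Incorrect authentication data (set_id=victim@domain.com)
2011-09-10 03:00:02 login authenticator failed for (WIN-1) [203.0.113.10]: 535 Incorrect authentication data (set_id=victim@domain.com)
2011-09-10 03:00:03 login authenticator failed for (WIN-2) [203.0.113.11]:49152: 535 Incorrect authentication data (set_id=victim@domain.com)
2011-09-10 03:00:04 login authenticator failed for (WIN-2) [203.0.113.11]:49153: 535 Incorrect authentication data (set_id=victim@domain.com)
2011-09-10 03:00:05 login authenticator failed for [203.0.113.12]: 535 Incorrect authentication data (set_id=victim@domain.com)
2011-09-10 03:00:06 login authenticator failed for [203.0.113.12]: 535 Incorrect authentication data (set_id=victim@domain.com)
2011-09-10 03:00:07 login authenticator failed for (laptop) [198.51.100.7]: 535 Incorrect authentication data (set_id=victim@domain.com)
2011-09-10 03:00:08 login authenticator failed for (office) [192.0.2.50]: 535 Incorrect authentication data (set_id=victim@domain.com)
2011-09-10 03:00:09 login authenticator failed for (office) [192.0.2.50]: 535 Incorrect authentication data (set_id=victim@domain.com)
2011-09-10 03:00:10 login authenticator failed for (home) [198.51.100.9]: 535 Incorrect authentication data (set_id=other@domain.com)
2011-09-10 03:00:11 1R2abc-0001aB-Cd <= sender@example.net H=mail.example.net [198.51.100.20] P=esmtp S=1234
"""

ALLOWLIST = {"192.0.2.50"}  # assumed known-good client address, never to be denied


def parse_failures(lines):
    """Yield (ip, account) for every auth-failure line; all other lines are ignored."""
    for line in lines:
        m = AUTH_FAIL.match(line)
        if m:
            yield m.group("ip"), m.group("account")


def failures_by_account(lines):
    """Build account -> {source ip: number of failed attempts}."""
    table = defaultdict(lambda: defaultdict(int))
    for ip, account in parse_failures(lines):
        table[account][ip] += 1
    return table


def attacked_accounts(table, distinct_ip_threshold):
    """Accounts hit from at least distinct_ip_threshold different source IPs."""
    return {acct for acct, ips in table.items() if len(ips) >= distinct_ip_threshold}


def block_candidates(lines, distinct_ip_threshold=50, min_attempts=2, allowlist=frozenset()):
    """Sources with >= min_attempts failures against an attacked account, minus the allowlist.

    The distinct-IP threshold is what separates a distributed attack from one user
    mistyping a password; the allowlist is what keeps real clients reachable."""
    table = failures_by_account(lines)
    blocked = set()
    for acct in attacked_accounts(table, distinct_ip_threshold):
        for ip, attempts in table[acct].items():
            if attempts >= min_attempts and ip not in allowlist:
                blocked.add(ip)
    return sorted(blocked)


def apf_commands(ips, comment="imap-bruteforce"):
    """Render the APF deny commands (apf -d HOST COMMENT) instead of running them."""
    return [f"apf -d {ip} {comment}" for ip in ips]


if __name__ == "__main__":
    # Threshold lowered to 3 so the small sample triggers; use something far higher in production.
    ips = block_candidates(SAMPLE_LOG.splitlines(), distinct_ip_threshold=3, allowlist=ALLOWLIST)
    print("\n".join(apf_commands(ips)))
```

Feeding `tail -n 500 /var/log/exim_mainlog` into `block_candidates` in a loop like the one above, and piping the rendered commands to a shell, would reproduce the poster's setup while only denying sources that behave like the bots (two or more failures against a mailbox that many distinct IPs are hitting) and never denying an allowlisted client.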
     
  3. alphawolf50 (Well-Known Member, joined Apr 28, 2011; cPanel Access Level: Root Administrator)
    If you've installed CSF (ConfigServer Security & Firewall), you can also enable protection for this. Look for this section in the firewall configuration:
