How to prevent host from brute force?

aboyz

Well-Known Member
Sep 29, 2003
I checked my exim_mainlog and I'm constantly getting this:
Code:
2018-07-13 13:14:18.693 [16555] SMTP connection from [103.225.140.126]:51134 I=[192.254.130.159]:26 (TCP/IP connection count = 3)
2018-07-13 13:14:18.781 [19770] list matching forced to fail: failed to find host name for 103.225.140.126
2018-07-13 13:14:18.781 [19770] list matching forced to fail: failed to find host name for 103.225.140.126
2018-07-13 13:14:22.462 [19770] dovecot_plain authenticator failed for (10.12.22.73) [103.225.140.126]:51134 I=[192.254.130.159]:26: 535 Incorrect authentication data ([email protected])
2018-07-13 13:14:22.701 [19770] SMTP connection from (10.12.22.73) [103.225.140.126]:51134 I=[192.254.130.159]:26 lost D=4.006s
2018-07-13 13:14:22.701 [19770] no MAIL in SMTP connection from (10.12.22.73) [103.225.140.126]:51134 I=[192.254.130.159]:26 D=4.007s C=EHLO,STARTTLS,EHLO,AUTH
Is there a way to auto-detect the IP and auto-block it?

I tried to mess around with cPHulk Brute Force Protection.

But I don't think it's doing much, or I'm configuring it wrong. I even added that IP to the blacklist, but I still see it in the mail log.

Anyone know the correct way to set this up?
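Added example, not code from this thread or from cPanel: a small Python detector that reads exim_mainlog lines like the ones quoted above, pulls the remote IP out of each "authenticator failed" entry, and flags IPs that cross a failure threshold inside a sliding time window. The sample lines, the threshold of 3 and the 5-minute window are constructed/assumed values; what to do with the flagged IPs (feeding cPHulk's blacklist, a firewall rule) is left to the operator.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Exim "authenticator failed" line: timestamp, pid, authenticator name, optional
# "(helo-name)", then the remote IP in square brackets followed by ":port".
AUTH_FAIL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+ \[\d+\] "
    r"(?P<auth>\S+) authenticator failed for (?:\([^)]*\) )?\[(?P<ip>[^\]]+)\]:\d+ "
)

# Constructed sample log lines in the same format as the thread's exim_mainlog excerpt.
SAMPLE_LOG = """\
2018-07-13 13:14:22.462 [19770] dovecot_plain authenticator failed for (10.12.22.73) [103.225.140.126]:51134 I=[192.254.130.159]:26: 535 Incorrect authentication data (user@example.com)
2018-07-13 13:15:01.010 [19801] dovecot_plain authenticator failed for (10.12.22.73) [103.225.140.126]:51140 I=[192.254.130.159]:26: 535 Incorrect authentication data (user@example.com)
2018-07-13 13:16:40.333 [19822] dovecot_login authenticator failed for (10.12.22.73) [103.225.140.126]:51150 I=[192.254.130.159]:26: 535 Incorrect authentication data (user@example.com)
2018-07-13 13:20:05.500 [19850] dovecot_plain authenticator failed for [198.51.100.7]:4010 I=[192.254.130.159]:26: 535 Incorrect authentication data (user@example.com)
2018-07-13 13:20:06.100 [19851] SMTP connection from [198.51.100.7]:4010 I=[192.254.130.159]:26 lost D=1.006s
""".splitlines()


def parse_auth_failures(lines):
    """Yield (timestamp, remote_ip, authenticator) for every failed-auth line; skip the rest."""
    for line in lines:
        m = AUTH_FAIL_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            yield ts, m.group("ip"), m.group("auth")


def offending_ips(lines, threshold=3, window=timedelta(minutes=5)):
    """Return {ip: peak_failures} for IPs with >= threshold failures inside any `window`."""
    events = defaultdict(list)
    for ts, ip, _ in parse_auth_failures(lines):
        events[ip].append(ts)
    flagged = {}
    for ip, stamps in events.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:   # slide the window's left edge forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    for ip, count in offending_ips(SAMPLE_LOG).items():
        print(f"{ip}: {count} failed SMTP AUTH attempts within 5 minutes")
```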

cPanelLauren

Product Owner II
Staff member
Nov 14, 2017
Houston
Hi @aboyz

This doesn't look like a brute force, though; it looks like an SMTP connection from an IP address with a missing or invalid PTR record.
Nonetheless, with the IP listed added to the blacklist it should be blocked. Do you see anything in the cPHulk logs for the IP? They're located at:

Code:
/usr/local/cpanel/logs/cphulkd.log
/usr/local/cpanel/logs/cphulkd_errors.log
 

aboyz

Well-Known Member
Sep 29, 2003
I do see the log in cphulkd.log:
Code:
[2018-07-15 08:02:10 +0000] info [cPhulkd] Login Blocked: The IP address is blacklisted. [Service]=[dovecot] [Local IP Address]=[192.254.130.158] [Remote IP Address]=[181.214.206.148] [Authentication Database]=[mail] [Username]=[[email protected]]

So it's blocking it, right? But why do I still see that IP trying to connect in the exim_mainlog? Shouldn't there be no more log entries?
 

cPanelLauren

Product Owner II
Staff member
Nov 14, 2017
Houston
Hi @aboyz

The transaction is letting you know the IP address attempted to connect but failed. Though the output doesn't do a great job of letting you know why it failed, it looks to be unable to connect due to the cPhulk blacklisting. cPhulk can stop the ability to make a connection, but it can't stop the attempt at the software level.

Thanks!