The Community Forums


Large amount of brute force attacks on Exim

Discussion in 'General Discussion' started by paulm, Jul 24, 2006.

  1. paulm

    paulm Well-Known Member

    Joined:
    Oct 13, 2003
    Messages:
    60
    Likes Received:
    0
    Trophy Points:
    6
    I rebooted a server the other day and noticed it took a long, long time to come back up. Come to find out, APF had thousands of IPs blocked which have been attempting to log in to username@domain.com accounts. The odd thing is all of the attempts are to actual domains on the server, so they are all valid domains which do reside on the server which are being attacked.

    Does anyone know what would cause this or possibly what I may have left open to cause this? I have another server and most attempts are on SSH and are very very limited, nothing like these Exim attacks.

    Thanks in advance.
     
  2. nickp666

    nickp666 Well-Known Member

    Joined:
    Jan 28, 2005
    Messages:
    770
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    /dev/null
    Nothing you would have left open would cause this; it just looks like you have had some bad luck.
     
  3. NightStorm

    NightStorm Well-Known Member

    Joined:
    Jul 28, 2003
    Messages:
    286
    Likes Received:
    4
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    I know this is not exactly an answer to your question, but I would check out Chirpy's Firewall and login detection plugins for WHM/cPanel. It will do everything that APF and BFD will do, but will also make sure that your deny list doesn't get overloaded (you set how many entries you want in the list, and it will purge the oldest entry once that limit is reached).
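    As an added illustration of the capped deny list NightStorm describes, applied to Exim AUTH failures (example code, not from the thread or from Chirpy's plugin): the line format is modeled on Exim's mainlog "authenticator failed" entries, the sample lines and addresses are constructed, and `failed_auths`, `BoundedDenyList` and `block_brute_forcers` are hypothetical names.

```python
import re
from collections import OrderedDict

# Pattern modeled on Exim's mainlog failed-AUTH line: client address in brackets, tried login in set_id=.
AUTH_FAIL = re.compile(r"authenticator failed for .*?\[(?P<ip>[^\]]+)\].*?set_id=(?P<user>[^)\s]+)")

# Constructed sample lines (not from the poster's server); the third is a normal delivery.
SAMPLE_LOG = """\
2006-07-24 10:00:01 login authenticator failed for (unknown) [198.51.100.7]: 535 Incorrect authentication data (set_id=admin@example-a.com)
2006-07-24 10:00:02 login authenticator failed for (unknown) [198.51.100.7]: 535 Incorrect authentication data (set_id=sales@example-b.com)
2006-07-24 10:00:03 1G4wAa-0001Ab-Cd <= bob@example-a.com H=mail.example.net [192.0.2.5] P=esmtp S=1234
2006-07-24 10:00:04 login authenticator failed for (unknown) [198.51.100.7]: 535 Incorrect authentication data (set_id=info@example-c.com)
2006-07-24 10:00:05 plain authenticator failed for (unknown) [203.0.113.9]: 535 Incorrect authentication data (set_id=admin@example-a.com)
2006-07-24 10:00:06 plain authenticator failed for (unknown) [203.0.113.9]: 535 Incorrect authentication data (set_id=admin@example-b.com)
2006-07-24 10:00:07 login authenticator failed for (unknown) [203.0.113.44]: 535 Incorrect authentication data (set_id=webmaster@example-d.com)
"""

def failed_auths(log_text):
    """Per client IP, the list of mailboxes tried in failed AUTHs (length = attempt count)."""
    tried = {}
    for line in log_text.splitlines():
        m = AUTH_FAIL.search(line)
        if m:  # deliveries and other mainlog lines do not match
            tried.setdefault(m["ip"], []).append(m["user"])
    return tried

class BoundedDenyList:
    """Deny list capped at max_entries: once full, the oldest entry is purged on each insert."""
    def __init__(self, max_entries):
        self.max_entries = max_entries
        self.entries = OrderedDict()  # insertion order doubles as age

    def add(self, ip, reason):
        """Insert ip; returns the IP purged to make room, or None."""
        if ip in self.entries:
            return None
        evicted = None
        if len(self.entries) >= self.max_entries:
            evicted, _ = self.entries.popitem(last=False)  # drop the oldest entry
        self.entries[ip] = reason
        return evicted

def block_brute_forcers(log_text, threshold, deny):
    tried = failed_auths(log_text)
    blocked = []  # IPs with at least `threshold` failed AUTHs, busiest first
    for ip, users in sorted(tried.items(), key=lambda kv: -len(kv[1])):
        if len(users) >= threshold:
            deny.add(ip, f"{len(users)} failed AUTHs, {len(set(users))} mailboxes")
            blocked.append(ip)
    return blocked
```

The per-IP mailbox list also shows the pattern paulm reports: one client walking many distinct domains rather than hammering a single account.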
     
  4. netlook

    netlook Well-Known Member
    PartnerNOC

    Joined:
    Mar 25, 2004
    Messages:
    335
    Likes Received:
    0
    Trophy Points:
    16
    The best of all is to remove domain.com from your named or set up an external MX record for this domain, to migrate load.
     
  5. paulm

    paulm Well-Known Member

    Joined:
    Oct 13, 2003
    Messages:
    60
    Likes Received:
    0
    Trophy Points:
    6

    The thing is it is trying hundreds of domains on the server, not any one specific domain. This is how I figured they may be getting a list of the domains on the site somehow.

    I will also check out Chirpy's firewall; it sounds like that may help with the load issue.
     