Large amount of brute force attacks on Exim

paulm (Well-Known Member, joined Oct 13, 2003)
I rebooted a server the other day and noticed it took a long, long time to come back up. Come to find out, APF had thousands of IPs blocked which have been attempting to log in to [email protected] accounts. The odd thing is all of the attempts are to actual domains on the server, so they are all valid domains which reside on the server which are being attacked.

Does anyone know what would cause this or possibly what I may have left open to cause this? I have another server and most attempts are on SSH and are very very limited, nothing like these Exim attacks.

Thanks in advance.
 

NightStorm (Well-Known Member, joined Jul 28, 2003)
I know this is not exactly an answer to your question, but I would check out Chirpy's Firewall and login detection plugins for WHM/cPanel. It will do everything that APF and BFD will do, but will also make sure that your deny list doesn't get overloaded (you set how many entries you want in the list, and it will purge the oldest entry once that limit is reached).
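To make the two ideas in this thread concrete (spotting which IPs are hammering SMTP AUTH, and keeping the deny list from growing without bound the way NightStorm describes), here is an added example that is not from the thread, from APF/BFD, or from Chirpy's plugin. It parses a few constructed Exim mainlog lines in Exim's standard "authenticator failed" format, counts failures per source IP, lists the targeted domains (to check the pattern paulm noticed, where every target is a real domain on the box), and fills a FIFO deny list that evicts the oldest entry once a configurable cap is reached. The threshold, cap, and the `apf -d` rendering are assumptions for illustration; the commands are returned as strings, not executed.

```python
import re
from collections import Counter, OrderedDict

# Constructed sample Exim mainlog excerpt (not taken from any real server).
# Failed SMTP AUTH attempts in Exim look like the "authenticator failed" lines;
# the "<=" line is a normal inbound delivery and must be ignored.
SAMPLE_LOG = """\
2024-01-01 10:00:01 login authenticator failed for (srv1) [203.0.113.5]: 535 Incorrect authentication data (set_id=sales@example.com)
2024-01-01 10:00:02 login authenticator failed for (srv1) [203.0.113.5]: 535 Incorrect authentication data (set_id=info@example.org)
2024-01-01 10:00:03 plain authenticator failed for (srv2) [198.51.100.7]: 535 Incorrect authentication data (set_id=admin@example.com)
2024-01-01 10:00:04 1rABCD-000001-AB <= bob@example.net H=mail.example.net [192.0.2.100] P=esmtp S=1024
2024-01-01 10:00:05 login authenticator failed for (srv1) [203.0.113.5]: 535 Incorrect authentication data (set_id=webmaster@example.com)
2024-01-01 10:00:06 plain authenticator failed for (srv2) [198.51.100.7]: 535 Incorrect authentication data (set_id=postmaster@example.org)
2024-01-01 10:00:07 login authenticator failed for (srv3) [192.0.2.9]: 535 Incorrect authentication data (set_id=sales@example.org)
"""

# Matches Exim's failed-AUTH log line: "<authenticator> authenticator failed for
# (<helo>) [<ip>]: 535 ... (set_id=<login name tried>)".
AUTH_FAIL_RE = re.compile(
    r"\S+ authenticator failed for \([^)]*\) \[(?P<ip>[^\]]+)\]: 535 .*\(set_id=(?P<user>[^)]*)\)"
)


def parse_auth_failures(log_text):
    """Return (failures per source IP, set of login names attempted)."""
    counts = Counter()          # insertion order == order of first appearance
    targets = set()
    for line in log_text.splitlines():
        m = AUTH_FAIL_RE.search(line)
        if not m:
            continue            # not an AUTH failure (e.g. a normal delivery line)
        counts[m.group("ip")] += 1
        targets.add(m.group("user"))
    return counts, targets


def targeted_domains(targets):
    """Distinct domains that appeared in the attempted login names, sorted."""
    return sorted({u.rpartition("@")[2] for u in targets if "@" in u})


class BoundedDenyList:
    """Deny list capped at max_entries; adding beyond the cap evicts the oldest
    entry (FIFO), so the list can never grow to the thousands of rules that
    slow a reboot."""

    def __init__(self, max_entries):
        self.max_entries = max_entries
        self._entries = OrderedDict()

    def add(self, ip):
        """Add ip; return the evicted IP if the cap forced one out, else None."""
        if ip in self._entries:
            self._entries.move_to_end(ip)   # refresh, do not duplicate
            return None
        self._entries[ip] = True
        if len(self._entries) > self.max_entries:
            evicted, _ = self._entries.popitem(last=False)
            return evicted
        return None

    def __contains__(self, ip):
        return ip in self._entries

    def __len__(self):
        return len(self._entries)

    def entries(self):
        return list(self._entries)


def build_deny_list(log_text, threshold=5, max_entries=1000):
    """Block every IP with at least `threshold` failures, in order of first
    appearance, through a bounded list. Returns (deny_list, evicted_ips).
    The threshold and cap are assumed values for illustration."""
    counts, _ = parse_auth_failures(log_text)
    deny = BoundedDenyList(max_entries)
    evicted = []
    for ip, n in counts.items():
        if n >= threshold:
            dropped = deny.add(ip)
            if dropped is not None:
                evicted.append(dropped)
    return deny, evicted


def render_apf_commands(deny):
    """Render the deny list as APF deny commands (strings only, nothing is run)."""
    return [f"apf -d {ip}" for ip in deny.entries()]


if __name__ == "__main__":
    counts, targets = parse_auth_failures(SAMPLE_LOG)
    print("failures per IP:", dict(counts))
    print("targeted domains:", targeted_domains(targets))
    deny, evicted = build_deny_list(SAMPLE_LOG, threshold=2, max_entries=1)
    print("deny list:", deny.entries(), "evicted:", evicted)
    print("\n".join(render_apf_commands(deny)))
```

Run it as a script to see the counts, the targeted domains and the capped deny list; on a real box you would feed `/var/log/exim_mainlog` in place of `SAMPLE_LOG` and raise the cap to whatever your firewall handles comfortably.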
 

netlook (Well-Known Member, joined Mar 25, 2004)
The best of all is to remove domain.com from your named or set up an external MX record for this domain, to migrate load.
 

paulm (Well-Known Member, joined Oct 13, 2003)
netlook said:
The best of all is to remove domain.com from your named or set up an external MX record for this domain, to migrate load.

The thing is it is trying hundreds of domains on the server, not any one specific domain. This is how I figured they may be getting a list of the domains on the site somehow.

I will also check out Chirpy's firewall; it sounds like that may help with the load issue.