Large amount of crute force attack on Exim

paulm

Well-Known Member
Oct 13, 2003
60
0
156
I rebooted a server the other day and noticed it too a long long time to come back up. Come to find out APF had thousands of IP's blocked which have been attempting to login to [email protected] accounts. The odd thing is all of the attempts are to actual domains on the server so they are all valid domains which do reside on the server which are being attacked.

Does anyone know what would cause this or possibly what I may have left open to cause this? I have another server and most attempts are on SSH and are very very limited, nothing like these Exim attacks.

Thanks in advance.
 

NightStorm

Well-Known Member
Jul 28, 2003
286
4
168
cPanel Access Level
Root Administrator
Twitter
I know this is not exactly an answer to your question, but I would check out Chirpy's Firewall and login detection plugins for WHM/cPanel. It will do everything that APF and BFD will do, but will also make sure that your deny list doesn't get overloaded (you set how many entries you want in the list, and it will purge the oldest entry once that limit is reached).
 

netlook

Well-Known Member
Mar 25, 2004
335
0
166
The best of all is to remove domain.com from your named or setup external MX record for this domain, to migrate load.
 

paulm

Well-Known Member
Oct 13, 2003
60
0
156
netlook said:
The best of all is to remove domain.com from your named or setup external MX record for this domain, to migrate load.

The thing is it is trying 100's of domains on the server, not and one specific domain. This is how I figured they may be getting a list of the domains on the site somehow.

I will also check out Chirpys firewall, it sounds like that may help with the load issue.