Gauravk (Well-Known Member, joined Jan 23, 2012; cPanel Access Level: Root Administrator)
Hi Guys,

Since yesterday, every now and then I am receiving Login Failure emails. So far 184 attacks recorded in less than 12 hours. It's fully randomized, as every time I see a new country IP, and no pattern in timing has been identified yet.

To be on the safe side, I have reduced the 5 wrong login attempts to 1 (I know I have to be very careful logging in now). Is there anything else I can do to improve the security of my server?

I have standard CSF installed as well and it's blocking such IPs successfully. 95% of attacks are on smtpauth; is there any way I can change the webmail link to something else? Please advise how. Thanks.
 

Gauravk (Well-Known Member, joined Jan 23, 2012; cPanel Access Level: Root Administrator)
Thanks infopro, I removed these two ports, 2095 and 2096, from CSF to stop the LFD attack through webmail. Looks like it worked.

http://forums.cpanel.net/f5/completely-remove-webmail-access-361351.html

- - - Updated - - -

I was wrong and it didn't work, and then I had to remove ports 25 and 587 as well to stop this attack. I am just worried about the server safety and continuity and not only of emails. Hope this is it....!
 

Gauravk (Well-Known Member, joined Jan 23, 2012; cPanel Access Level: Root Administrator)
Now new stuff started happening:
5 failed login attempts to account XXXXXXXXXXXX (system) -- Large number of attempts from this IP: 36.250.229.35 Origin Country: China (CN)

How can I block all countries except my country from accessing all system ports of WHM, cPanel, FTP, SSH etc.?
 

Infopro (Well-Known Member, joined May 20, 2003, Pennsylvania; cPanel Access Level: Root Administrator)
Welcome to the wonderful world of Web Hosting! We're glad you're here. :)

Your firewall is blocking that one as well, as you might expect/want.

Next, it'll be distributed ftpd, pop3d, imapd attacks from somewhere else, on some other continent from some other IP. Blocking the ones being blocked should be less of a concern than the ones that aren't.

You might want to take a closer look at how your firewall works. There are options for blocking countries under this heading:
Country Code Lists and Settings

Do mind the warnings though.
 

Gauravk (Well-Known Member, joined Jan 23, 2012; cPanel Access Level: Root Administrator)
Thanks infopro, for all the heads up. I highly agree on blocking what's upcoming rather than what is already blocked by cphulk.

With respect to the same, I figured out the countries option in CSF, entered my country in CC_ALLOW_FILTER = and it worked like a charm: all ports were accessible from my place and from outside everything was locked down. Great. Though even port 80 got blocked lololol.

Any luck in telling CSF to override port 80 and allow all from outside?
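The setting the thread is after (country-restrict only the admin ports, leave port 80 open to everyone), as an added example that is not from the thread or from ConfigServer: it switches from CC_ALLOW_FILTER, which applies to every port, to csf.conf's CC_ALLOW_PORTS / CC_ALLOW_PORTS_TCP options, which apply only to the ports you list. It assumes a copy of /etc/csf/csf.conf, the placeholder country code XX and an adjustable admin-port list; confirm the CC_ALLOW_PORTS comment block in your own csf.conf (in particular the note about TCP_IN) before applying it for real.

```shell
#!/bin/sh
# Added example, not code from the thread or from ConfigServer: it edits a COPY of
# csf.conf so country allow-listing covers only the admin ports named in the thread
# (FTP, SSH, cPanel, WHM, webmail) while 80/443 and mail stay open worldwide.
# Assumes a copy of /etc/csf/csf.conf, "XX" as a placeholder country code, an
# adjustable port list, and that "csf -r" is run afterwards by hand.

set_csf_option() {   # set_csf_option FILE KEY VALUE : rewrite or append KEY = "VALUE"
    f=$1; key=$2; val=$3
    if grep -q "^${key} = " "$f"; then
        sed "s|^${key} = .*|${key} = \"${val}\"|" "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    else
        printf '%s = "%s"\n' "$key" "$val" >> "$f"
    fi
}

get_csf_option() {   # get_csf_option FILE KEY : print the value between the quotes
    sed -n "s|^$2 = \"\(.*\)\"|\1|p" "$1"
}

remove_ports() {     # remove_ports LIST DROP : comma list minus the ports in DROP
    out=""
    for p in $(printf '%s' "$1" | tr ',' ' '); do
        case ",$2," in *",$p,"*) ;; *) out="${out:+$out,}$p" ;; esac
    done
    printf '%s' "$out"
}

apply_country_port_policy() {   # apply_country_port_policy FILE COUNTRY_CODE
    f=$1; cc=$2; admin="21,22,2082,2083,2086,2087,2095,2096"
    set_csf_option "$f" CC_LOOKUPS 1          # country lookups must be enabled
    set_csf_option "$f" CC_ALLOW_FILTER ""    # clear the all-ports lockdown
    set_csf_option "$f" CC_ALLOW_PORTS "$cc"  # only these countries reach the ports below
    set_csf_option "$f" CC_ALLOW_PORTS_TCP "$admin"
    set_csf_option "$f" CC_ALLOW_PORTS_UDP ""
    # per csf.conf's CC_ALLOW_PORTS note, ports it governs must leave TCP_IN or stay open to all
    set_csf_option "$f" TCP_IN "$(remove_ports "$(get_csf_option "$f" TCP_IN)" "$admin")"
}

# Demo on a constructed fragment mirroring the poster's all-ports CC_ALLOW_FILTER setting.
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,2082,2083,2086,2087,2095,2096"
CC_LOOKUPS = "0"
CC_ALLOW_FILTER = "XX"
CC_ALLOW_PORTS = ""
CC_ALLOW_PORTS_TCP = ""
EOF
apply_country_port_policy "$demo_conf" XX
cat "$demo_conf"
```

After running it against the real file, `csf -r` reloads the rules; ports 25 and 587 are deliberately left open, since inbound mail from other countries still has to be accepted.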
 

Infopro (Well-Known Member, joined May 20, 2003, Pennsylvania; cPanel Access Level: Root Administrator)
This is where the road turns for you and I, friend. ConfigServer Firewall is not a cPanel product. You might want to read up on the docs a bit more, check out the CSF forums etc. You already know what you're looking for: details on CC_ALLOW_FILTER.

I'm not avoiding the question, but you need to know where to go for details on how the firewall works. These details are important.
ConfigServer Community Forum

Good luck with this. You're not alone. :)
 

SageBrian (Well-Known Member, joined Jun 1, 2002, NY/CT (US); cPanel Access Level: Root Administrator)
It's not the warnings you should be concerned with. It's the possible access that is not caught by the firewall. :) Sleep well.

The first time you see how many attempts are made on a server, it can shake you. And you realize that the only true way your server can be completely secure and protected is if it was disconnected from the network.

So, get to know CSF more, follow Best Practices, and watch for any patterns that might indicate an issue. (That can only come with time and experience.) And crack down on the customers that are ignorant about keeping their scripts updated. The amount of designers creating WordPress sites and just leaving them untouched and not updated... simply astounding.

Utilize ConfigServer's CXS to check for those slackers.