The Community Forums

Interact with an entire community of cPanel & WHM users!

LFD attack SMTPAuth

Discussion in 'Security' started by Gauravk, Feb 23, 2014.

  1. Gauravk

    Gauravk Well-Known Member

    Joined:
    Jan 23, 2012
    Messages:
    63
    Likes Received:
    0
    Trophy Points:
    6
    cPanel Access Level:
    Root Administrator
    Hi Guys,

    Since yesterday, every now and then I am receiving Login Failure emails. So far 184 attacks have been recorded in less than 12 hours. It's fully randomized, as every time I see a new country IP, and no pattern in timing has been identified yet.

    To be on the safe side, I have reduced the 5 wrong login attempts to 1 (I know I have to be very careful logging in now). Is there anything else I can do to improve the security of my server?

    I have standard CSF installed as well and it's blocking such IPs successfully. 95% of attacks are on smtpauth; is there any way I can change the webmail link to something else? Please advise how. Thanks.
     
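As an added example (not from this thread, and not a cPanel or ConfigServer tool), here is a short script that tabulates lfd block notices by trigger, source country and source IP, so that figures like "95% on smtpauth" or "the same IP hitting several services" can be read from /var/log/lfd.log instead of counted by hand from alert emails. The log lines embedded below are constructed to resemble typical lfd.log entries; the hostname, PIDs and addresses are made up, and the regular expression is an assumption about that format, which varies a little between csf versions.

```python
"""Summarize lfd block notices by trigger, country and source IP.

Added example: not from the forum thread and not a ConfigServer tool.
The sample log is constructed (documentation-range IPs, made-up host/PID);
the line format is assumed from typical lfd.log output.
"""
import re
from collections import Counter, defaultdict

# Constructed sample in the style of /var/log/lfd.log (not real server data).
SAMPLE_LOG = """\
Feb 23 01:12:07 srv1 lfd[4021]: (smtpauth) Failed SMTP AUTH login from 203.0.113.10 (BR/Brazil/-): 5 in the last 3600 secs - *Blocked in csf* [LF_SMTPAUTH]
Feb 23 01:40:55 srv1 lfd[4021]: (smtpauth) Failed SMTP AUTH login from 198.51.100.77 (UA/Ukraine/-): 5 in the last 3600 secs - *Blocked in csf* [LF_SMTPAUTH]
Feb 23 02:03:19 srv1 lfd[4021]: (sshd) Failed SSH login from 192.0.2.44 (CN/China/-): 5 in the last 3600 secs - *Blocked in csf* [LF_SSHD]
Feb 23 02:15:41 srv1 lfd[4021]: (smtpauth) Failed SMTP AUTH login from 203.0.113.10 (BR/Brazil/-): 5 in the last 3600 secs - *Blocked in csf* [LF_SMTPAUTH]
Feb 23 02:50:02 srv1 lfd[4021]: (cpanel) Failed cPanel login from 192.0.2.44 (CN/China/-): 5 in the last 3600 secs - *Blocked in csf* [LF_CPANEL]
Feb 23 03:11:30 srv1 lfd[4021]: *Daemon restart* - Restarting lfd
"""

# Assumed lfd notice shape: "(trigger) Failed <service> login from <ip> (CC/Country/-): ... [LF_RULE]"
LFD_RE = re.compile(
    r"lfd\[\d+\]: \((?P<trigger>\w+)\) Failed .+? login from "
    r"(?P<ip>[0-9a-fA-F:.]+) \((?P<cc>[^/)]*)/(?P<country>[^/)]*)/"
    r".*?\[(?P<rule>LF_\w+)\]"
)


def parse_lfd_line(line):
    """Return a dict (trigger, ip, cc, country, rule) for a block notice, else None."""
    m = LFD_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["cc"] = rec["cc"] or "-"   # lfd prints "-" when GeoIP has no answer
    return rec


def summarize(log_text, min_services=2):
    """Aggregate block notices; flag IPs that tripped more than one service."""
    records = [r for r in map(parse_lfd_line, log_text.splitlines()) if r]
    by_trigger = Counter(r["trigger"] for r in records)
    by_country = Counter(r["cc"] for r in records)
    by_ip = Counter(r["ip"] for r in records)

    services = defaultdict(set)          # ip -> set of triggers seen
    for r in records:
        services[r["ip"]].add(r["trigger"])
    multi = sorted(ip for ip, s in services.items() if len(s) >= min_services)

    total = len(records)
    return {
        "total": total,
        "by_trigger": by_trigger,
        "by_country": by_country,
        "by_ip": by_ip,
        "multi_service_ips": multi,
        "smtpauth_share": (by_trigger["smtpauth"] / total) if total else 0.0,
    }


if __name__ == "__main__":
    # Read the real log with: summarize(open("/var/log/lfd.log").read())
    s = summarize(SAMPLE_LOG)
    print(f"{s['total']} blocks; smtpauth share {s['smtpauth_share']:.0%}")
    print("by trigger:", dict(s["by_trigger"]))
    print("by country:", dict(s["by_country"]))
    print("top IPs:", s["by_ip"].most_common(3))
    print("IPs hitting several services:", s["multi_service_ips"])
```

The "multi_service_ips" list is the part worth watching: a source that fails SMTP AUTH, then SSH, then cPanel from the same address is a scanner working through every port it can reach, which is the pattern Infopro predicts later in the thread.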
  2. Gauravk

    Gauravk Well-Known Member

    Guys, please help, the attack is still ongoing.

    How can I disable webmail completely, as none of my domains use webmail at all?
     
  3. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,474
    Likes Received:
    202
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Disabling Webmail won't help. Your firewall is doing its job. Make sure all email accounts, like admin@anydomain.com, are using very strong passwords. And be sure to whitelist your own account to bypass all checks so you don't get locked out.
     
  4. Gauravk

    Gauravk Well-Known Member

    Thanks Infopro, I removed these two ports, 2095 and 2096, from CSF to stop the LFD attack through webmail. Looks like it worked.

    http://forums.cpanel.net/f5/completely-remove-webmail-access-361351.html

    - - - Updated - - -

    I was wrong and it didn't work, and then I had to remove ports 25 and 587 as well to stop this attack. I am just worried about the server's safety and continuity, and not only about emails. Hope this is it...!
     
  5. Gauravk

    Gauravk Well-Known Member

    Now new stuff started happening:
    5 failed login attempts to account XXXXXXXXXXXX (system) -- Large number of attempts from this IP: 36.250.229.35 Origin Country: China (CN)

    How can I block all countries except my country from accessing all the system ports for WHM, cPanel, FTP, SSH, etc.?
     
  6. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Welcome to the wonderful world of Web Hosting! We're glad you're here. :)

    Your firewall is blocking that one as well, as you might expect/want.

    Next, it'll be distributed ftpd, pop3d, imapd attacks from somewhere else, on some other continent from some other IP. Blocking the ones being blocked should be less of a concern than the ones that aren't.

    You might want to take a closer look at how your firewall works. There are options for blocking countries under this heading:
    Country Code Lists and Settings

    Do mind the warnings though.
     
  7. Gauravk

    Gauravk Well-Known Member

    Thanks Infopro, for all the heads up. I highly agree in blocking what's upcoming rather than what is already blocked by cPHulk.

    With respect to the same, I figured out the countries option in CSF, entered my country in CC_ALLOW_FILTER = and it worked like a charm: all ports were accessible from my place, and from outside everything was locked down. Great. Though even port 80 got blocked, lol.

    Any luck in telling CSF to override port 80 and allow all from outside?
     
  8. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    This is where the road turns for you and I, friend. ConfigServer Firewall is not a cPanel product. You might want to read up on the docs a bit more, check out the CSF forums etc. You already know what you're looking for: details on CC_ALLOW_FILTER.

    I'm not avoiding the question, but you need to know where to go for details on how the firewall works. These details are important.
    ConfigServer Community Forum

    Good luck with this. You're not alone. :)
     
  9. SageBrian

    SageBrian Well-Known Member

    Joined:
    Jun 1, 2002
    Messages:
    415
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    NY/CT (US)
    cPanel Access Level:
    Root Administrator
    It's not the warnings you should be concerned with. It's the possible access that is not caught by the firewall. :) Sleep well.

    The first time you see how many attempts are made on a server, it can shake you. And you realize that the only true way your server can be completely secure and protected is if it was disconnected from the network.

    So, get to know CSF more, follow Best Practices, and watch for any patterns that might indicate an issue. (that can only come with time and experience). And crack down on the customers that are ignorant about keeping their scripts updated. The amount of designers creating WordPress sites and just leaving them untouched and not updated... simply astounding.

    Utilize ConfigServer's CXS to check for those slackers.
     