mail auth failure from 192.168.2.33 (spoofed IP)

dayron

Registered
Feb 7, 2014
cPanel Access Level
Reseller Owner
Hello,
I am running cpanel 11.40.1 using Exim.

My server is getting hammered with failed logins like the ones below. They are coming from all over the world from different IP addresses. My firewall eventually blocks them. But the common factor is the second IP address listed in the log files which is 192.168.2.33. From what I've read the bot(s) launching these attacks spoofs the IP address 192.168.2.33. Adding that IP address to my firewall does not stop the issue.
What can I do to reject any incoming request from a source that uses 192.168.2.33 in its attempt to connect from ever being able to connect at all?

I've read some resources on the web but some of the info doesn't seem complete when discussing editing the EXIM config file etc. Can someone give specific instructions on what I need to do in the cpanel implementation of Exim to stop this? BTW 192.168.2.33 is not my server's internal IP address. So adding rules to prevent mail delivery from my internal IP address or range does not work. Any help would be much appreciated.

2014-02-07 23:38:56 courier_login authenticator failed for ([192.168.2.33]) [190.5.230.178]:13228: 535 Incorrect authentication data (set_id=reception)
2014-02-07 23:38:56 courier_login authenticator failed for ([192.168.2.33]) [190.5.230.178]:13228: 535 Incorrect authentication data (set_id=reception)
2014-02-07 23:38:56 courier_login authenticator failed for ([192.168.2.33]) [190.5.230.178]:13228: 535 Incorrect authentication data (set_id=reception)
2014-02-07 23:38:57 courier_login authenticator failed for ([192.168.2.33]) [190.5.230.178]:13228: 535 Incorrect authentication data (set_id=reception)
2014-02-07 23:38:57 courier_login authenticator failed for ([192.168.2.33]) [190.5.230.178]:13228: 535 Incorrect authentication data (set_id=reception)

vanessa

Well-Known Member
PartnerNOC
Sep 26, 2006
Virginia Beach, VA
cPanel Access Level
DataCenter Provider
These types of attacks are pretty tricky, because to stop the connections your only real option is to block the public IPs connecting. Of course you know this already, and you indicated your firewall is doing this. So I guess what I'm wondering is what exactly you are trying to stop. You can't stop the attackers from trying to attack you. Are you trying to block the connections to the server altogether, or get Exim to stop allowing authentication attempts from IPs trying to brute-force you?

Assuming the latter is your intent, fail2ban tends to handle these well from my experience, but I've never used it alongside CSF/LFD - I'd imagine there would be conflict there. For your situation, the following regex should suffice:

Code:
# the peer's public IP is the bracketed address directly before ":port:" (or ":") and "535";
# the "([192.168.2.33])" LAN address is followed by ")" and is never captured
failregex = \[<HOST>\](?::\d+)?: 535 Incorrect authentication data

If you're not sure how to install, there are a lot of guides out there, and there isn't much to consider as far as cPanel is concerned.

Install Fail2ban (Intrusion Prevention) System on RHEL/CentOS 6.3/5.8, Fedora 17/12
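To show what a fail2ban filter like the one above actually extracts from the log lines posted in this thread, here is an added Python example (not from the original posts or from fail2ban itself). It expands <HOST> roughly the way fail2ban does, counts failures per public peer address, and ignores the "([192.168.2.33])" LAN address entirely; the sample log is constructed, and the extra IPs and the maxretry value are assumptions for the demo.

```python
import re
from collections import Counter

# Constructed sample of Exim main-log lines in the format seen in this thread.
# The public IPs other than the one quoted in the thread are made up.
SAMPLE_LOG = """\
2014-02-07 23:38:56 courier_login authenticator failed for ([192.168.2.33]) [190.5.230.178]:13228: 535 Incorrect authentication data (set_id=reception)
2014-02-07 23:38:56 courier_login authenticator failed for ([192.168.2.33]) [190.5.230.178]:13228: 535 Incorrect authentication data (set_id=reception)
2014-02-07 23:38:57 courier_login authenticator failed for ([192.168.2.33]) [190.5.230.178]:13228: 535 Incorrect authentication data (set_id=reception)
2014-02-07 23:39:02 courier_login authenticator failed for ([192.168.2.33]) [203.0.113.7]:4410: 535 Incorrect authentication data (set_id=info)
2014-02-07 23:39:05 login authenticator failed for (example.invalid) [198.51.100.9]: 535 Incorrect authentication data (set_id=admin)
2014-02-07 23:39:09 <= user@example.invalid H=(mail.example.invalid) [203.0.113.7] P=esmtpa A=login:user@example.invalid S=1234
"""

# <HOST> expanded approximately as fail2ban 0.8 does it (assumption: that
# release's pattern). Only a bracketed address that is followed by an
# optional ":port" and then ": 535 ..." is taken as the peer, so the
# "([192.168.2.33])" LAN address, which is followed by ")", never matches.
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"
FAILREGEX = re.compile(r"\[" + HOST + r"\](?::\d+)?: 535 Incorrect authentication data")


def failed_auth_hosts(log_text):
    """Count failed authentications per public peer IP."""
    hits = Counter()
    for line in log_text.splitlines():
        m = FAILREGEX.search(line)
        if m:
            hits[m.group("host")] += 1
    return hits


def hosts_over_threshold(log_text, maxretry=3):
    """Peer IPs that a jail with this maxretry would ban from the excerpt."""
    counts = failed_auth_hosts(log_text)
    return sorted(ip for ip, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    print(failed_auth_hosts(SAMPLE_LOG))
    print(hosts_over_threshold(SAMPLE_LOG))
```

Because the count is keyed on the public address, one client LAN address shared by thousands of routers contributes nothing to the decision, which is the behaviour you want from a ban rule.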

ThinIce

Well-Known Member
Apr 27, 2006
Disillusioned in England
cPanel Access Level
Root Administrator
With regard to the IP address 192.168.2.33 shown in the log, IIRC this is simply the local LAN IP address of the machine connecting. This is shown in the log for information purposes (i.e. it's ideal if you've got one machine at a client site sending spam). While you're correct that the value is possibly being spoofed in the botnet performing this attack (I'm seeing the same), you wouldn't want to block machines with a local client IP of 192.168.2.33 from connecting in case this impacted legitimate users.

If you want these attacks to be stopped quicker, you can tweak the thresholds at which csf applies IP blocks / distributed attacks in its own config.

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Hello :)

In addition to the firewall rule suggestions from the other posters, you may want to also consider switching from Courier to Dovecot. It's more configurable and will likely provide better performance under certain types of attacks.

Thank you.

dayron

Thanks for the replies.

I simply want Exim to reject any attempt to connect when the hostname or HELO name is 192.168.2.33.

192.168.2.33 in this case is not an internal IP address of a server. I have a few failed login attempts from SMTP that don't show the internal IP address of the attacker.

So how would I set the EXIM rules in the WHM Exim config file editor to block HELO and hostnames of 192.168.2.33?


lorio

Well-Known Member
Feb 25, 2004
cPanel Access Level
Root Administrator
I simply want Exim to reject any attempt to connect when the hostname or HELO name is 192.168.2.33.
So, after a few weeks have passed, what have you done?

The IP is common on certain routers (e.g. German Telekom Speedports), which start their DHCP range at 192.168.2.33, so the first device gets 192.168.2.33. I have brute force attacks every day with this hostname.

I wondered why you focus on EXIM, since your logfile indicated IMAP/POP3 courier as the target.
If the connection is from a legitimate device with 192.168.2.33, a complete block does not look like the best way.

And since mostly dial-up accounts from big ISPs use these routers, you get a lot of public IPs as well, which cannot be blocked all the time.

shenzy

Well-Known Member
Apr 27, 2008
Chile
cPanel Access Level
Root Administrator
Maybe ConfigServer Security & Firewall (csf) can help you... check the option of "Distributed Login Failure Attack detection".
Even blocking by country codes can help you.