The Community Forums

Interact with an entire community of cPanel & WHM users!

mail auth failure from 192.168.2.33 (spoofed IP)

Discussion in 'E-mail Discussions' started by dayron, Feb 7, 2014.

  1. dayron

    dayron Registered

    Joined:
    Feb 7, 2014
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Reseller Owner
    Hello,
    I am running cpanel 11.40.1 using Exim.

    My server is getting hammered with failed logins like the ones below. They are coming from all over the world from different IP addresses. My firewall eventually blocks them. But the common factor is the second IP address listed in the log files which is 192.168.2.33. From what I've read the bot(s) launching these attacks spoofs the IP address 192.168.2.33. Adding that IP address to my firewall does not stop the issue.
    What can I do to reject any incoming request from a source that uses 192.168.2.33 in its attempt to connect from ever being able to connect at all?

    I've read some resources on the web but some of the info doesn't seem complete when discussing editing the EXIM config file etc. Can someone give specific instructions on what I need to do in the cpanel implementation of Exim to stop this? BTW 192.168.2.33 is not my server's internal IP address. So adding rules to prevent mail delivery from my internal IP address or range does not work. Any help would be much appreciated.

    2014-02-07 23:38:56 courier_login authenticator failed for ([192.168.2.33]) [190.5.230.178]:13228: 535 Incorrect authentication data (set_id=reception)
    2014-02-07 23:38:56 courier_login authenticator failed for ([192.168.2.33]) [190.5.230.178]:13228: 535 Incorrect authentication data (set_id=reception)
    2014-02-07 23:38:56 courier_login authenticator failed for ([192.168.2.33]) [190.5.230.178]:13228: 535 Incorrect authentication data (set_id=reception)
    2014-02-07 23:38:57 courier_login authenticator failed for ([192.168.2.33]) [190.5.230.178]:13228: 535 Incorrect authentication data (set_id=reception)
    2014-02-07 23:38:57 courier_login authenticator failed for ([192.168.2.33]) [190.5.230.178]:13228: 535 Incorrect authentication data (set_id=reception)
  2. vanessa

    vanessa Well-Known Member
    PartnerNOC

    Joined:
    Sep 26, 2006
    Messages:
    817
    Likes Received:
    22
    Trophy Points:
    18
    Location:
    Virginia Beach, VA
    cPanel Access Level:
    DataCenter Provider
    These types of attacks are pretty tricky, because to stop the connections your only real option is to block the public IPs connecting. Of course you know this already, and you indicated your firewall is doing this. So I guess what I'm wondering is what exactly you are trying to stop. You can't stop the attackers from trying to attack you. Are you trying to block the connections to the server altogether, or get Exim to stop allowing authentication attempts from IPs trying to brute-force you?

    Assuming the latter is your intent, fail2ban tends to handle these well from my experience, but I've never used it alongside CSF/LFD - I'd imagine there would be conflict there. For your situation, the following regex should suffice:

    Code:
    failregex = \[<HOST>\]:\d+: 535 Incorrect authentication data

    If you're not sure how to install, there are a lot of guides out there, and there isn't much to consider as far as cPanel is concerned.

    Install Fail2ban (Intrusion Prevention) System on RHEL/CentOS 6.3/5.8, Fedora 17/12
  3. ThinIce

    ThinIce Well-Known Member

    Joined:
    Apr 27, 2006
    Messages:
    346
    Likes Received:
    7
    Trophy Points:
    18
    Location:
    Disillusioned in England
    cPanel Access Level:
    Root Administrator
    With regards the IP address 192.168.2.33 shown in the log, iirc I believe this is simply the local lan IP address of the machine connecting. This is shown in the log for information purposes (i.e. it's ideal if you've got one machine at a client site sending spam). While you're correct that the value is possibly being spoofed in the botnet performing this attack (I'm seeing the same), you wouldn't want to block machines with a local client IP of 192.168.2.33 from connecting in case this impacted legitimate users.

    If you want these attacks to be stopped quicker, you can tweak the thresholds at which csf applies IP blocks / distributed attacks in its own config.
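    To show how the fail2ban regex in vanessa's reply lines up with the log format, and ThinIce's point that the bracketed value in parentheses is the client-supplied address while the second bracketed IP is the actual peer, here is an added Python example (not from the thread or from fail2ban itself). It parses constructed exim_mainlog-style lines with the `<HOST>` placeholder expanded into a named group the way fail2ban does, and counts failures per peer IP against a maxretry threshold; the sample lines and the helper names are assumptions for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in the same shape as the exim_mainlog entries quoted above
SAMPLE_LOG = """\
2014-02-07 23:38:56 courier_login authenticator failed for ([192.168.2.33]) [190.5.230.178]:13228: 535 Incorrect authentication data (set_id=reception)
2014-02-07 23:38:56 courier_login authenticator failed for ([192.168.2.33]) [190.5.230.178]:13228: 535 Incorrect authentication data (set_id=reception)
2014-02-07 23:38:57 courier_login authenticator failed for ([192.168.2.33]) [190.5.230.178]:13228: 535 Incorrect authentication data (set_id=reception)
2014-02-07 23:39:02 courier_login authenticator failed for ([192.168.2.33]) [203.0.113.45]:51002: 535 Incorrect authentication data (set_id=info)
2014-02-07 23:39:10 plain authenticator failed for (mail.example.net) [198.51.100.7]:4120: 535 Incorrect authentication data (set_id=sales)
2014-02-07 23:39:15 1WBxyz-0001Aa-Bc <= user@example.com H=[192.0.2.10] P=esmtpa S=1234
"""

# The failregex from the thread with <HOST> expanded to a named group, as fail2ban does.
# The timestamp is consumed explicitly here because fail2ban strips it before matching.
# The HELO/EHLO value inside the parentheses is client-supplied (this is where the
# spoofed 192.168.2.33 appears) and is deliberately not captured as the host.
FAILREGEX = re.compile(
    r"^\S+ \S+ \S+ authenticator failed for \((?P<helo>[^)]*)\) "
    r"\[(?P<host>[0-9a-fA-F.:]+)\]:\d+: 535 Incorrect authentication data \(set_id=(?P<user>[^)]*)\)"
)

def parse_failures(log_text):
    """Return a list of (peer_ip, helo_value, set_id) tuples, one per failed AUTH line."""
    hits = []
    for line in log_text.splitlines():
        m = FAILREGEX.match(line)
        if m:
            hits.append((m.group("host"), m.group("helo"), m.group("user")))
    return hits

def offenders(log_text, maxretry=3):
    """Peer IPs that reached a fail2ban-style maxretry threshold.
    Counting is keyed on the peer (socket) address, never on the HELO value,
    so a spoofed or shared '192.168.2.33' can neither trigger nor dodge a ban."""
    counts = Counter(ip for ip, _, _ in parse_failures(log_text))
    return {ip for ip, n in counts.items() if n >= maxretry}

if __name__ == "__main__":
    for ip, helo, user in parse_failures(SAMPLE_LOG):
        print(f"peer={ip:<15} helo={helo:<20} set_id={user}")
    print("would ban:", sorted(offenders(SAMPLE_LOG)))
```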
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,811
    Likes Received:
    671
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    In addition to the firewall rule suggestions from the other posters, you may want to also consider switching from Courier to Dovecot. It's more configurable and will likely provide better performance under certain types of attacks.

    Thank you.
  5. dayron

    dayron Registered

    Joined:
    Feb 7, 2014
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Reseller Owner
    Thanks for the replies.

    I simply want Exim to reject any attempt to connect when the hostname or HELO name is 192.168.2.33.

    192.168.2.33 in this case is not an internal IP address of a server. I have a few failed login attempts from SMTP that don't show the internal IP address of the attacker.

    So how would I set the EXIM rules in the WHM Exim config file editor to block HELO and hostnames of 192.168.2.33?

  6. lorio

    lorio Well-Known Member

    Joined:
    Feb 25, 2004
    Messages:
    243
    Likes Received:
    3
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    So after a few weeks have passed. What have you done?

    The IP is common on certain routers (e.g. German Telekom Speedports), which start their DHCP range at 192.168.2.33. So the first device gets 192.168.2.33. I have brute force attacks every day with this hostname.

    I wondered why you focus on EXIM, since your logfile indicated IMAP/POP3 courier as the target.
    If the connection is from a legitimate device with 192.168.2.33, a complete block does not look like the best way.

    And since mostly dialup accounts from big ISPs use these routers, you get a lot of public IPs as well, which cannot be blocked all the time.
  7. shenzy

    shenzy Well-Known Member

    Joined:
    Apr 27, 2008
    Messages:
    66
    Likes Received:
    1
    Trophy Points:
    8
    Location:
    Chile
    cPanel Access Level:
    Root Administrator
    Maybe ConfigServer Security & Firewall (csf) can help you... check the option of "Distributed Login Failure Attack detection".
    Even blocking by country codes can help you.