Hello,
I am running cPanel 11.40.1 using Exim.
My server is getting hammered with failed logins like the ones below. They are coming from all over the world from different IP addresses. My firewall eventually blocks them. But the common factor is the second IP address listed in the log files, which is 192.168.2.33. From what I've read, the bot(s) launching these attacks spoof the IP address 192.168.2.33. Adding that IP address to my firewall does not stop the issue.
What can I do to reject any incoming request from a source that uses 192.168.2.33 in its attempt to connect from ever being able to connect at all?
I've read some resources on the web, but some of the info doesn't seem complete when discussing editing the Exim config file etc. Can someone give specific instructions on what I need to do in the cPanel implementation of Exim to stop this? BTW, 192.168.2.33 is not my server's internal IP address, so adding rules to prevent mail delivery from my internal IP address or range does not work. Any help would be much appreciated.
2014-02-07 23:38:56 courier_login authenticator failed for ([192.168.2.33]) [190.5.230.178]:13228: 535 Incorrect authentication data (set_id=reception)
2014-02-07 23:38:56 courier_login authenticator failed for ([192.168.2.33]) [190.5.230.178]:13228: 535 Incorrect authentication data (set_id=reception)
2014-02-07 23:38:56 courier_login authenticator failed for ([192.168.2.33]) [190.5.230.178]:13228: 535 Incorrect authentication data (set_id=reception)
2014-02-07 23:38:57 courier_login authenticator failed for ([192.168.2.33]) [190.5.230.178]:13228: 535 Incorrect authentication data (set_id=reception)
2014-02-07 23:38:57 courier_login authenticator failed for ([192.168.2.33]) [190.5.230.178]:13228: 535 Incorrect authentication data (set_id=reception)
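An added example, not part of the original post: in these Exim log lines the parenthesised value is the HELO/EHLO name the client announced, and the bracketed address before the port is the real TCP peer, so the sketch below parses the lines and groups the failures by HELO string. The first sample line is from the post; the other two lines and the names `summarize` and `helo_literal` are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: line 1 is from the post; lines 2-3 are made up for the demo.
SAMPLE_LOG = """\
2014-02-07 23:38:56 courier_login authenticator failed for ([192.168.2.33]) [190.5.230.178]:13228: 535 Incorrect authentication data (set_id=reception)
2014-02-07 23:39:10 courier_login authenticator failed for ([192.168.2.33]) [203.0.113.7]:50211: 535 Incorrect authentication data (set_id=info)
2014-02-07 23:39:12 courier_login authenticator failed for (mail.example.net) [198.51.100.9]:40100: 535 Incorrect authentication data (set_id=bob)
"""

# "for [rdns] (HELO) [peer]:port": the HELO part is whatever the client sent.
AUTH_FAIL = re.compile(
    r"^\S+ \S+ (?P<auth>\S+) authenticator failed for "
    r"(?:[^\s(\[]\S* )?(?:\((?P<helo>[^)]*)\) )?"
    r"\[(?P<peer>[^\]]+)\](?::\d+)?: 535 .*?(?:\(set_id=(?P<set_id>[^)]*)\))?$"
)

def helo_literal(helo):
    """Return the IP inside an address-literal HELO such as [192.168.2.33], else None."""
    if not (helo and helo.startswith("[") and helo.endswith("]")):
        return None
    text = helo[1:-1]
    if text.lower().startswith("ipv6:"):
        text = text[5:]
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None

def summarize(log_text):
    """Group failed logins by announced HELO; collect real peer IPs and usernames."""
    by_helo = defaultdict(lambda: {"count": 0, "peers": set(), "users": set(), "suspicious": False})
    for line in log_text.splitlines():
        m = AUTH_FAIL.match(line)
        if not m:
            continue
        entry = by_helo[m["helo"] or "(none)"]
        entry["count"] += 1
        entry["peers"].add(m["peer"])
        if m["set_id"]:
            entry["users"].add(m["set_id"])
        lit = helo_literal(m["helo"])
        # Fingerprint: HELO claims a private address that is not the connecting peer.
        if lit is not None and lit.is_private and lit != ipaddress.ip_address(m["peer"]):
            entry["suspicious"] = True
    return dict(by_helo)

if __name__ == "__main__":
    for helo, info in summarize(SAMPLE_LOG).items():
        print(helo, info["count"], sorted(info["peers"]), sorted(info["users"]), info["suspicious"])
```

Grouping by HELO shows one announced string shared across many peer addresses, which is the attribute a HELO-stage rule or a log-watching blocker has to match on, rather than a firewall source address.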