My server got attacked on the "smtp", is it dangerous?

[calvinphanctt]

Hi everyone,

Recently, my server got attacked on the "smtp", he tried to use different IPs from different countries.

What is the purpose? What can he do with that attack on my server ?

Here is an example of notifications which I received from my server:

IP reached maximum auth failures
Number of authentication failures: 3
Maximum allowed authentication failures: 3


Last authentication request
===========================
Service: smtp
Local IP Address: 146.xxx.xxx.xxx
Remote IP Address: 180.210.151.130
Authentication Database: system
Username: liemlam
Origin Country: Bangladesh (BD)

Please use the following links to add to the black list:

Single IP: https://server1.myserver.com:2087/scripts7/cphulk/blacklist?ip=180.210.151.130
      /24: https://server1.myserver.com:2087/scripts7/cphulk/blacklist?ip=180.210.151.0/24
      /16: https://server1.myserver.com:2087/scripts7/cphulk/blacklist?ip=180.210.0.0/16


Please use the following links to add to the white list:

Single IP: https://server1.myserver.com:2087/scripts7/cphulk/whitelist?ip=180.210.151.130
      /24: https://server1.myserver.com:2087/scripts7/cphulk/whitelist?ip=180.210.151.0/24
      /16: https://server1.myserver.com:2087/scripts7/cphulk/whitelist?ip=180.210.0.0/16


OR =========================

IP reached maximum auth failures
Number of authentication failures: 3
Maximum allowed authentication failures: 3


Last authentication request
===========================
Service: smtp
Local IP Address: 146.xxx.xxx.xxx
Remote IP Address: 188.253.19.20
Authentication Database: mail
Username: [email protected]
Origin Country: Iran, Islamic Republic of (IR)

Please use the following links to add to the black list:

IP reached maximum auth failures
Number of authentication failures: 3
Maximum allowed authentication failures: 3

OR===============

Last authentication request
===========================
Service: smtp
Local IP Address: 146.xxx.xxx.xxx
Remote IP Address: 2.135.128.12
Authentication Database: mail
Username: [email protected]
Reverse DNS: 2.135.128.12.megaline.telecom.kz
Origin Country: Kazakhstan (KZ)

Please use the following links to add to the black list:

Thank you for your help !

Sincerely,
Calvin

 

[LostNerd]

Hi Calvin,

Usually, I believe this to be spammers attempting to gain unauthorized access to your SMTP server by guessing different aliases on the domain that they are trying to log in with to begin using it as a relay for their bad deeds! I get these often (but not too often to worry!). It happens.

It's not too bad as cPHulk has obviously detected and blocked the IP's however, I suggest you also use CSF (If you're not already). It's a great tool that will perm block these IP's after too many failed attempts.

 

[swatkatsdevilz]

every week I get 2k emails like these, Now i am used to seeing these in my account.
if you get few ip, then blacklist them to make sure that those Ip will never login into your system again but these guys always attack from other ip address.

there's no solution to this and nothing to be worried about. you are safe unless you have kept a lame username and password, if this is the case, then change it immediately

 

[cPanelMichael]

Hello,

Yes, as mentioned, there's nothing you can really do to prevent someone from attempting to brute force a username/password, but utilizing cPHulk and installing a firewall such as CSF is often a good way to ensure the IP addresses are detected and blocked.

Thank you.

 

[calvinphanctt]

Thank you very much everyone!

This guy keep sending the failed username & password using "smtp" to my server every 3-4 minutes for couple days recently.

Now, I set my Cphulk for max failed auth = 1

Could you tell me if the Cphulk automatic block that IP address if it failed ? or I have to manually click the link which the WHM send me such as below to block that IP? I do have CSF running, is both Cphulk & CSF working at the same time ?

Thank you for your help !

Please use the following links to add to the black list:

- Removed -

Please use the following links to add to the white list:

- Removed -

 

[LostNerd]

Hi Calvin,

Having your max failed set to 1 can be dangerous. It'll only take you one wrong password attempt yourself to get blocked. I recommend at least 3 usually.

cPHulk works in the background and will do automatic blocks for you. If you edit the config in WHM, all the features available to you are there including automatic perm-blocking.

 

[cPanelMichael]

Could you tell me if the Cphulk automatic block that IP address if it failed

Hello,

You must enable "Block IP addresses at the firewall level if they trigger brute force protection" in "WHM >> cPHulk Brute Force Detection" if you want IP addresses blocked automatically.

Thank you.

 

[swatkatsdevilz]

I have made block for 36000 minutes instead of usual 360 minutes, and daily I spend 2-3 hours on blacklisting all the Ip address.

 

[cPanelMichael]

I have made block for 36000 minutes instead of usual 360 minutes, and daily I spend 2-3 hours on blacklisting all the Ip address.

Could you elaborate on this statement? Is this a suggestion to the original poster, or are you asking for help with an issue?

Thank you.

 

[swatkatsdevilz]

Could you elaborate on this statement? Is this a suggestion to the original poster, or are you asking for help with an issue?

Thank you.

I am giving suggestion.

 

[keat63]

As mentioed earlier CSF will do this work for you as and when it happens automatically.