The Community Forums


My server got attacked on the "smtp", is it dangerous?

Discussion in 'Security' started by calvinphanctt, Jun 4, 2015.

  1. calvinphanctt

    calvinphanctt Active Member

    Joined:
    Mar 27, 2007
    Messages:
    44
    Likes Received:
    0
    Trophy Points:
    6
    Hi everyone,

    Recently, my server was attacked on "smtp"; the attacker tried different IPs from different countries.

    What is the purpose? What can he do with that attack on my server?

    Here is an example of notifications which I received from my server:

    Code:
    IP reached maximum auth failures
    Number of authentication failures: 3
    Maximum allowed authentication failures: 3
    
    
    Last authentication request
    ===========================
    Service: smtp
    Local IP Address: 146.xxx.xxx.xxx
    Remote IP Address: 180.210.151.130
    Authentication Database: system
    Username: liemlam
    Origin Country: Bangladesh (BD)
    
    Please use the following links to add to the black list:
    
    Single IP: https://server1.myserver.com:2087/scripts7/cphulk/blacklist?ip=180.210.151.130
          /24: https://server1.myserver.com:2087/scripts7/cphulk/blacklist?ip=180.210.151.0/24
          /16: https://server1.myserver.com:2087/scripts7/cphulk/blacklist?ip=180.210.0.0/16
    
    
    Please use the following links to add to the white list:
    
    Single IP: https://server1.myserver.com:2087/scripts7/cphulk/whitelist?ip=180.210.151.130
          /24: https://server1.myserver.com:2087/scripts7/cphulk/whitelist?ip=180.210.151.0/24
          /16: https://server1.myserver.com:2087/scripts7/cphulk/whitelist?ip=180.210.0.0/16
    
    
    OR =========================
    
    IP reached maximum auth failures
    Number of authentication failures: 3
    Maximum allowed authentication failures: 3
    
    
    Last authentication request
    ===========================
    Service: smtp
    Local IP Address: 146.xxx.xxx.xxx
    Remote IP Address: 188.253.19.20
    Authentication Database: mail
    Username: liemlam@myserver.com
    Origin Country: Iran, Islamic Republic of (IR)
    
    Please use the following links to add to the black list:
    
    OR =========================
    
    IP reached maximum auth failures
    Number of authentication failures: 3
    Maximum allowed authentication failures: 3
    
    Last authentication request
    ===========================
    Service: smtp
    Local IP Address: 146.xxx.xxx.xxx
    Remote IP Address: 2.135.128.12
    Authentication Database: mail
    Username: liemlam@myserver.com
    Reverse DNS: 2.135.128.12.megaline.telecom.kz
    Origin Country: Kazakhstan (KZ)
    
    Please use the following links to add to the black list:
    
    
    Thank you for your help!

    Sincerely,
    Calvin
     
    #1 calvinphanctt, Jun 4, 2015
    Last edited by a moderator: Jun 4, 2015
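As an added example (not from the thread or from cPanel), a small Python parser for the notification format Calvin pasted: it splits the mail body on the "OR ====" separators, groups the failures by targeted account, and flags accounts being guessed from many distinct IPs, which is the pattern the replies describe (one username, rotating sources to get around per-IP blocking). The sample mail bodies are constructed with documentation-range addresses, not the IPs in the post.

```python
import re
from collections import defaultdict

def _notification(ip, db, user, country):
    """Build one cPHulk 'IP reached maximum auth failures' mail body (constructed sample)."""
    return ("IP reached maximum auth failures\n"
            "Number of authentication failures: 3\n"
            "Maximum allowed authentication failures: 3\n\n"
            "Last authentication request\n===========================\n"
            f"Service: smtp\nLocal IP Address: 146.xxx.xxx.xxx\nRemote IP Address: {ip}\n"
            f"Authentication Database: {db}\nUsername: {user}\nOrigin Country: {country}\n")

# Constructed sample: four notifications joined the way the forum post shows them.
# Source addresses are RFC 5737 documentation ranges, not the IPs in the post.
SAMPLE = "\n\nOR =========================\n\n".join([
    _notification("203.0.113.10", "system", "liemlam", "Bangladesh (BD)"),
    _notification("198.51.100.7", "mail", "liemlam@myserver.com", "Iran, Islamic Republic of (IR)"),
    _notification("192.0.2.44", "mail", "liemlam@myserver.com", "Kazakhstan (KZ)"),
    _notification("192.0.2.44", "mail", "admin@myserver.com", "Kazakhstan (KZ)"),
])
SEPARATOR_RE = re.compile(r"^OR[ \t]*=+[ \t]*$", re.M)
FIELD_RE = re.compile(r"^(?P<key>[A-Za-z ]+): (?P<value>.+)$")

def parse_notifications(text):
    """Split a cPHulk mail body on the 'OR ====' separators and read each 'Key: value' line."""
    events = []
    for chunk in SEPARATOR_RE.split(text):
        if "Last authentication request" not in chunk:
            continue
        fields = {}
        for line in chunk.splitlines():
            m = FIELD_RE.match(line.strip())
            if m:
                fields[m.group("key")] = m.group("value")
        events.append(fields)
    return events

def summarize_by_username(events):
    """Group failures by targeted account: distinct source IPs, countries and failure count."""
    summary = defaultdict(lambda: {"ips": set(), "countries": set(), "failures": 0})
    for e in events:
        # The same mailbox appears as 'liemlam' (system DB) and 'liemlam@domain' (mail DB);
        # keying on the local part joins both views of one targeted account.
        user = e.get("Username", "?").split("@")[0]
        s = summary[user]
        s["ips"].add(e.get("Remote IP Address"))
        s["countries"].add(e.get("Origin Country"))
        s["failures"] += int(e.get("Number of authentication failures", 0))
    return summary

def distributed_targets(summary, min_ips=3):
    """Accounts hit from at least min_ips distinct sources: the account, not the IP, is what to watch."""
    return sorted(u for u, s in summary.items() if len(s["ips"]) >= min_ips)
```

Feed it the raw text of the cPHulk mails and the per-account view shows whether one mailbox is being worked from many countries, which is the case for strong passwords plus firewall-level blocking rather than chasing individual IPs.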
  2. LostNerd

    LostNerd Well-Known Member

    Joined:
    Mar 12, 2014
    Messages:
    258
    Likes Received:
    11
    Trophy Points:
    18
    Location:
    Hastings, East Sussex, UK
    cPanel Access Level:
    Root Administrator
    Hi Calvin,

    Usually, I believe this to be spammers attempting to gain unauthorized access to your SMTP server by guessing different aliases on the domain that they are trying to log in with to begin using it as a relay for their bad deeds! I get these often (but not too often to worry!). It happens.

    It's not too bad, as cPHulk has obviously detected and blocked the IPs; however, I suggest you also use CSF (if you're not already). It's a great tool that will perm-block these IPs after too many failed attempts.
     
  3. swatkatsdevilz

    Joined:
    Jun 4, 2015
    Messages:
    18
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    India
    cPanel Access Level:
    Root Administrator
    Every week I get 2k emails like these; now I am used to seeing them in my account.
    If you get a few IPs, then blacklist them to make sure those IPs never log in to your system again, but these guys always attack from other IP addresses.

    There's no solution to this and nothing to be worried about. You are safe unless you have kept a lame username and password; if this is the case, then change it immediately.
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,854
    Likes Received:
    676
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello,

    Yes, as mentioned, there's nothing you can really do to prevent someone from attempting to brute force a username/password, but utilizing cPHulk and installing a firewall such as CSF is often a good way to ensure the IP addresses are detected and blocked.

    Thank you.
     
  5. calvinphanctt

    calvinphanctt Active Member

    Joined:
    Mar 27, 2007
    Messages:
    44
    Likes Received:
    0
    Trophy Points:
    6
    Thank you very much everyone!

    This guy keeps sending failed username & password attempts using "smtp" to my server every 3-4 minutes, for a couple of days now.

    Now I have set my cPHulk max failed auth = 1.

    Could you tell me if cPHulk automatically blocks that IP address if it fails? Or do I have to manually click the link which WHM sends me, such as the one below, to block that IP? I do have CSF running; do both cPHulk & CSF work at the same time?

    Thank you for your help!

    Please use the following links to add to the black list:

    - Removed -

    Please use the following links to add to the white list:

    - Removed -
     
    #5 calvinphanctt, Jun 7, 2015
    Last edited by a moderator: Jun 8, 2015
  6. LostNerd

    LostNerd Well-Known Member

    Joined:
    Mar 12, 2014
    Messages:
    258
    Likes Received:
    11
    Trophy Points:
    18
    Location:
    Hastings, East Sussex, UK
    cPanel Access Level:
    Root Administrator
    Hi Calvin,

    Having your max failed set to 1 can be dangerous. It'll only take you one wrong password attempt yourself to get blocked. I recommend at least 3 usually.

    cPHulk works in the background and will do automatic blocks for you. If you edit the config in WHM, all the features available to you are there including automatic perm-blocking.
     
  7. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,854
    Likes Received:
    676
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello,

    You must enable "Block IP addresses at the firewall level if they trigger brute force protection" in "WHM >> cPHulk Brute Force Detection" if you want IP addresses blocked automatically.

    Thank you.
     
  8. swatkatsdevilz

    Joined:
    Jun 4, 2015
    Messages:
    18
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    India
    cPanel Access Level:
    Root Administrator
    I have set the block to 36000 minutes instead of the usual 360 minutes, and daily I spend 2-3 hours blacklisting all the IP addresses.
     
  9. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,854
    Likes Received:
    676
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Could you elaborate on this statement? Is this a suggestion to the original poster, or are you asking for help with an issue?

    Thank you.
     
  10. swatkatsdevilz

    Joined:
    Jun 4, 2015
    Messages:
    18
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    India
    cPanel Access Level:
    Root Administrator
    I am giving a suggestion.
     
  11. keat63

    keat63 Well-Known Member

    Joined:
    Nov 20, 2014
    Messages:
    765
    Likes Received:
    20
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    As mentioned earlier, CSF will do this work for you automatically, as and when it happens.
     