My server got attacked on the "smtp", is it dangerous?

calvinphanctt

Active Member
Mar 27, 2007
Hi everyone,

Recently, my server got attacked on "smtp"; he tried to use different IPs from different countries.

What is the purpose? What can he do with that attack on my server?

Here is an example of notifications which I received from my server:

Code:
IP reached maximum auth failures
Number of authentication failures: 3
Maximum allowed authentication failures: 3


Last authentication request
===========================
Service: smtp
Local IP Address: 146.xxx.xxx.xxx
Remote IP Address: 180.210.151.130
Authentication Database: system
Username: liemlam
Origin Country: Bangladesh (BD)

Please use the following links to add to the black list:

Single IP: https://server1.myserver.com:2087/scripts7/cphulk/blacklist?ip=180.210.151.130
      /24: https://server1.myserver.com:2087/scripts7/cphulk/blacklist?ip=180.210.151.0/24
      /16: https://server1.myserver.com:2087/scripts7/cphulk/blacklist?ip=180.210.0.0/16


Please use the following links to add to the white list:

Single IP: https://server1.myserver.com:2087/scripts7/cphulk/whitelist?ip=180.210.151.130
      /24: https://server1.myserver.com:2087/scripts7/cphulk/whitelist?ip=180.210.151.0/24
      /16: https://server1.myserver.com:2087/scripts7/cphulk/whitelist?ip=180.210.0.0/16


OR =========================

IP reached maximum auth failures
Number of authentication failures: 3
Maximum allowed authentication failures: 3


Last authentication request
===========================
Service: smtp
Local IP Address: 146.xxx.xxx.xxx
Remote IP Address: 188.253.19.20
Authentication Database: mail
Username: [email protected]
Origin Country: Iran, Islamic Republic of (IR)

Please use the following links to add to the black list:

IP reached maximum auth failures
Number of authentication failures: 3
Maximum allowed authentication failures: 3

OR===============

Last authentication request
===========================
Service: smtp
Local IP Address: 146.xxx.xxx.xxx
Remote IP Address: 2.135.128.12
Authentication Database: mail
Username: [email protected]
Reverse DNS: 2.135.128.12.megaline.telecom.kz
Origin Country: Kazakhstan (KZ)

Please use the following links to add to the black list:

Thank you for your help!

Sincerely,
Calvin
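The notifications quoted above have a fixed layout, so they can be parsed and aggregated instead of being handled one mail at a time. The script below is an added example, not code from the post or from cPanel. It reads a constructed mail body in the same layout as the quoted notifications (remote IPs, usernames and countries copied from the post; the local address is a TEST-NET placeholder and the mailbox name is made up), counts attempts per source IP, username, country and authentication database, and derives the same /24 and /16 networks that the notification's blacklist links offer, so an administrator can see whether a few ranges account for most of the noise and which usernames are real local accounts worth checking.

```python
"""Summarise cPHulk 'IP reached maximum auth failures' notifications (added example)."""
import re
import ipaddress
from collections import Counter

# Constructed sample (not from the page): three notifications in the layout quoted in the
# post. Remote IPs, usernames and countries come from the post; 192.0.2.10 is a TEST-NET
# placeholder for the redacted local address and info@example.com is a made-up mailbox.
SAMPLE_NOTIFICATIONS = """\
IP reached maximum auth failures
Number of authentication failures: 3
Maximum allowed authentication failures: 3

Last authentication request
===========================
Service: smtp
Local IP Address: 192.0.2.10
Remote IP Address: 180.210.151.130
Authentication Database: system
Username: liemlam
Origin Country: Bangladesh (BD)

IP reached maximum auth failures
Number of authentication failures: 3
Maximum allowed authentication failures: 3

Last authentication request
===========================
Service: smtp
Local IP Address: 192.0.2.10
Remote IP Address: 188.253.19.20
Authentication Database: mail
Username: info@example.com
Origin Country: Iran, Islamic Republic of (IR)

IP reached maximum auth failures
Number of authentication failures: 3
Maximum allowed authentication failures: 3

Last authentication request
===========================
Service: smtp
Local IP Address: 192.0.2.10
Remote IP Address: 2.135.128.12
Authentication Database: mail
Username: info@example.com
Reverse DNS: 2.135.128.12.megaline.telecom.kz
Origin Country: Kazakhstan (KZ)
"""

HEADER = "IP reached maximum auth failures"
# "Label: value" lines; labels are words and spaces, so the "=====" rule and the
# "Last authentication request" line are skipped.
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z ]*?):\s*(.*)$")


def parse_notifications(text):
    """Split a mail body on the notification header; return one dict of fields per notification."""
    records = []
    for chunk in text.split(HEADER)[1:]:
        fields = {}
        for line in chunk.splitlines():
            m = FIELD_RE.match(line.strip())
            if m:
                fields[m.group(1)] = m.group(2).strip()
        # Only keep notifications that name the source we would act on.
        if "Remote IP Address" in fields:
            for key in ("Number of authentication failures",
                        "Maximum allowed authentication failures"):
                fields[key] = int(fields[key])
            records.append(fields)
    return records


def summarize(records):
    """Attempt counts per remote IP, username, origin country and auth database."""
    return {
        "by_ip": Counter(r["Remote IP Address"] for r in records),
        "by_user": Counter(r["Username"] for r in records),
        "by_country": Counter(r["Origin Country"] for r in records),
        "by_database": Counter(r["Authentication Database"] for r in records),
    }


def block_candidates(records, prefix_len=24):
    """Networks covering the sources, in the form the notification's /24 and /16 links use."""
    nets = {ipaddress.ip_network(f"{r['Remote IP Address']}/{prefix_len}", strict=False)
            for r in records}
    return [str(n) for n in sorted(nets)]


def system_account_targets(records):
    """Usernames tried against the 'system' database: local accounts, not just mailboxes,
    so their passwords deserve a check."""
    return {r["Username"] for r in records if r["Authentication Database"] == "system"}


if __name__ == "__main__":
    recs = parse_notifications(SAMPLE_NOTIFICATIONS)
    for name, counter in summarize(recs).items():
        print(name, dict(counter))
    print("/24 candidates:", block_candidates(recs, 24))
    print("/16 candidates:", block_candidates(recs, 16))
    print("system accounts targeted:", system_account_targets(recs))
```

Feeding a whole mailbox of these notifications through `parse_notifications` turns a stream of alerts into a short table; the wider the prefix you block, the more legitimate senders you risk cutting off, so the /16 list is worth reviewing by hand before it goes into a blacklist.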

LostNerd

Well-Known Member
Mar 12, 2014
Hastings, East Sussex, UK
Hi Calvin,

Usually, I believe this to be spammers attempting to gain unauthorized access to your SMTP server by guessing different aliases on the domain that they are trying to log in with to begin using it as a relay for their bad deeds! I get these often (but not too often to worry!). It happens.

It's not too bad, as cPHulk has obviously detected and blocked the IPs; however, I suggest you also use CSF (if you're not already). It's a great tool that will permanently block these IPs after too many failed attempts.
 
Jun 4, 2015
India
Every week I get 2k emails like these; now I am used to seeing these in my account.
If you get a few IPs, then blacklist them to make sure that those IPs will never log into your system again, but these guys always attack from other IP addresses.

There's no solution to this and nothing to be worried about. You are safe unless you have kept a lame username and password; if this is the case, then change it immediately.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Hello,

Yes, as mentioned, there's nothing you can really do to prevent someone from attempting to brute force a username/password, but utilizing cPHulk and installing a firewall such as CSF is often a good way to ensure the IP addresses are detected and blocked.

Thank you.
 

calvinphanctt

Active Member
Mar 27, 2007
Thank you very much everyone!

This guy keeps sending the failed username & password using "smtp" to my server every 3-4 minutes, for a couple of days recently.

Now I have set my cPHulk max failed auth = 1.

Could you tell me if cPHulk automatically blocks that IP address if it failed? Or do I have to manually click the link which WHM sends me, such as below, to block that IP? I do have CSF running; are both cPHulk & CSF working at the same time?

Thank you for your help!

Please use the following links to add to the black list:

- Removed -

Please use the following links to add to the white list:

- Removed -

LostNerd

Well-Known Member
Mar 12, 2014
Hastings, East Sussex, UK
Hi Calvin,

Having your max failed set to 1 can be dangerous. It'll only take you one wrong password attempt yourself to get blocked. I recommend at least 3 usually.

cPHulk works in the background and will do automatic blocks for you. If you edit the config in WHM, all the features available to you are there including automatic perm-blocking.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Could you tell me if the Cphulk automatic block that IP address if it failed
Hello,

You must enable "Block IP addresses at the firewall level if they trigger brute force protection" in "WHM >> cPHulk Brute Force Detection" if you want IP addresses blocked automatically.

Thank you.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
I have made block for 36000 minutes instead of usual 360 minutes, and daily I spend 2-3 hours on blacklisting all the Ip address.
Could you elaborate on this statement? Is this a suggestion to the original poster, or are you asking for help with an issue?

Thank you.