The Community Forums

Question about SMTP brute force

Discussion in 'E-mail Discussions' started by Drumrocker365, Nov 30, 2015.

  1. Drumrocker365

    Drumrocker365 Well-Known Member

    Joined:
    Apr 15, 2014
    Messages:
    72
    Likes Received:
    1
    Trophy Points:
    8
    cPanel Access Level:
    Root Administrator
    Hi,

    Yesterday, my cPanel was successfully brute forced by hackers. The authentication method was SMTP, and they sent over 500 spam emails using my address. I increased my password strength, and made my server security a little more picky (especially on cPHulk). This morning, there were another 15 attempts from 15 different IPs. cPHulk stopped all of the attempts, and as of now my account is still secured. All I'm wondering is, is there anything I can change to further improve my security? Is there some insecure login method I have enabled that I don't know about that's an easy backdoor for hackers?

    Thanks,
    Christian
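What cPHulk is doing when it stops the attempts described above, as an added example that is not from this thread or from cPanel: it scans constructed Exim mainlog lines, counts `login authenticator failed` entries per source IP, and flags a later successful authentication from an IP that had been failing, which is the pattern behind a guessed password being used to send spam. The log lines, addresses and mailbox name are all constructed.

```python
import re
from collections import defaultdict

# Constructed sample in Exim mainlog format (not from the poster's server).
SAMPLE_LOG = """\
2015-11-30 08:12:01 login authenticator failed for (User) [203.0.113.10]: 535 Incorrect authentication data (set_id=christian@example.com)
2015-11-30 08:12:03 login authenticator failed for (User) [203.0.113.10]: 535 Incorrect authentication data (set_id=christian@example.com)
2015-11-30 08:12:04 login authenticator failed for (User) [203.0.113.10]: 535 Incorrect authentication data (set_id=christian@example.com)
2015-11-30 08:12:09 login authenticator failed for (User) [198.51.100.7]: 535 Incorrect authentication data (set_id=christian@example.com)
2015-11-30 08:12:20 login authenticator failed for (User) [203.0.113.10]: 535 Incorrect authentication data (set_id=christian@example.com)
2015-11-30 08:12:31 login authenticator failed for (User) [203.0.113.10]: 535 Incorrect authentication data (set_id=christian@example.com)
2015-11-30 08:13:02 1a3bcd-000123-XY <= christian@example.com H=(User) [203.0.113.10] P=esmtpa A=dovecot_login:christian@example.com S=812
2015-11-30 08:15:00 1a3bce-000124-XY <= christian@example.com H=(User) [192.0.2.5] P=esmtpa A=dovecot_login:christian@example.com S=640
"""

# Failed SMTP AUTH: timestamp, client IP in brackets, attempted mailbox in set_id=...
FAIL_RE = re.compile(r"^(\S+ \S+) login authenticator failed for \S+ \[([\d.]+)\].*set_id=(\S+)\)")
# Accepted message with A=<authenticator>:<mailbox>, i.e. a successful authenticated send.
AUTH_OK_RE = re.compile(r"^(\S+ \S+) \S+ <= \S+ .*\[([\d.]+)\] .*A=\S+:(\S+)")


def analyze(log_text, threshold=5):
    """Return IPs at or over the failure threshold, the IPs per targeted mailbox,
    and successful logins from IPs that were failing shortly before."""
    failures = defaultdict(int)   # ip -> number of failed AUTH attempts
    targets = defaultdict(set)    # mailbox -> set of source IPs guessing it
    suspicious = []               # (ip, mailbox) success after failures from same ip
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            _, ip, mailbox = m.groups()
            failures[ip] += 1
            targets[mailbox].add(ip)
            continue
        m = AUTH_OK_RE.match(line)
        if m:
            _, ip, mailbox = m.groups()
            if failures.get(ip, 0) > 0:
                suspicious.append((ip, mailbox))
    block = sorted(ip for ip, n in failures.items() if n >= threshold)
    return {"block": block, "targets": dict(targets), "suspicious": suspicious}


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

A distributed attempt like the "15 different IPs" in the post stays under any per-IP threshold, which is why the per-mailbox view (`targets`) is reported alongside the per-IP counts.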
     
  2. redesignunit

    redesignunit Member

    Joined:
    Sep 24, 2015
    Messages:
    16
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
  3. Drumrocker365
  4. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,482
    Likes Received:
    203
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    If you don't have ConfigServer firewall installed, you should.
     
    redesignunit likes this.
  5. Drumrocker365

    Hi,

    I tried to install ConfigServer Firewall several times and it made my VPS dysfunctional. Not even I could connect to it. I had to carefully disable it by using the one way I could get in.
     
  6. Infopro

    The default installation is set to test mode to prevent an issue. It's the very first setting:

    The first thing you need to do after you install it, and before disabling test mode is, add your IP address to the csf.ignore file. You'll find an option/menu to do that on the CSF main page, under this section:
    lfd - Login Failure Daemon

    Your IP should already be in the cPHulk whitelist too, of course.
     
  7. Drumrocker365

    But what good is whitelisting my IP if other people won't be able to access it either.. Sorry I'm a noob about firewalls and stuff..
     
  8. Infopro

    Please forgive my bluntness here, but it's time to learn how to love your firewall now. Drop everything else you're working on.

    A normal user shouldn't get blocked. If they do, they've done something that will be logged and you can review the how and why in that log. CSF will also send you email alerts about many things.

    It will also make your server far more secure than you are right now.
     
  9. Drumrocker365

    Alright, well, I'll try to install and configure again when I can..
     
  10. Drumrocker365

    I installed ConfigServer and whitelisted my IP. I also read that you need to whitelist 0.0.0.0/0 for it to work. I did that and it seems to be working for me.. I hope it works for everyone else too.
     
  11. Infopro

    Where did you read that? No, don't tell me, just stop reading there. I don't have that in my config on any servers.

    Once you're sure your own IP is whitelisted in cPHulk and bypassed in CSF config, next, you want to tweak the CSF settings.

    You'll find a "Profiles" option on the main page with some reconfigured options you can choose from. You can also create a backup there too. Each one is explained a bit, I suggest you choose protection_high.

    Next you'll want to go through every single setting in the main config file and read them all closely. They'll make more sense to you than you might think at first.

    And there's more reading here too:
    http://download.configserver.com/csf/readme.txt

    Dialing this in to perfection takes time; you'll be in and out of those settings for days looking for some option that you'll be alerted to by email.

    One last thing, almost any question you can think of has probably been answered on the CSF forums. Some, on these very forums as well.

    Spend some real time with your new best friend, CSF. It will be worth your time, trust me. :cool:
     
  12. Drumrocker365

    Great! I changed the profile to protection_high and removed 0.0.0.0/0 from where I added it, and so far, it's going good. I'll do some studying on the options so I know more about it! Thanks for helping a noob like me. :rolleyes:
     
  13. Drumrocker365

    aaannddd.... I removed 0.0.0.0/0 from the allow list and now I'm blocked from my server again. Does 0.0.0.0/0 need to be in there or not?
     
  14. Infopro

    No. Are you using an off server email address for your server emails? CSF should have fired off an email about getting blocked. What's that email say?

    Your IP is set, you shouldn't be getting blocked. Anything special about this server setup?
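On the 0.0.0.0/0 question: that prefix covers every IPv4 address, so an allow entry for it exempts every source from CSF blocking, which is why it has no place in the file. Added example, not from this thread or from ConfigServer: it audits a constructed csf.allow, flagging over-broad entries and confirming the admin IP is actually covered; it handles plain IP and IP/CIDR lines only, and the addresses are constructed.

```python
import ipaddress

# Constructed csf.allow contents (not the poster's file): one IP or IP/CIDR
# per line, '#' starts a comment.
WEAK_ALLOW = """\
# Admin home connection
192.0.2.5
# Added after reading a forum post
0.0.0.0/0
"""
FIXED_ALLOW = """\
# Admin home connection
192.0.2.5
# Backup admin subnet
198.51.100.0/24
"""


def audit_allow_list(text, admin_ip, max_hosts=256):
    """Return (line, entry, problem) findings for an allow list.
    Entries covering more than max_hosts addresses are flagged, as is a
    list that does not cover admin_ip (the lock-out case from the thread)."""
    admin = ipaddress.ip_address(admin_ip)
    findings, admin_covered = [], False
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)  # bare IP -> /32
        except ValueError:
            findings.append((lineno, entry, "entry not parsed as IP or CIDR"))
            continue
        if admin in net:
            admin_covered = True
        if net.num_addresses > max_hosts:
            findings.append((lineno, entry,
                             f"covers {net.num_addresses} addresses; none of them can be blocked"))
    if not admin_covered:
        findings.append((0, admin_ip, "admin IP not in allow list; a block will lock you out"))
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_ALLOW), ("fixed", FIXED_ALLOW)):
        print(name, audit_allow_list(text, "192.0.2.5"))
```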
     
  15. Drumrocker365

    No email, simply doesn't work. The email is hosted off server by gmail. There isn't anything out of the ordinary about my VPS setup.
     
  16. Infopro

    Are you still blocked or did you get back in using some other IP address?
     
  17. Drumrocker365

    I created an emergency shell access session in SolusVM and was able to get into PuTTY and disable CSF. So yes, I am back in. CSF is currently disabled.
     
  18. Infopro

    Go to:

    WHM »Email »Mail Delivery Reports

    And search for any emails to you from "root@your.server.com", just when you got blocked. When you find any, check to see if they were delivered or not.
     
  19. Drumrocker365

    Nothing at all.. just 2 successfully delivered ones from this morning (they told me something about a certain user using too much RAM).
     
  20. Infopro

    That's odd. Who's your VPS provider if I may ask? Is this an older server?

    On CSF main page, there's an option near bottom to "Test iptables". Can you set test mode to on (so you don't get blocked), enable CSF and run that test to see if it complains about anything?

    The output should be something like this:

    Code:
    Testing iptables...
    
    Testing ip_tables/iptable_filter...OK
    Testing ipt_LOG...OK
    Testing ipt_multiport/xt_multiport...OK
    Testing ipt_REJECT...OK
    Testing ipt_state/xt_state...OK
    Testing ipt_limit/xt_limit...OK
    Testing ipt_recent...OK
    Testing xt_connlimit...OK
    Testing ipt_owner/xt_owner...OK
    Testing iptable_nat/ipt_REDIRECT...OK
    Testing iptable_nat/ipt_DNAT...OK
    
    RESULT: csf should function on this server
    
    ...Done.
    
    You should restart csf after having run this test.
     