Question about SMTP brute force

Drumrocker365

Well-Known Member
Apr 15, 2014
cPanel Access Level
Root Administrator
Hi,

Yesterday, my cPanel was successfully brute forced by hackers. The authentication method was SMTP, and they sent over 500 spam emails using my address. I increased my password strength, and made my server security a little more picky (especially on cPHulk). This morning, there were another 15 attempts from 15 different IPs. cPHulk stopped all of the attempts, and as of now my account is still secured. All I'm wondering is, is there anything I can change to further improve my security? Is there some insecure login method I have enabled that I don't know about that's an easy backdoor for hackers?

Thanks,
Christian
 

Infopro

Well-Known Member
May 20, 2003
Pennsylvania
cPanel Access Level
Root Administrator
The default installation is set to test mode to prevent an issue. It's the very first setting:

Code:
Testing flag - enables a CRON job that clears iptables incase of
configuration problems when you start csf. This should be enabled until you
are sure that the firewall works - i.e. incase you get locked out of your
server! Then do remember to set it to 0 and restart csf when you're sure
everything is OK. Stopping csf will remove the line from /etc/crontab

lfd will not start while this is enabled

The first thing you need to do after you install it, and before disabling test mode, is to add your IP address to the csf.ignore file. You'll find an option/menu to do that on the CSF main page, under this section:
lfd - Login Failure Daemon

Your IP should already be in the cPHulk whitelist too, of course.
 

Drumrocker365

Well-Known Member
Apr 15, 2014
cPanel Access Level
Root Administrator
Infopro said:
> The default installation is set to test mode to prevent an issue. It's the very first setting:
>
> The first thing you need to do after you install it, and before disabling test mode, is to add your IP address to the csf.ignore file. You'll find an option/menu to do that on the CSF main page, under this section:
> lfd - Login Failure Daemon
>
> Your IP should already be in the cPHulk whitelist too, of course.
But what good is whitelisting my IP if other people won't be able to access it either.. Sorry I'm a noob about firewalls and stuff..
 

Infopro

Well-Known Member
May 20, 2003
Pennsylvania
cPanel Access Level
Root Administrator
Please forgive my bluntness here but, it's time to learn how to love your firewall now. Drop everything else you're working on.

A normal user shouldn't get blocked. If they do, they've done something that will be logged and you can review the how and why in that log. CSF will also send you email alerts about many things.

It will also make your server far more secure than you are right now.
 

Drumrocker365

Well-Known Member
Apr 15, 2014
cPanel Access Level
Root Administrator
Infopro said:
> Please forgive my bluntness here but, it's time to learn how to love your firewall now. Drop everything else you're working on.
>
> A normal user shouldn't get blocked. If they do, they've done something that will be logged and you can review the how and why in that log. CSF will also send you email alerts about many things.
>
> It will also make your server far more secure than you are right now.
Alright, well, I'll try to install and configure again when I can..
 

Drumrocker365

Well-Known Member
Apr 15, 2014
cPanel Access Level
Root Administrator
Infopro said:
> Please forgive my bluntness here but, it's time to learn how to love your firewall now. Drop everything else you're working on.
>
> A normal user shouldn't get blocked. If they do, they've done something that will be logged and you can review the how and why in that log. CSF will also send you email alerts about many things.
>
> It will also make your server far more secure than you are right now.
I installed ConfigServer and whitelisted my IP. I also read that you need to whitelist 0.0.0.0/0 for it to work. I did that and it seems to be working for me.. I hope it works for everyone else too.
 

Infopro

Well-Known Member
May 20, 2003
Pennsylvania
cPanel Access Level
Root Administrator
Where did you read that? No, don't tell me, just stop reading there. I don't have that in my config on any servers.

Once you're sure your own IP is whitelisted in cPHulk and bypassed in CSF config, next, you want to tweak the CSF settings.

You'll find a "Profiles" option on the main page with some reconfigured options you can choose from. You can also create a backup there too. Each one is explained a bit; I suggest you choose protection_high.

Next you'll want to go through every single setting in the main config file and read them all closely. They'll make more sense to you than you might think at first.

And there's more reading here too:
http://download.configserver.com/csf/readme.txt

Dialing this in to perfection takes time, you'll be in and out of those settings for days looking for some option that you'll be alerted to by email.

One last thing, almost any question you can think of, has probably been answered on the CSF forums. Some, on these very forums as well.

Spend some real time with your new best friend, CSF. It will be worth your time, trust me. :cool:
 
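An added example, not from this thread: a small POSIX shell audit that checks the points Infopro raises above, namely TESTING still set to "1" in csf.conf, the admin's own IP missing from csf.allow, and a catch-all 0.0.0.0/0 entry in csf.allow or csf.ignore that lets every address bypass the firewall. The file paths it is run against and the admin address 203.0.113.10 are constructed for the demo; the TESTING key and the one-entry-per-line csf.allow/csf.ignore format with `#` comments are CSF's own.

```shell
# Added example (not from the thread): audit a CSF setup for the mistakes
# discussed above. Paths are parameters so it can run against constructed
# files; /etc/csf/csf.conf, csf.allow and csf.ignore are the real locations.

# Return 0 when TESTING = "0" in csf.conf (test mode off, so lfd will start).
csf_testing_disabled() {
    val=$(sed -n 's/^TESTING[[:space:]]*=[[:space:]]*"\([0-9]*\)".*/\1/p' "$1")
    [ "$val" = "0" ]
}

# Return 0 when the exact address $2 appears as an entry in file $1.
csf_ip_listed() {
    sed 's/#.*//' "$1" | awk -v ip="$2" '$1 == ip { f = 1 } END { exit (f ? 0 : 1) }'
}

# Print entries in file $1 that cover every address (0.0.0.0 or any /0 prefix).
# Return 1 if any exist, 0 if the file is clean.
csf_find_catchall() {
    hits=$(sed 's/#.*//' "$1" |
        grep -E '^[[:space:]]*([0-9.]+/0|0\.0\.0\.0)[[:space:]]*$' || true)
    if [ -n "$hits" ]; then printf '%s\n' "$hits"; return 1; fi
    return 0
}

# Full audit; returns a bitmask: 1 = TESTING still on, 2 = admin IP not in
# csf.allow, 4 = catch-all in csf.allow, 8 = catch-all in csf.ignore.
csf_audit() {
    rc=0
    csf_testing_disabled "$1"           || rc=$((rc | 1))
    csf_ip_listed "$2" "$4"             || rc=$((rc | 2))
    csf_find_catchall "$2" >/dev/null   || rc=$((rc | 4))
    csf_find_catchall "$3" >/dev/null   || rc=$((rc | 8))
    return $rc
}

# Demo on constructed files mirroring the thread: test mode left on, the admin
# IP (203.0.113.10, a documentation address) whitelisted, and a 0.0.0.0/0 line
# in csf.allow that lets everyone bypass the firewall. Expected result: 5.
csf_audit_demo() {
    d=$(mktemp -d)
    printf 'TESTING = "1"\nTESTING_INTERVAL = "5"\n' > "$d/csf.conf"
    printf '203.0.113.10 # admin workstation\n0.0.0.0/0 # copied from a forum post\n' > "$d/csf.allow"
    printf '203.0.113.10\n' > "$d/csf.ignore"
    rc=0
    csf_audit "$d/csf.conf" "$d/csf.allow" "$d/csf.ignore" 203.0.113.10 || rc=$?
    rm -rf "$d"
    return $rc
}
```

Run `csf_audit /etc/csf/csf.conf /etc/csf/csf.allow /etc/csf/csf.ignore <your-ip>` on a real server; a zero exit means none of the three problems from this thread are present.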

Drumrocker365

Well-Known Member
Apr 15, 2014
cPanel Access Level
Root Administrator
Infopro said:
> Where did you read that? No, don't tell me, just stop reading there. I don't have that in my config on any servers.
>
> Once you're sure your own IP is whitelisted in cPHulk and bypassed in CSF config, next, you want to tweak the CSF settings.
>
> You'll find a "Profiles" option on the main page with some reconfigured options you can choose from. You can also create a backup there too. Each one is explained a bit; I suggest you choose protection_high.
>
> Next you'll want to go through every single setting in the main config file and read them all closely. They'll make more sense to you than you might think at first.
>
> And there's more reading here too:
> http://download.configserver.com/csf/readme.txt
>
> Dialing this in to perfection takes time, you'll be in and out of those settings for days looking for some option that you'll be alerted to by email.
>
> One last thing, almost any question you can think of, has probably been answered on the CSF forums. Some, on these very forums as well.
>
> Spend some real time with your new best friend, CSF. It will be worth your time, trust me. :cool:
Great! I changed the profile to protection_high and removed 0.0.0.0/0 from where I added it, and so far, it's going good. I'll do some studying on the options so I know more about it! Thanks for helping a noob like me. :rolleyes:
 

Drumrocker365

Well-Known Member
Apr 15, 2014
cPanel Access Level
Root Administrator
Infopro said:
> Where did you read that? No, don't tell me, just stop reading there. I don't have that in my config on any servers.
>
> Once you're sure your own IP is whitelisted in cPHulk and bypassed in CSF config, next, you want to tweak the CSF settings.
>
> You'll find a "Profiles" option on the main page with some reconfigured options you can choose from. You can also create a backup there too. Each one is explained a bit; I suggest you choose protection_high.
>
> Next you'll want to go through every single setting in the main config file and read them all closely. They'll make more sense to you than you might think at first.
>
> And there's more reading here too:
> http://download.configserver.com/csf/readme.txt
>
> Dialing this in to perfection takes time, you'll be in and out of those settings for days looking for some option that you'll be alerted to by email.
>
> One last thing, almost any question you can think of, has probably been answered on the CSF forums. Some, on these very forums as well.
>
> Spend some real time with your new best friend, CSF. It will be worth your time, trust me. :cool:
aaannddd.... I removed 0.0.0.0/0 from the allow list and now I'm blocked from my server again. Does 0.0.0.0/0 need to be in there or not?
 

Drumrocker365

Well-Known Member
Apr 15, 2014
cPanel Access Level
Root Administrator
Infopro said:
> No. Are you using an off-server email address for your server emails? CSF should have fired off an email about getting blocked. What's that email say?
>
> Your IP is set, you shouldn't be getting blocked. Anything special about this server setup?
No email, simply doesn't work. The email is hosted off server by gmail. There isn't anything out of the ordinary about my VPS setup.
 

Infopro

Well-Known Member
May 20, 2003
Pennsylvania
cPanel Access Level
Root Administrator
That's odd. Who's your VPS provider, if I may ask? Is this an older server?

On the CSF main page, there's an option near the bottom to "Test iptables". Can you set test mode to on (so you don't get blocked), enable CSF and run that test to see if it complains about anything?

The output should be something like this:

Code:
Testing iptables...

Testing ip_tables/iptable_filter...OK
Testing ipt_LOG...OK
Testing ipt_multiport/xt_multiport...OK
Testing ipt_REJECT...OK
Testing ipt_state/xt_state...OK
Testing ipt_limit/xt_limit...OK
Testing ipt_recent...OK
Testing xt_connlimit...OK
Testing ipt_owner/xt_owner...OK
Testing iptable_nat/ipt_REDIRECT...OK
Testing iptable_nat/ipt_DNAT...OK

RESULT: csf should function on this server

...Done.

You should restart csf after having run this test.
 