SMTP Auth Failure - Brute Force Attack - Blocking

djblamire

Well-Known Member
May 3, 2003
255
1
168
On my cPanel server we have recently found that we are receiving hundreds of attempts per hour to connect to our server via SMTP to send e-mails - although the SMTP authentications are successfully failing.

These are from many countries including Serbia, Russia, Taiwan, Vietnam, Libya and many more.

cPanel and the sites on the server send out e-mail, but any mail clients should be set to send out e-mails via their own ISP's (rather than via the server).

Is there a way to block access to any remote connections trying to send e-mail out using the server this way?

I'm concerned about the number of attempts being received.

Here is an example of one of the attempts from the logs - it appears to be a brute force attack going by the number of attempts taking place.

Code:
2015-02-24 22:00:23 SMTP connection from [201.86.105.222]:54803 (TCP/IP connection count = 1)
2015-02-24 22:00:26 dovecot_plain authenticator failed for (Cleiton-PC) [201.86.105.222]:54803: 535 Incorrect authentication data (set_id=dybattelle)
2015-02-24 22:00:33 dovecot_login authenticator failed for (Cleiton-PC) [201.86.105.222]:54803: 535 Incorrect authentication data (set_id=dybattelle)
2015-02-24 22:00:33 SMTP connection from (Cleiton-PC) [201.86.105.222]:54803 closed by QUIT
2015-02-24 22:00:33 SMTP connection from [201.86.105.222]:54831 (TCP/IP connection count = 1)
2015-02-24 22:00:36 cwd=/etc/csf 4 args: /usr/sbin/sendmail -f root -t

Any comments/advice appreciated.

Thanks
Daniel
 

keat63

Well-Known Member
Nov 20, 2014
1,899
253
113
cPanel Access Level
Root Administrator
Do you have CSF installed?
Whilst this won't entirely eradicate the attempts, it will blacklist their IP and slow them down, making them go elsewhere.
I have mine set for 3 failed SMTP login attempts and your IP is blacklisted.
I have seen situations where they instantly return via a proxy, but after 2 or 3 proxies, they get the message and move on.
 

djblamire

Thanks for your reply.

I already have CSF installed and have it set to block after 3 failed attempts. I've also increased the size of the block list to 500. Unfortunately they are coming through so quickly that this gets overwritten - They are coming from literally hundreds and hundreds of different IP addresses.
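
The pattern described in this post, as an added example that is not part of the original thread: a per-IP limit of 3 failures catches a single noisy host, but not one account being guessed once each from many addresses. The function name, thresholds and sample lines are assumptions; the regex covers only the Exim log layout shown in the first post.

```python
import re
from collections import defaultdict

# Exim mainlog auth-failure line, in the layout shown in the first post.
# Other Exim versions may format the host part differently (assumption).
FAIL_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} "
    r"(?P<auth>\w+) authenticator failed for "
    r"(?:\((?P<helo>[^)]*)\) )?\[(?P<ip>[^\]]+)\](?::\d+)?: "
    r"535 Incorrect authentication data(?: \(set_id=(?P<user>[^)]*)\))?"
)

def summarize(lines, per_ip_threshold=3, distinct_ip_threshold=3):
    """Return (IPs at/over the per-IP limit, accounts hit from many IPs)."""
    by_ip = defaultdict(int)
    ips_by_user = defaultdict(set)
    for line in lines:
        m = FAIL_RE.match(line)
        if not m:
            continue  # connection open/close, sendmail calls, etc.
        by_ip[m["ip"]] += 1
        ips_by_user[m["user"] or "<none>"].add(m["ip"])
    noisy_ips = {ip: n for ip, n in by_ip.items() if n >= per_ip_threshold}
    spread = {user: len(ips) for user, ips in ips_by_user.items()
              if len(ips) >= distinct_ip_threshold}
    return noisy_ips, spread

# Constructed sample lines (RFC 5737 documentation addresses, made-up accounts).
_T = ("2015-02-24 {} {} authenticator failed for (pc) [{}]:50000: "
      "535 Incorrect authentication data (set_id={})")
SAMPLE = [
    "2015-02-24 22:00:23 SMTP connection from [192.0.2.10]:50000 (TCP/IP connection count = 1)",
    _T.format("22:00:26", "dovecot_plain", "192.0.2.10", "alice"),
    _T.format("22:00:33", "dovecot_login", "192.0.2.10", "alice"),
    _T.format("22:00:40", "dovecot_login", "192.0.2.10", "alice"),
    _T.format("22:01:02", "dovecot_login", "198.51.100.7", "info"),
    _T.format("22:01:05", "dovecot_login", "198.51.100.8", "info"),
    _T.format("22:01:09", "dovecot_plain", "203.0.113.5", "info"),
    _T.format("22:01:12", "dovecot_plain", "203.0.113.6", "info"),
    "2015-02-24 22:01:13 SMTP connection from (pc) [203.0.113.6]:50000 closed by QUIT",
]

if __name__ == "__main__":
    noisy, spread = summarize(SAMPLE)
    print("IPs at or over the per-IP limit:", noisy)
    print("Accounts targeted from many IPs:", spread)
```

In the sample, the four addresses guessing `info` fail once each, so none reaches the per-IP limit even though the account is clearly being targeted.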
 

keat63

What about this?


https://documentation.cpanel.net/display/CKB/How+to+Prevent+Email+Abuse


Enable SMTP Restrictions

When you enable WHM's SMTP Restrictions interface (Home >> Security Center >> SMTP Restrictions), spammers cannot directly interact with remote mail servers. This is a common tactic for spammers who try to work around mail security settings.
To enable this feature, perform the following steps:
1. Navigate to WHM's SMTP Restrictions interface (Home >> Security Center >> SMTP Restrictions).
2. Click Enable to restrict outgoing email connection attempts to the mail transfer agent (MTA), the mailman system user, and the root user.

This forces both scripts and users to use Exim's Sendmail binary, which helps prevent direct access to the socket.

Although on 11.48 this setting appears to be in Tweak Settings >> Mail.
 

djblamire

Is there no way to stop them even trying to log in? Somehow disable the facility for sending emails via the server from an external address? I.e., so emails can go out from the server, and individuals can use their ISP's SMTP server for outgoing e-mail instead?
 

djblamire

I think that's my point. They are being stopped from logging in.
I understand - but if I can somehow disable the SMTP function for this, then they wouldn't even get the prompt - so can't even attempt to log in.
 

davorg

Active Member
May 13, 2013
32
3
58
cPanel Access Level
Root Administrator
I'm only talking about SMTP on port 25 for outgoing email from the server, not for users picking up their e-mail via POP3.

Thanks
They are trying to send you mail on SMTP port 25. They don't try to log in to POP3/IMAP. This is nothing special. In the last two days I have had 1000 mails/hour from CSF. You can disable receiving these mails in the conf file (for a few days).

-- Davor
 

djblamire

That's the thing - they are not trying to send mail to the server, but send e-mail via the server (i.e., use the server for sending out spam e-mails).