The Community Forums


SMTP Auth Failure - Brute Force Attack - Blocking

Discussion in 'E-mail Discussions' started by djblamire, Feb 24, 2015.

  1. djblamire (Well-Known Member)
    On my cPanel server we have recently found that we are receiving hundreds of attempts per hour to connect to our server via SMTP to send e-mails - although the SMTP authentications are successfully failing.

    These are from many countries including Serbia, Russia, Taiwan, Vietnam, Libya and many more.

    cPanel and the sites on the server send out e-mail, but any mail clients should be set to send out e-mails via their own ISP's (rather than via the server).

    Is there a way to block access to any remote connections trying to send e-mail out using the server this way?

    I'm concerned about the number of attempts being received.

    Here is an example of one of the attempts from the logs - it appears to be a brute force attack going by the number of attempts taking place.

    Code:
    2015-02-24 22:00:23 SMTP connection from [201.86.105.222]:54803 (TCP/IP connection count = 1)
    2015-02-24 22:00:26 dovecot_plain authenticator failed for (Cleiton-PC) [201.86.105.222]:54803: 535 Incorrect authentication data (set_id=dybattelle)
    2015-02-24 22:00:33 dovecot_login authenticator failed for (Cleiton-PC) [201.86.105.222]:54803: 535 Incorrect authentication data (set_id=dybattelle)
    2015-02-24 22:00:33 SMTP connection from (Cleiton-PC) [201.86.105.222]:54803 closed by QUIT
    2015-02-24 22:00:33 SMTP connection from [201.86.105.222]:54831 (TCP/IP connection count = 1)
    2015-02-24 22:00:36 cwd=/etc/csf 4 args: /usr/sbin/sendmail -f root -t
    
    Any comments/advice appreciated.

    Thanks
    Daniel
     
  2. keat63 (Well-Known Member, cPanel Access Level: Root Administrator)
    Do you have CSF installed?
    Whilst this won't entirely eradicate the attempts, it will blacklist their IP and slow them down, making them go elsewhere.
    I have mine set for 3 failed SMTP login attempts and your IP is blacklisted.
    I have seen situations where they instantly return via a proxy, but after 2 or 3 proxies, they get the message and move on.
     
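As an added example (not code from the thread, from cPanel or from CSF), the following Python script parses Exim mainlog lines in the format quoted by the original poster, applies the same "3 failed SMTP AUTH attempts per IP" rule keat63 describes, and additionally groups failures by the login name being tried, so that an attack spread over hundreds of IPs still shows up as one targeted account. The first four log lines are the original poster's sample; the remaining four are constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Exim mainlog lines in the format quoted in the thread. The first four are the
# original poster's sample; the remaining four are constructed for this example.
SAMPLE_LOG = """\
2015-02-24 22:00:23 SMTP connection from [201.86.105.222]:54803 (TCP/IP connection count = 1)
2015-02-24 22:00:26 dovecot_plain authenticator failed for (Cleiton-PC) [201.86.105.222]:54803: 535 Incorrect authentication data (set_id=dybattelle)
2015-02-24 22:00:33 dovecot_login authenticator failed for (Cleiton-PC) [201.86.105.222]:54803: 535 Incorrect authentication data (set_id=dybattelle)
2015-02-24 22:00:33 SMTP connection from (Cleiton-PC) [201.86.105.222]:54803 closed by QUIT
2015-02-24 22:01:05 dovecot_plain authenticator failed for (WIN-7) [203.0.113.10]:41022: 535 Incorrect authentication data (set_id=dybattelle)
2015-02-24 22:01:09 dovecot_login authenticator failed for (WIN-7) [203.0.113.10]:41022: 535 Incorrect authentication data (set_id=dybattelle)
2015-02-24 22:01:14 dovecot_plain authenticator failed for (WIN-7) [203.0.113.10]:41050: 535 Incorrect authentication data (set_id=info)
2015-02-24 22:01:20 dovecot_plain authenticator failed for [198.51.100.7]:50211: 535 Incorrect authentication data (set_id=dybattelle)
"""

# "(helo-name)" is optional: Exim omits it when the client sent no HELO/EHLO name.
AUTH_FAIL = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) dovecot_\w+ authenticator failed for "
    r"(?:\([^)]*\) )?\[(?P<ip>[0-9A-Fa-f.:]+)\]:\d+: 535 .*\(set_id=(?P<user>[^)]*)\)"
)

def parse_auth_failures(log_text):
    """Return (timestamp, client_ip, attempted_login) for each failed SMTP AUTH."""
    return [
        (m.group("ts"), m.group("ip"), m.group("user"))
        for m in map(AUTH_FAIL.match, log_text.splitlines()) if m
    ]

def summarize(failures, threshold=3):
    """Count failures per IP against a CSF-style LF_SMTPAUTH threshold, and also
    count distinct IPs per attempted login, which exposes a distributed attack
    on one account that the per-IP view (and the deny list) never shows."""
    per_ip = Counter(ip for _, ip, _ in failures)
    ips_per_user = defaultdict(set)
    for _, ip, user in failures:
        ips_per_user[user].add(ip)
    return {
        "per_ip": dict(per_ip),
        "block": sorted(ip for ip, n in per_ip.items() if n >= threshold),
        "targeted_accounts": {u: len(ips) for u, ips in ips_per_user.items()},
    }

if __name__ == "__main__":
    report = summarize(parse_auth_failures(SAMPLE_LOG))
    for ip in report["block"]:
        print(f"would block {ip} after {report['per_ip'][ip]} failures")
    for user, n in report["targeted_accounts"].items():
        print(f"login {user!r} attempted from {n} distinct IPs")
```

On a real server the same functions can be fed `/var/log/exim_mainlog`; a login name that appears from many distinct IPs is worth a password reset regardless of how many of those IPs CSF managed to block.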
  3. djblamire (Well-Known Member)
    Thanks for your reply.

    I already have CSF installed and have it set to block after 3 failed attempts. I've also increased the size of the block list to 500. Unfortunately, they are coming through so quickly that this gets overwritten - they are coming from literally hundreds and hundreds of different IP addresses.
     
  4. keat63 (Well-Known Member, cPanel Access Level: Root Administrator)
    What about this?

    https://documentation.cpanel.net/display/CKB/How+to+Prevent+Email+Abuse

    Enable SMTP Restrictions

    When you enable WHM's SMTP Restrictions interface (Home >> Security Center >> SMTP Restrictions), spammers cannot directly interact with remote mail servers. This is a common tactic for spammers who try to work around mail security settings.
    To enable this feature, perform the following steps:
    Navigate to WHM's SMTP Restrictions interface (Home >> Security Center >> SMTP Restrictions).
    Click Enable to restrict outgoing email connection attempts to the mail transfer agent (MTA), the mailman system user, and the root user.

    This forces both scripts and users to use Exim's Sendmail binary, which helps prevent direct access to the socket.

    Although on 11.48 this setting appears to be in Tweak Settings >> Mail.
     
  5. Infopro (cPanel Sr. Product Evangelist, Staff Member, cPanel Access Level: Root Administrator)
    If you have SMTP_BLOCK enabled in CSF, I believe you need to leave that one in Home » Security Center » SMTP Restrictions disabled.
     
  6. djblamire (Well-Known Member)
    Thanks for both replies.

    Any other ideas?
     
  7. Infopro (cPanel Sr. Product Evangelist, Staff Member, cPanel Access Level: Root Administrator)
    That link above to the cPanel Documentation concerning email abuse has quite a few more ideas. :)
     
  8. Infopro (cPanel Sr. Product Evangelist, Staff Member, cPanel Access Level: Root Administrator)
    Do you have CSF installed on your server?
     
  9. djblamire (Well-Known Member)
    Yes, CSF is installed and the IPs are being blocked after two attempts, but there are just far too many different IP addresses attempting this :(
     
  10. Infopro (cPanel Sr. Product Evangelist, Staff Member, cPanel Access Level: Root Administrator)
    I almost hate to say this as I don't want to make light of the issue you're facing, but the system is doing what you want it to do. The attacks will pass and there will be more to follow, you can count on it. Keep the doors locked tight.
     
  11. djblamire (Well-Known Member)
    Is there no way to stop them even trying to log in? Somehow disable the facility for sending emails via the server from an external address? I.e., so emails can go out from the server, and individuals can use their ISP's SMTP server for outgoing e-mail instead?
     
  12. Infopro (cPanel Sr. Product Evangelist, Staff Member, cPanel Access Level: Root Administrator)
    I think that's my point. They are being stopped from logging in.
     
  13. djblamire (Well-Known Member)
    I understand - but if I can somehow disable the SMTP function for this, then they wouldn't even get the prompt, so they can't even attempt to log in.
     
  14. Infopro (cPanel Sr. Product Evangelist, Staff Member, cPanel Access Level: Root Administrator)
    How will your valid users log in to check their email?
     
  15. djblamire (Well-Known Member)
    I'm only talking about SMTP on port 25 for outgoing email from the server, not for users picking up their e-mail via POP3.

    Thanks
     
  16. davorg (Member, cPanel Access Level: Root Administrator)
    They are trying to send you mail on SMTP port 25. They don't try to log in to POP3/IMAP. This is nothing special. In the last two days I have had 1000 mails/hour from CSF. You can disable receiving these mails in the conf file (for a few days).

    -- Davor
     
  17. djblamire (Well-Known Member)
    That's the thing - they are not trying to send mail to the server, but to send e-mail via the server (i.e., use the server for sending out spam e-mails).
     
  18. cPanelMichael (Forums Analyst, Staff Member, cPanel Access Level: Root Administrator)

  19. djblamire (Well-Known Member)
    Thanks - I understand this. I wasn't referring to blocking port 25, but to trying to block SMTP auth requests.
     