SMTP Auth Failure - Brute Force Attack - Blocking

[HappymanUK]

On my cPanel server we have recently found that we are receiving hundreds of attempts per hour to connect to our server via SMTP to send e-mails - although the SMTP authentications are successfully failing.

These are from many countries including Serbia, Russia, Taiwan, Vietnam, Libya and many more.

cPanel and the sites on the server send out e-mail, but any mail clients should be set to send out e-mails via their own ISP's (rather than via the server).

Is there a way to block access to any remote connections trying to send e-mail out using the server this way ?

I'm concerned about the number of attempts being received.

Here is a example of one of the attempts from the logs - It appears to be a brute force attack going by the number of attempts taking place.

2015-02-24 22:00:23 SMTP connection from [201.86.105.222]:54803 (TCP/IP connection count = 1)
2015-02-24 22:00:26 dovecot_plain authenticator failed for (Cleiton-PC) [201.86.105.222]:54803: 535 Incorrect authentication data (set_id=dybattelle)
2015-02-24 22:00:33 dovecot_login authenticator failed for (Cleiton-PC) [201.86.105.222]:54803: 535 Incorrect authentication data (set_id=dybattelle)
2015-02-24 22:00:33 SMTP connection from (Cleiton-PC) [201.86.105.222]:54803 closed by QUIT
2015-02-24 22:00:33 SMTP connection from [201.86.105.222]:54831 (TCP/IP connection count = 1)
2015-02-24 22:00:36 cwd=/etc/csf 4 args: /usr/sbin/sendmail -f root -t

Any comments/advise appreciated.

Thanks
Daniel

 

[keat63]

Do you have CSF installed.
Whilst this won't entirely eradicate the attempts, it will blacklist their IP and slow them down, making them go elsewhere.
I have mine set for 3 failed SMPT login attempts and your IP is blacklisted.
I have seen situations where they instantly return via a proxy, but after 2 or 3 proxyies, they get the message and move on.

 

[HappymanUK]

Do you have CSF installed.
Whilst this won't entirely eradicate the attempts, it will blacklist their IP and slow them down, making them go elsewhere.
I have mine set for 3 failed SMPT login attempts and your IP is blacklisted.
I have seen situations where they instantly return via a proxy, but after 2 or 3 proxyies, they get the message and move on.

Thanks for your reply.

I already have CSF installed and have it set to block after 3 failed attempts. I've also increased the size of the block list to 500. Unfortunately they are coming through so quickly that this gets overwritten - They are coming from literally hundreds and hundreds of different IP addresses.

 

[keat63]

What about this.


https://documentation.cpanel.net/display/CKB/How+to+Prevent+Email+Abuse


Enable SMTP Restrictions

When you enable WHM's SMTP Restrictions interface (Home >> Security Center >> SMTP Restrictions), spammers cannot directly interact with remote mail servers. This is a common tactic for spammers who try to work around mail security settings.
To enable this feature, perform the following steps:
Navigate to WHM's SMTP Restrictions interface (Home >> Security Center >> SMTP Restrictions).
Click Enable to restrict outgoing email connection attempts to the mail transfer agent (MTA), the mailman system user, and the root user.

This forces both scripts and users to use Exim's Sendmail binary, which helps prevent direct access to the socket.

Although on 11.48 this setting appears to be in Tweak Settings >> Mail.

 

[Infopro]

If you have: SMTP_BLOCK enabled in CSF, I believe you need to leave that one in:
Home » Security Center » SMTP Restrictions

Disabled.

 

[HappymanUK]

If you have: SMTP_BLOCK enabled in CSF, I believe you need to leave that one in:
Home » Security Center » SMTP Restrictions

Disabled.

Thanks for both replies.

Any other ideas ??

 

[Infopro]

That link above to the cPanel Documentation concerning email abuse has quite a few more ideas.

 

[Infopro]

Do you have CSF installer on your server?

 

[HappymanUK]

Do you have CSF installer on your server?

Yes, CSF is installed and the IP's are being blocked after two attempts, but there are just far too many different IP addresses attempting this

 

[Infopro]

I almost hate to say this as I don't want to make light of the issue you're facing, but, the system is doing what you want it to do. The attacks will pass and there will be more to follow, you can count on it. Keep the doors locked tight.

 

[HappymanUK]

Is there no way to stop them even trying to login ? - Somehow disable the facility for sending emails via the server from an external address ? - ie, so emails can go out from the server, and individuals can use their ISP's SMTP server for outgoing e-mail instead ?

 

[Infopro]

Is there no way to stop them even trying to login ?

I think that's my point. They are being stopped from logging in.

 

[HappymanUK]

I think that's my point. They are being stopped from logging in.

I understand - but if I can somehow disable the SMTP function for this, then they wouldn't even get the prompt - so can't even attempt to login..

 

[Infopro]

How will your valid users login to check their email?

 

[HappymanUK]

How will your valid users login to check their email?

I'm only talking about SMTP on port 25 for outgoing email from the server, not for users picking up their e-mail via POP3.

Thanks

 

[davorg]

I'm only talking about SMTP on port 25 for outgoing email from the server, not for users picking up their e-mail via POP3.

Thanks

They are trying to send you mail on SMTP port 25. They don't try to login to POP3/IMAP. This is nothing special. In last two days I have 1000 mails/hour from CSF. You can disable receiving this mails in conf file (for a few days).

-- Davor

 

[HappymanUK]

They are trying to send you mail on SMTP port 25. They don't try to login to POP3/IMAP. This is nothing special. In last two days I have 1000 mails/hour from CSF. You can disable receiving this mails in conf file (for a few days).

-- Davor

That's the thing - They are not trying to send mail to the server, but send e-mail via the server (ie, use the server for sending out spam e-mails).

 

[cPanelMichael]

Hello

Please ensure you also review this thread:

Port 25 Usage

Thank you.

 

[HappymanUK]

Hello

Please ensure you also review this thread:

Port 25 Usage

Thank you.

Thanks - I understand this. I wasn't referring to blocking port 25, but trying to block smtp auth requests.