distributed smtpauth attack
Hello
For the past week one of my servers has been suffering from distributed smtpauth attacks at an incredible rate.
I have CSF blocking the attacks, but since it's been going on for a week solid I was hoping someone here would have a way of helping me stop or at least limit these attacks.
I have increased the banned IPs in CSF from 100 to 200 and it seemed to have stopped the attacks for almost a day, although server load was higher than usual.
Now the attacks are back at a rate never seen before and IPs are getting unblocked just as fast as they get blocked, so anyone attacking with 200 IPs or more can just rotate the attacks through.
When I increase the banned IPs to 400, server load just gets too high, it seems.
Does anyone have any ideas?
I have pasted one of the emails CSF sends when blocking below in the hopes someone may see a simple solution looking at this.
Thank you!
Harold
Time: Tue Feb 11 16:31:53 2014 -0500
IP: distributed smtpauth attack on account [admin@domain.org]
Failures: 5
Interval: 300 seconds
Blocked: Permanent Block
Log entries:
2014-02-11 16:27:22 courier_plain authenticator failed for pc-131-76-101-190.cm.domain.net (Contabilidad) [190.101.76.131]:3672: 535 Incorrect authentication data (set_id=admin@domain.org)
2014-02-11 16:27:06 courier_plain authenticator failed for pc-131-76-101-190.cm.domain.net (Contabilidad) [190.101.76.131]:3518: 535 Incorrect authentication data (set_id=admin@domain.org)
2014-02-11 16:27:07 courier_login authenticator failed for pc-131-76-101-190.cm.domain.net (Contabilidad) [190.101.76.131]:3518: 535 Incorrect authentication data (set_id=admin@domain.org)
2014-02-11 16:31:48 courier_plain authenticator failed for (WIN712340928SRZ) [178.16.3.131]:58024: 535 Incorrect authentication data (set_id=admin@domain.org)
2014-02-11 16:27:22 courier_login authenticator failed for pc-131-76-101-190.cm.domain.net (Contabilidad) [190.101.76.131]:3672: 535 Incorrect authentication data (set_id=admin@domain.org)
IP Addresses Blocked:
190.101.76.131 (CL/Chile/pc-131-76-101-190.cm.vtr.net)
178.16.3.131 (IM/Isle of Man/adsl178.16.3.131.manx.net)
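The CSF report above is account-centric: five failures against one mailbox inside 300 seconds, from two different source IPs. A per-IP block never sees that pattern when the attacker rotates through hundreds of addresses. As an added illustration (not code from the post, from CSF or from Exim), the following Python script parses Exim "authenticator failed" lines of the shape quoted above, reproduces that account-centric rule, and contrasts it with the per-IP count that a simple IP block reacts to. The sample input is the five lines from the post plus constructed lines (a single-IP burst against a second account and one unrelated queue-run line); the threshold parameter names are assumptions.

```python
"""Detect distributed SMTP AUTH failures in Exim main-log lines.

Added example, not the forum poster's code and not part of CSF. It applies
the rule CSF's report shows (failures against one account inside an interval)
and adds the distinct-source-IP view that a per-IP block lacks.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Exim "authenticator failed" line as quoted in the post. The reverse-DNS host
# name before the HELO in parentheses is optional (see the 178.16.3.131 line).
AUTH_FAIL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<auth>\S+) authenticator failed for "
    r"(?:(?P<host>\S+) )?\((?P<helo>[^)]*)\) "
    r"\[(?P<ip>[^\]]+)\]:(?P<port>\d+): "
    r"535 Incorrect authentication data \(set_id=(?P<account>[^)]+)\)$"
)

# Sample input: the five lines quoted in the post, plus constructed lines
# (a six-failure burst from one IP against sales@domain.org and an unrelated
# queue-run line) to show what the distributed rule does NOT flag.
SAMPLE_LOG = """\
2014-02-11 16:27:22 courier_plain authenticator failed for pc-131-76-101-190.cm.domain.net (Contabilidad) [190.101.76.131]:3672: 535 Incorrect authentication data (set_id=admin@domain.org)
2014-02-11 16:27:06 courier_plain authenticator failed for pc-131-76-101-190.cm.domain.net (Contabilidad) [190.101.76.131]:3518: 535 Incorrect authentication data (set_id=admin@domain.org)
2014-02-11 16:27:07 courier_login authenticator failed for pc-131-76-101-190.cm.domain.net (Contabilidad) [190.101.76.131]:3518: 535 Incorrect authentication data (set_id=admin@domain.org)
2014-02-11 16:31:48 courier_plain authenticator failed for (WIN712340928SRZ) [178.16.3.131]:58024: 535 Incorrect authentication data (set_id=admin@domain.org)
2014-02-11 16:27:22 courier_login authenticator failed for pc-131-76-101-190.cm.domain.net (Contabilidad) [190.101.76.131]:3672: 535 Incorrect authentication data (set_id=admin@domain.org)
2014-02-11 16:28:00 Start queue run: pid=12345
2014-02-11 16:29:00 courier_plain authenticator failed for (CONSTRUCTED-PC) [203.0.113.7]:40001: 535 Incorrect authentication data (set_id=sales@domain.org)
2014-02-11 16:29:10 courier_plain authenticator failed for (CONSTRUCTED-PC) [203.0.113.7]:40002: 535 Incorrect authentication data (set_id=sales@domain.org)
2014-02-11 16:29:20 courier_plain authenticator failed for (CONSTRUCTED-PC) [203.0.113.7]:40003: 535 Incorrect authentication data (set_id=sales@domain.org)
2014-02-11 16:29:30 courier_plain authenticator failed for (CONSTRUCTED-PC) [203.0.113.7]:40004: 535 Incorrect authentication data (set_id=sales@domain.org)
2014-02-11 16:29:40 courier_plain authenticator failed for (CONSTRUCTED-PC) [203.0.113.7]:40005: 535 Incorrect authentication data (set_id=sales@domain.org)
2014-02-11 16:29:50 courier_plain authenticator failed for (CONSTRUCTED-PC) [203.0.113.7]:40006: 535 Incorrect authentication data (set_id=sales@domain.org)
""".splitlines()


def parse_line(line):
    """Return a dict for an auth-failure line, or None for any other Exim line."""
    m = AUTH_FAIL_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
    ev["port"] = int(ev["port"])
    return ev


def failures_by_ip(lines):
    """Per-source failure counts: the view a per-IP block acts on."""
    events = [e for e in map(parse_line, lines) if e]
    return dict(Counter(e["ip"] for e in events))


def find_distributed_attacks(lines, failures=5, interval=300, min_ips=2):
    """Accounts with >= `failures` failed logins inside any `interval`-second
    sliding window, where those failures came from >= `min_ips` distinct IPs.
    Returns {account: sorted list of participating IPs}.  (Parameter names
    are assumptions for this example, not CSF option names.)"""
    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: e["ts"])
    per_account = defaultdict(list)
    for e in events:
        per_account[e["account"]].append(e)
    window = timedelta(seconds=interval)
    hits = {}
    for account, evs in per_account.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans <= `interval`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            window_evs = evs[start:end + 1]
            ips = {e["ip"] for e in window_evs}
            if len(window_evs) >= failures and len(ips) >= min_ips:
                hits.setdefault(account, set()).update(ips)
    return {acct: sorted(ips) for acct, ips in hits.items()}


if __name__ == "__main__":
    print("failures per IP:", failures_by_ip(SAMPLE_LOG))
    print("distributed attacks:", find_distributed_attacks(SAMPLE_LOG))
```

On the sample, the per-IP view shows 190.101.76.131 with four failures and 178.16.3.131 with one, neither of which would trip a per-IP threshold of five, while the account view flags admin@domain.org exactly as CSF did, because all five failures land within 282 seconds. The constructed single-IP burst against sales@domain.org is the opposite case: a per-IP block handles it, and the distributed rule rightly ignores it. When the account view keeps firing after IPs rotate out of the block list, the account itself is the thing to act on (rotate its password, or temporarily disable or rate-limit authentication for it) rather than growing the IP deny list until the firewall's load becomes the problem.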
Hello :) Yes, you can find discussion of this issue on the thread referenced in the previous post. In addition, if the attack is consistent you may need to consult with your data center or hosting provider about implementing additional firewall solutions outside of the server. Thank you.