Disable Account Listing

Comments


  • cPanelMichael
    Hello :) Could you elaborate on the type of attack that's happening? For instance, what are you seeing that shows you information about your accounts is known? Thank you.
  • pasayev
    Hello, sure. Every time, I see a domain name and an account for it which is created under my WHM. And I also see an email address which is created in this account. They try to send email but fail. I give two of them below:

        Time: Thu Sep 11 21:48:59 2014 +0300
        IP: 185.3.132.128 (SE/Sweden/-)
        Failures: 5 (smtpauth)
        Interval: 3600 seconds
        Blocked: Permanent Block
        Log entries:
        2014-09-11 21:48:08 dovecot_login authenticator failed for (ylmf-pc) [185.3.132.128]:1344: 535 Incorrect authentication data (set_id=bakirlar)
        2014-09-11 21:48:15 dovecot_login authenticator failed for (ylmf-pc) [185.3.132.128]:1082: 535 Incorrect authentication data (set_id=bakirlar)
        2014-09-11 21:48:27 dovecot_login authenticator failed for (ylmf-pc) [185.3.132.128]:3706: 535 Incorrect authentication data (set_id=bakirlar)
        2014-09-11 21:48:45 dovecot_login authenticator failed for (ylmf-pc) [185.3.132.128]:3958: 535 Incorrect authentication data
        2014-09-11 21:48:56 dovecot_login authenticator failed for (ylmf-pc) [185.3.132.128]:3709: 535 Incorrect authentication data

    bakirlar is under my WHM and the account is bakirlar. How did he/she detect it?

        Time: Fri Sep 12 01:38:20 2014 +0300
        IP: 77.66.134.82 (RU/Russian Federation/-)
        Failures: 5 (smtpauth)
        Interval: 3600 seconds
        Blocked: Permanent Block
        Log entries:
        2014-09-12 01:37:32 dovecot_login authenticator failed for (ylmf-pc) [77.66.134.82]:2872: 535 Incorrect authentication data (set_id=posta@tedkayseri)
        2014-09-12 01:37:39 dovecot_login authenticator failed for (ylmf-pc) [77.66.134.82]:2947: 535 Incorrect authentication data (set_id=posta@tedkayseri)
        2014-09-12 01:37:49 dovecot_login authenticator failed for (ylmf-pc) [77.66.134.82]:3135: 535 Incorrect authentication data (set_id=posta@tedkayseri)
        2014-09-12 01:38:06 dovecot_login authenticator failed for (ylmf-pc) [77.66.134.82]:3382: 535 Incorrect authentication data
        2014-09-12 01:38:17 dovecot_login authenticator failed for (ylmf-pc) [77.66.134.82]:3627: 535 Incorrect authentication data

    tedkayseri. is under my WHM. How did he/she detect that posta@tedkayseri. is under its account?
  • triantech
    Hello. These are online sites, right, the ones that go live. There are lots of hackers/spammers which use botnets preying on the content that goes live, and they are the ones that launch the attack on you and on the email addresses which originate from them. Now, looking at your logs, I'm seeing the common name ylmf-pc. There are many incoming SMTP connections from different IP addresses with the same machine name "ylmf-pc"; I'm seeing this happen many times. One possibility is that it could be different machines which are infected with some malware, and this malware is utilizing the machine to perform a brute-force password attack to gain authorization. One solution is to drop the SMTP connection at HELO so that no further processing is performed:

        # vi /etc/exim.conf

        acl_smtp_helo = acl_smtp_helo

        acl_smtp_helo:
          #BEGIN ACL_SMTP_HELO_BLOCK
          drop condition   = ${if eq {$sender_helo_name}{ylmf-pc} {yes}{no}}
               log_message = HELO/EHLO - ylmf-pc blocking against brute-force
               message     = Blocked at HELO
          accept
          #END ACL_SMTP_HELO_BLOCK

    Restart exim once this has been done.

        # service exim restart
  • kpmedia
    [quote="triantech, post: 1729231"]# vi /etc/exim.conf Restart exim once this has been done.[/quote]
    The problem with this is that cPanel will overwrite the change when updated. It has to be added in WHM. I'm also trying to figure out where it goes. cPanel has lots of hackish fixes, where the new code is added in other files (or the WHM GUI), but it's never the same method per service. Documentation is often sketchy.
  • dalem
    add

    [QUOTE]
        if (($lgfile eq $config{CUSTOM2_LOG}) and ($line =~ /^\S+\s+\S+\s+dovecot_login authenticator failed for \(ylmf-pc\) \[(\S+)\]/)) {
            return ("smtp_auth attack", $1, "SecmasYLMF", "1", "1");
        }
    [/QUOTE]

    to your regex.custom.pm in csf
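The detection that dalem's regex.custom.pm rule encodes, replayed over constructed exim mainlog lines in the format pasayev quoted, with the same "5 failures in 3600 seconds" threshold lfd reported. This is an added Python example, not code from the thread or from csf/lfd; the IPs (documentation ranges) and set_id values are made up.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# dalem's regex.custom.pm pattern, written in Python syntax; group 1 is the
# "date time" prefix of exim's mainlog, group 2 the client IP.
YLMF_FAIL = re.compile(
    r"^(\S+\s+\S+)\s+dovecot_login authenticator failed for \(ylmf-pc\) \[(\S+)\]"
)

# Constructed sample log in the mainlog format quoted in the thread
# (documentation-range IPs, made-up set_id values).
SAMPLE_LOG = """\
2014-09-11 21:48:08 dovecot_login authenticator failed for (ylmf-pc) [192.0.2.10]:1344: 535 Incorrect authentication data (set_id=user1)
2014-09-11 21:48:15 dovecot_login authenticator failed for (ylmf-pc) [192.0.2.10]:1082: 535 Incorrect authentication data (set_id=user1)
2014-09-11 21:48:27 dovecot_login authenticator failed for (ylmf-pc) [192.0.2.10]:3706: 535 Incorrect authentication data (set_id=user1)
2014-09-11 21:48:45 dovecot_login authenticator failed for (ylmf-pc) [192.0.2.10]:3958: 535 Incorrect authentication data
2014-09-11 21:48:56 dovecot_login authenticator failed for (ylmf-pc) [192.0.2.10]:3709: 535 Incorrect authentication data
2014-09-11 21:50:01 dovecot_login authenticator failed for (ylmf-pc) [198.51.100.7]:4001: 535 Incorrect authentication data
2014-09-11 21:50:02 dovecot_login authenticator failed for (laptop) [203.0.113.5]:4002: 535 Incorrect authentication data
"""

def matches(line):
    """Return (timestamp, ip) for a ylmf-pc auth failure, else None."""
    m = YLMF_FAIL.match(line)
    if not m:
        return None
    return datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2)

def offenders(log, failures=5, interval=3600):
    """IPs reaching `failures` ylmf-pc failures inside a sliding `interval`
    (seconds); 5/3600 is what lfd reported in the original post."""
    seen = defaultdict(list)
    blocked = set()
    for line in log.splitlines():
        hit = matches(line)
        if hit is None:
            continue
        ts, ip = hit
        # keep only failures still inside the window ending at this line
        seen[ip] = [t for t in seen[ip] if ts - t <= timedelta(seconds=interval)]
        seen[ip].append(ts)
        if len(seen[ip]) >= failures:
            blocked.add(ip)
    return blocked

if __name__ == "__main__":
    print(sorted(offenders(SAMPLE_LOG)))  # ['192.0.2.10']
```

Lines whose HELO name is not ylmf-pc are ignored, which is exactly the gap kpmedia points out below: a HELO-only rule catches this botnet's signature, not every smtpauth brute force.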
  • kpmedia
    No. The idea is to prevent initial access altogether. That means an exim change. That CSF regex from sergio is NOT 100% effective. Although the regex is correct, CSF seems to use malformed regex. You need more rules for 100% effectiveness.
  • cPanelMichael
    You should be able to use the "Advanced Editor" in "WHM Home » Service Configuration » Exim Configuration Manager" to ensure the changes are preserved. The following block is found in the advanced editor:

    [QUOTE]
        acl_smtp_helo:
        custom_begin_smtp_helo
        custom_end_smtp_helo
    [/QUOTE]
    Thank you.
  • steventay
    [QUOTE="cPanelMichael"]You should be able to use the "Advanced Editor" in "WHM Home » Service Configuration » Exim Configuration Manager" to ensure the changes are preserved. The following block is found in the advanced editor: Thank you.[/QUOTE]

    Hi Michael, I am new in this.. I just started using cPanel WHM. What should I do to block ylmf-pc? Under the advanced editor as below... what should I enter?

        acl_smtp_helo:
        custom_begin_smtp_helo
        custom_end_smtp_helo
  • cPanelMichael
    [QUOTE="steventay"]under the advanced editor as below... what should I enter?[/QUOTE]

    Hello, Browse to the "Advanced Editor" and search for "custom_begin_smtp_helo". Enter the custom code referenced in the previous post and scroll down to select "Save". Note this is a user-submitted solution so it's not supported by cPanel. Thank you.
  • albatroz
    I found this article redy.host/knowledgebase/how-block-ylmf-pc-connections-cpanel-exim; however, I am still having the same issue after applying its suggestions to my current cPanel server, as you can see in the attached picture.
  • cPanelMichael
    You may want to reach out to a qualified system administrator for help developing custom rules to block the attack if the issue persists and the existing suggestions are unhelpful. You can find a list of system admin services at: System Administration Services | cPanel Forums Thank you.