
My server got attacked on the "smtp", is it dangerous?

Comments

10 comments

  • LostNerd
    Hi Calvin, Usually, I believe this to be spammers attempting to gain unauthorized access to your SMTP server by guessing different aliases on the domain that they are trying to log in with to begin using it as a relay for their bad deeds! I get these often (but not too often to worry!). It happens. It's not too bad as cPHulk has obviously detected and blocked the IPs; however, I suggest you also use CSF (if you're not already). It's a great tool that will perm block these IPs after too many failed attempts.
    0
  • swatkatsdevilz
    Every week I get 2k emails like these. Now I am used to seeing these in my account. If you get a few IPs, then blacklist them to make sure that those IPs will never log in to your system again, but these guys always attack from other IP addresses. There's no solution to this and nothing to be worried about. You are safe unless you have kept a lame username and password; if this is the case, then change it immediately.
    0
  • cPanelMichael
    Hello, Yes, as mentioned, there's nothing you can really do to prevent someone from attempting to brute force a username/password, but utilizing cPHulk and installing a firewall such as CSF is often a good way to ensure the IP addresses are detected and blocked. Thank you.
    0
  • calvinphanctt
    Thank you very much everyone! This guy keeps sending the failed username & password using "smtp" to my server every 3-4 minutes for a couple of days recently. Now, I set my cPHulk for max failed auth = 1. Could you tell me if cPHulk automatically blocks that IP address if it fails? Or do I have to manually click the link which WHM sends me, such as below, to block that IP? I do have CSF running; are both cPHulk & CSF working at the same time? Thank you for your help! Please use the following links to add to the black list: - Removed - Please use the following links to add to the white list: - Removed -
    0
  • LostNerd
    Hi Calvin, Having your max failed set to 1 can be dangerous. It'll only take you one wrong password attempt yourself to get blocked. I recommend at least 3 usually. cPHulk works in the background and will do automatic blocks for you. If you edit the config in WHM, all the features available to you are there including automatic perm-blocking.
    0
  • cPanelMichael
    Could you tell me if cPHulk automatically blocks that IP address if it fails

    Hello, You must enable "Block IP addresses at the firewall level if they trigger brute force protection" in "WHM >> cPHulk Brute Force Detection" if you want IP addresses blocked automatically. Thank you.
    0
  • swatkatsdevilz
    I have made the block 36000 minutes instead of the usual 360 minutes, and daily I spend 2-3 hours on blacklisting all the IP addresses.
    0
  • cPanelMichael
    I have made the block 36000 minutes instead of the usual 360 minutes, and daily I spend 2-3 hours on blacklisting all the IP addresses.

    Could you elaborate on this statement? Is this a suggestion to the original poster, or are you asking for help with an issue? Thank you.
    0
  • swatkatsdevilz
    Could you elaborate on this statement? Is this a suggestion to the original poster, or are you asking for help with an issue? Thank you.

    I am giving a suggestion.
    0
  • keat63
    As mentioned earlier, CSF will do this work for you as and when it happens automatically.
    0
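
A simplified model of the threshold-based blocking discussed in this thread, as an added example that is not part of any poster's comment and is not cPHulk's or CSF's own code: it counts failed SMTP logins per IP inside a time window and shows why a threshold of 1 also catches the administrator's own typo. The log lines are constructed in the style of an Exim main log; the function name, its parameters, the 60-minute window and the IP addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the style of an Exim main log (not from the thread).
# 203.0.113.7 guesses aliases every 3-4 minutes; 198.51.100.20 is the admin's one typo.
SAMPLE_LOG = """\
2024-05-01 10:00:05 dovecot_login authenticator failed for H=(mail) [203.0.113.7]:50122: 535 Incorrect authentication data (set_id=info@example.com)
2024-05-01 10:03:40 dovecot_login authenticator failed for H=(mail) [203.0.113.7]:50188: 535 Incorrect authentication data (set_id=admin@example.com)
2024-05-01 10:05:00 1s2AbC-0001xY-2Z <= user@example.com H=localhost [127.0.0.1] P=esmtpa S=1024
2024-05-01 10:06:30 dovecot_login authenticator failed for H=(laptop) [198.51.100.20]:41877: 535 Incorrect authentication data (set_id=owner@example.com)
2024-05-01 10:07:10 dovecot_login authenticator failed for H=(mail) [203.0.113.7]:50240: 535 Incorrect authentication data (set_id=sales@example.com)
2024-05-01 10:10:55 dovecot_login authenticator failed for H=(mail) [203.0.113.7]:50301: 535 Incorrect authentication data (set_id=test@example.com)
"""

# Captures: timestamp, client IP (inside [...]), attempted login (set_id=...).
FAIL_RE = re.compile(
    r"^(\S+ \S+) \S+ authenticator failed for .*?"
    r"\[([^\]]+)\].*\(set_id=([^)]*)\)"
)

def offenders(log, max_failures=3, window_min=60, allow=()):
    """Return {ip: sorted logins tried} for IPs with >= max_failures inside the window."""
    window = timedelta(minutes=window_min)
    recent = defaultdict(list)  # ip -> failure timestamps still inside the window
    users = defaultdict(set)    # ip -> every login name the IP has tried
    flagged = {}
    for line in log.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue  # deliveries and other non-auth lines are ignored
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        ip, user = m.group(2), m.group(3)
        if ip in allow:
            continue  # allow-listed addresses (e.g. the admin's) are never counted
        # Drop failures older than the window, then record this one.
        recent[ip] = [t for t in recent[ip] if ts - t <= window] + [ts]
        users[ip].add(user)
        if len(recent[ip]) >= max_failures:
            flagged[ip] = sorted(users[ip])
    return flagged

if __name__ == "__main__":
    print("threshold 3:", offenders(SAMPLE_LOG))
    print("threshold 1:", offenders(SAMPLE_LOG, max_failures=1))
```

With the default threshold only the alias-guessing address is flagged; with `max_failures=1` the administrator's single mistyped password is flagged too unless that address is passed in `allow`.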
