Brute force against dovecot
Hello all,
In the past days one of my servers has been targeted by brute-force attacks against dovecot, and the load of my server rises too much for 1-2 minutes, then it comes down and goes back to normal for a lot of hours until another attack comes again. I have been monitoring my server in real time with top and htop these days, and what I find is that when the server load starts to rise, a lot of these two processes come on screen:
/usr/local/cpanel/bin/dovecot-wrap /usr/libexec/dovecot/checkpassword-reply
cphulkd - processor
I have cphulk enabled and the csf firewall enabled with ct_limits and lf_imapd, lf_cpanel, lf_pop3d, lf_ftpd, lf_smtpauth and lf_eximsyntax enabled, but csf does not block any IP when this happens.
Is there any way to mitigate this kind of attack?
Thanks a lot
Hi, DDoS attacks are a pain. I would suggest you use Cloudflare and then change your server IP address to prevent your server from getting attacked.
I use Cloudflare but not on all sites (it is the choice of the final user). It is not easy to change the server IP; I have had all my IPs clean for years, and an IP change would be bad for my clients, especially those that use the mail server (too many users).
Changing your server IP will have no effect; the brute force is on the respective domains. CSF should be blocking these attacks using the options below:
LF_SMTPAUTH
LF_DISTATTACK
LF_DISTSMTP
LF_DISTSMTP_UNIQ
LF_DISTSMTP_PERM
Thanks a lot dalem, those options were off. I have already configured them and I hope this helps with this problem. Also, I found in the apache logs a lot of entries of IPs trying to get some default files/folders (that obviously do not exist on the server):
one.domain.on.server GET /filezilla-recupero-password/FileZilla.xml
one.domain.on.server GET /cmw/FileZilla.xml HTTP/1.1
other.domain.on.server GET /eagle/FileZilla.xml HTTP/1.1
another.domain.on.server GET /FileZilla/filezilla.xml HTTP/1.1
other.domain.on.server GET /download/FileZilla.xml HTTP/1.1
one.domain.on.server GET /~visionpl/typo/FileZilla.xml HTTP/1.1
other.domain.on.server GET /dropbox/Apps/softwarecookerbd/FileZilla.xml HTTP/1.1
domainonserver GET /ViK_baza/arhiv/FileZilla.xml HTTP/1.1
server.IP1 GET //phpmyadmin1/scripts/setup.php HTTP/1.1
server.IP2 GET //phpmyadmin1/scripts/setup.php HTTP/1.1
server.IP2 GET //web/phpMyAdmin/scripts/setup.php HTTP/1.1
server.hostname GET //web/phpMyAdmin/scripts/setup.php HTTP/1.1
server.hostname GET //mysql/scripts/setup.php HTTP/1.1
server.IP2 GET //mysql/scripts/setup.php HTTP/1.1
server.IP3 GET //xampp/phpmyadmin/scripts/setup.php HTTP/1.1
server.hostname GET //mysql/scripts/setup.php HTTP/1.1
server.hostname GET //xampp/phpmyadmin/scripts/setup.php HTTP/1.1
server.hostname GET //php-my-admin/scripts/setup.php HTTP/1.1
server.IP1 GET //mysql/scripts/setup.php HTTP/1.1
server.IP2 GET //php-my-admin/scripts/setup.php HTTP/1.1
server.IP3 GET //php-my-admin/scripts/setup.php HTTP/1.1
server.hostname GET //php-my-admin/scripts/setup.php HTTP/1.1
server.IP3 GET //mysql/scripts/setup.php HTTP/1.1
server.IP1 GET //php-my-admin/scripts/setup.php HTTP/1.1
All those entries come from the same IP when logged (different IPs on different days). How can I mitigate this?
Basically they are being blocked with a 404; they are just probing your server for vulnerable scripts. Some of the above you could block with mod_security.
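The probes quoted in the post above (FileZilla.xml and phpMyAdmin's scripts/setup.php) are easy to pick out of an access log and count per source IP. The script below is an added example, not code from the thread or from cPanel/CSF; the log lines, IPs and paths in it are constructed sample data in Apache common log format, and the threshold is an assumed value.

```python
import re
from collections import defaultdict

# Constructed Apache access-log lines (sample data, not the poster's real logs).
# The paths mirror the probe requests quoted in the thread.
SAMPLE_ACCESS_LOG = """\
203.0.113.9 - - [01/Dec/2023:10:00:01 +0000] "GET //phpmyadmin1/scripts/setup.php HTTP/1.1" 404 196
203.0.113.9 - - [01/Dec/2023:10:00:01 +0000] "GET //mysql/scripts/setup.php HTTP/1.1" 404 196
203.0.113.9 - - [01/Dec/2023:10:00:02 +0000] "GET //xampp/phpmyadmin/scripts/setup.php HTTP/1.1" 404 196
203.0.113.9 - - [01/Dec/2023:10:00:02 +0000] "GET /cmw/FileZilla.xml HTTP/1.1" 404 196
198.51.100.20 - - [01/Dec/2023:10:05:00 +0000] "GET /index.php HTTP/1.1" 200 5120
198.51.100.20 - - [01/Dec/2023:10:05:01 +0000] "GET /favicon.ico HTTP/1.1" 404 196
"""

# Common log format: client IP, identd, user, [timestamp], "METHOD path proto", status
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Probe signatures seen in the thread; case-insensitive so "filezilla.xml" matches too.
PROBE_PATTERNS = [
    re.compile(r"filezilla\.xml$", re.IGNORECASE),
    re.compile(r"/scripts/setup\.php$", re.IGNORECASE),
]


def is_probe(path):
    return any(p.search(path) for p in PROBE_PATTERNS)


def probe_counts(log_text):
    """Count 404 responses to known probe paths per source IP."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if m and m.group("status") == "404" and is_probe(m.group("path")):
            counts[m.group("ip")] += 1
    return dict(counts)


def scanners(log_text, threshold=3):
    """IPs whose probe count reaches the threshold (assumed value): review before blocking."""
    return sorted(ip for ip, n in probe_counts(log_text).items() if n >= threshold)


if __name__ == "__main__":
    for ip in scanners(SAMPLE_ACCESS_LOG):
        print(ip)
```

The IPs it prints are candidates to review and then add to the CSF deny list (csf -d), or to turn into a mod_security rule for the matching paths.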
Hello dalem, unfortunately the LF_SMTPAUTH, LF_DISTATTACK, LF_DISTSMTP, LF_DISTSMTP_UNIQ and LF_DISTSMTP_PERM options didn't help with the problem. The attacks still come with the high load peaks, and csf is unable to block those attacks. Do you have any suggestion? My CSF settings are the following:
LF_SMTPAUTH=5
LF_DISTATTACKT=1
LF_DISTSMTP=5
LF_DISTSMTP_UNIQ=3
LF_DISTSMTP_PERM=1
RESTRICT_SYSLOG=0
LF_SMTPAUTH=5
LF_SMTPAUTH_PERM=1
LF_IMAPD=10
LF_IMAPD_PERM=1
LF_POP3D=10
LF_POP3D_PERM=1
I have alerts enabled on those options, expecting to receive alerts of IPs being blocked when an attack comes, but no alerts of blocked IPs come and no IPs are being blocked. The only IPs that are being blocked are on LF_SMTPAUTH, LF_IMAPD and LF_POP3D, but they are not being blocked when attacks come, only under normal circumstances. Thanks
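LF_IMAPD and LF_POP3D in the settings above are per-IP counters, so an attack that spreads its attempts across many source addresses can keep every single IP under the threshold while one account is hammered; that is the pattern the LF_DISTATTACK family is meant to catch. The script below is an added example, not code from the thread or from dovecot/CSF: it parses constructed maillog lines in the shape of dovecot's imap-login "auth failed" messages and shows both views of the same failures. The user names, IPs and the min_sources value are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the format of dovecot's "auth failed" disconnects (not the poster's maillog).
SAMPLE_MAILLOG = """\
Dec  1 10:00:01 host dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice@example.test>, method=PLAIN, rip=203.0.113.5, lip=198.51.100.1, TLS
Dec  1 10:00:02 host dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice@example.test>, method=PLAIN, rip=203.0.113.6, lip=198.51.100.1, TLS
Dec  1 10:00:03 host dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice@example.test>, method=PLAIN, rip=203.0.113.7, lip=198.51.100.1, TLS
Dec  1 10:00:04 host dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice@example.test>, method=PLAIN, rip=203.0.113.8, lip=198.51.100.1, TLS
Dec  1 10:00:05 host dovecot: pop3-login: Disconnected (auth failed, 2 attempts in 4 secs): user=<bob@example.test>, method=PLAIN, rip=203.0.113.9, lip=198.51.100.1, TLS
Dec  1 10:00:06 host dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob@example.test>, method=PLAIN, rip=203.0.113.5, lip=198.51.100.1, TLS
"""

AUTH_FAIL = re.compile(
    r"auth failed, (?P<attempts>\d+) attempts in \d+ secs\): user=<(?P<user>[^>]*)>.*?rip=(?P<rip>[\d.:a-fA-F]+)"
)


def parse_failures(log_text):
    """Return (user, source_ip, attempts) for every auth-failed disconnect line."""
    out = []
    for line in log_text.splitlines():
        m = AUTH_FAIL.search(line)
        if m:
            out.append((m.group("user"), m.group("rip"), int(m.group("attempts"))))
    return out


def attempts_per_ip(failures):
    """Failed attempts per source IP: the view a per-IP trigger such as LF_IMAPD sees."""
    c = Counter()
    for _user, rip, n in failures:
        c[rip] += n
    return dict(c)


def sources_per_account(failures):
    """Distinct source IPs per targeted account: the view that exposes a distributed attack."""
    d = defaultdict(set)
    for user, rip, _n in failures:
        d[user].add(rip)
    return {u: sorted(ips) for u, ips in d.items()}


def distributed_targets(failures, min_sources=3):
    """Accounts hit from at least min_sources different IPs (min_sources is an assumed value)."""
    return sorted(u for u, ips in sources_per_account(failures).items() if len(ips) >= min_sources)
```

On the sample data no IP gets anywhere near LF_IMAPD=10, yet alice@example.test is being attacked from four addresses; a per-account view like this is what to check when per-IP blocks stay silent during a load spike.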
If you can, use the country-level blocks to ease the pain. Some of our servers are getting hammered as well with these attacks, for about the past 2 weeks, but I would assume they must be more powerful as we are absorbing them.
I am also new in this. Can I use the above settings with one difference, RESTRICT_SYSLOG=3?
Let's see how it works with RESTRICT_SYSLOG=3. Also, I'm getting a lot of brute-force attacks on CMS sites like Joomla and WordPress, for at least the past 2 weeks too.
Hello :) You may need to consult with a qualified system administrator or your data center for assistance with mitigating the attacks if the basic CSF firewall rules and options are not helping. CSF is helpful, but it won't always prevent any and all attacks. Manual intervention or custom rules are sometimes required. Thank you.