Question about SMTP brute force

Comments

29 comments

  • redesignunit
    You need to check this thread for more security help: cPHulk Brute Force Protection - Documentation - cPanel Documentation
    0
  • Drumrocker365
    You need to check this thread for more security help
    0
  • Infopro
    If you don't have ConfigServer firewall installed, you should.
    0
  • Drumrocker365
    If you don't have ConfigServer firewall installed, you should.

    Hi, I tried to install ConfigServer Firewall several times and it made my VPS dysfunctional. Not even I could connect to it. I had to carefully disable it by using the one way I could get in.
    0
  • Infopro
    The default installation is set to test mode to prevent an issue. It's the very first setting:
    Testing flag - enables a CRON job that clears iptables incase of configuration problems when you start csf. This should be enabled until you are sure that the firewall works - i.e. incase you get locked out of your server! Then do remember to set it to 0 and restart csf when you're sure everything is OK. Stopping csf will remove the line from /etc/crontab
    lfd will not start while this is enabled
    The first thing you need to do after you install it, and before disabling test mode is, add your IP address to the csf.ignore file. You'll find an option/menu to do that on the CSF main page, under this section: lfd - Login Failure Daemon. Your IP should already be in the cPHulk whitelist too, of course.
    0
  • Drumrocker365
    The default installation is set to test mode to prevent an issue. It's the very first setting:
    The first thing you need to do after you install it, and before disabling test mode is, add your IP address to the csf.ignore file. You'll find an option/menu to do that on the CSF main page, under this section: lfd - Login Failure Daemon. Your IP should already be in the cPHulk whitelist too, of course.

    But what good is white listing my IP if other people won't be able to access it either.. Sorry I'm a noob about firewalls and stuff..
    0
  • Infopro
    Please forgive my bluntness here but, it's time to learn how to love your firewall now. Drop everything else you're working on. A normal user shouldn't get blocked. If they do, they've done something that will be logged and you can review the how and why in that log. CSF will also send you email alerts about many things. It will also make your server far more secure than you are right now.
    0
  • Drumrocker365
    Please forgive my bluntness here but, it's time to learn how to love your firewall now. Drop everything else you're working on. A normal user shouldn't get blocked. If they do, they've done something that will be logged and you can review the how and why in that log. CSF will also send you email alerts about many things. It will also make your server far more secure than you are right now.

    Alright, well, I'll try to install and configure again when I can..
    0
  • Drumrocker365
    Please forgive my bluntness here but, it's time to learn how to love your firewall now. Drop everything else you're working on. A normal user shouldn't get blocked. If they do, they've done something that will be logged and you can review the how and why in that log. CSF will also send you email alerts about many things. It will also make your server far more secure than you are right now.

    I installed ConfigServer and white listed my IP. I also read that you need to whitelist 0.0.0.0/0 for it to work. I did that and it seems to be working for me.. I hope it works for everyone else too.
    0
  • Infopro
    Where did you read that? No, don't tell me, just stop reading there. I don't have that in my config on any servers. Once you're sure your own IP is whitelisted in cPHulk and bypassed in CSF config, next, you want to tweak the CSF settings. You'll find a "Profiles" option on the main page with some preconfigured options you can choose from. You can also create a backup there too. Each one is explained a bit, I suggest you choose protection_high. Next you'll want to go thru every single setting in the main config file and read them all closely. They'll make more sense to you than you might think at first. And there's more reading here too:
    0
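The two settings this exchange turns on can be checked from the shell: whether TESTING is still "1", and whether the allow or ignore list holds a catch-all entry such as 0.0.0.0/0, which matches every source address and so leaves the firewall filtering nothing. This is an added example, not part of any poster's reply or of CSF itself; it assumes the standard /etc/csf layout, and the function names and the MIN_PREFIX threshold are hypothetical.

```shell
# Added example, not from the thread. /etc/csf is CSF's standard config
# directory; MIN_PREFIX (default 8) is an assumed threshold for "too broad".

# Print the TESTING value from csf.conf (line format: TESTING = "1").
csf_testing_flag() {
    sed -n 's/^TESTING[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' "$1" 2>/dev/null | head -n 1
}

# Print "file:line: rule" for each entry that covers (nearly) every address.
csf_broad_entries() {
    awk -v min="${MIN_PREFIX:-8}" '{
        line = $0
        sub(/#.*/, "", line)            # drop trailing comment
        gsub(/[ \t\r]/, "", line)       # drop whitespace
        if (line == "") next
        broad = 0
        if (match(line, "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+/[0-9]+")) {
            split(substr(line, RSTART, RLENGTH), part, "/")
            if (part[2] + 0 < min + 0) broad = 1   # IPv4 prefix too short
        }
        if (line ~ "::/0$" || line ~ "::/0[^0-9]") broad = 1   # IPv6 catch-all
        if (broad) printf "%s:%d: %s\n", FILENAME, FNR, line
    }' "$@"
}

# Run both checks on a CSF directory; return 1 if anything needs attention.
csf_audit() {
    dir="${1:-/etc/csf}"; bad=0
    if [ "$(csf_testing_flag "$dir/csf.conf")" = "1" ]; then
        echo "WARN: TESTING=1: cron still clears iptables, lfd will not start"; bad=1
    fi
    for f in "$dir/csf.allow" "$dir/csf.ignore"; do
        [ -f "$f" ] || continue
        hits=$(csf_broad_entries "$f")
        [ -z "$hits" ] || { echo "FAIL: catch-all entry:"; echo "$hits"; bad=1; }
    done
    return "$bad"
}

# Constructed sample files reproducing the thread's 0.0.0.0/0 whitelist entry.
csf_demo() {
    demo=$(mktemp -d)
    printf 'TESTING = "1"\nTESTING_INTERVAL = "5"\n' > "$demo/csf.conf"
    printf '203.0.113.10 # admin\n0.0.0.0/0 # added by mistake\n' > "$demo/csf.allow"
    csf_audit "$demo" && rc=0 || rc=$?
    rm -rf "$demo"; return "$rc"
}

if [ "$#" -gt 0 ]; then csf_audit "$1"; else csf_demo || true; fi
```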
  • Drumrocker365
    Where did you read that? No, don't tell me, just stop reading there. I don't have that in my config on any servers. Once you're sure your own IP is whitelisted in cPHulk and bypassed in CSF config, next, you want to tweak the CSF settings. You'll find a "Profiles" option on the main page with some preconfigured options you can choose from. You can also create a backup there too. Each one is explained a bit, I suggest you choose protection_high. Next you'll want to go thru every single setting in the main config file and read them all closely. They'll make more sense to you than you might think at first. And there's more reading here too:
    0
  • Drumrocker365
    Where did you read that? No, don't tell me, just stop reading there. I don't have that in my config on any servers. Once you're sure your own IP is whitelisted in cPHulk and bypassed in CSF config, next, you want to tweak the CSF settings. You'll find a "Profiles" option on the main page with some preconfigured options you can choose from. You can also create a backup there too. Each one is explained a bit, I suggest you choose protection_high. Next you'll want to go thru every single setting in the main config file and read them all closely. They'll make more sense to you than you might think at first. And there's more reading here too:
    0
  • Infopro
    No. Are you using an off server email address for your server emails? CSF should have fired off an email about getting blocked. What's that email say? Your IP is set, you shouldn't be getting blocked. Anything special about this server setup?
    0
  • Drumrocker365
    No. Are you using an off server email address for your server emails? CSF should have fired off an email about getting blocked. What's that email say? Your IP is set, you shouldn't be getting blocked. Anything special about this server setup?

    No email, simply doesn't work. The email is hosted off server by gmail. There isn't anything out of the ordinary about my VPS setup.
    0
  • Infopro
    Are you still blocked or did you get back in using some other IP address?
    0
  • Drumrocker365
    Are you still blocked or did you get back in using some other IP address?

    I created an emergency shell access session in SolusVM and was able to get into PuTTY and disable CSF. So yes, I am back in. CSF is currently disabled.
    0
  • Infopro
    Go to: WHM » Email » Mail Delivery Reports
    And search for any emails to you from "root@your.server.com", just when you got blocked. When you find any, check to see if they were delivered or not.
    0
  • Drumrocker365
    Go to: WHM » Email » Mail Delivery Reports
    And search for any emails to you from "root@your.server.com", just when you got blocked. When you find any, check to see if they were delivered or not.

    Nothing at all.. just 2 successfully delivered ones from this morning (they told me something about a certain user using too much RAM).
    0
  • Infopro
    That's odd. Who's your VPS provider if I may ask? Is this an older server? On CSF main page, there's an option near bottom to "Test iptables". Can you set test mode to on (so you don't get blocked), enable CSF and run that test to see if it complains about anything? The output should be something like this:
    Testing iptables...
    Testing ip_tables/iptable_filter...OK
    Testing ipt_LOG...OK
    Testing ipt_multiport/xt_multiport...OK
    Testing ipt_REJECT...OK
    Testing ipt_state/xt_state...OK
    Testing ipt_limit/xt_limit...OK
    Testing ipt_recent...OK
    Testing xt_connlimit...OK
    Testing ipt_owner/xt_owner...OK
    Testing iptable_nat/ipt_REDIRECT...OK
    Testing iptable_nat/ipt_DNAT...OK
    RESULT: csf should function on this server
    ...Done.
    You should restart csf after having run this test.
    0
  • Drumrocker365
    That's odd. Who's your VPS provider if I may ask? Is this an older server? On CSF main page, there's an option near bottom to "Test iptables". Can you set test mode to on (so you don't get blocked), enable CSF and run that test to see if it complains about anything? The output should be something like this:
    Testing iptables...
    Testing ip_tables/iptable_filter...OK
    Testing ipt_LOG...OK
    Testing ipt_multiport/xt_multiport...OK
    Testing ipt_REJECT...OK
    Testing ipt_state/xt_state...OK
    Testing ipt_limit/xt_limit...OK
    Testing ipt_recent...OK
    Testing xt_connlimit...OK
    Testing ipt_owner/xt_owner...OK
    Testing iptable_nat/ipt_REDIRECT...OK
    Testing iptable_nat/ipt_DNAT...OK
    RESULT: csf should function on this server
    ...Done.
    You should restart csf after having run this test.

    I get my server at a really good price from SimplexServers (they resell from OVH.com). It's maybe a year old. Test output shows a few issues..
    Testing iptables...
    Testing ip_tables/iptable_filter...OK
    Testing ipt_LOG...OK
    Testing ipt_multiport/xt_multiport...OK
    Testing ipt_REJECT...OK
    Testing ipt_state/xt_state...OK
    Testing ipt_limit/xt_limit...OK
    Testing ipt_recent...OK
    Testing xt_connlimit...FAILED [Error: iptables: No chain/target/match by that name.] - Required for CONNLIMIT feature
    Testing ipt_owner/xt_owner...OK
    Testing iptable_nat/ipt_REDIRECT...FAILED [Error: FATAL: Module ip_tables not found.] - Required for MESSENGER feature
    Testing iptable_nat/ipt_DNAT...FAILED [Error: FATAL: Module ip_tables not found.] - Required for csf.redirect feature
    RESULT: csf will function on this server but some features will not work due to some missing iptables modules [3]
    ...Done.
    You should restart csf after having run this test.
    0
  • Infopro
    You might want to speak with your Hosting Provider about this and explain that you're trying to install CSF. I'd be interested to hear the reply from them.
    0
  • Drumrocker365
    You might want to speak with your Hosting Provider about this and explain that you're trying to install CSF. I'd be interested to hear the reply from them.

    Alright. Will give it a shot. It's technically not "managed," so they may not be any help. I'll see what they say.
    0
  • Drumrocker365
    Here is what my host said: "Christian, Sorry, but neither one of us have any experience with CSF. If you're not able to connect to the server you can connect via a KVM console through the host machine. SolusVM sets this up for you and provides you with all the connection details you need by hitting the "Serial Console" button. (This is the method I used to get back into my server). Sorry we're not able to provide much help with this topic :/" I also noticed now that any sites on my server not using CloudFlare are no longer working and present a DNS error.. Man.. My server is just falling apart :(
    0
  • Infopro
    You disabled CSF yesterday I thought. I'm not sure how it could be affecting any websites.
    0
  • Drumrocker365
    You disabled CSF yesterday I thought. I'm not sure how it could be affecting any websites.

    Yes, I know. That fixed the sites on CloudFlare. I also have DNS issues with sites not on CloudFlare (unrelated to CSF - this has been going on for months now. My sites not on CloudFlare maybe have a 50% uptime..)
    0
  • Drumrocker365
    Yes, I know. That fixed the sites on CloudFlare. I also have DNS issues with sites not on CloudFlare (unrelated to CSF - this has been going on for months now. My sites not on CloudFlare maybe have a 50% uptime..)

    I love the guys who run my host - they are friends of mine and really great guys. However, I don't pay for (and they don't offer) managed hosting. So all of these issues I have are up to me to fix, and I'm definitely not the smartest guy in town when it comes to server administration. I've looked into - Removed - but I really can't afford to pay over what I'm paying now ($35 total with server + cPanel license).
    0
  • Infopro
    Well, it sounds like you've got a few different things going on, considering this thread was started over a compromised email account. You're no worse off with CSF disabled than you were at the start. I can't explain why enabling it blocks you from accessing the server, but we can come back to that. If you've got CloudFlare issues, they've got great support, I use CloudFlare myself. As for your ongoing DNS issues, why not fire up a new thread here on these forums and get those resolved?
    0
  • Drumrocker365
    Well, it sounds like you've got a few different things going on, considering this thread was started over a compromised email account. You're no worse off with CSF disabled than you were at the start. I can't explain why enabling it blocks you from accessing the server, but we can come back to that. If you've got CloudFlare issues, they've got great support, I use CloudFlare myself. As for your ongoing DNS issues, why not fire up a new thread here on these forums and get those resolved?

    Definitely gonna do that. Thanks for all of your help!!
    0
  • Infopro
    I've been no help at all so far. But, here's to hoping that'll change some time soon. ;)
    0
