
Email Brute Force Attempts

Comments

8 comments

  • Andrew

    If you have different users on the server connecting from various locations to check their emails, there is little you can do, as you would cut their access as well. As per the error log, they are simply trying to brute-force email passwords. They could use any of the well-known email software with a custom-made script which connects to random email addresses fetched from a list and tries out different passwords. The only thing you could do is tighten the rules in CPHulk and CSF, hence they will be blocked faster.

    Andrew N. - cPanel Plesk VMWare Certified Professional

    1
  • durangod

    Thanks Andrew, just FYI I am the only user on the server and that will not change. Does that change what I can do for security?

    0
  • cPRex Jurassic Moderator

    Most of the time these tools are just automated bots looking for common email addresses. Things like admin@domain.com or postmaster@domain.com, and they just cycle through their list to see if they can make connections.

    In your case, you could always make the Brute Force settings more strict by changing the failure threshold from 5 to something like 3 or 2, as the tool is working properly and blocking the account.

    1
  • durangod

    Thanks cPRex, yeah I figured CPHULK was doing its job, no problem there. I will adjust it a bit, I appreciate the reply.

    I wonder if the bots are using the PHP mail utility or maybe cURL. I suppose they could probably use just about any server language to do this. The reason I say this is if they are trying to log in on the webmail page (port 2096), this is one reason I wanted to block that page via cPanel from access (remember that post I made a long time ago). At least if I could block that page (port 2096) from access I would know there was no way the bots were using that to try to access the email.

    I believe I did a feature request to add the option to disable that page (port 2096) but I'll have to find it as I don't remember. :) Either that or the ability to change the port to a custom port number.

    0
  • cPRex Jurassic Moderator

    Could you setup Host Access Control to only allow your IP address for Webmail (2096) connections?

    https://docs.cpanel.net/whm/security-center/host-access-control/

    1
  • durangod

    Yep cPRex, already set up. 2096 ACCEPT my IP, and 2096 ALL REJECT in that order. So it's probably not what they are using.

    Now I did notice they are all TCP but I'm pretty sure (I'll check) that I have UDP blocked in CSF.

    Correction: UDP ports 20 for FTP and 53 for DNS are allowed, but I have the FTP feature disabled so that won't matter, and 53 is required by cPanel. So that looks OK.

    It's too bad that the logs or CPHULK do not let us know more access info, but that would not only make the log records huge but also slow down the server and introduce privacy issues. Too bad there are not exceptions to privacy policies that would allow cPanel to grab the hunk of code that tried to access when the limit is reached before the IP is blocked, but that might introduce executable code that we don't want.

    I know there is no perfect solution, everything seems to be working on the cPanel server just as it's designed. I just get to where I want to crack them upside the head for what they try to do lol

    0
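    As an added illustration (not code from the thread or from cPanel), the following models the two controls discussed above: first-match evaluation of the "2096 ACCEPT my IP, then 2096 ALL REJECT" ordering, and how lowering the brute-force failure threshold from 5 to 3 or 2 changes which accounts get blocked. The rule tuple format, the 203.0.113.10 admin address and the failed-login events are constructed assumptions, not cPanel's real syntax or logs.

    ```python
    from collections import Counter
    from ipaddress import ip_address, ip_network

    # Constructed placeholder for the admin's own address (not from the thread).
    MY_IP = "203.0.113.10"

    # Rules in the order durangod described: allow my IP first, then reject everyone.
    # Tuple layout (service, client pattern, action) is an assumed simplification.
    RULES_OK = [("2096", MY_IP, "ACCEPT"), ("2096", "ALL", "REJECT")]
    # Same two rules reversed: the blanket REJECT now matches before the ACCEPT.
    RULES_REVERSED = [("2096", "ALL", "REJECT"), ("2096", MY_IP, "ACCEPT")]


    def _matches(pattern, client):
        """True if a client address matches a rule pattern (ALL, CIDR, or single IP)."""
        if pattern == "ALL":
            return True
        if "/" in pattern:
            return ip_address(client) in ip_network(pattern, strict=False)
        return ip_address(client) == ip_address(pattern)


    def decide(rules, service, client, default="ACCEPT"):
        """First matching rule wins; services with no rule fall through to default."""
        for svc, pattern, action in rules:
            if svc == service and _matches(pattern, client):
                return action
        return default


    # Constructed failed-login events (account, source IP), the kind a brute-force
    # counter tallies. Four failures against admin@, two against postmaster@.
    FAILURES = [("admin@example.com", "198.51.100.7")] * 4 + [
        ("postmaster@example.com", "198.51.100.7")
    ] * 2


    def accounts_to_block(failures, threshold):
        """Accounts whose failure count reached the configured threshold."""
        counts = Counter(acct for acct, _ in failures)
        return sorted(acct for acct, n in counts.items() if n >= threshold)


    if __name__ == "__main__":
        print(decide(RULES_OK, "2096", MY_IP), decide(RULES_OK, "2096", "198.51.100.7"))
        print(decide(RULES_REVERSED, "2096", MY_IP))  # admin locked out by wrong order
        for t in (5, 3, 2):
            print(t, accounts_to_block(FAILURES, t))
    ```

    Note that with no rule for service "110", the POP3 port stays reachable to everyone under both rule sets, which is why those attempts still show up in the logs.
    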
  • quietFinn

    @durangod
    in your 1st post:
    > Local Port:    110
    That's POP3 port, and if the port is open you will see that in the logs.
    It's normal, and if all email accounts have strong passwords they are not getting anywhere.
    1
  • durangod

    quietFinn

    Thanks appreciate that :)

    0
