Email Brute Force Attempts
Hello, I have read the related topics on this, but they do not answer my specific question.
I do have CPHULK enabled and I also use the CSF firewall. My question is: how are these people actually doing this? Unless I understand how they actually do this, literally on the screen using whatever software, then I have no clue how to stop it. So what are they doing to attempt this, exactly (if you know)?
Here is an example:
Brute Force attempt against “example.example.com”.
A device at the “79.110.62.20” IP address has made a large number of invalid login attempts against the account “example.example.com”. This brute force attempt has exceeded the maximum number of failed login attempts that the system allows. For security purposes, the system has temporarily blocked this IP address in order to prevent further attempts.
Service: dovecot
Local IP Address: (my server ip)
Local Port: 110
Remote IP Address: 79.110.62.20
Remote Port: 52214
Authentication Database: mail
Username: example.example.com
Number of authentication failures: 14
Maximum number allowed: 5
Are they using something like FTP or similar to attempt to gain access? Is there a Dovecot utility they use? How do they attempt this?
I would like to be able to block these without having to wait for CPHULK; also, some of these email accounts don't exist.
I did make an attempt at one time to limit email access to only my dedicated IP from my local provider, but that did not work; it ended up blocking the server's own attempts to access email.
Thanks
If you have different users on the server connecting from various locations to check their email, there is little you can do, as you would cut their access as well. As per the error log, they are simply trying to brute-force email passwords. They could use any of the well-known email programs with a custom-made script that connects to random email addresses fetched from a list and tries out different passwords. The only thing you could do is tighten the rules in CPHulk and CSF so they will be blocked faster.
Andrew N. - cPanel Plesk VMWare Certified Professional
Thanks Andrew, just FYI I am the only user on the server and that will not change. Does that change what I can do for security?
Most of the time these tools are just automated bots looking for common email addresses. Things like admin@domain.com or postmaster@domain.com, and they just cycle through their list to see if they can make connections.
In your case, you could always make the Brute Force settings more strict by changing the failure threshold from 5 to something like 3 or 2, as the tool is working properly and blocking the account.
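Added example, not from this thread and not cPanel's or cPHulk's own code: a small Python script that reads Dovecot login-failure lines of the kind written to the mail log, sums failures per remote IP the way a per-IP brute-force counter does, shows which IPs would be blocked at the default threshold of 5 versus a stricter 2 or 3, and lists the guessed usernames that do not exist on the server (the "common address list" pattern cPRex describes). The log lines, the account list, and every IP other than the one quoted in the first post are constructed for the example; the line format follows Dovecot's "Disconnected (auth failed, N attempts in M secs)" message.

```python
import re
from collections import Counter

# Constructed sample lines modelled on Dovecot's login-failure message format
# (not taken from the poster's server). IPs other than the one quoted in the
# thread are RFC 5737 documentation addresses.
SAMPLE_LOG = """\
Mar  3 10:01:12 host dovecot: pop3-login: Disconnected (auth failed, 2 attempts in 5 secs): user=<example.example.com>, method=PLAIN, rip=79.110.62.20, lip=192.0.2.10, session=<s1>
Mar  3 10:01:20 host dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 3 secs): user=<admin@example.com>, method=PLAIN, rip=79.110.62.20, lip=192.0.2.10, session=<s2>
Mar  3 10:01:31 host dovecot: pop3-login: Disconnected (auth failed, 3 attempts in 8 secs): user=<postmaster@example.com>, method=PLAIN, rip=79.110.62.20, lip=192.0.2.10, session=<s3>
Mar  3 10:02:02 host dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<admin@example.com>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.10, session=<s4>
Mar  3 10:02:09 host dovecot: imap-login: Disconnected (auth failed, 2 attempts in 6 secs): user=<postmaster@example.com>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.10, session=<s5>
Mar  3 10:05:44 host dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 4 secs): user=<bob@example.com>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10, session=<s6>
Mar  3 10:05:50 host dovecot: pop3-login: Login: user=<bob@example.com>, method=PLAIN, rip=203.0.113.5, lip=192.0.2.10, mpid=4242, session=<s7>
"""

# Accounts that actually exist on the server (constructed for this example).
VALID_USERS = {"example.example.com", "bob@example.com"}

# Matches only the failure lines; the successful "Login:" line is ignored.
FAIL_RE = re.compile(
    r"dovecot: (?P<svc>pop3|imap)-login: Disconnected "
    r"\(auth failed, (?P<n>\d+) attempts in \d+ secs\): "
    r"user=<(?P<user>[^>]*)>.*?\brip=(?P<rip>[0-9a-fA-F.:]+)"
)


def parse_failures(log_text):
    """Return one dict per failed-login line: service, user, remote IP, attempt count."""
    records = []
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            records.append({"service": m["svc"], "user": m["user"],
                            "rip": m["rip"], "attempts": int(m["n"])})
    return records


def failures_by_ip(records):
    """Sum failed attempts per remote IP (rip), like a per-IP brute-force counter."""
    counts = Counter()
    for r in records:
        counts[r["rip"]] += r["attempts"]
    return counts


def over_threshold(by_ip, max_allowed):
    """IPs whose failures exceed the allowed maximum, worst offender first."""
    return [ip for ip, n in by_ip.most_common() if n > max_allowed]


def unknown_users(records, valid_users):
    """Usernames tried that do not exist on the server: a sign of list-driven guessing."""
    return {r["user"] for r in records if r["user"] not in valid_users}


if __name__ == "__main__":
    recs = parse_failures(SAMPLE_LOG)
    by_ip = failures_by_ip(recs)
    for limit in (5, 3):
        print(f"max allowed {limit}: would block {over_threshold(by_ip, limit)}")
    print("non-existent accounts tried:", sorted(unknown_users(recs, VALID_USERS)))
```

Run it against a copy of the real mail log to see how much earlier a lower threshold would have blocked a given source, and which addresses being guessed are not real accounts; the constructed data is only there so the script runs offline.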
Thanks cPRex, yeah, I figured CPHULK was doing its job, no problem there. I will adjust it a bit; I appreciate the reply.
I wonder if the bots are using the PHP mail utility or maybe cURL. I suppose they could probably use just about any server language to do this. The reason I say this is, if they are trying to log in on the webmail page (port 2096), this is one reason I wanted to block that page via cPanel from access (remember that post I made a long time ago). At least if I could block that page (port 2096) from access, I would know there was no way the bots were using that to try to access the email.
I believe I did a feature request to add the option to disable that page (port 2096), but I'll have to find it as I don't remember. :) Either that or the ability to change the port to a custom port number.
Could you setup Host Access Control to only allow your IP address for Webmail (2096) connections?
https://docs.cpanel.net/whm/security-center/host-access-control/
Yep cPRex, already set up: 2096 ACCEPT my IP, and 2096 ALL REJECT, in that order. So it's probably not what they are using.
Now I did notice they are all TCP, but I'm pretty sure (I'll check) that I have UDP blocked in CSF.
Correction: UDP ports 20 for FTP and 53 for DNS are allowed, but I have the FTP feature disabled, so that won't matter, and 53 is required by cPanel. So that looks OK.
It's too bad that the logs or CPHULK don't let us know more access info, but that would not only make the log records huge but also slow down the server and introduce privacy issues. Too bad there are no exceptions to privacy policies that would allow cPanel to grab the hunk of code that tried to access when the limit is reached, before the IP is blocked, but that might introduce executable code that we don't want.
I know there is no perfect solution; everything seems to be working on the cPanel server just as it's designed. I just get to where I want to crack them upside the head for what they try to do, lol.
@durangod
in your 1st post:
> Local Port: 110
That's the POP3 port, and if the port is open you will see that in the logs.
It's normal, and if all email accounts have strong passwords they are not getting anywhere.
Thanks appreciate that :)