Control Web Panel
Security => CSF Firewall => Topic started by: cloud on May 16, 2021, 12:08:39 PM
-
For the past 4-5 days my server has been targeted by a hacker; every one to three seconds my LFD alerts us with messages like the ones below. In a day we are getting more than 500 failed POP3 login attempts from different IP addresses and different countries.
So we stopped the Dovecot IMAP/POP3 Server service for a day, but that did not resolve anything: whenever we turn the service back on, the attempts start again.
Does anyone have a solution to protect the server?
Log entries:
May 16 17:15:59 pop3-login: Info: Disconnected (auth failed, 1 attempts in 2 secs): user=<info@hosteddomain.com>, method=PLAIN, rip=5.95.195.241, lip= ip removed, session=<Y6QyBXHCFcEFX8Px>
May 16 17:15:37 pop3-login: Info: Disconnected (auth failed, 1 attempts in 2 secs): user=<info@hosteddomain.in>, method=PLAIN, rip=83.110.207.34, lip=ip removed, session=<4f/kA3HCd+BTbs8i>
May 16 17:15:07 pop3-login: Info: Disconnected (auth failed, 1 attempts in 2 secs): user=<info@hosteddomain.com>, method=PLAIN, rip=157.32.0.107, lip=ip removed, session=<JMMXAnHCo9+dIABr>
etc. See the screenshots for more logs:
(https://i.ibb.co/2v8fndc/Screenshot-1.png)
(https://i.ibb.co/F5dbqwd/Screenshot-2.png)
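As an added example (not from the original post, and not CWP or CSF code), here is the aggregation a practitioner would run over Dovecot lines like the ones above. LFD's per-IP POP3/IMAP trigger counts failures per source address, so a botnet that sends one attempt per IP, which is exactly what the posted lines show ("1 attempts in 2 secs" from a different rip each time), never reaches that threshold. Counting distinct source IPs per targeted mailbox instead makes the pattern visible and yields the IP list you would feed to csf.deny. The sample log is constructed: the first three lines are the ones posted above with the redacted local IP replaced by a documentation address, the remaining lines are invented and use TEST-NET addresses.

```shell
#!/bin/sh
# Added example (not CWP/CSF code): spot distributed POP3/IMAP password
# guessing in Dovecot logs by counting distinct source IPs per mailbox.
# On a live server:  auth_fail_summary < /var/log/maillog
#                    attacking_ips info@hosteddomain.com < /var/log/maillog

# Constructed sample: the three lines from the post (lip replaced by a
# documentation address) plus invented lines using TEST-NET ranges.
SAMPLE_LOG='May 16 17:15:59 pop3-login: Info: Disconnected (auth failed, 1 attempts in 2 secs): user=<info@hosteddomain.com>, method=PLAIN, rip=5.95.195.241, lip=198.51.100.10, session=<Y6QyBXHCFcEFX8Px>
May 16 17:15:37 pop3-login: Info: Disconnected (auth failed, 1 attempts in 2 secs): user=<info@hosteddomain.in>, method=PLAIN, rip=83.110.207.34, lip=198.51.100.10, session=<4f/kA3HCd+BTbs8i>
May 16 17:15:07 pop3-login: Info: Disconnected (auth failed, 1 attempts in 2 secs): user=<info@hosteddomain.com>, method=PLAIN, rip=157.32.0.107, lip=198.51.100.10, session=<JMMXAnHCo9+dIABr>
May 16 17:14:41 imap-login: Info: Disconnected (auth failed, 1 attempts in 3 secs): user=<info@hosteddomain.com>, method=PLAIN, rip=203.0.113.7, lip=198.51.100.10, session=<invented0000001>
May 16 17:14:20 pop3-login: Info: Disconnected (auth failed, 1 attempts in 2 secs): user=<info@hosteddomain.com>, method=PLAIN, rip=157.32.0.107, lip=198.51.100.10, session=<invented0000002>
May 16 17:14:05 pop3-login: Info: Login: user=<bob@hosteddomain.com>, method=PLAIN, rip=192.0.2.9, lip=198.51.100.10, mpid=4242, session=<invented0000003>'

# Emit "user rip" for every failed-auth line on stdin (pop3-login and imap-login).
# Successful logins and unrelated lines are dropped.
auth_fail_pairs() {
    awk '
        /-login: Info: Disconnected \(auth failed/ {
            user = ""; rip = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^user=</) { user = $i; sub(/^user=</, "", user); sub(/>,?$/, "", user) }
                if ($i ~ /^rip=/)   { rip = $i;  sub(/^rip=/, "", rip);   sub(/,$/, "", rip) }
            }
            if (user != "" && rip != "") print user, rip
        }'
}

# One line per mailbox: "<distinct source IPs> <mailbox>", busiest first.
# Many IPs with one failure each against one mailbox is the distributed
# pattern that a per-IP trigger (LF_POP3D / LF_IMAPD) cannot see.
auth_fail_summary() {
    auth_fail_pairs | sort -u | awk '{ n[$1]++ } END { for (u in n) print n[u], u }' | sort -rn
}

# Distinct source IPs that failed against one mailbox, one per line:
# suitable as input for `csf -d <ip> "<comment>"` or a csf.deny review.
attacking_ips() {
    auth_fail_pairs | awk -v target="$1" '$1 == target { print $2 }' | sort -u
}

# Number of distinct attacking IPs for one mailbox.
distinct_ips_for() {
    attacking_ips "$1" | wc -l | tr -d ' '
}

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | auth_fail_summary
printf '%s\n' "$SAMPLE_LOG" | attacking_ips info@hosteddomain.com
```

On the sample this reports three distinct sources against info@hosteddomain.com (the repeated 157.32.0.107 is counted once) and one against info@hosteddomain.in. CSF has a built-in setting for this case, LF_DISTATTACK with LF_DISTATTACK_UNIQ in csf.conf, which blocks all IPs involved in a distributed attack on one account; the script shows what that option is looking for and lets you run the same check over old logs after the fact.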
-
I am having the same issues; I hope we find a solution soon.
-
Go into your CSF Main Config file: /etc/csf/csf.conf
You can also access this under Firewall Manager -> Configuration -> Main Configuration.
1. Search for tcp_in
2. Remove the SSH port 22 and the custom one if you have set one up (you need to have your IP address in the whitelist so you can still connect via SSH).
3. Search for cc_deny
4. By default no country codes are blocked, so you will only see CC_DENY = ""
5. Enter the 2-digit country codes you want CSF to block between the quotation marks.
6. Click on "Save Changes"
7. Back under Firewall Manager, select Restart -> Force restart all
Now CSF will block and drop any access coming from those countries.
The other way would be to go to arin.net, look up the upstream IP block, and block that.
But that only works if the attackers are coming from one specific IP group.
Steps 1 & 2 should always be done, unless you allow user shell access for some reason.
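The same procedure as a script, added here as an example (not CWP's or CSF's own code). It edits the two csf.conf settings named in the steps above and refuses to drop the SSH port unless the admin address is already present in csf.allow, which is the lock-out check worth automating. It runs against a constructed copy of csf.conf so it can be tried without touching a live server; the file paths, the admin address and the country codes are placeholders. On a real server the last step is `csf -ra` (the CLI equivalent of Restart -> Force restart all).

```shell
#!/bin/sh
# Added example (not CWP/CSF code): apply the two csf.conf changes from the
# steps above with a lock-out guard. Placeholders: file paths, the admin IP
# and the country codes. On a live server csf.conf is /etc/csf/csf.conf,
# csf.allow is /etc/csf/csf.allow, and you finish with `csf -ra`.

# Read the value of a `KEY = "value"` line from a csf.conf-style file.
get_setting() {
    sed -n "s/^$2 = \"\(.*\)\"[[:space:]]*$/\1/p" "$1"
}

# Rewrite the `KEY = "..."` line in place, leaving every other line untouched.
set_setting() {
    awk -v k="$2" -v v="$3" '
        index($0, k " = \"") == 1 { print k " = \"" v "\""; next }
        { print }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Drop one port from a comma-separated port list ("20,21,22" -> "20,21").
# Whole-line match, so removing 22 does not touch 2030 or 2031.
remove_port() {
    printf '%s' "$1" | tr ',' '\n' | grep -vx "$2" | paste -sd, -
}

# True if the admin address appears in csf.allow (plain "ip # comment" lines
# or advanced "tcp|in|d=22|s=ip" lines), ignoring comment lines.
admin_whitelisted() {
    grep -v '^[[:space:]]*#' "$1" | grep -Fqw "$2"
}

# harden_csf_conf CONF ALLOW ADMIN_IP CC_CODES SSH_PORT
# Step 2 (remove the SSH port from TCP_IN) is only safe once the admin IP is
# in csf.allow, so the function refuses to touch the config otherwise.
harden_csf_conf() {
    conf=$1; allow=$2; admin_ip=$3; cc=$4; ssh_port=$5
    if ! admin_whitelisted "$allow" "$admin_ip"; then
        echo "refusing: $admin_ip is not in $allow; add it first (csf -a $admin_ip)" >&2
        return 1
    fi
    tcp_in=$(get_setting "$conf" TCP_IN)
    set_setting "$conf" TCP_IN "$(remove_port "$tcp_in" "$ssh_port")"
    set_setting "$conf" CC_DENY "$cc"
}

# Constructed csf.conf fragment (the real file has hundreds of other
# settings, which set_setting leaves alone). Returns the temp file path.
make_sample_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# Allow incoming TCP ports
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,2030,2031"
# Allow outgoing TCP ports
TCP_OUT = "20,21,22,25,53,80,110,113,443,587,993,995"
CC_DENY = ""
CC_ALLOW = ""
EOF
    echo "$f"
}

# Demonstration: the guard blocks the edit, then passes once the admin IP
# (placeholder 203.0.113.5) is whitelisted. "CN,RU" is a placeholder list.
conf=$(make_sample_conf); allow=$(mktemp)
harden_csf_conf "$conf" "$allow" 203.0.113.5 "CN,RU" 22 || echo "guard worked"
echo "203.0.113.5 # admin workstation (placeholder)" >> "$allow"
harden_csf_conf "$conf" "$allow" 203.0.113.5 "CN,RU" 22 && grep -E '^(TCP_IN|CC_DENY)' "$conf"
rm -f "$conf" "$allow"
```

After the second call TCP_IN no longer contains 22 and CC_DENY carries the placeholder codes, while TCP_OUT and every comment line are unchanged. Note that with the port gone from TCP_IN, SSH is reachable only from addresses in csf.allow, which is what step 2 intends.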
-
We asked CWP support; they don't have any resolution for this issue, and they are even promoting their paid support.
We could take paid support from them, as the CWP update log and all other things are perfect, but even after using this
CWP panel for more than two years I have not seen any professionalism from CWP. The current situation is very dangerous, and we are looking
for a solution to this hacking attempt, but they are not thinking about or considering it.
Yesterday I installed and activated KernelCare by cloudlinux.com, but it also did not resolve our issue. Finally we closed
the pop3d port, even stopping the Dovecot IMAP/POP3 Server; we thought this was good so the users would not face any mail issue,
but they are not able to use any desktop email client. After that we also started getting another type of attack; the log is added below.
========== LOG ===============
Firewall message :
172.65.32.248 (US/United States/-) blocked with too many connections
Connections Log:
My server IP and the port they are trying
tcp: 172.65.32.248:443 -> 173.XXX.XXX.X:55368 (TIME_WAIT)
tcp: 172.65.32.248:443 -> 173.XXX.XXX.X:55336 (TIME_WAIT)
tcp: 172.65.32.248:443 -> 173.XXX.XXX.X:55362 (TIME_WAIT)
tcp: 172.65.32.248:443 -> 173.XXX.XXX.X:55330 (TIME_WAIT)
tcp: 172.65.32.248:443 -> 173.XXX.XXX.X:55350 (TIME_WAIT)
tcp: 172.65.32.248:443 -> 173.XXX.XXX.X:55352 (TIME_WAIT)
tcp: 172.65.32.248:443 -> 173.XXX.XXX.X:55334 (TIME_WAIT)
tcp: 172.65.32.248:443 -> 173.XXX.XXX.X:55346 (TIME_WAIT)
tcp: 172.65.32.248:443 -> 173.XXX.XXX.X:55354 (TIME_WAIT)
tcp: 172.65.32.248:443 -> 173.XXX.XXX.X:55370 (TIME_WAIT)
tcp: 172.65.32.248:443 -> 173.XXX.XXX.X:55372 (TIME_WAIT)
tcp: 172.65.32.248:443 -> 173.XXX.XXX.X:55412 (ESTABLISHED)
tcp: 172.65.32.248:443 -> 173.XXX.XXX.X:55374 (TIME_WAIT)
tcp: 172.65.32.248:443 -> 173.XXX.XXX.X:55398 (TIME_WAIT)
tcp: 172.65.32.248:443 -> 173.XXX.XXX.X:55358 (TIME_WAIT)
tcp: 172.65.32.248:443 -> 173.XXX.XXX.X:55356 (TIME_WAIT)
tcp: 172.65.32.248:443 -> 173.XXX.XXX.X:55338 (TIME_WAIT)
-
CSF should be blocking that IP 172.65.32.248. Check to make sure you see that entry.
If not, create a blacklist entry for 172.65.32.248 or 172.65.32.0/24.
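An added check (example code, not from the thread and not CSF's own) for reading a Connection Tracking alert like the one above before anything gets blacklisted. lfd prints each connection-log entry as remote address:port -> local address:port, and in the alert above the remote side is always port 443 while the local side is an ephemeral port (55330-55412), so these are HTTPS connections the server itself opened; TIME_WAIT is the state the closing side of a finished TCP connection sits in. That points at the server's own outbound traffic (update checks, API calls, a CDN-fronted service), not an inbound attack, so the first steps are a whois lookup on the remote address and `ss -tnp` to see which local process owns the ESTABLISHED one, before blocking an address or a /24 the server may depend on. The sample is constructed: the remote address, ports and states are the ones in the post, the redacted local address is replaced by a documentation address, and a second, invented sample shows what a genuinely inbound alert looks like.

```shell
#!/bin/sh
# Added example (not CSF code): triage an lfd Connection Tracking alert by
# working out who opened the connections before anything is blacklisted.
# lfd prints each entry as  proto: REMOTE:port -> LOCAL:port (STATE).
# IPv4 only: the address/port split below is on the last ":".

# Constructed sample 1: remote address, ports and states from the post above,
# the redacted local address replaced by a documentation address.
CT_LOG='tcp: 172.65.32.248:443 -> 198.51.100.7:55368 (TIME_WAIT)
tcp: 172.65.32.248:443 -> 198.51.100.7:55336 (TIME_WAIT)
tcp: 172.65.32.248:443 -> 198.51.100.7:55362 (TIME_WAIT)
tcp: 172.65.32.248:443 -> 198.51.100.7:55330 (TIME_WAIT)
tcp: 172.65.32.248:443 -> 198.51.100.7:55350 (TIME_WAIT)
tcp: 172.65.32.248:443 -> 198.51.100.7:55352 (TIME_WAIT)
tcp: 172.65.32.248:443 -> 198.51.100.7:55334 (TIME_WAIT)
tcp: 172.65.32.248:443 -> 198.51.100.7:55346 (TIME_WAIT)
tcp: 172.65.32.248:443 -> 198.51.100.7:55354 (TIME_WAIT)
tcp: 172.65.32.248:443 -> 198.51.100.7:55370 (TIME_WAIT)
tcp: 172.65.32.248:443 -> 198.51.100.7:55372 (TIME_WAIT)
tcp: 172.65.32.248:443 -> 198.51.100.7:55412 (ESTABLISHED)
tcp: 172.65.32.248:443 -> 198.51.100.7:55374 (TIME_WAIT)
tcp: 172.65.32.248:443 -> 198.51.100.7:55398 (TIME_WAIT)
tcp: 172.65.32.248:443 -> 198.51.100.7:55358 (TIME_WAIT)
tcp: 172.65.32.248:443 -> 198.51.100.7:55356 (TIME_WAIT)
tcp: 172.65.32.248:443 -> 198.51.100.7:55338 (TIME_WAIT)'

# Constructed sample 2 (invented, TEST-NET address): a peer hammering the
# local POP3 port, which is what an inbound alert looks like.
CT_LOG_INBOUND='tcp: 203.0.113.9:51234 -> 198.51.100.7:110 (ESTABLISHED)
tcp: 203.0.113.9:51240 -> 198.51.100.7:110 (SYN_RECV)
tcp: 203.0.113.9:51251 -> 198.51.100.7:110 (ESTABLISHED)'

# Print "count STATE" per TCP state, most frequent first. Many TIME_WAIT
# entries against one peer are short-lived connections that already closed.
ct_state_counts() {
    awk '$1 ~ /^(tcp|udp):$/ && $3 == "->" { s = $5; gsub(/[()]/, "", s); c[s]++ }
         END { for (k in c) print c[k], k }' | sort -rn
}

# Distinct remote addresses in the alert, one per line: feed these to whois.
ct_remote_ips() {
    awk '$1 ~ /^(tcp|udp):$/ && $3 == "->" { split($2, a, ":"); print a[1] }' | sort -u
}

# Classify who initiated the connections. Linux hands clients ports from the
# ephemeral range (32768-60999 by default) while services listen on fixed
# low ports, so:
#   remote port < 1024 and local port ephemeral  -> this server connected OUT
#   local port < 1024 and remote port ephemeral  -> the peer connected IN
# Prints outbound, inbound, mixed or none.
ct_direction() {
    awk '$1 ~ /^(tcp|udp):$/ && $3 == "->" {
            n++
            nr = split($2, r, ":"); nl = split($4, l, ":")
            rport = r[nr] + 0; lport = l[nl] + 0
            if (rport < 1024 && lport >= 32768) outb++
            else if (lport < 1024 && rport >= 32768) inb++
         }
         END {
            if (n == 0) print "none"
            else if (outb == n) print "outbound"
            else if (inb == n) print "inbound"
            else print "mixed"
         }'
}

# Demonstration on the constructed alerts.
printf '%s\n' "$CT_LOG" | ct_state_counts
printf '%s\n' "$CT_LOG" | ct_direction
printf '%s\n' "$CT_LOG_INBOUND" | ct_direction
# Next steps on the real server (not run here):
#   whois $(printf '%s\n' "$CT_LOG" | ct_remote_ips)      # who owns the block?
#   ss -tnp state established '( dport = :443 )'          # which local process?
```

For the posted alert this prints 16 TIME_WAIT and 1 ESTABLISHED and classifies the set as outbound; the invented second sample classifies as inbound. An outbound verdict means the CT limit was tripped by something running on the server (the process `ss -tnp` names), and blacklisting the peer would break that client rather than stop an attacker.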