Author Topic: Targeted attack on pop3d, SSH, IMAP ports: more than 500 IPs are being blocked a day  (Read 4862 times)


For the past 4-5 days my server has been targeted by a hacker; with only a one- to three-second gap between them, my LFD is alerting us with messages like the one below. In a day we are getting more than 500 failed pop3 login attempts from different IP addresses and different countries.

So we stopped the Dovecot IMAP/POP3 Server service for a day, but that did not give any resolution: whenever we turn the service on, the attempts start again.

Does anyone have a solution to protect the server?

Log entries:

May 16 17:15:59 pop3-login: Info: Disconnected (auth failed, 1 attempts in 2 secs): user=<info@hosteddomain.com>, method=PLAIN, rip=5.95.195.241, lip= ip removed, session=<Y6QyBXHCFcEFX8Px>

May 16 17:15:37 pop3-login: Info: Disconnected (auth failed, 1 attempts in 2 secs): user=<info@hosteddomain.in>, method=PLAIN, rip=83.110.207.34, lip=ip removed, session=<4f/kA3HCd+BTbs8i>

May 16 17:15:07 pop3-login: Info: Disconnected (auth failed, 1 attempts in 2 secs): user=<info@hosteddomain.com>, method=PLAIN, rip=157.32.0.107, lip=ip removed, session=<JMMXAnHCo9+dIABr>

etc. See the screenshot for more logs.
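The pattern in these lines (one failed attempt per remote IP, many IPs, the same few mailbox names) is exactly what a per-IP failure threshold such as LFD's does not catch: no single IP ever reaches the trigger count. The following shell function, added here as an example and not part of the original post, aggregates Dovecot pop3/imap-login failures per user across distinct remote IPs, so a distributed guessing campaign against one mailbox stands out. The sample log lines are constructed (documentation IP ranges, example domains); on a server you would feed it the real mail log (path is an assumption, e.g. `/var/log/maillog` on CentOS).

```shell
#!/bin/sh
# Constructed sample in the same format as the Dovecot lines quoted above
# (addresses and domains are made up for this example).
SAMPLE_LOG='May 16 17:15:59 pop3-login: Info: Disconnected (auth failed, 1 attempts in 2 secs): user=<info@example.com>, method=PLAIN, rip=192.0.2.10, lip=203.0.113.5, session=<a1>
May 16 17:15:37 pop3-login: Info: Disconnected (auth failed, 1 attempts in 2 secs): user=<info@example.in>, method=PLAIN, rip=192.0.2.11, lip=203.0.113.5, session=<a2>
May 16 17:15:07 pop3-login: Info: Disconnected (auth failed, 1 attempts in 2 secs): user=<info@example.com>, method=PLAIN, rip=198.51.100.7, lip=203.0.113.5, session=<a3>
May 16 17:14:50 pop3-login: Info: Disconnected (auth failed, 1 attempts in 2 secs): user=<info@example.com>, method=PLAIN, rip=198.51.100.8, lip=203.0.113.5, session=<a4>
May 16 17:14:40 pop3-login: Info: Disconnected (auth failed, 1 attempts in 2 secs): user=<info@example.com>, method=PLAIN, rip=192.0.2.10, lip=203.0.113.5, session=<a5>
May 16 17:14:30 pop3-login: Info: Logged in: user=<bob@example.com>, method=PLAIN, rip=192.0.2.50, lip=203.0.113.5'

# distributed_failures MIN_IPS < logfile
# Prints "user distinct_ips total_failures" for every user whose auth
# failures came from at least MIN_IPS distinct remote IPs (rip=),
# most widely distributed first. Successful logins are ignored.
distributed_failures() {
  min_ips="${1:-3}"
  awk -v min="$min_ips" '
    /(pop3|imap)-login/ && /auth failed/ {
      user = ""; rip = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^user=</) { user = $i; sub(/^user=</, "", user); sub(/>,?$/, "", user) }
        if ($i ~ /^rip=/)   { rip = $i;  sub(/^rip=/, "", rip);   sub(/,$/, "", rip) }
      }
      if (user == "" || rip == "") next
      total[user]++
      # count each (user, ip) pair once so repeats from one IP do not inflate the IP count
      if (!((user SUBSEP rip) in seen)) { seen[user SUBSEP rip] = 1; ips[user]++ }
    }
    END {
      for (u in total) if (ips[u] >= min) printf "%s %d %d\n", u, ips[u], total[u]
    }' | sort -k2,2nr
}

# Example run on the constructed sample (real use: distributed_failures 5 < /var/log/maillog)
printf '%s\n' "$SAMPLE_LOG" | distributed_failures 3
```

Users listed here are candidates for a forced password reset or a temporary per-account lock, which addresses the target of the campaign rather than chasing 500 source IPs a day.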




I am having the same issues; I hope we find a solution soon.
Feel free to reach me.

Go into your CSF main config file: /etc/csf/csf.conf

You can access this also under Firewall Manager -> Configuration -> Main Configuration

1. Search for TCP_IN
2. Remove the SSH port 22 and the custom one if you have set one up (you need to have your IP address in the whitelist so you can still connect via SSH)
3. Search for CC_DENY
4. By default no country codes are blocked, so you will only see CC_DENY = ""
5. Enter the 2-digit country codes you want CSF to block between the quotation marks
6. Click on "Save Changes"
7. Back under Firewall Manager, select Restart -> Force restart all

Now CSF will block and drop any access coming from those countries.

The other way would be to go to arin.net, look up the upstream IP block, and block that.
But that only works if the attackers are coming from one specific IP group.

Steps 1 & 2 should always be done, unless you allow user shell access for some reason.
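The same edits done from a shell instead of the Firewall Manager, as an added example that is not part of the post above: one function removes a port from TCP_IN only (leaving TCP_OUT and ports such as 2030/2031 untouched, which a naive text substitution of "22" would corrupt) and refuses to run unless the admin IP is already in the allow list, which is the lockout the poster warns about; a second sets CC_DENY. The csf.conf and csf.allow contents are constructed stand-ins; on a real server point CONF and ALLOW at /etc/csf/csf.conf and /etc/csf/csf.allow and reload with `csf -r`. The country codes are placeholders, not a recommendation.

```shell
#!/bin/sh
# Constructed fragment standing in for /etc/csf/csf.conf (values made up for the example).
make_sample_conf() {
  cat > "$1" <<'EOF'
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,2030,2031"
TCP_OUT = "20,21,22,25,53,80,110,113,443,587,993,995"
CC_DENY = ""
EOF
}

# get_value CONF KEY: print the quoted value of KEY (empty if the key is absent)
get_value() { sed -n "s/^$2 = \"\(.*\)\"/\1/p" "$1"; }

# allow_listed ALLOWFILE IP: true if IP already has an entry (csf.allow format: IP [# comment])
allow_listed() { grep -qsE "^$2([[:space:]]|#|$)" "$1"; }

# remove_tcp_in_port CONF PORT ALLOWFILE ADMIN_IP
# Drops PORT from the TCP_IN list only. Refuses when ADMIN_IP is not in the
# allow list, because closing the SSH port without it locks you out.
remove_tcp_in_port() {
  conf="$1"; port="$2"; allow="$3"; admin="$4"
  if ! allow_listed "$allow" "$admin"; then
    echo "refusing: $admin is not in $allow; add it before closing port $port" >&2
    return 1
  fi
  awk -v p="$port" -F'"' 'BEGIN { OFS = "\"" }
    /^TCP_IN = / {
      n = split($2, a, ","); out = ""
      for (i = 1; i <= n; i++) if (a[i] != p) out = out (out == "" ? "" : ",") a[i]
      $2 = out            # exact match per list item, so 22 does not touch 2030/2031
    }
    { print }' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# set_cc_deny CONF CODES: set CC_DENY to a comma-separated list of 2-letter codes
set_cc_deny() {
  sed "s/^CC_DENY = .*/CC_DENY = \"$2\"/" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Demo on the constructed files; afterwards on a real host: csf -r
CONF="$(mktemp)"; ALLOW="$(mktemp)"
make_sample_conf "$CONF"
echo "198.51.100.9 # admin workstation (constructed)" >> "$ALLOW"
remove_tcp_in_port "$CONF" 22 "$ALLOW" 198.51.100.9 && set_cc_deny "$CONF" "AA,BB"
cat "$CONF"; rm -f "$CONF" "$ALLOW"
```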


We asked CWP support; they don't have any resolution for this issue. They are even promoting paid support.
We could take paid support from them, as the CWP UPDATE LOG and all other things are perfect, but even after using this
CWP panel for more than two years I have not seen any professionalism from CWP. The current situation is very dangerous, and while we are looking
for a solution to this hacking attempt, they are not thinking about or considering it.

Yesterday I installed and activated KernelCare by cloudlinux.com, but it also did not resolve our issue. Finally we closed
the pop3d port, even stopping the Dovecot IMAP/POP3 Server. We thought this was good so the users would not face any mail issue,
but they are not able to use any desktop email client. After that we are also getting another type of attack; the log is added below.


========== LOG ===============


Firewall message:

172.65.32.248 (US/United States/-) blocked with too many connections
Connections Log:
(My server IP and the port they are trying)
tcp: 172.65.32.248:443 -> 173.XXX.XXX.X:55368 (TIME_WAIT)
tcp: 172.65.32.248:443 -> 173.XXX.XXX.X:55336 (TIME_WAIT)
tcp: 172.65.32.248:443 -> 173.XXX.XXX.X:55362 (TIME_WAIT)
tcp: 172.65.32.248:443 -> 173.XXX.XXX.X:55330 (TIME_WAIT)
tcp: 172.65.32.248:443 -> 173.XXX.XXX.X:55350 (TIME_WAIT)
tcp: 172.65.32.248:443 -> 173.XXX.XXX.X:55352 (TIME_WAIT)
tcp: 172.65.32.248:443 -> 173.XXX.XXX.X:55334 (TIME_WAIT)
tcp: 172.65.32.248:443 -> 173.XXX.XXX.X:55346 (TIME_WAIT)
tcp: 172.65.32.248:443 -> 173.XXX.XXX.X:55354 (TIME_WAIT)
tcp: 172.65.32.248:443 -> 173.XXX.XXX.X:55370 (TIME_WAIT)
tcp: 172.65.32.248:443 -> 173.XXX.XXX.X:55372 (TIME_WAIT)
tcp: 172.65.32.248:443 -> 173.XXX.XXX.X:55412 (ESTABLISHED)
tcp: 172.65.32.248:443 -> 173.XXX.XXX.X:55374 (TIME_WAIT)
tcp: 172.65.32.248:443 -> 173.XXX.XXX.X:55398 (TIME_WAIT)
tcp: 172.65.32.248:443 -> 173.XXX.XXX.X:55358 (TIME_WAIT)
tcp: 172.65.32.248:443 -> 173.XXX.XXX.X:55356 (TIME_WAIT)
tcp: 172.65.32.248:443 -> 173.XXX.XXX.X:55338 (TIME_WAIT)
 

CSF should be blocking that IP 172.65.32.248. Check to make sure you see that entry.
If not, create a blacklist entry for 172.65.32.248 or 172.65.32.0/24.