SOLVED Too many messages Brute Force - Excessive number of failed login attempts

Elizabeta

Hello,

I have cPanel & WHM version v98.0.9. Since yesterday morning I have received 3500 messages in total, and the messages keep coming. How can I prevent this attack?

Best regards,
Elizabeta
 

Elizabeta

One more piece of information: the Authentication Database is mail. I saw this in the message about the brute force attack.

The mail addresses that are being attacked do not even exist on cPanel?

BR




 

Elizabeta

Hello,

One of our users on cPanel has the autodiscover option activated on the DNS record in cPanel, but does not host mail on cPanel.
We noticed that a lot of emails (Brute force attack - Excessive number of failed login) arrive for mail addresses belonging to that user.
How can we stop it?

Br,
Elizabeta
 

cPRex

Staff member
Hey there! Could you post an example of one of the messages you're getting? Please remove any personal information, such as the email or IP address, but we'd need to see one of those messages in order to provide you with good information on how to solve the issue.
 

cPanelAnthony

Staff member
Hello,

It sounds like your server was undergoing some type of brute force attack. I would suggest making sure your server's firewall is blocking these attempts. It will also help to make sure cPHulk is functioning.

 

quietFinn

These attackers may be able to use hundreds or even thousands of different IPs, so when one is blocked they use the next, and so on...
If the password is not strong they might eventually get it.
 

tirliton

Hello,

My server has been under attack for more than 4 weeks now. The attack is a brute force attack against IMAP services. My firewall (CSF & LFD) is running and blocking them, but I had to deactivate the email notifications (more than 300 emails were sent per hour). cPHulk is also active.

This afternoon, my LFD service crashed two times (xtable lock problem).

Is there anything I can do to moderate this attack and keep LFD from crashing?

Thank you for your help,

Guy