brute force attack ??

I would suggest using a good firewall script like CSF/LFD, which also has a plugin for DirectAdmin.
Works great and automatically bans users after x attempts to connect to mail, FTP, whatever; you can configure that yourself in the config.
 
Hello, I am using CSF v5.08 but I do not know which parameters to block. They are trying to connect to a single account. DirectAdmin is updated, the server also.
I have in the View Iptables Logs every minute the same IP address:
Aug 26 10:09:02 ns201305 kernel: Firewall: *UDP_OUT Blocked* IN= OUT=eth0 SRC=91.121.118.116 DST=91.121.118.251 LEN=222 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=49964 DPT=6168 LEN=202

Thanks

Excuse my English, I'm French :p
 
Help me please, I get lots of mail.
Is it dangerous for the server?
How to block the hackers' IPs? They change every time.
thank you
 
Firewall: *UDP_OUT Blocked*
This is outgoing traffic which is blocked. So it's not a hacker trying to get in, but a user (or hacked account) which is trying to get out.

I would suggest checking which of your users is running a script.
If you had installed the csf/lfd firewall like I suggested, you would already have known who the guilty user was. :)
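To make the direction check above mechanical, here is an added Python example (not code from the thread or from CSF) that parses CSF/iptables kernel log lines of the format quoted above and reports which address is the local host and which is the remote one. The first two lines reuse the thread's log entry; the inbound line is constructed with documentation addresses.

```python
import re
from collections import Counter

# Sample log: the UDP_OUT line from the thread (repeated a minute later, as the
# poster described) plus one constructed inbound TCP_IN line for comparison.
SAMPLE_LOG = """\
Aug 26 10:09:02 ns201305 kernel: Firewall: *UDP_OUT Blocked* IN= OUT=eth0 SRC=91.121.118.116 DST=91.121.118.251 LEN=222 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=49964 DPT=6168 LEN=202
Aug 26 10:10:02 ns201305 kernel: Firewall: *UDP_OUT Blocked* IN= OUT=eth0 SRC=91.121.118.116 DST=91.121.118.251 LEN=222 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=49971 DPT=6168 LEN=202
Aug 26 10:10:30 ns201305 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= SRC=198.51.100.7 DST=91.121.118.116 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=3021 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
"""

# The tag between the asterisks (e.g. "UDP_OUT Blocked") names the CSF chain;
# everything after it is a run of KEY=VALUE tokens plus bare flags such as DF/SYN.
LINE_RE = re.compile(r"Firewall: \*(?P<tag>[^*]+)\* (?P<kv>.*)$")

def parse_line(line):
    """Return a dict describing one blocked packet, or None if the line does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    fields = {}
    for tok in m.group("kv").split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            fields.setdefault(k, v)  # LEN appears twice; keep the IP-header one
    # Empty IN= and a non-empty OUT= means the packet left this box: SRC is us,
    # so a repeating *_OUT hit points at a local user or process, not an attacker.
    outbound = fields.get("IN", "") == "" and fields.get("OUT", "") != ""
    return {
        "tag": m.group("tag"),
        "outbound": outbound,
        "local": fields.get("SRC") if outbound else fields.get("DST"),
        "remote": fields.get("DST") if outbound else fields.get("SRC"),
        "proto": fields.get("PROTO"),
        "dport": fields.get("DPT"),
    }

def summarize(log_text):
    """Count hits per (direction, local, remote, proto, dport) so repeats stand out."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            direction = "out" if rec["outbound"] else "in"
            counts[(direction, rec["local"], rec["remote"], rec["proto"], rec["dport"])] += 1
    return counts

if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG).most_common():
        print(n, key)
```

A high count on an "out" key is the case this thread is about: the local address is the one to investigate on the server itself.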
 
Actually, to me it seems to be in the same network: 91.121.118.116 DST=91.121.118.251

So, it should be some misconfiguration of backup/DNS or whatever else, I suppose... Are both of those IPs yours?
 
Hello, I do not quite understand your question?
I can give you my login for MP? For you to view 2 minutes?
thank you
 
small indication to tell me otherwise or search by MP I can give you the login information.
What is "MP"? To have a look at what's wrong, root access is needed. I could have a very short look for you if you want. Contact me by PM if you want.
 
No problem.:)

I had a quick look around. Seems there is a distributed brute force going on against 1 email address, but I couldn't find that quickly where the outgoing traffic is coming from.

To disable the brute force monitor in DA, go to:
/usr/local/directadmin/conf and in directadmin.conf set:

bruteforce=0

If that line is not present, just add it.

@Sellerone: He only has the IP which ends in 116.
No nameserver present on the machine.
 
Actually, in my case it's about Gmail Fetcher trying to authenticate on an account with a changed password. It's a bit complicated, but, in a few words, a user got fired from my client's company, obtained a forwarder to his Gmail account with no direct access to company email, but didn't turn off Gmail Fetcher. Now he says he deleted that account from Fetcher, but I keep getting these messages from my server.

I have no idea how to handle this :(
 
Are you trying to attach something? If so, you can't until you've made more posts (I don't know how many). But you can use the code tags to post some log entries, or quote tags to quote something from another message.

Without seeing them though, I'd guess that the Fetcher is still trying to fetch messages. Certainly you shouldn't be getting notified that it is, if it's not.

Jeff
 