Hundreds of hacking attempts overnight.

jim.thornton

Verified User
Joined
Jan 1, 2008
Messages
334
I've had hundreds of hacking emails come through (each email has 5 attempts). The attempts are IMAP hacking attempts against an email address that only exists as a forwarder. I'm pretty sure that I have nothing to worry about regarding this, but is there anything I can do to stop them?

I run CSF firewall. All of these attempts are from around the world (Italy, Russia, China, Vietnam, etc.). My server only hosts websites for me and my business is restricted to Ontario (or Canada at the absolute most). I don't even really need to have people connect from the U.S.A., except for the fact that someone might be in the U.S. for a bit and need to connect.

Is there a way that I can easily stop all connections from anywhere other than North America? Or, is that not advisable?

I've already got CSF set to 5 failed attempts and it locks you out, but the hackers just change their IP address and go again. I get multiple attempts every minute or two.
 
Nothing really you can do to stop this. It's normal, but gotten worse during Covid.
Best is indeed to use the CSF Firewall. Do not set the block for too long, otherwise you get too many block lines and could start using resources.

You could buy the GeoIP stuff so you can only allow people from certain countries. However, it's still possible to spoof IPs and attacks probably won't stop. It's a choice, but I doubt if it's worth the money and I don't know how resource usage is on that. Maybe somebody who already uses this can advise on it.

We sometimes also have a big flood of attacks like that, and mostly they don't last longer than a week and then it's back to the "normal" attack rate.

Nothing really to worry about if you keep your server updated in a decent way. I would certainly only use temp blocks, not full blocks. But I would use temp blocks longer than an hour. More like a day or a couple of days. Because valid users can use wrong passwords too, and then they are locked out for that time too.
And then the option to block fully after they have been temp blocked x times.
 
To counter that attack, you need to change the CSF firewall config:
1: Back up your current config (it's under "Firewall Profiles").
2: Make sure you whitelist your own IP, otherwise you may get blocked by the steps below.
3: Change all "LF_*" options from 5 to 1, and all "LF_*_PERM" options to 1.
4: Disable all "Email Alert" options.
5: Enable UDPFLOOD, set UDPFLOOD_LIMIT to "75/s".
6: Save and stay alert to see how the attacker is doing.

LF_*_PERM: it's up to you to decide, for fighting a high-traffic brute-force attack.

When the attacker has stopped, please restore your old config.

There are too many options; I can't share more detail here.
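The two replies above describe different settings for the same lfd login-failure options. As an added illustration that is not from either poster, the csf.conf fragment below shows how both map onto the actual option names (IMAP shown; POP3 and SMTP AUTH have the parallel LF_POP3D and LF_SMTPAUTH options). All numeric values here are example choices, not recommendations from the thread.

```conf
# /etc/csf/csf.conf fragment (added example, not from the thread). Values are illustrative.
# LF_TRIGGER = "0" keeps a separate failure counter per service instead of one aggregate.
LF_TRIGGER = "0"

# --- Variant A: temp block for a day, then escalate (the first reply's approach) ---
LF_IMAPD = "5"                    # failed IMAP logins before lfd blocks the source IP
LF_IMAPD_PERM = "86400"           # 1 = permanent block; >1 = temporary block for that many seconds
LF_PERMBLOCK = "1"                # upgrade to a permanent block ...
LF_PERMBLOCK_INTERVAL = "86400"   # ... when an IP collects LF_PERMBLOCK_COUNT temp blocks in this window
LF_PERMBLOCK_COUNT = "4"
LF_PERMBLOCK_ALERT = "1"

# --- Variant B: block on the first failure, permanently, no alert mail (the second reply's emergency setting) ---
# LF_IMAPD = "1"
# LF_IMAPD_PERM = "1"
# LF_EMAIL_ALERT = "0"            # stops the per-block alert emails the original poster is receiving

# Caps on the block lists. Once a limit is reached the oldest entries are dropped, which is why
# very long or permanent blocks gain little against an attacker who rotates source IPs.
DENY_IP_LIMIT = "200"
DENY_TEMP_IP_LIMIT = "100"
```

Before tightening any of these, put your own address in /etc/csf/csf.allow (and in /etc/csf/csf.ignore so lfd never counts your failures), then apply with `csf -r`. Variant A tolerates a legitimate user who mistypes a password a few times; Variant B locks that user out on the first typo, which is why the second reply frames it as a temporary measure to be reverted once the flood passes.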
 
Hi,

Is it only IMAP brute force attacks?

I've got a million attacks on SSH. Since I changed the default port to one further up the range, this saves me a whole lot of traffic and long log files. Also, I don't know why, but the attacks on email boxes have declined a lot.

Since most attacks were on SSH, the records in the IP blacklist table were rotating fast. Now that I don't have to block SSH anymore (they can't find the port), I could set the settings for email attacks much tighter. Just 1 failed login attempt instead of 5, for example. Maybe this did the trick, but the hacking attempts did slow down a lot.
 
You can use the CC_ALLOW_PORTS functionality in CSF. Remove the mail ports from the general allowed port list (TCP_IN/UDP_IN) and add them here, together with your country codes (CA,US).
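What that looks like in csf.conf, as an added example that is not the poster's own configuration: the first fragment is the stock layout with every mail port open to the world, the second moves the client-facing mail ports behind a country allow list. The port list, the country codes and the decision to keep port 25 global are assumptions for the illustration.

```conf
# /etc/csf/csf.conf fragment (added example, not from the thread).

# Before: all mail ports reachable from any country, and CC_ALLOW_PORTS unused.
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"
CC_ALLOW_PORTS = ""
CC_ALLOW_PORTS_TCP = ""

# After: IMAP/POP3/submission only from Canada and the US.
CC_LOOKUPS = "1"                    # country-code lookups must be on (requires a GeoIP database to be configured)
TCP_IN = "20,21,22,25,53,80,443"    # port 25 stays global so foreign mail servers can still deliver to you
CC_ALLOW_PORTS = "CA,US"            # comma-separated ISO country codes allowed on the ports below
CC_ALLOW_PORTS_TCP = "110,143,465,587,993,995"
CC_ALLOW_PORTS_UDP = ""
```

Reload with `csf -r` after editing. Two things to check before relying on this: if the box receives mail, leave 25 in TCP_IN as shown, otherwise inbound delivery from outside CA/US silently fails; and a legitimate user travelling outside those countries will see a connection timeout rather than an authentication error, so the support desk should know the rule exists. It also does nothing against an attacker coming from a North American VPS or VPN, so the LF_* failure limits still matter.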
 