[ask] How to solve a DDoS attack on SMTP in cPanel



yuby

Beginner 2.0
Hello masters,

I would like to ask whether anyone has experienced a DDoS attack via SMTP on cPanel.

The log looks like this:

2014-01-21 22:07:46 H=dhcp46-187-131-87.eaw.com.pl [46.187.131.87]:1775 F=<[email protected]> rejected RCPT <[email protected]>:
2014-01-21 22:07:46 H=([190.253.123.218]) [190.253.123.218]:3297 F=<[email protected]> rejected RCPT <[email protected]>:
2014-01-21 22:07:47 H=([186.114.32.164]) [186.114.32.164]:22759 F=<[email protected]> rejected RCPT <[email protected]>:
2014-01-21 22:07:47 H=93-62-240-137.ip24.fastwebnet.it [93.62.240.137]:47772 F=<[email protected]> rejected RCPT <[email protected]>:
2014-01-21 22:07:47 H=cpc2-nmal20-2-0-cust907.19-2.cable.virginm.net [92.239.187.140]:54662 F=<[email protected]> rejected RCPT <[email protected]>:
2014-01-21 22:07:50 H=(116-78-190-190.cab.prima.net.ar) [190.190.78.116]:3204 F=<[email protected]> rejected RCPT <[email protected]>:
2014-01-21 22:07:50 H=([190.40.81.206]) [190.40.81.206]:41976 F=<[email protected]> rejected RCPT <[email protected]>:
2014-01-21 22:07:51 H=181-162-34-204.baf.movistar.cl [181.162.34.204]:4878 F=<[email protected]> rejected RCPT <[email protected]>:
2014-01-21 22:07:55 H=(dbe2638e0.dslam-172-17-192-245-256-347-may-04.dsl.cantv.net) [190.38.56.224]:49904 F=<[email protected]> rejected RCPT <[email protected]>:
2014-01-21 22:07:57 H=([190.233.227.100]) [190.233.227.100]:10368 F=<[email protected]> rejected RCPT <[email protected]>:
2014-01-21 22:07:57 H=(182-12-166-181.fibertel.com.ar) [181.166.12.182]:2518 F=<[email protected]> rejected RCPT <[email protected]>:
2014-01-21 22:08:01 H=dslb-178-008-040-094.pools.arcor-ip.net [178.8.40.94]:2175 F=<[email protected]> rejected RCPT <[email protected]>:
2014-01-21 22:08:03 H=(host-176-221-120-189.dynamic.mm.pl) [176.221.120.213]:9189 F=<[email protected]> rejected RCPT <[email protected]>:

I checked, and the DDoS attack comes in over port 25.

Problem:

- the DDoS sends email to internal domains, but the email addresses are random, so delivery fails and bounces back
- it can cause high CPU usage and overload
- it makes the cPanel server hang
- the sender source (the address / IP does not exist), so it is hard to trace

Solutions already tried:

- I have tried blocking port 25 in CSF; the DDoS stopped, but then I could not receive email from outside (external domains), because SMTP servers talk to each other over port 25.
- I have changed blackhole to fail in the bounceback email setting, so the CPU is not loaded as heavily.

Perhaps the masters have another solution?

Warm regards,
Yuby
 

yuby

Beginner 2.0
enable SMTP restrictions + disable the insecure SMTP port 25.. so use only port 465 or 587

I have tried this, but email from external domains cannot come in, sir. For example from Gmail or other external domains; only the local domains on the server can mail each other.
 

natanetwork

Hosting Guru
Verified Provider
I have tried this, but email from external domains cannot come in, sir. For example from Gmail or other external domains; only the local domains on the server can mail each other.
Go to Mail Server Configuration and set "Allow Plaintext Authentication (from remote clients)" to No

Hope this helps
 

yuby

Beginner 2.0
Go to Mail Server Configuration and set "Allow Plaintext Authentication (from remote clients)" to No

Hope this helps

Already tried, but the DDoS is still happening.

xxx.com = my domain name

Checking the header, there is no sender (IP) etc., so the DDoS attack looks like it comes from inside the server, because when checked on the router the traffic goes from the cPanel server IP to external IPs.

log:

2018-01-31 10:40:32 H=cf3.hc.ru [89.111.177.36]:36200 X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no F=<> rejected RCPT <[email protected]>: "
2018-01-31 10:40:32 H=mla401.digitalink.ne.jp [114.142.191.200]:56626 F=<> rejected RCPT <[email protected]>: "
2018-01-31 10:40:32 SMTP connection from mla401.digitalink.ne.jp [114.142.191.200]:56626 closed by QUIT
2018-01-31 10:40:32 SMTP connection from [61.119.44.82]:50864 (TCP/IP connection count = 94)
2018-01-31 10:40:32 H=cf3.hc.ru [89.111.177.36]:36200 Warning: "Detected session with all messages failed"
2018-01-31 10:40:32 H=cf3.hc.ru [89.111.177.36]:36200 Warning: "Increment slow_fail_block Ratelimit - cf3.hc.ru [89.111.177.36]:36200 because of all messages failed"
2018-01-31 10:40:32 SMTP connection from cf3.hc.ru [89.111.177.36]:36200 closed by QUIT
2018-01-31 10:40:33 SMTP connection from [203.127.43.196]:24910 (TCP/IP connection count = 94)
2018-01-31 10:40:33 H=mail2.teletax.ru [77.232.58.69]:62078 F=<> rejected RCPT <[email protected]>: "
2018-01-31 10:40:33 SMTP connection from hontec.net.cn [218.80.251.154]:13549 lost
2018-01-31 10:40:33 SMTP connection from hontec.net.cn [218.80.251.154]:16172 lost
2018-01-31 10:40:33 SMTP connection from hontec.net.cn [218.80.251.154]:21901 lost
2018-01-31 10:40:33 H=www769.sakura.ne.jp [59.106.19.219]:54813 X=TLSv1:DHE-RSA-AES256-SHA:256 CV=no F=<> rejected RCPT <[email protected]>: "
2018-01-31 10:40:33 SMTP connection from hontec.net.cn [218.80.251.154]:25272 lost
2018-01-31 10:40:33 SMTP connection from hontec.net.cn [218.80.251.154]:18708 lost
2018-01-31 10:40:33 SMTP connection from www769.sakura.ne.jp [59.106.19.219]:54813 closed by QUIT
 

paijo2

Apprentice 1.0
Backscatter spam?

Easiest way to eliminate backscatter is to set "Initial default/catch-all forwarder destination" in Tweak Settings to Blackhole instead of Fail. Fail will generate a non-deliverability report (NDR), which is basically what most backscatter is. Blackhole just routes them to /dev/null and no NDR is generated.

Technically, I believe Fail is what the RFC (Request For Comments) calls for, but the exim RFC did not take spam into account.

https://forums.cpanel.net/threads/preventing-backscatter.514281/
 

yuby

Beginner 2.0

Yes, it was already set to fail before as well, so it gets rejected and does not burden the server; the CPU is already fine.

I have been using that solution since 2 weeks ago, but the problem is that the DDoS is still there.

log:

2018-01-31 10:40:32 SMTP connection from cf3.hc.ru [89.111.177.36]:36200 closed by QUIT
2018-01-31 10:40:33 SMTP connection from [203.127.43.196]:24910 (TCP/IP connection count = 94)
2018-01-31 10:40:33 H=mail2.teletax.ru [77.232.58.69]:62078 F=<> rejected RCPT <[email protected]>: "
2018-01-31 10:40:33 SMTP connection from hontec.net.cn [218.80.251.154]:13549 lost
2018-01-31 10:40:33 SMTP connection from hontec.net.cn [218.80.251.154]:16172 lost
2018-01-31 10:40:33 SMTP connection from hontec.net.cn [218.80.251.154]:21901 lost
2018-01-31 10:40:33 H=www769.sakura.ne.jp [59.106.19.219]:54813 X=TLSv1:DHE-RSA-AES256-SHA:256 CV=no F=<> rejected RCPT <[email protected]>: "
2018-01-31 10:40:33 SMTP connection from hontec.net.cn [218.80.251.154]:25272 lost
2018-01-31 10:40:33 SMTP connection from hontec.net.cn [218.80.251.154]:18708 lost
2018-01-31 10:40:33 SMTP connection from www769.sakura.ne.jp [59.106.19.219]:54813 closed by QUIT
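Added example (not code from this thread, from cPanel or from Exim): a small Python triage script for Exim mainlog lines of the two shapes posted in this thread, the 2014 "F=<sender> rejected RCPT" flood and the 2018 "F=<>" null-sender rejections, together with the "TCP/IP connection count" lines. It separates null-sender rejections (bounce messages arriving for addresses at the domain, which is what inbound backscatter looks like when someone else's spam forges the domain as sender) from rejections of direct delivery attempts, counts rejections per source IP, flags IPs that probe several distinct recipients, and reports connection pressure. The sample lines, hostnames, RFC 5737 documentation-range IPs and addresses are constructed, and the thresholds are assumptions.

```python
"""Triage Exim mainlog lines for RCPT-rejection floods and backscatter.

Added example, not part of the forum thread or of cPanel/Exim. The two
regexes follow the log shapes quoted in the thread; the sample log below
is constructed (example.com, RFC 5737 addresses) and only models them.
"""
import re
import sys
from collections import Counter, defaultdict

TS = r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "

# 'H=host [ip]:port [X=tls] [CV=..] F=<sender> rejected RCPT <rcpt>'.
# hinfo absorbs the hostname and/or the parenthesised HELO name.
REJECT_RE = re.compile(
    TS + r"H=(?P<hinfo>.*?) ?\[(?P<ip>[^\]]+)\]:(?P<port>\d+) "
    r"(?:X=\S+ )?(?:CV=\S+ )?"
    r"F=<(?P<sender>[^>]*)> rejected RCPT <(?P<rcpt>[^>]*)>"
)

# 'SMTP connection from [host ][ip]:port (TCP/IP connection count = N)'.
CONN_RE = re.compile(
    TS + r"SMTP connection from (?P<hinfo>.*?) ?\[(?P<ip>[^\]]+)\]:(?P<port>\d+) "
    r"\(TCP/IP connection count = (?P<count>\d+)\)"
)

# Constructed sample, modelled on the lines quoted in the thread.
SAMPLE_LOG = """\
2018-01-31 10:40:32 H=cf3.example.net [198.51.100.7]:36200 X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no F=<> rejected RCPT <nobody1@example.com>: "
2018-01-31 10:40:32 H=mx.example.org [198.51.100.8]:56626 F=<> rejected RCPT <nobody2@example.com>: "
2018-01-31 10:40:32 SMTP connection from mx.example.org [198.51.100.8]:56626 closed by QUIT
2018-01-31 10:40:32 SMTP connection from [203.0.113.5]:50864 (TCP/IP connection count = 94)
2018-01-31 10:40:33 H=([192.0.2.10]) [192.0.2.10]:3297 F=<spam1@invalid.example> rejected RCPT <asdf@example.com>:
2018-01-31 10:40:33 H=([192.0.2.10]) [192.0.2.10]:3298 F=<spam2@invalid.example> rejected RCPT <qwer@example.com>:
2018-01-31 10:40:34 H=([192.0.2.10]) [192.0.2.10]:3299 F=<spam3@invalid.example> rejected RCPT <zxcv@example.com>:
2018-01-31 10:40:34 SMTP connection from relay.example.net [203.0.113.9]:13549 lost
2018-01-31 10:40:35 SMTP connection from [203.0.113.6]:24910 (TCP/IP connection count = 95)
"""


def parse_line(line):
    """Return a dict for a rejection or connection-count line, else None."""
    m = REJECT_RE.match(line)
    if m:
        rec = m.groupdict()
        # An empty envelope sender is a bounce/NDR: inbound backscatter.
        rec["kind"] = "bounce_reject" if rec["sender"] == "" else "delivery_reject"
        return rec
    m = CONN_RE.match(line)
    if m:
        rec = m.groupdict()
        rec["kind"] = "connection"
        rec["count"] = int(rec["count"])
        return rec
    return None  # QUIT / lost / other lines are not triaged here


def triage(lines, reject_threshold=3, conn_warn=90):
    """Summarise rejections per source and connection pressure.

    reject_threshold and conn_warn are assumed values, not Exim or CSF defaults.
    """
    kinds = Counter()
    rejects_by_ip = Counter()
    rcpts_by_ip = defaultdict(set)
    max_conn = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        kinds[rec["kind"]] += 1
        if rec["kind"] == "connection":
            max_conn = max(max_conn, rec["count"])
        else:
            rejects_by_ip[rec["ip"]] += 1
            rcpts_by_ip[rec["ip"]].add(rec["rcpt"])
    # One source probing many different nonexistent recipients is a
    # dictionary-style flood; a single bounce per source is ordinary backscatter.
    flood_candidates = sorted(
        ip for ip, n in rejects_by_ip.items()
        if n >= reject_threshold and len(rcpts_by_ip[ip]) >= reject_threshold
    )
    return {
        "kinds": dict(kinds),
        "rejects_by_ip": dict(rejects_by_ip),
        "flood_candidates": flood_candidates,
        "max_connections": max_conn,
        "connection_pressure": max_conn >= conn_warn,
    }


if __name__ == "__main__":
    # Usage: python triage.py /var/log/exim_mainlog   (falls back to the sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_LOG.splitlines()
    summary = triage(lines)
    for key, value in summary.items():
        print(f"{key}: {value}")
```

The split the summary makes is the one that decides which fix applies: "bounce_reject" lines are NDRs coming back for mail that forged your domain, which the Blackhole/Fail default-forwarder setting discussed above stops your own server from generating but cannot stop other servers from sending you, so those are simply rejected; "delivery_reject" lines concentrated on a few IPs in "flood_candidates" are what per-IP rate limiting or a temporary deny in CSF is for, which blocking port 25 outright is not.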
 