I have a server being attacked in the form of a botnet. I'm alone on my server and I don't have/want customers. All email programs are disabled (Horde, SquirrelMail, etc.) and I don't use email accounts (I did not create email accounts). I am getting 50 emails a day (for the last two days) like this:

Time: Tue Feb 4 17:07:09 2014 -0500
IP: 213.186.183.252 (JO/Jordan/-)
Failures: 5 (smtpauth)
Interval: 3600 seconds
Blocked: Permanent Block
Log entries:
2014-02-04 17:06:15 dovecot_login authenticator failed for ([192.168.2.33]) [213.186.183.252]:59438: 535 Incorrect authentication data (set_id=jobs)
2014-02-04 17:06:21 dovecot_login authenticator failed for ([192.168.2.33]) [213.186.183.252]:59438: 535 Incorrect authentication data (set_id=jobs)
2014-02-04 17:06:31 dovecot_login authenticator failed for ([192.168.2.33]) [213.186.183.252]:59438: 535 Incorrect authentication data (set_id=jobs)
2014-02-04 17:06:48 dovecot_login authenticator failed for ([192.168.2.33]) [213.186.183.252]:59438: 535 Incorrect authentication data (set_id=jobs)
2014-02-04 17:07:05 dovecot_login authenticator failed for ([192.168.2.33]) [213.186.183.252]:59438: 535 Incorrect authentication data (set_id=jobs)
I am using CSF, CXS, ConfigServer Mail Manager, ConfigServer Mail Queues, Mod_Security.
What is the best solution to stop these SMTP attacks? Block/disable port 25? Will it prevent me from receiving other alert emails from CSF?
The SMTP settings in CSF are:
SMTP_BLOCK = 0
SMTP_ALLOWLOCAL = 1
SMTP_PORTS = 25,465,587
SMTP_ALLOWUSER = Cpanel
SMTP_ALLOWGROUP = mail,mailman
Regards
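
An added example, not part of the original post and not CSF/lfd's own code: the alert above reports 5 smtpauth failures within a 3600-second interval, and this Python applies that same threshold per source IP to the Exim log lines quoted in the post. The function name `find_offenders` and the regular expression are assumptions made for the illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Log lines copied from the alert in the post (wrapped lines rejoined).
SAMPLE_LOG = """\
2014-02-04 17:06:15 dovecot_login authenticator failed for ([192.168.2.33]) [213.186.183.252]:59438: 535 Incorrect authentication data (set_id=jobs)
2014-02-04 17:06:21 dovecot_login authenticator failed for ([192.168.2.33]) [213.186.183.252]:59438: 535 Incorrect authentication data (set_id=jobs)
2014-02-04 17:06:31 dovecot_login authenticator failed for ([192.168.2.33]) [213.186.183.252]:59438: 535 Incorrect authentication data (set_id=jobs)
2014-02-04 17:06:48 dovecot_login authenticator failed for ([192.168.2.33]) [213.186.183.252]:59438: 535 Incorrect authentication data (set_id=jobs)
2014-02-04 17:07:05 dovecot_login authenticator failed for ([192.168.2.33]) [213.186.183.252]:59438: 535 Incorrect authentication data (set_id=jobs)
"""

# The first bracketed address is the client-supplied HELO (here a private
# address), so the regex keys on the bracketed address followed by ":port:".
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"\w+ authenticator failed for .*?"
    r"\[(?P<ip>[0-9a-fA-F.:]+)\]:\d+: 535 "
    r".*?(?:\(set_id=(?P<user>[^)]*)\))?\s*$"
)

def find_offenders(log_text, max_failures=5, interval=3600):
    """Return {ip: info} for IPs reaching max_failures within interval seconds."""
    window = timedelta(seconds=interval)
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    users = defaultdict(set)      # ip -> account names that were tried
    offenders = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue              # not an SMTP AUTH failure line
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        ip, q = m["ip"], recent[m["ip"]]
        if m["user"]:
            users[ip].add(m["user"])
        q.append(ts)
        while ts - q[0] > window:  # drop failures older than the interval
            q.popleft()
        if len(q) >= max_failures and ip not in offenders:
            offenders[ip] = {"tripped_at": ts, "users": users[ip]}
    return offenders

if __name__ == "__main__":
    for ip, info in find_offenders(SAMPLE_LOG).items():
        print(ip, info["tripped_at"], sorted(info["users"]))
```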