Recently I noticed a huge increase in SMTP brute force attacks (password guessing against SMTP AUTH, the login that mail clients use to send through the server) on my server. I started digging around to see what steps I could take and found a simple solution. This change alone has reduced both my server load and the number of SMTP AUTH brute force attempts.
If you have a dedicated server, a VPS, or any other setup with root access to WHM, then this solution is for you. If you have a shared hosting account, you cannot make these changes and this is not for you.
Ensure that you have ConfigServer Firewall (CSF) installed; if not, it is easy to install by following https://download.configserver.com/csf/install.txt
The following steps assume that you have ConfigServer Firewall installed and functioning properly, and that you have WHM root access.
Step 1: click “ConfigServer” from your WHM menu, scroll down until you see “cPanel SMTP AUTH Restrictions”, and click the button. Add every IP address or CIDR block that should be allowed to use SMTP AUTH on your server (your office and home addresses, any remote application servers that send through this host, and the server’s own loopback address if webmail or local scripts authenticate to it). This list is saved in /etc/csf/csf.smtpauth and CSF writes it out to /etc/exim.smtpauth for Exim to read. Anyone connecting from an address that is not listed, including your own users on mobile devices or other networks, will no longer be able to authenticate and send mail, so be sure the list is complete. NOTE – If you don’t see this yet, complete the remaining steps and then come back to this (I forget if it appears by default or only after you enable SMTP AUTH restrictions).
Step 2: click “ConfigServer” from your WHM menu, scroll down until you see “Firewall Configuration”, and click the button.
Step 3: from the drop-down at the top select “SMTP Settings”
Step 4: set SMTPAUTH_RESTRICT to “On”. This is the CSF setting that keeps /etc/exim.smtpauth updated from the list you built in Step 1.
Step 5: save the settings by clicking “Change” at the bottom and restart CSF and LFD as directed.
Step 6: in WHM click “Exim Configuration Manager”, click “Advanced Editor”, scroll down to the blue button “Add additional configuration setting” and click it. Two boxes appear above it – click the drop-down box on the left, select “auth_advertise_hosts”, and in the box to the right (after the = sign) put this, exactly as written:
${if match_ip{$sender_host_address}{iplsearch;/etc/exim.smtpauth}{*}{}}
Step 7: scroll all the way down on the Exim advanced page and click “Save”; the server will restart Exim. From now on Exim advertises its AUTH mechanisms only to connecting hosts whose address matches an entry in /etc/exim.smtpauth (the expansion yields “*” for them and an empty host list for everyone else). A host that is not listed sees no AUTH capability in the EHLO response, and if it tries an AUTH command anyway Exim rejects it as not advertised, so the password guessing never reaches your accounts.
If you’re unable to restrict SMTP AUTH to specific IP addresses or CIDR blocks (for example because your users connect from many changing addresses), then you can restrict by country in the ConfigServer configuration, in addition to the SMTPAUTH_RESTRICT setting above. Click the ConfigServer configuration button and look for CC_ALLOW_SMTPAUTH. Add the two-letter country codes that you want to allow to use SMTP AUTH on your server. Be careful with this though – a country can map to a very large number of IP ranges, and a list that size can hurt performance. It is also a much weaker restriction than an explicit list, since attackers can easily use hosts in the allowed countries.
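The following Python script is an added example and not part of the original post or of CSF or Exim. It reproduces the decision that the auth_advertise_hosts expansion above makes, using a constructed sample of /etc/exim.smtpauth in the one-address-or-CIDR-per-line format that Exim’s iplsearch lookup reads (whether CSF quotes IPv6 entries as Exim requires is an assumption here, so the parser accepts both forms). As I understand CSF, the country-code option fills the same file with the selected countries’ CIDR ranges, so the same lookup covers both approaches. A second helper scans an EHLO response transcript for a 250-AUTH line so you can confirm from an unlisted address that AUTH is no longer offered. All addresses are RFC 5737/3849 documentation ranges, not real clients.

```python
import ipaddress
import re

# Constructed sample of /etc/exim.smtpauth (the file CSF writes from
# /etc/csf/csf.smtpauth): one IP address or CIDR block per line, in the
# format Exim's iplsearch lookup reads. Exim requires IPv6 keys to be
# quoted so their colons are not taken as key terminators. The addresses
# are documentation ranges, not real clients.
SAMPLE_SMTPAUTH_FILE = """\
# trusted SMTP AUTH clients
127.0.0.1
"::1"
203.0.113.10
198.51.100.0/24
"2001:db8:1::/48"
"""


def parse_iplsearch(text):
    """Parse iplsearch-style lines into ip_network objects."""
    nets = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith('"'):
            key = line[1:line.index('"', 1)]
        else:
            tok = line.split()[0]
            # IPv4 keys may carry a trailing ": data" part; an unquoted
            # IPv6 key (tolerated here) must keep its colons.
            key = tok if tok.count(":") > 1 else tok.rstrip(":")
        nets.append(ipaddress.ip_network(key, strict=False))
    return nets


def match_ip(sender_host_address, nets):
    """Equivalent of Exim's match_ip condition against the parsed list."""
    ip = ipaddress.ip_address(sender_host_address)
    return any(ip.version == net.version and ip in net for net in nets)


def auth_advertise_hosts(sender_host_address, nets):
    """Value the expansion yields for this connection: "*" means AUTH is
    advertised to the host, "" means it is not (and an AUTH command from
    it is rejected by Exim as not advertised)."""
    return "*" if match_ip(sender_host_address, nets) else ""


AUTH_LINE = re.compile(r"^250[- ]AUTH(?:\s+(.*))?$", re.IGNORECASE)


def advertised_auth_mechanisms(ehlo_response):
    """Mechanisms listed on a 250-AUTH line of an EHLO response; [] if none."""
    mechs = []
    for line in ehlo_response.splitlines():
        m = AUTH_LINE.match(line.strip())
        if m and m.group(1):
            mechs.extend(m.group(1).split())
    return mechs


# Constructed EHLO transcripts: what a listed and an unlisted client see.
EHLO_LISTED = """\
250-mail.example.com Hello client [198.51.100.77]
250-SIZE 52428800
250-STARTTLS
250-AUTH PLAIN LOGIN
250 HELP
"""
EHLO_UNLISTED = """\
250-mail.example.com Hello client [192.0.2.5]
250-SIZE 52428800
250-STARTTLS
250 HELP
"""

if __name__ == "__main__":
    nets = parse_iplsearch(SAMPLE_SMTPAUTH_FILE)
    for addr in ("198.51.100.77", "192.0.2.5", "2001:db8:1::abcd", "::1"):
        print(f"{addr:>18}  auth_advertise_hosts = {auth_advertise_hosts(addr, nets)!r}")
    print("listed client sees  :", advertised_auth_mechanisms(EHLO_LISTED))
    print("unlisted client sees:", advertised_auth_mechanisms(EHLO_UNLISTED))
```

To check a live server, connect from an address that is not in your list, send EHLO, and confirm that no 250-AUTH line comes back; then repeat from a listed address, where AUTH must still be offered, before you tell your users the change is done.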
That’s it! Your server is now better protected against SMTP AUTH brute force attacks than before. Note that this only governs authenticated sending: ordinary inbound delivery of mail to your domains on port 25 never requires authentication and is not affected.