Reduce SMTP Brute Force Attacks On cPanel WHM

Recently I noticed a huge increase in SMTP brute force attacks on my server.  I started digging around to see what steps I could take and found a simple solution.  This solution alone has reduced my server load and SMTP brute force attempts.

If you have a dedicated server, VPS server, or another solution with WHM then this solution is for you.  If you have a shared hosting account, then this is not for you.

Ensure that you have ConfigServer Firewall (CSF) installed; if not, it’s easy to install: https://download.configserver.com/csf/install.txt

The following steps assume that you have ConfigServer Firewall installed and functioning properly.

Step 1: click “ConfigServer” from your WHM menu, scroll down until you see “cPanel SMTP AUTH Restrictions”, and click the button.  Add any IP addresses that you want to be able to authenticate over SMTP (SMTP AUTH) on your server.  NOTE – If you don’t see this yet, complete the remaining steps and then come back to this (I forget if it appears by default or only after you enable SMTP AUTH).

Step 2: click “ConfigServer” from your WHM menu, scroll down until you see “Firewall Configuration”, and click the button.

Step 3: from the drop-down at the top select “SMTP Settings”

Step 4: set SMTPAUTH_RESTRICT to “On”

Step 5: save the settings by clicking “Change” at the bottom and restart as directed.

Step 6: in WHM click “Exim Configuration Manager”, click “Advanced Editor”, scroll down to the blue button “Add additional configuration setting” and click it.  Two boxes appear above it – click the drop-down box on the left, select “auth_advertise_hosts”, and in the box to the right (after the = sign) put this:
${if match_ip{$sender_host_address}{iplsearch;/etc/exim.smtpauth}{*}{}}

Step 7: scroll all the way down on the Exim advanced page and click “Save” and the server will restart Exim.
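
To see what the restriction changes in practice, this added example (not part of the original post, nor code from CSF or cPanel) replays failed logins from Exim log lines against an allow-list and reports which sources would still be offered AUTH by the auth_advertise_hosts setting from Step 6. The layout assumed for /etc/exim.smtpauth (one IP or CIDR key per line, # comment lines, quoted IPv6 keys), the shape of the log lines, the sample data and the function names are all assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed allow-list in the layout assumed for /etc/exim.smtpauth:
# one IP or CIDR key per line, '#' comments, IPv6 keys quoted for iplsearch.
SAMPLE_ALLOWLIST = '''
# constructed sample
127.0.0.1
"::1"
192.0.2.10
198.51.100.0/24
'''

# Constructed Exim mainlog lines (documentation address ranges only).
SAMPLE_LOG = '''
2024-05-01 10:00:01 dovecot_login authenticator failed for (User) [203.0.113.7]: 535 Incorrect authentication data (set_id=info@example.com)
2024-05-01 10:00:02 dovecot_login authenticator failed for (User) [203.0.113.7]: 535 Incorrect authentication data (set_id=admin@example.com)
2024-05-01 10:00:09 dovecot_plain authenticator failed for (laptop) [198.51.100.23]: 535 Incorrect authentication data (set_id=bob@example.com)
2024-05-01 10:01:00 1abcde-000001-AB <= bob@example.com H=(laptop) [198.51.100.23] P=esmtpsa A=dovecot_plain:bob@example.com S=1234
'''

FAILED_AUTH = re.compile(r"authenticator failed for [^\[]*\[([^\]]+)\]")
KEY = re.compile(r'"([^"]+)"|([^\s:]+)')  # quoted key, or bare key up to ':' or space

def load_allowlist(text):
    """Parse allow-list keys into networks, skipping blanks and comments."""
    nets = []
    for line in text.splitlines():
        m = KEY.match(line.split("#", 1)[0].strip())
        if m:
            nets.append(ipaddress.ip_network(m.group(1) or m.group(2), strict=False))
    return nets

def auth_advertised(client_ip, nets):
    """Mirror the expansion: a match yields '*' (offer AUTH), no match yields ''."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in nets)

def triage(log_text, allow_text):
    """Return (ip, failures, auth_still_offered) rows, busiest source first."""
    nets = load_allowlist(allow_text)
    counts = Counter(FAILED_AUTH.findall(log_text))
    return [(ip, n, auth_advertised(ip, nets)) for ip, n in counts.most_common()]

if __name__ == "__main__":
    for ip, n, offered in triage(SAMPLE_LOG, SAMPLE_ALLOWLIST):
        print(f"{ip:<16} failures={n} AUTH offered after restriction: {offered}")
```

Rows ending in True are sources the allow-list still covers, so failed logins from them continue to reach the authenticator after the restriction is enabled.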

If you’re unable to restrict SMTP access to specific IP addresses or CIDR blocks, then you can restrict by country in the ConfigServer configuration.  Click the ConfigServer configuration button and look for CC_ALLOW_SMTPAUTH.  Add the country codes that you want to allow to connect to your SMTP server.  Be careful with this though – it can add a ridiculous amount of IP addresses to the firewall and hinder performance.

That’s it!  Your server is now better protected against brute force SMTP attacks and is far more secure than before.