Security Server Improvement.

Posted: February 8th, 2024, 6:45 am
by admin
Hello Everyone!

To make our server run faster, more secure and more comfortable to use...
I've decided to use Apache with LiteSpeed PHP (lsphp) rather than the features from CGI, FCGI, PHP-FPM, LiteSpeed, OpenLiteSpeed and NGINX.

I've already installed mod_lsapi from CloudLinux OS to improve the server performance of PHP sites.
For reference:
https://www.cloudlinux.com/getting-star ... iguration/

I've also installed ConfigServer Firewall (csf, for DirectAdmin panel servers), firewall modules from https://waytotheweb.com, which are integrated with:
- login authenticator
- smtpauth
- dovecot
- lmtp
- pop3d
- sshd
- ftpd
- eximsyntax
- imapd

Blocklist chains from the lists below have been integrated with the CSF firewall too:
- MaxMind GeoIP Anonymous Proxies from: https://www.maxmind.com/en/anonymous_proxies
- Stop Forum Spam from: http://www.stopforumspam.com/
- GreenSnow Hack List from: https://greensnow.co
- AbuseIPDB blacklist from: https://docs.abuseipdb.com/#blacklist-endpoint

And it's working correctly...
My server will instantly block all of the hackers, spammers, scammers, malware and spoofing/phishing attacks (cybercriminal attackers) from all over the world that have tried to reach our server with bad habits, within seconds.
Have a look:

[root@srv8 ~]# tail -n 30 /var/log/lfd.log
Feb  8 00:00:03 srv8 lfd[1650618]: Directory Watching...
Feb  8 00:00:03 srv8 lfd[1650618]: Email Relay Tracking...
Feb  8 00:00:03 srv8 lfd[1650618]: Temp to Perm Block Tracking...
Feb  8 00:00:03 srv8 lfd[1650618]: Watching /var/www/html/phpMyAdmin/log/auth.log...
Feb  8 00:00:03 srv8 lfd[1650618]: Watching /var/log/customlog...
Feb  8 00:00:03 srv8 lfd[1650618]: Watching /var/log/exim/mainlog...
Feb  8 00:00:03 srv8 lfd[1650618]: Watching /var/log/directadmin/login.log...
Feb  8 00:00:03 srv8 lfd[1650618]: Watching /var/log/messages...
Feb  8 00:00:03 srv8 lfd[1650618]: Watching /var/www/html/squirrelmail/data/squirrelmail_access_log...
Feb  8 00:00:03 srv8 lfd[1650618]: Watching /var/log/maillog...
Feb  8 00:00:03 srv8 lfd[1650618]: Watching /var/www/html/roundcube/logs/errors.log...
Feb  8 00:00:03 srv8 lfd[1650618]: Watching /var/log/secure...
Feb  8 00:00:03 srv8 lfd[1650618]: Watching /var/log/httpd/error_log...
Feb  8 00:10:13 srv8 lfd[1652421]: (sshd) Failed SSH login from 129.146.162.206 (US/United States/-): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Feb  8 00:28:10 srv8 lfd[1657434]: (smtpauth) Failed SMTP AUTH login from 124.136.29.20 (KR/South Korea/-): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Feb  8 00:28:55 srv8 lfd[1657556]: (smtpauth) Failed SMTP AUTH login from 122.11.169.112 (SG/Singapore/122.11.169-112.unknown.starhub.net.sg): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Feb  8 01:24:24 srv8 lfd[1666148]: (ftpd) Failed FTP login from 49.43.115.135 (IN/India/-): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Feb  8 01:37:26 srv8 lfd[1668178]: (ftpd) Failed FTP login from 103.123.78.21 (IN/India/-): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Feb  8 01:55:44 srv8 lfd[1670798]: (sshd) Failed SSH login from 34.170.15.98 (US/United States/98.15.170.34.bc.googleusercontent.com): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Feb  8 02:12:22 srv8 lfd[1673501]: (smtpauth) Failed SMTP AUTH login from 12.207.244.211 (US/United States/-): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Feb  8 02:12:38 srv8 lfd[1673554]: (smtpauth) Failed SMTP AUTH login from 222.179.102.210 (CN/China/-): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Feb  8 02:14:23 srv8 lfd[1673802]: (smtpauth) Failed SMTP AUTH login from 102.165.14.139 (US/United States/-): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Feb  8 02:32:52 srv8 lfd[1676620]: (eximsyntax) Exim syntax errors from 118.193.58.187 (DE/Germany/-): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Feb  8 02:38:57 srv8 lfd[1677524]: (smtpauth) Failed SMTP AUTH login from 111.10.223.169 (CN/China/-): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Feb  8 02:39:17 srv8 lfd[1677607]: (smtpauth) Failed SMTP AUTH login from 41.79.50.242 (GQ/Equatorial Guinea/-): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Feb  8 04:07:28 srv8 lfd[1704294]: (smtpauth) Failed SMTP AUTH login from 102.165.14.140 (US/United States/-): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Feb  8 04:37:44 srv8 lfd[1756825]: (sshd) Failed SSH login from 157.245.154.124 (SG/Singapore/-): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Feb  8 04:54:17 srv8 lfd[1759242]: (smtpauth) Failed SMTP AUTH login from 27.72.155.221 (dynamic-adsl.viettel.vn): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Feb  8 04:54:57 srv8 lfd[1759397]: (smtpauth) Failed SMTP AUTH login from 191.36.156.53 (BR/Brazil/vipturbo.com.br): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Feb  8 04:55:07 srv8 lfd[1759506]: (sshd) Failed SSH login from 14.32.241.81 (KR/South Korea/-): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Feb  8 06:02:21 srv8 lfd[1770132]: (sshd) Failed SSH login from 175.206.96.178 (KR/South Korea/-): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Feb  8 06:14:26 srv8 lfd[1772079]: (smtpauth) Failed SMTP AUTH login from 23.95.86.94 (CA/Canada/solicitously.mutemeet.net): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Feb  8 06:50:32 srv8 lfd[1777483]: (sshd) Failed SSH login from 222.111.179.159 (KR/South Korea/-): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Feb  8 06:53:38 srv8 lfd[1777909]: (smtpauth) Failed SMTP AUTH login from 192.227.144.43 (US/United States/192-227-144-43-host.colocrossing.com): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Feb  8 07:03:40 srv8 lfd[1779439]: (smtpauth) Failed SMTP AUTH login from 60.8.223.58 (CN/China/hebei.8.60.in-addr.arpa): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Feb  8 07:04:00 srv8 lfd[1779512]: (smtpauth) Failed SMTP AUTH login from 120.193.223.46 (CN/China/-): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Feb  8 07:05:55 srv8 lfd[1779858]: (ftpd) Failed FTP login from 103.26.81.177 (PK/Pakistan/-): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Feb  8 07:28:08 srv8 lfd[1783286]: (sshd) Failed SSH login from 64.62.197.107 (US/United States/107.0-24.197.62.64.in-addr.arpa): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Feb  8 07:43:46 srv8 lfd[1785558]: (smtpauth) Failed SMTP AUTH login from 191.36.152.28 (BR/Brazil/vipturbo.com.br): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Feb  8 07:54:49 srv8 lfd[1834070]: (smtpauth) Failed SMTP AUTH login from 91.244.113.156 (RU/Russia/91.244.113.156.wirenet.tv): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Feb  8 07:55:10 srv8 lfd[1835671]: (smtpauth) Failed SMTP AUTH login from 117.187.89.145 (CN/China/-): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Feb  8 08:23:25 srv8 lfd[2029191]: (sshd) Failed SSH login from 64.62.197.127 (US/United States/127.0-24.197.62.64.in-addr.arpa): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Feb  8 09:00:51 srv8 lfd[2047537]: (ftpd) Failed FTP login from 34.140.130.61 (BE/Belgium/61.130.140.34.bc.googleusercontent.com): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Feb  8 09:01:57 srv8 lfd[2047700]: (ftpd) Failed FTP login from 35.190.199.12 (BE/Belgium/12.199.190.35.bc.googleusercontent.com): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Feb  8 09:07:30 srv8 lfd[2048805]: (ftpd) Failed FTP login from 35.240.121.17 (BE/Belgium/17.121.240.35.bc.googleusercontent.com): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Feb  8 09:17:15 srv8 lfd[2050301]: (sshd) Failed SSH login from 121.178.230.152 (KR/South Korea/-): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Feb  8 09:23:56 srv8 lfd[2051263]: (sshd) Failed SSH login from 87.103.104.96 (PT/Portugal/96.104.103.87.rev.vodafone.pt): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Feb  8 09:53:03 srv8 lfd[2090315]: (smtpauth) Failed SMTP AUTH login from 210.177.148.45 (HK/Hong Kong/-): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Feb  8 09:53:33 srv8 lfd[2094714]: (smtpauth) Failed SMTP AUTH login from 210.18.182.188 (IN/India/-): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Feb  8 09:54:18 srv8 lfd[2101298]: (ftpd) Failed FTP login from 165.154.163.113 (US/United States/-): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Feb  8 10:18:42 srv8 lfd[2242935]: (smtpauth) Failed SMTP AUTH login from 188.32.109.40 (RU/Russia/broadband-188-32-109-40.ip.moscow.rt.ru): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Feb  8 10:18:56 srv8 lfd[2244067]: (smtpauth) Failed SMTP AUTH login from 42.98.116.229 (HK/Hong Kong/42-98-116-229.static.netvigator.com): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Feb  8 10:20:42 srv8 lfd[2252190]: (sshd) Failed SSH login from 64.62.197.211 (US/United States/211.0-24.197.62.64.in-addr.arpa): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Feb  8 10:24:38 srv8 lfd[2269099]: (eximsyntax) Exim syntax errors from 58.48.226.61 (CN/China/-): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Feb  8 10:24:38 srv8 lfd[2269100]: (eximsyntax) Exim syntax errors from 125.82.243.25 (CN/China/-): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Feb  8 11:18:57 srv8 lfd[2280252]: (smtpauth) Failed SMTP AUTH login from 177.72.87.7 (BR/Brazil/7.lifedns.com.br): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Feb  8 11:19:17 srv8 lfd[2280338]: (smtpauth) Failed SMTP AUTH login from 185.246.255.235 (IL/Israel/-): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Feb  8 11:29:09 srv8 lfd[2281825]: (ftpd) Failed FTP login from 189.113.4.60 (BR/Brazil/sistemaev.com.br): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Feb  8 11:43:49 srv8 lfd[2284011]: (ftpd) Failed FTP login from 31.148.250.165 (BY/Belarus/-): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Feb  8 12:01:00 srv8 lfd[2286671]: (ftpd) Failed FTP login from 185.203.236.130 (UZ/Uzbekistan/-): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
[root@srv8 ~]#

[root@srv8 ~]# tail -n 30 /var/log/exim/rejectlog
2024-02-07 21:47:42 login authenticator failed for ([117.158.161.98]) [117.158.161.98]: 535 Incorrect authentication data (set_id=admin@mailersafelist.com)
2024-02-07 21:48:15 login authenticator failed for ([185.207.129.246]) [185.207.129.246]: 535 Incorrect authentication data (set_id=admin)
2024-02-07 21:55:37 login authenticator failed for (static.vnpt.vn) [113.160.203.147]: 535 Incorrect authentication data (set_id=admin@mailersafelist.com)
2024-02-07 21:55:51 login authenticator failed for (static.vnpt.vn) [113.175.240.142]: 535 Incorrect authentication data (set_id=admin)
2024-02-07 21:58:10 SMTP call from scan-54b.shadowserver.org [65.49.1.39] dropped: too many unrecognized commands (last was "Accept: */*")
2024-02-07 21:58:25 SMTP call from [65.49.1.62] dropped: too many unrecognized commands (last was "Accept: */*")
2024-02-07 22:32:23 login authenticator failed for ([183.215.1.244]) [183.215.1.244]: 535 Incorrect authentication data (set_id=admin@mailersafelist.com)
2024-02-07 22:32:39 login authenticator failed for ([196.20.104.226]) [196.20.104.226]: 535 Incorrect authentication data (set_id=admin)
2024-02-07 22:53:32 login authenticator failed for (192-3-198-20-host.colocrossing.com) [192.3.198.20]: 535 Incorrect authentication data (set_id=admin@marketer-safelist.com)
2024-02-08 00:28:06 login authenticator failed for ([114.53.252.254]) [124.136.29.20]: 535 Incorrect authentication data (set_id=admin@mailersafelist.com)
2024-02-08 00:28:50 login authenticator failed for (122.11.169-112.unknown.starhub.net.sg) [122.11.169.112]: 535 Incorrect authentication data (set_id=admin)
2024-02-08 00:58:03 SMTP call from scan-19.shadowserver.org [65.49.20.68] dropped: too many unrecognized commands (last was "Accept: */*")
2024-02-08 02:12:21 login authenticator failed for ([12.207.244.211]) [12.207.244.211]: 535 Incorrect authentication data (set_id=admin@mailersafelist.com)
2024-02-08 02:12:35 login authenticator failed for ([222.179.102.210]) [222.179.102.210]: 535 Incorrect authentication data (set_id=admin)
2024-02-08 02:14:21 login authenticator failed for (102.165.14.139) [102.165.14.139]: 535 Incorrect authentication data (set_id=admin@marketer-safelist.com)
2024-02-08 02:32:46 SMTP call from [118.193.58.187] dropped: too many syntax or protocol errors (last command was "?", NULL)
2024-02-08 02:38:52 login authenticator failed for ([111.10.223.169]) [111.10.223.169]: 535 Incorrect authentication data (set_id=admin@mailersafelist.com)
2024-02-08 02:39:15 login authenticator failed for ([41.79.50.242]) [41.79.50.242]: 535 Incorrect authentication data (set_id=admin)
2024-02-08 03:46:08 H=([128.65.164.36]) [128.65.164.36] F=<smtp_01@wikipedia.org> rejected RCPT <sales@lixinmetal.cn>: authentication required
2024-02-08 03:47:34 SMTP call from scan-59a.shadowserver.org [65.49.1.108] dropped: too many unrecognized commands (last was "Accept: */*")
2024-02-08 03:58:52 H=([128.65.164.36]) [128.65.164.36] F=<smtp_01@wikipedia.org> rejected RCPT <sales@lixinmetal.cn>: authentication required
2024-02-08 04:02:01 H=([128.65.164.36]) [128.65.164.36] F=<smtp_01@wikipedia.org> rejected RCPT <sales@lixinmetal.cn>: authentication required
2024-02-08 04:07:23 login authenticator failed for (localhost) [102.165.14.140]: 535 Incorrect authentication data (set_id=admin@marketer-safelist.com)
2024-02-08 04:26:09 H=([128.65.164.36]) [128.65.164.36] F=<smtp_01@wikipedia.org> rejected RCPT <sales@lixinmetal.cn>: authentication required
2024-02-08 04:52:56 H=([128.65.164.36]) [128.65.164.36] F=<smtp_01@wikipedia.org> rejected RCPT <sales@lixinmetal.cn>: authentication required
2024-02-08 04:54:15 login authenticator failed for (static.vnpt.vn) [27.72.155.221]: 535 Incorrect authentication data (set_id=admin@mailersafelist.com)
2024-02-08 04:54:52 login authenticator failed for (vipturbo.com.br) [191.36.156.53]: 535 Incorrect authentication data (set_id=admin)
2024-02-08 05:08:44 H=([128.65.164.36]) [128.65.164.36] F=<smtp_01@wikipedia.org> rejected RCPT <sales@lixinmetal.cn>: authentication required
2024-02-08 09:53:30 login authenticator failed for ([210.18.182.188]) [210.18.182.188]: 535 Incorrect authentication data (set_id=admin)
2024-02-08 10:18:38 login authenticator failed for broadband-188-32-109-40.ip.moscow.rt.ru [188.32.109.40]: 535 Incorrect authentication data (set_id=admin@mailersafelist.com)
2024-02-08 10:18:55 login authenticator failed for 42-98-116-229.static.netvigator.com [42.98.116.229]: 535 Incorrect authentication data (set_id=admin)
2024-02-08 10:24:34 SMTP call from [58.48.226.61] dropped: too many syntax or protocol errors (last command was "?", NULL)
2024-02-08 10:24:36 SMTP call from [125.82.243.25] dropped: too many syntax or protocol errors (last command was "?", NULL)
2024-02-08 10:24:37 SMTP call from [112.94.253.241] dropped: too many unrecognized commands (last was "")
2024-02-08 11:18:53 login authenticator failed for (7.lifedns.com.br) [177.72.87.7]: 535 Incorrect authentication data (set_id=admin@mailersafelist.com)
2024-02-08 11:19:13 login authenticator failed for ([185.246.255.235]) [185.246.255.235]: 535 Incorrect authentication data (set_id=admin)
2024-02-08 12:12:07 login authenticator failed for (static.vnpt.vn) [113.161.40.240]: 535 Incorrect authentication data (set_id=admin@mailersafelist.com)
2024-02-08 12:13:18 login authenticator failed for (71.58.221.60.adsl-pool.sx.cn) [60.221.58.71]: 535 Incorrect authentication data (set_id=admin)
[root@srv8 ~]#

Since we're using Google Send Mail Transport Protocol (gsmtp) to send all of the emails from our server to all of our members, all emails from my server should be scanned first by the ClamAV scanner plugin (antivirus, antimalware, etc.). It will take a bit more time (slower) to deliver all of the emails sent from our server to all of the Gmail members' inboxes.

[root@srv8 ~]# ls -la /var/spool/exim/
total 4
drwxr-x---   6 mail mail  120 Feb  6 18:57 .
drwxr-xr-x. 11 root root 4096 Feb  6 13:09 ..
drwxr-x---   2 mail mail  160 Feb  6 18:57 db
drwxr-x---  64 mail mail 1280 Feb  6 18:00 input
drwxr-x---  64 mail mail 1280 Feb  6 18:00 msglog
drwxr-x---   2 mail mail   40 Feb  8 03:05 scan
[root@srv8 ~]#

More security improvements will be added in future development.
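The two log excerpts above (lfd's LF_TRIGGER block lines and Exim's rejectlog 535 authentication failures) are the raw material a defender would actually review after a setup like this. The script below is an added example, not code from the post or from the csf/lfd or Exim projects: it parses lines in the exact layout the `tail` output shows, counts blocks per service and per GeoIP country, tallies which usernames the SMTP AUTH attempts targeted, and cross-references the Exim 535 failures against the lfd blocks so that a failure without a matching block stands out. The sample log lines are constructed with RFC 5737 documentation addresses and example.* hostnames; they follow the post's format but are not real traffic.

```python
"""Summarise csf/lfd LF_TRIGGER blocks and correlate them with Exim rejectlog
authentication failures.

Added example (not part of the forum post). Sample lines are constructed
from RFC 5737 documentation addresses, not taken from a real server.
"""
import re
from collections import Counter
from typing import Dict, List, Optional

# One lfd.log trigger line, e.g.
# Feb  8 00:10:13 srv8 lfd[1652421]: (sshd) Failed SSH login from 203.0.113.10 (US/United States/-): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
LFD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ lfd\[\d+\]: "
    r"\((?P<service>\w+)\) (?P<reason>.*?) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"\((?P<geo>[^)]*)\): (?P<count>\d+) in the last (?P<window>\d+) secs"
    r" - \*(?P<action>[^*]+)\* \[(?P<trigger>[A-Z_]+)\]$"
)

# One Exim rejectlog "login authenticator failed" line (535 = bad credentials).
EXIM_AUTH_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) login authenticator failed for "
    r".*?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]: 535 .*\(set_id=(?P<user>[^)]*)\)$"
)


def parse_lfd_line(line: str) -> Optional[Dict[str, str]]:
    """Fields of an lfd block line, or None for other lines ('Watching ...', etc.)."""
    m = LFD_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # The parenthesised field is "CC/Country/rdns" when GeoIP resolved the
    # address, but only a reverse-DNS name when it did not (see the post's
    # viettel.vn line), so split defensively.
    parts = rec.pop("geo").split("/")
    if len(parts) == 3:
        rec["cc"], rec["country"], rec["rdns"] = parts
    else:
        rec["cc"], rec["country"], rec["rdns"] = "", "", parts[0]
    return rec


def parse_exim_auth_failure(line: str) -> Optional[Dict[str, str]]:
    """Fields of an Exim 535 auth-failure line, or None (dropped calls, RCPT rejects...)."""
    m = EXIM_AUTH_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize(lfd_lines: List[str], exim_lines: List[str]) -> Dict[str, object]:
    blocks = [r for r in map(parse_lfd_line, lfd_lines) if r]
    failures = [r for r in map(parse_exim_auth_failure, exim_lines) if r]
    blocked_ips = {b["ip"] for b in blocks}
    failed_ips = {f["ip"] for f in failures}
    return {
        "blocks": len(blocks),
        "by_service": dict(Counter(b["service"] for b in blocks)),
        "by_country": dict(Counter(b["cc"] or "??" for b in blocks)),
        # Which usernames the SMTP AUTH guesses aimed at: tells you which
        # accounts deserve a strong password / rate limit first.
        "targeted_users": dict(Counter(f["user"] for f in failures)),
        "auth_failures_blocked": sorted(failed_ips & blocked_ips),
        # 535s whose source never shows up as blocked in this log window.
        "auth_failures_not_blocked": sorted(failed_ips - blocked_ips),
        # Blocks fired on a single failure: the LF_* trigger count is 1.
        "single_failure_blocks": sum(1 for b in blocks if b["count"] == "1"),
    }


# Constructed sample lines in the post's layout (documentation addresses).
SAMPLE_LFD = [
    "Feb  8 00:00:03 srv8 lfd[1650618]: Watching /var/log/secure...",
    "Feb  8 00:10:13 srv8 lfd[1652421]: (sshd) Failed SSH login from 203.0.113.10 (US/United States/-): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]",
    "Feb  8 00:28:10 srv8 lfd[1657434]: (smtpauth) Failed SMTP AUTH login from 198.51.100.20 (KR/South Korea/-): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]",
    "Feb  8 02:32:52 srv8 lfd[1676620]: (eximsyntax) Exim syntax errors from 198.51.100.30 (DE/Germany/-): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]",
    "Feb  8 04:54:17 srv8 lfd[1759242]: (smtpauth) Failed SMTP AUTH login from 198.51.100.40 (dynamic-adsl.example.net): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]",
    "Feb  8 07:05:55 srv8 lfd[1779858]: (ftpd) Failed FTP login from 203.0.113.50 (PK/Pakistan/-): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]",
]
SAMPLE_EXIM = [
    "2024-02-08 00:28:06 login authenticator failed for ([198.51.100.20]) [198.51.100.20]: 535 Incorrect authentication data (set_id=admin@example.com)",
    "2024-02-08 04:54:15 login authenticator failed for (dynamic-adsl.example.net) [198.51.100.40]: 535 Incorrect authentication data (set_id=admin)",
    "2024-02-08 12:13:18 login authenticator failed for (host.example.org) [192.0.2.60]: 535 Incorrect authentication data (set_id=admin)",
    '2024-02-08 03:47:34 SMTP call from scan.example.org [192.0.2.70] dropped: too many unrecognized commands (last was "Accept: */*")',
]

if __name__ == "__main__":
    # Replace the samples with open("/var/log/lfd.log") / open("/var/log/exim/rejectlog") on a real host.
    for key, value in summarize(SAMPLE_LFD, SAMPLE_EXIM).items():
        print(f"{key}: {value}")
```

Two things the output makes visible that the raw `tail` does not: every block in the post's log fired on "1 in the last 3600 secs", so the trigger counts are set to a single failure, which blocks scanners fast but also locks out a legitimate user after one mistyped password; and an Exim 535 whose address is missing from `auth_failures_blocked` (here the constructed 192.0.2.60 entry) is exactly the kind of gap worth checking against csf's allow list and lfd's interval settings.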