To make our server run faster, more secure and comfortable to use...
I've decided to use Apache with LiteSpeed PHP (lsphp) rather than features from CGI, FCGI, PHP-FPM, LiteSpeed, OpenLiteSpeed and NGINX.
I've already installed Mod_lsapi from CloudLinux OS to improve the server performance of PHP sites.
For reference:
https://www.cloudlinux.com/getting-star ... iguration/
I've also installed Config Server Firewall (csf for DirectAdmin Panel Server) - Firewall modules from https://waytotheweb.com which is integrated with:
- login authenticator
- smtpauth
- dovecot
- lmtp
- pop3d
- sshd
- ftpd
- eximsyntax
- imapd
- Scan Port
Blocklist chains from the lists below have been integrated with CSF Firewall too:
- MaxMind GeoIP Anonymous Proxies from : https://www.maxmind.com/en/anonymous_proxies
- Stop Forum Spam from : http://www.stopforumspam.com/
- GreenSnow Hack List from : https://greensnow.co
- AbuseIPDB blacklist from : https://docs.abuseipdb.com/#blacklist-endpoint
And it is working correctly...
My server will instantly block all of the hackers, spammers, scammers, malware and spoofing/phishing attacks (cybercriminal attackers) from all over the world that have attempted to reach our server with bad habits, within seconds.
Have a look:
[root@srv8 ~]# tail -n 30 /var/log/lfd.log
Feb 8 00:00:03 srv8 lfd[1650618]: Directory Watching...
Feb 8 00:00:03 srv8 lfd[1650618]: Email Relay Tracking...
Feb 8 00:00:03 srv8 lfd[1650618]: Temp to Perm Block Tracking...
Feb 8 00:00:03 srv8 lfd[1650618]: Watching /var/www/html/phpMyAdmin/log/auth.log...
Feb 8 00:00:03 srv8 lfd[1650618]: Watching /var/log/customlog...
Feb 8 00:00:03 srv8 lfd[1650618]: Watching /var/log/exim/mainlog...
Feb 8 00:00:03 srv8 lfd[1650618]: Watching /var/log/directadmin/login.log...
Feb 8 00:00:03 srv8 lfd[1650618]: Watching /var/log/messages...
Feb 8 00:00:03 srv8 lfd[1650618]: Watching /var/www/html/squirrelmail/data/squirrelmail_access_log...
Feb 8 00:00:03 srv8 lfd[1650618]: Watching /var/log/maillog...
Feb 8 00:00:03 srv8 lfd[1650618]: Watching /var/www/html/roundcube/logs/errors.log...
Feb 8 00:00:03 srv8 lfd[1650618]: Watching /var/log/secure...
Feb 8 00:00:03 srv8 lfd[1650618]: Watching /var/log/httpd/error_log...
Feb 8 00:10:13 srv8 lfd[1652421]: (sshd) Failed SSH login from 129.146.162.206 (US/United States/-): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Feb 8 00:28:10 srv8 lfd[1657434]: (smtpauth) Failed SMTP AUTH login from 124.136.29.20 (KR/South Korea/-): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Feb 8 00:28:55 srv8 lfd[1657556]: (smtpauth) Failed SMTP AUTH login from 122.11.169.112 (SG/Singapore/122.11.169-112.unknown.starhub.net.sg): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Feb 8 01:24:24 srv8 lfd[1666148]: (ftpd) Failed FTP login from 49.43.115.135 (IN/India/-): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Feb 8 01:37:26 srv8 lfd[1668178]: (ftpd) Failed FTP login from 103.123.78.21 (IN/India/-): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Feb 8 01:55:44 srv8 lfd[1670798]: (sshd) Failed SSH login from 34.170.15.98 (US/United States/98.15.170.34.bc.googleusercontent.com): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Feb 8 02:12:22 srv8 lfd[1673501]: (smtpauth) Failed SMTP AUTH login from 12.207.244.211 (US/United States/-): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Feb 8 02:12:38 srv8 lfd[1673554]: (smtpauth) Failed SMTP AUTH login from 222.179.102.210 (CN/China/-): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Feb 8 02:14:23 srv8 lfd[1673802]: (smtpauth) Failed SMTP AUTH login from 102.165.14.139 (US/United States/-): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Feb 8 02:32:52 srv8 lfd[1676620]: (eximsyntax) Exim syntax errors from 118.193.58.187 (DE/Germany/-): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Feb 8 02:38:57 srv8 lfd[1677524]: (smtpauth) Failed SMTP AUTH login from 111.10.223.169 (CN/China/-): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Feb 8 02:39:17 srv8 lfd[1677607]: (smtpauth) Failed SMTP AUTH login from 41.79.50.242 (GQ/Equatorial Guinea/-): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Feb 8 04:07:28 srv8 lfd[1704294]: (smtpauth) Failed SMTP AUTH login from 102.165.14.140 (US/United States/-): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Feb 8 04:37:44 srv8 lfd[1756825]: (sshd) Failed SSH login from 157.245.154.124 (SG/Singapore/-): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Feb 8 04:54:17 srv8 lfd[1759242]: (smtpauth) Failed SMTP AUTH login from 27.72.155.221 (dynamic-adsl.viettel.vn): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Feb 8 04:54:57 srv8 lfd[1759397]: (smtpauth) Failed SMTP AUTH login from 191.36.156.53 (BR/Brazil/vipturbo.com.br): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Feb 8 04:55:07 srv8 lfd[1759506]: (sshd) Failed SSH login from 14.32.241.81 (KR/South Korea/-): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Feb 8 06:02:21 srv8 lfd[1770132]: (sshd) Failed SSH login from 175.206.96.178 (KR/South Korea/-): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Feb 8 06:14:26 srv8 lfd[1772079]: (smtpauth) Failed SMTP AUTH login from 23.95.86.94 (CA/Canada/solicitously.mutemeet.net): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Feb 8 06:50:32 srv8 lfd[1777483]: (sshd) Failed SSH login from 222.111.179.159 (KR/South Korea/-): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Feb 8 06:53:38 srv8 lfd[1777909]: (smtpauth) Failed SMTP AUTH login from 192.227.144.43 (US/United States/192-227-144-43-host.colocrossing.com): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Feb 8 07:03:40 srv8 lfd[1779439]: (smtpauth) Failed SMTP AUTH login from 60.8.223.58 (CN/China/hebei.8.60.in-addr.arpa): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Feb 8 07:04:00 srv8 lfd[1779512]: (smtpauth) Failed SMTP AUTH login from 120.193.223.46 (CN/China/-): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Feb 8 07:05:55 srv8 lfd[1779858]: (ftpd) Failed FTP login from 103.26.81.177 (PK/Pakistan/-): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Feb 8 07:28:08 srv8 lfd[1783286]: (sshd) Failed SSH login from 64.62.197.107 (US/United States/107.0-24.197.62.64.in-addr.arpa): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Feb 8 07:43:46 srv8 lfd[1785558]: (smtpauth) Failed SMTP AUTH login from 191.36.152.28 (BR/Brazil/vipturbo.com.br): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Feb 8 07:54:49 srv8 lfd[1834070]: (smtpauth) Failed SMTP AUTH login from 91.244.113.156 (RU/Russia/91.244.113.156.wirenet.tv): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Feb 8 07:55:10 srv8 lfd[1835671]: (smtpauth) Failed SMTP AUTH login from 117.187.89.145 (CN/China/-): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Feb 8 08:23:25 srv8 lfd[2029191]: (sshd) Failed SSH login from 64.62.197.127 (US/United States/127.0-24.197.62.64.in-addr.arpa): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Feb 8 09:00:51 srv8 lfd[2047537]: (ftpd) Failed FTP login from 34.140.130.61 (BE/Belgium/61.130.140.34.bc.googleusercontent.com): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Feb 8 09:01:57 srv8 lfd[2047700]: (ftpd) Failed FTP login from 35.190.199.12 (BE/Belgium/12.199.190.35.bc.googleusercontent.com): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Feb 8 09:07:30 srv8 lfd[2048805]: (ftpd) Failed FTP login from 35.240.121.17 (BE/Belgium/17.121.240.35.bc.googleusercontent.com): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Feb 8 09:17:15 srv8 lfd[2050301]: (sshd) Failed SSH login from 121.178.230.152 (KR/South Korea/-): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Feb 8 09:23:56 srv8 lfd[2051263]: (sshd) Failed SSH login from 87.103.104.96 (PT/Portugal/96.104.103.87.rev.vodafone.pt): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Feb 8 09:53:03 srv8 lfd[2090315]: (smtpauth) Failed SMTP AUTH login from 210.177.148.45 (HK/Hong Kong/-): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Feb 8 09:53:33 srv8 lfd[2094714]: (smtpauth) Failed SMTP AUTH login from 210.18.182.188 (IN/India/-): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Feb 8 09:54:18 srv8 lfd[2101298]: (ftpd) Failed FTP login from 165.154.163.113 (US/United States/-): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Feb 8 10:18:42 srv8 lfd[2242935]: (smtpauth) Failed SMTP AUTH login from 188.32.109.40 (RU/Russia/broadband-188-32-109-40.ip.moscow.rt.ru): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Feb 8 10:18:56 srv8 lfd[2244067]: (smtpauth) Failed SMTP AUTH login from 42.98.116.229 (HK/Hong Kong/42-98-116-229.static.netvigator.com): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Feb 8 10:20:42 srv8 lfd[2252190]: (sshd) Failed SSH login from 64.62.197.211 (US/United States/211.0-24.197.62.64.in-addr.arpa): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Feb 8 10:24:38 srv8 lfd[2269099]: (eximsyntax) Exim syntax errors from 58.48.226.61 (CN/China/-): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Feb 8 10:24:38 srv8 lfd[2269100]: (eximsyntax) Exim syntax errors from 125.82.243.25 (CN/China/-): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Feb 8 11:18:57 srv8 lfd[2280252]: (smtpauth) Failed SMTP AUTH login from 177.72.87.7 (BR/Brazil/7.lifedns.com.br): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Feb 8 11:19:17 srv8 lfd[2280338]: (smtpauth) Failed SMTP AUTH login from 185.246.255.235 (IL/Israel/-): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Feb 8 11:29:09 srv8 lfd[2281825]: (ftpd) Failed FTP login from 189.113.4.60 (BR/Brazil/sistemaev.com.br): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Feb 8 11:43:49 srv8 lfd[2284011]: (ftpd) Failed FTP login from 31.148.250.165 (BY/Belarus/-): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Feb 8 12:01:00 srv8 lfd[2286671]: (ftpd) Failed FTP login from 185.203.236.130 (UZ/Uzbekistan/-): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
[root@srv8 ~]#
[root@srv8 ~]# tail -n 30 /var/log/exim/rejectlog
2024-02-07 21:47:42 login authenticator failed for ([117.158.161.98]) [117.158.161.98]: 535 Incorrect authentication data (set_id=admin@mailersafelist.com)
2024-02-07 21:48:15 login authenticator failed for ([185.207.129.246]) [185.207.129.246]: 535 Incorrect authentication data (set_id=admin)
2024-02-07 21:55:37 login authenticator failed for (static.vnpt.vn) [113.160.203.147]: 535 Incorrect authentication data (set_id=admin@mailersafelist.com)
2024-02-07 21:55:51 login authenticator failed for (static.vnpt.vn) [113.175.240.142]: 535 Incorrect authentication data (set_id=admin)
2024-02-07 21:58:10 SMTP call from scan-54b.shadowserver.org [65.49.1.39] dropped: too many unrecognized commands (last was "Accept: */*")
2024-02-07 21:58:25 SMTP call from [65.49.1.62] dropped: too many unrecognized commands (last was "Accept: */*")
2024-02-07 22:32:23 login authenticator failed for ([183.215.1.244]) [183.215.1.244]: 535 Incorrect authentication data (set_id=admin@mailersafelist.com)
2024-02-07 22:32:39 login authenticator failed for ([196.20.104.226]) [196.20.104.226]: 535 Incorrect authentication data (set_id=admin)
2024-02-07 22:53:32 login authenticator failed for (192-3-198-20-host.colocrossing.com) [192.3.198.20]: 535 Incorrect authentication data (set_id=admin@marketer-safelist.com)
2024-02-08 00:28:06 login authenticator failed for ([114.53.252.254]) [124.136.29.20]: 535 Incorrect authentication data (set_id=admin@mailersafelist.com)
2024-02-08 00:28:50 login authenticator failed for (122.11.169-112.unknown.starhub.net.sg) [122.11.169.112]: 535 Incorrect authentication data (set_id=admin)
2024-02-08 00:58:03 SMTP call from scan-19.shadowserver.org [65.49.20.68] dropped: too many unrecognized commands (last was "Accept: */*")
2024-02-08 02:12:21 login authenticator failed for ([12.207.244.211]) [12.207.244.211]: 535 Incorrect authentication data (set_id=admin@mailersafelist.com)
2024-02-08 02:12:35 login authenticator failed for ([222.179.102.210]) [222.179.102.210]: 535 Incorrect authentication data (set_id=admin)
2024-02-08 02:14:21 login authenticator failed for (102.165.14.139) [102.165.14.139]: 535 Incorrect authentication data (set_id=admin@marketer-safelist.com)
2024-02-08 02:32:46 SMTP call from [118.193.58.187] dropped: too many syntax or protocol errors (last command was "?", NULL)
2024-02-08 02:38:52 login authenticator failed for ([111.10.223.169]) [111.10.223.169]: 535 Incorrect authentication data (set_id=admin@mailersafelist.com)
2024-02-08 02:39:15 login authenticator failed for ([41.79.50.242]) [41.79.50.242]: 535 Incorrect authentication data (set_id=admin)
2024-02-08 03:46:08 H=([128.65.164.36]) [128.65.164.36] F=<smtp_01@wikipedia.org> rejected RCPT <sales@lixinmetal.cn>: authentication required
2024-02-08 03:47:34 SMTP call from scan-59a.shadowserver.org [65.49.1.108] dropped: too many unrecognized commands (last was "Accept: */*")
2024-02-08 03:58:52 H=([128.65.164.36]) [128.65.164.36] F=<smtp_01@wikipedia.org> rejected RCPT <sales@lixinmetal.cn>: authentication required
2024-02-08 04:02:01 H=([128.65.164.36]) [128.65.164.36] F=<smtp_01@wikipedia.org> rejected RCPT <sales@lixinmetal.cn>: authentication required
2024-02-08 04:07:23 login authenticator failed for (localhost) [102.165.14.140]: 535 Incorrect authentication data (set_id=admin@marketer-safelist.com)
2024-02-08 04:26:09 H=([128.65.164.36]) [128.65.164.36] F=<smtp_01@wikipedia.org> rejected RCPT <sales@lixinmetal.cn>: authentication required
2024-02-08 04:52:56 H=([128.65.164.36]) [128.65.164.36] F=<smtp_01@wikipedia.org> rejected RCPT <sales@lixinmetal.cn>: authentication required
2024-02-08 04:54:15 login authenticator failed for (static.vnpt.vn) [27.72.155.221]: 535 Incorrect authentication data (set_id=admin@mailersafelist.com)
2024-02-08 04:54:52 login authenticator failed for (vipturbo.com.br) [191.36.156.53]: 535 Incorrect authentication data (set_id=admin)
2024-02-08 05:08:44 H=([128.65.164.36]) [128.65.164.36] F=<smtp_01@wikipedia.org> rejected RCPT <sales@lixinmetal.cn>: authentication required
2024-02-08 09:53:30 login authenticator failed for ([210.18.182.188]) [210.18.182.188]: 535 Incorrect authentication data (set_id=admin)
2024-02-08 10:18:38 login authenticator failed for broadband-188-32-109-40.ip.moscow.rt.ru [188.32.109.40]: 535 Incorrect authentication data (set_id=admin@mailersafelist.com)
2024-02-08 10:18:55 login authenticator failed for 42-98-116-229.static.netvigator.com [42.98.116.229]: 535 Incorrect authentication data (set_id=admin)
2024-02-08 10:24:34 SMTP call from [58.48.226.61] dropped: too many syntax or protocol errors (last command was "?", NULL)
2024-02-08 10:24:36 SMTP call from [125.82.243.25] dropped: too many syntax or protocol errors (last command was "?", NULL)
2024-02-08 10:24:37 SMTP call from [112.94.253.241] dropped: too many unrecognized commands (last was "")
2024-02-08 11:18:53 login authenticator failed for (7.lifedns.com.br) [177.72.87.7]: 535 Incorrect authentication data (set_id=admin@mailersafelist.com)
2024-02-08 11:19:13 login authenticator failed for ([185.246.255.235]) [185.246.255.235]: 535 Incorrect authentication data (set_id=admin)
2024-02-08 12:12:07 login authenticator failed for (static.vnpt.vn) [113.161.40.240]: 535 Incorrect authentication data (set_id=admin@mailersafelist.com)
2024-02-08 12:13:18 login authenticator failed for (71.58.221.60.adsl-pool.sx.cn) [60.221.58.71]: 535 Incorrect authentication data (set_id=admin)
[root@srv8 ~]#
[root@srv8 ~]# ls -la /var/spool/exim/
total 4
drwxr-x--- 6 mail mail 120 Feb 6 18:57 .
drwxr-xr-x. 11 root root 4096 Feb 6 13:09 ..
drwxr-x--- 2 mail mail 160 Feb 6 18:57 db
drwxr-x--- 64 mail mail 1280 Feb 6 18:00 input
drwxr-x--- 64 mail mail 1280 Feb 6 18:00 msglog
drwxr-x--- 2 mail mail 40 Feb 8 03:05 scan
[root@srv8 ~]#
More security improvements will be added in future development.
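
As an added example (not part of the original post, and not code from CSF): the lfd.log and rejectlog output above can be joined on the client address to measure how many seconds after a failed SMTP AUTH the block landed, and which failures produced no block. The sample lines are constructed in the same format with documentation addresses; the function names and the `year` argument are assumptions of this example.

```python
import re
from datetime import datetime

# Constructed sample lines (RFC 5737 addresses) in the format of the post's logs.
LFD_LOG = """\
Feb  8 00:28:10 srv8 lfd[1001]: (smtpauth) Failed SMTP AUTH login from 192.0.2.20 (KR/South Korea/-): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Feb  8 04:54:17 srv8 lfd[1002]: (smtpauth) Failed SMTP AUTH login from 198.51.100.7 (dynamic.example.net): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Feb  8 04:55:07 srv8 lfd[1003]: (sshd) Failed SSH login from 203.0.113.81 (KR/South Korea/-): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
"""
REJECT_LOG = """\
2024-02-08 00:28:06 login authenticator failed for ([192.0.2.254]) [192.0.2.20]: 535 Incorrect authentication data (set_id=admin@example.com)
2024-02-08 04:54:15 login authenticator failed for (static.example.net) [198.51.100.7]: 535 Incorrect authentication data (set_id=admin)
2024-02-08 12:13:18 login authenticator failed for mail.example.org [203.0.113.99]: 535 Incorrect authentication data (set_id=admin)
"""

LFD_RE = re.compile(
    r"^(\w{3})\s+(\d{1,2}) (\d\d:\d\d:\d\d) \S+ lfd\[\d+\]: \((\w+)\) .*? from (\S+) "
    r"\((.*?)\): (\d+) in the last (\d+) secs - \*Blocked in csf\*")
# Take the bracketed peer address right before ": 535", not the HELO name.
AUTH_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) login authenticator failed for .*"
                     r"\[([0-9A-Fa-f.:]+)\]: 535 .*\(set_id=([^)]*)\)")

def parse_lfd(text, year):
    """Yield block events; syslog timestamps carry no year, so one is supplied."""
    for m in filter(None, map(LFD_RE.match, text.splitlines())):
        mon, day, clock, service, ip, geo, hits, window = m.groups()
        when = datetime.strptime(f"{year} {mon} {day} {clock}", "%Y %b %d %H:%M:%S")
        parts = geo.split("/")  # "CC/Country/rDNS", or only a hostname on some lines
        yield {"time": when, "service": service, "ip": ip, "hits": int(hits),
               "window": int(window), "cc": parts[0] if len(parts) == 3 else "??"}

def parse_auth_failures(text):
    for m in filter(None, map(AUTH_RE.match, text.splitlines())):
        yield datetime.strptime(m[1], "%Y-%m-%d %H:%M:%S"), m[2], m[3]

def correlate(lfd_text, reject_text, year=2024):
    """Return (blocked, unblocked): seconds from failure to block, and misses."""
    blocks = {b["ip"]: b for b in parse_lfd(lfd_text, year) if b["service"] == "smtpauth"}
    blocked, unblocked = [], []
    for when, ip, set_id in parse_auth_failures(reject_text):
        b = blocks.get(ip)
        if b and when <= b["time"]:
            blocked.append((ip, set_id, b["cc"], int((b["time"] - when).total_seconds())))
        else:
            unblocked.append((ip, set_id))
    return blocked, unblocked

if __name__ == "__main__":
    print(correlate(LFD_LOG, REJECT_LOG))
```

The `hits` and `window` fields carry the "1 in the last 3600 secs" values from each line, so the same parse also shows the threshold at which lfd acted.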