Security Server Improvement.

Your new/first Tips, tricks and tutorial forum.
Post Reply
User avatar
admin
Site Admin
Posts: 32
Joined: March 7th, 2022, 1:09 am

Security Server Improvement.

Post by admin »

Hello Everyone!

To make our server running faster (Server Network Bandwidth Speed has been upgraded to 1 GBps(Gigabyte) / second),
more secure and confortable to use... (RAM has been Added with 16 gb too)
I've decided to use Apache with Light Speed PHP (lsphp) rather then features from CGI, FCGI, PHP-FPM and NGINX.

Since my server is using OS: The latest stable CloudLinux base kernel Server

Code: Select all

[root@srv8 ~]# hostnamectl
   Static hostname: srv8.jsalfianmarketing.com
         Icon name: computer-server
           Chassis: server
        Machine ID: bf4742a85c4148e08f755e4d7803f9c7
           Boot ID: 6ee22a840e254d19be952e79964d4417
  Operating System: CloudLinux 8.10 (Vladimir Aksyonov)
       CPE OS Name: cpe:/o:cloudlinux:cloudlinux:8.10:GA:server
            Kernel: Linux 4.18.0-553.22.1.lve.1.el8.x86_64
      Architecture: x86-64
[root@srv8 ~]#
I've already installed Mod_lsapi to improve server performance of PHP sites from CloudLinux Os.
For reference:
https://www.cloudlinux.com/getting-star ... iguration/

I've also configured Config Server Firewall (csf for DirectAdmin Panel Server) - Firewall module tools for every time login failure session attemp (LF_TRIGGER) from https://waytotheweb.com which is integrated with Directadmin Brute Force Monitoring Tools to the server for:
- login authenticator
- smtpauth
- dovecot
- lmtp
- pop3d
- sshd
- ftpd
- eximsyntax
- imapd
- Annoying mailicious massive exploit Scan Port activity

That's why we've been using JavaScript, TLS http:// rather than SSL https:// and you should allow to show pictures and white list our domains to get credits in all of our credit mailer links... and every time login failure session attemp (LF_TRIGGER) trigger to reach my server sources... the Firewall module will took the place... :D
This trick was used to trap all of the hackers and spammers, abuser that tried to use apps module: dovecot and pop3 to fecth the source of data from all of our mailer scripts... :lol: (TLS credential certificate will never be shared by admin... That's for sure!).
Have take a look!

Code: Select all

2024-11-08 16:01:02 cwd=/var/spool/exim 2 args: /usr/sbin/exim -q
2024-11-08 16:19:34 TLS error on connection from [27.147.153.138] (SSL_accept): (TLSv1)
2024-11-08 16:19:35 TLS error on connection from [176.241.89.210] (SSL_accept): (TLSv1)
2024-11-08 16:19:37 TLS error on connection from [209.203.63.8] (SSL_accept): (TLSv1)
...
...
2024-11-08 16:50:42 TLS error on connection from [41.215.28.234] (SSL_accept): (TLSv1)
2024-11-08 16:50:50 TLS error on connection from [41.84.141.86] (SSL_accept): (TLSv1)
2024-11-08 16:51:04 TLS error on connection from [41.215.28.234] (SSL_accept): (TLSv1)
...
...
2024-11-08 20:23:44 TLS error on connection from [139.59.152.85] (SSL_accept): (SSLv3)
2024-11-08 20:24:05 TLS error on connection from [139.59.159.80] SSL_accept: TCP connection closed by peer
...
...
2024-11-08 21:28:29 TLS error on connection from azpdesb64.stretchoid.com [4.156.21.164] (SSL_accept): (TLSv1.3)
2024-11-08 21:54:15 TLS error on connection from azpdsg45.stretchoid.com [172.202.158.131] (SSL_accept): (TLSv1.3)
Blocklist chain from the lists below have been integrated with CSF Firewall too:
- MaxMind GeoIP Anonymous Proxies from : https://www.maxmind.com/en/anonymous_proxies
- BruteForceBlocker - Its main purpose is to block SSH bruteforce attacks https://danger.rulez.sk/index.php/bruteforceblocker/
- Stop Forum Spam from : http://www.stopforumspam.com/
- GreenSnow Hack List from : https://greensnow.co
- AbuseIPDB blacklist from : https://docs.abuseipdb.com/#blacklist-endpoint
- TOR Exit Nodes List from : https://trac.torproject.org/projects/to ... NSExitList
- HONEYPOT - identifying Dictionary Attacker IPs from : https://www.projecthoneypot.org

Code: Select all

May 16 15:38:21 srv8 lfd[1321179]: Retrieved and blocking blocklist GREENSNOW IP address ranges
May 16 15:38:22 srv8 lfd[1321179]: IPSET: loading set new_GREENSNOW with 3766 entries
May 16 15:38:22 srv8 lfd[1321179]: IPSET: switching set new_GREENSNOW to bl_GREENSNOW
May 16 15:38:22 srv8 lfd[1321179]: IPSET: loading set new_6_GREENSNOW with 0 entries
May 16 15:38:22 srv8 lfd[1321179]: IPSET: switching set new_6_GREENSNOW to bl_6_GREENSNOW

May 16 23:09:49 srv8 lfd[1486900]: Retrieved and blocking blocklist ABUSEIPDB IP address ranges
May 16 23:09:49 srv8 lfd[1486900]: IPSET: loading set new_ABUSEIPDB with 8652 entries
May 16 23:09:49 srv8 lfd[1486900]: IPSET: switching set new_ABUSEIPDB to bl_ABUSEIPDB
May 16 23:09:49 srv8 lfd[1486900]: IPSET: loading set new_6_ABUSEIPDB with 8 entries
May 16 23:09:49 srv8 lfd[1486900]: IPSET: switching set new_6_ABUSEIPDB to bl_6_ABUSEIPDB

Dec 18 06:59:02 srv8 lfd[787135]: Retrieved and blocking blocklist MAXMIND IP address ranges
Dec 18 06:59:02 srv8 lfd[787135]: IPSET: loading set new_MAXMIND with 324 entries
Dec 18 06:59:02 srv8 lfd[787135]: IPSET: switching set new_MAXMIND to bl_MAXMIND
Dec 18 06:59:02 srv8 lfd[787135]: IPSET: loading set new_6_MAXMIND with 0 entries
Dec 18 06:59:02 srv8 lfd[787135]: IPSET: switching set new_6_MAXMIND to bl_6_MAXMIND

May 16 23:24:52 srv8 lfd[1489798]: Retrieved and blocking blocklist STOPFORUMSPAM IP address ranges
May 16 23:24:52 srv8 lfd[1489798]: CC: Unzipped Blocklist STOPFORUMSPAM [/var/lib/csf/csf.block.STOPFORUMSPAM.zip]
May 16 23:24:52 srv8 lfd[1489798]: IPSET: loading set new_STOPFORUMSPAM with 3981 entries
May 16 23:24:52 srv8 lfd[1489798]: IPSET: switching set new_STOPFORUMSPAM to bl_STOPFORUMSPAM

Jun  2 21:15:04 srv8 lfd[3915398]: Retrieved and blocking blocklist BFB IP address ranges
Jun  2 21:15:04 srv8 lfd[3915398]: IPSET: loading set new_BFB with 241 entries
Jun  2 21:15:04 srv8 lfd[3915398]: IPSET: switching set new_BFB to bl_BFB
Jun  2 21:15:04 srv8 lfd[3915398]: IPSET: loading set new_6_BFB with 0 entries
Jun  2 21:15:04 srv8 lfd[3915398]: IPSET: switching set new_6_BFB to bl_6_BFB

Dec 18 04:37:43 srv8 lfd[702283]: Retrieved and blocking blocklist TOR IP address ranges
Dec 18 04:37:43 srv8 lfd[702283]: IPSET: loading set new_TOR with 738 entries
Dec 18 04:37:43 srv8 lfd[702283]: IPSET: switching set new_TOR to bl_TOR
Dec 18 04:37:43 srv8 lfd[702283]: IPSET: loading set new_6_TOR with 0 entries
Dec 18 04:37:43 srv8 lfd[702283]: IPSET: switching set new_6_TOR to bl_6_TOR

Dec 22 03:15:27 srv8 lfd[2362188]: Retrieved and blocking blocklist HONEYPOT IP address ranges
Dec 22 03:15:27 srv8 lfd[2362188]: IPSET: loading set new_HONEYPOT with 92 entries
Dec 22 03:15:27 srv8 lfd[2362188]: IPSET: switching set new_HONEYPOT to bl_HONEYPOT
Dec 22 03:15:27 srv8 lfd[2362188]: IPSET: loading set new_6_HONEYPOT with 8 entries
Dec 22 03:15:27 srv8 lfd[2362188]: IPSET: switching set new_6_HONEYPOT to bl_6_HONEYPOT
And working correctly...
my server will blocking instantly all of the hackers, spammers, Scammers, malware and Spoofing/Phishing Attacks (Cybercriminals Attacker) from all over the world, that have been tried to attempt to reaching out our server with bad habit within seconds.
Have take a look:

Code: Select all

[root@srv8 ~]# tail -n 30 /var/log/lfd.log
Feb  8 00:00:03 srv8 lfd[1650618]: Directory Watching...
Feb  8 00:00:03 srv8 lfd[1650618]: Email Relay Tracking...
Feb  8 00:00:03 srv8 lfd[1650618]: Temp to Perm Block Tracking...
Feb  8 00:00:03 srv8 lfd[1650618]: Watching /var/www/html/phpMyAdmin/log/auth.log...
Feb  8 00:00:03 srv8 lfd[1650618]: Watching /var/log/customlog...
Feb  8 00:00:03 srv8 lfd[1650618]: Watching /var/log/exim/mainlog...
Feb  8 00:00:03 srv8 lfd[1650618]: Watching /var/log/directadmin/login.log...
Feb  8 00:00:03 srv8 lfd[1650618]: Watching /var/log/messages...
Feb  8 00:00:03 srv8 lfd[1650618]: Watching /var/www/html/squirrelmail/data/squirrelmail_access_log...
Feb  8 00:00:03 srv8 lfd[1650618]: Watching /var/log/maillog...
Feb  8 00:00:03 srv8 lfd[1650618]: Watching /var/www/html/roundcube/logs/errors.log...
Feb  8 00:00:03 srv8 lfd[1650618]: Watching /var/log/secure...
Feb  8 00:00:03 srv8 lfd[1650618]: Watching /var/log/httpd/error_log...
Feb  8 00:10:13 srv8 lfd[1652421]: (sshd) Failed SSH login from 129.146.162.206 (US/United States/-): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Feb  8 00:28:10 srv8 lfd[1657434]: (smtpauth) Failed SMTP AUTH login from 124.136.29.20 (KR/South Korea/-): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Feb  8 00:28:55 srv8 lfd[1657556]: (smtpauth) Failed SMTP AUTH login from 122.11.169.112 (SG/Singapore/122.11.169-112.unknown.starhub.net.sg): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Feb  8 01:24:24 srv8 lfd[1666148]: (ftpd) Failed FTP login from 49.43.115.135 (IN/India/-): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Feb  8 01:37:26 srv8 lfd[1668178]: (ftpd) Failed FTP login from 103.123.78.21 (IN/India/-): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Feb  8 01:55:44 srv8 lfd[1670798]: (sshd) Failed SSH login from 34.170.15.98 (US/United States/98.15.170.34.bc.googleusercontent.com): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Feb  8 02:12:22 srv8 lfd[1673501]: (smtpauth) Failed SMTP AUTH login from 12.207.244.211 (US/United States/-): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Feb  8 02:12:38 srv8 lfd[1673554]: (smtpauth) Failed SMTP AUTH login from 222.179.102.210 (CN/China/-): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Feb  8 02:14:23 srv8 lfd[1673802]: (smtpauth) Failed SMTP AUTH login from 102.165.14.139 (US/United States/-): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Feb  8 02:32:52 srv8 lfd[1676620]: (eximsyntax) Exim syntax errors from 118.193.58.187 (DE/Germany/-): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Feb  8 02:38:57 srv8 lfd[1677524]: (smtpauth) Failed SMTP AUTH login from 111.10.223.169 (CN/China/-): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Feb  8 02:39:17 srv8 lfd[1677607]: (smtpauth) Failed SMTP AUTH login from 41.79.50.242 (GQ/Equatorial Guinea/-): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Feb  8 04:07:28 srv8 lfd[1704294]: (smtpauth) Failed SMTP AUTH login from 102.165.14.140 (US/United States/-): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Feb  8 04:37:44 srv8 lfd[1756825]: (sshd) Failed SSH login from 157.245.154.124 (SG/Singapore/-): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Feb  8 04:54:17 srv8 lfd[1759242]: (smtpauth) Failed SMTP AUTH login from 27.72.155.221 (dynamic-adsl.viettel.vn): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Feb  8 04:54:57 srv8 lfd[1759397]: (smtpauth) Failed SMTP AUTH login from 191.36.156.53 (BR/Brazil/vipturbo.com.br): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Feb  8 04:55:07 srv8 lfd[1759506]: (sshd) Failed SSH login from 14.32.241.81 (KR/South Korea/-): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Feb  8 06:02:21 srv8 lfd[1770132]: (sshd) Failed SSH login from 175.206.96.178 (KR/South Korea/-): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Feb  8 06:14:26 srv8 lfd[1772079]: (smtpauth) Failed SMTP AUTH login from 23.95.86.94 (CA/Canada/solicitously.mutemeet.net): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Feb  8 06:50:32 srv8 lfd[1777483]: (sshd) Failed SSH login from 222.111.179.159 (KR/South Korea/-): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Feb  8 06:53:38 srv8 lfd[1777909]: (smtpauth) Failed SMTP AUTH login from 192.227.144.43 (US/United States/192-227-144-43-host.colocrossing.com): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Feb  8 07:03:40 srv8 lfd[1779439]: (smtpauth) Failed SMTP AUTH login from 60.8.223.58 (CN/China/hebei.8.60.in-addr.arpa): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Feb  8 07:04:00 srv8 lfd[1779512]: (smtpauth) Failed SMTP AUTH login from 120.193.223.46 (CN/China/-): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Feb  8 07:05:55 srv8 lfd[1779858]: (ftpd) Failed FTP login from 103.26.81.177 (PK/Pakistan/-): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Feb  8 07:28:08 srv8 lfd[1783286]: (sshd) Failed SSH login from 64.62.197.107 (US/United States/107.0-24.197.62.64.in-addr.arpa): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Feb  8 07:43:46 srv8 lfd[1785558]: (smtpauth) Failed SMTP AUTH login from 191.36.152.28 (BR/Brazil/vipturbo.com.br): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Feb  8 07:54:49 srv8 lfd[1834070]: (smtpauth) Failed SMTP AUTH login from 91.244.113.156 (RU/Russia/91.244.113.156.wirenet.tv): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Feb  8 07:55:10 srv8 lfd[1835671]: (smtpauth) Failed SMTP AUTH login from 117.187.89.145 (CN/China/-): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Feb  8 08:23:25 srv8 lfd[2029191]: (sshd) Failed SSH login from 64.62.197.127 (US/United States/127.0-24.197.62.64.in-addr.arpa): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Feb  8 09:00:51 srv8 lfd[2047537]: (ftpd) Failed FTP login from 34.140.130.61 (BE/Belgium/61.130.140.34.bc.googleusercontent.com): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Feb  8 09:01:57 srv8 lfd[2047700]: (ftpd) Failed FTP login from 35.190.199.12 (BE/Belgium/12.199.190.35.bc.googleusercontent.com): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Feb  8 09:07:30 srv8 lfd[2048805]: (ftpd) Failed FTP login from 35.240.121.17 (BE/Belgium/17.121.240.35.bc.googleusercontent.com): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Feb  8 09:17:15 srv8 lfd[2050301]: (sshd) Failed SSH login from 121.178.230.152 (KR/South Korea/-): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Feb  8 09:23:56 srv8 lfd[2051263]: (sshd) Failed SSH login from 87.103.104.96 (PT/Portugal/96.104.103.87.rev.vodafone.pt): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Feb  8 09:53:03 srv8 lfd[2090315]: (smtpauth) Failed SMTP AUTH login from 210.177.148.45 (HK/Hong Kong/-): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Feb  8 09:53:33 srv8 lfd[2094714]: (smtpauth) Failed SMTP AUTH login from 210.18.182.188 (IN/India/-): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Feb  8 09:54:18 srv8 lfd[2101298]: (ftpd) Failed FTP login from 165.154.163.113 (US/United States/-): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Feb  8 10:18:42 srv8 lfd[2242935]: (smtpauth) Failed SMTP AUTH login from 188.32.109.40 (RU/Russia/broadband-188-32-109-40.ip.moscow.rt.ru): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Feb  8 10:18:56 srv8 lfd[2244067]: (smtpauth) Failed SMTP AUTH login from 42.98.116.229 (HK/Hong Kong/42-98-116-229.static.netvigator.com): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Feb  8 10:20:42 srv8 lfd[2252190]: (sshd) Failed SSH login from 64.62.197.211 (US/United States/211.0-24.197.62.64.in-addr.arpa): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Feb  8 10:24:38 srv8 lfd[2269099]: (eximsyntax) Exim syntax errors from 58.48.226.61 (CN/China/-): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Feb  8 10:24:38 srv8 lfd[2269100]: (eximsyntax) Exim syntax errors from 125.82.243.25 (CN/China/-): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Feb  8 11:18:57 srv8 lfd[2280252]: (smtpauth) Failed SMTP AUTH login from 177.72.87.7 (BR/Brazil/7.lifedns.com.br): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Feb  8 11:19:17 srv8 lfd[2280338]: (smtpauth) Failed SMTP AUTH login from 185.246.255.235 (IL/Israel/-): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Feb  8 11:29:09 srv8 lfd[2281825]: (ftpd) Failed FTP login from 189.113.4.60 (BR/Brazil/sistemaev.com.br): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Feb  8 11:43:49 srv8 lfd[2284011]: (ftpd) Failed FTP login from 31.148.250.165 (BY/Belarus/-): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Feb  8 12:01:00 srv8 lfd[2286671]: (ftpd) Failed FTP login from 185.203.236.130 (UZ/Uzbekistan/-): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
[root@srv8 ~]#
And the BLOCK_REPORT session will be timed out after 10 seconds and reporting the abuser succeeded and logged to AbuseIPDB.Com database Automatically!
For example: https://www.abuseipdb.com/check/87.64.71.57
For the reference: https://www.abuseipdb.com/csf
Such like these: (tail -F /var/log/lfd.log)

Code: Select all

Nov 16 05:14:11 srv8 lfd[286367]: (smtpauth) Failed SMTP AUTH login from 63.47.182.94 (US/United States/host94.sub-63-47-182.myvzw.com): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Nov 16 05:14:21 srv8 lfd[286389]: BLOCK_REPORT timed out after 10 seconds
Nov 16 05:14:51 srv8 lfd[286535]: (smtpauth) Failed SMTP AUTH login from 37.112.182.113 (RU/Russia/37x112x182x113.dynamic.barnaul.ertelecom.ru): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Nov 16 05:15:01 srv8 lfd[286557]: BLOCK_REPORT timed out after 10 seconds
Nov 16 05:21:52 srv8 lfd[288280]: (smtpauth) Failed SMTP AUTH login from 78.33.74.214 (GB/United Kingdom/78-33-74-214.static.enta.net): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Nov 16 05:22:02 srv8 lfd[288301]: BLOCK_REPORT timed out after 10 seconds
Nov 16 05:45:15 srv8 lfd[292572]: (sshd) Failed SSH login from 87.64.71.57 (BE/Belgium/57.71-64-87.adsl-dyn.isp.belgacom.be): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Nov 16 05:45:25 srv8 lfd[292594]: BLOCK_REPORT timed out after 10 seconds
Nov 16 06:01:08 srv8 lfd[295929]: (smtpauth) Failed SMTP AUTH login from 62.97.214.11 (NO/Norway/-): 1 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Nov 16 06:01:18 srv8 lfd[295950]: BLOCK_REPORT timed out after 10 seconds

Code: Select all

[root@srv8 ~]# tail -n 30 /var/log/exim/rejectlog
2024-02-07 21:47:42 login authenticator failed for ([117.158.161.98]) [117.158.161.98]: 535 Incorrect authentication data (set_id=admin@mailersafelist.com)
2024-02-07 21:48:15 login authenticator failed for ([185.207.129.246]) [185.207.129.246]: 535 Incorrect authentication data (set_id=admin)
2024-02-07 21:55:37 login authenticator failed for (static.vnpt.vn) [113.160.203.147]: 535 Incorrect authentication data (set_id=admin@mailersafelist.com)
2024-02-07 21:55:51 login authenticator failed for (static.vnpt.vn) [113.175.240.142]: 535 Incorrect authentication data (set_id=admin)
2024-02-07 21:58:10 SMTP call from scan-54b.shadowserver.org [65.49.1.39] dropped: too many unrecognized commands (last was "Accept: */*")
2024-02-07 21:58:25 SMTP call from [65.49.1.62] dropped: too many unrecognized commands (last was "Accept: */*")
2024-02-07 22:32:23 login authenticator failed for ([183.215.1.244]) [183.215.1.244]: 535 Incorrect authentication data (set_id=admin@mailersafelist.com)
2024-02-07 22:32:39 login authenticator failed for ([196.20.104.226]) [196.20.104.226]: 535 Incorrect authentication data (set_id=admin)
2024-02-07 22:53:32 login authenticator failed for (192-3-198-20-host.colocrossing.com) [192.3.198.20]: 535 Incorrect authentication data (set_id=admin@marketer-safelist.com)
2024-02-08 00:28:06 login authenticator failed for ([114.53.252.254]) [124.136.29.20]: 535 Incorrect authentication data (set_id=admin@mailersafelist.com)
2024-02-08 00:28:50 login authenticator failed for (122.11.169-112.unknown.starhub.net.sg) [122.11.169.112]: 535 Incorrect authentication data (set_id=admin)
2024-02-08 00:58:03 SMTP call from scan-19.shadowserver.org [65.49.20.68] dropped: too many unrecognized commands (last was "Accept: */*")
2024-02-08 02:12:21 login authenticator failed for ([12.207.244.211]) [12.207.244.211]: 535 Incorrect authentication data (set_id=admin@mailersafelist.com)
2024-02-08 02:12:35 login authenticator failed for ([222.179.102.210]) [222.179.102.210]: 535 Incorrect authentication data (set_id=admin)
2024-02-08 02:14:21 login authenticator failed for (102.165.14.139) [102.165.14.139]: 535 Incorrect authentication data (set_id=admin@marketer-safelist.com)
2024-02-08 02:32:46 SMTP call from [118.193.58.187] dropped: too many syntax or protocol errors (last command was "?", NULL)
2024-02-08 02:38:52 login authenticator failed for ([111.10.223.169]) [111.10.223.169]: 535 Incorrect authentication data (set_id=admin@mailersafelist.com)
2024-02-08 02:39:15 login authenticator failed for ([41.79.50.242]) [41.79.50.242]: 535 Incorrect authentication data (set_id=admin)
2024-02-08 03:46:08 H=([128.65.164.36]) [128.65.164.36] F=<smtp_01@wikipedia.org> rejected RCPT <sales@lixinmetal.cn>: authentication required
2024-02-08 03:47:34 SMTP call from scan-59a.shadowserver.org [65.49.1.108] dropped: too many unrecognized commands (last was "Accept: */*")
2024-02-08 03:58:52 H=([128.65.164.36]) [128.65.164.36] F=<smtp_01@wikipedia.org> rejected RCPT <sales@lixinmetal.cn>: authentication required
2024-02-08 04:02:01 H=([128.65.164.36]) [128.65.164.36] F=<smtp_01@wikipedia.org> rejected RCPT <sales@lixinmetal.cn>: authentication required
2024-02-08 04:07:23 login authenticator failed for (localhost) [102.165.14.140]: 535 Incorrect authentication data (set_id=admin@marketer-safelist.com)
2024-02-08 04:26:09 H=([128.65.164.36]) [128.65.164.36] F=<smtp_01@wikipedia.org> rejected RCPT <sales@lixinmetal.cn>: authentication required
2024-02-08 04:52:56 H=([128.65.164.36]) [128.65.164.36] F=<smtp_01@wikipedia.org> rejected RCPT <sales@lixinmetal.cn>: authentication required
2024-02-08 04:54:15 login authenticator failed for (static.vnpt.vn) [27.72.155.221]: 535 Incorrect authentication data (set_id=admin@mailersafelist.com)
2024-02-08 04:54:52 login authenticator failed for (vipturbo.com.br) [191.36.156.53]: 535 Incorrect authentication data (set_id=admin)
2024-02-08 05:08:44 H=([128.65.164.36]) [128.65.164.36] F=<smtp_01@wikipedia.org> rejected RCPT <sales@lixinmetal.cn>: authentication required
2024-02-08 09:53:30 login authenticator failed for ([210.18.182.188]) [210.18.182.188]: 535 Incorrect authentication data (set_id=admin)
2024-02-08 10:18:38 login authenticator failed for broadband-188-32-109-40.ip.moscow.rt.ru [188.32.109.40]: 535 Incorrect authentication data (set_id=admin@mailersafelist.com)
2024-02-08 10:18:55 login authenticator failed for 42-98-116-229.static.netvigator.com [42.98.116.229]: 535 Incorrect authentication data (set_id=admin)
2024-02-08 10:24:34 SMTP call from [58.48.226.61] dropped: too many syntax or protocol errors (last command was "?", NULL)
2024-02-08 10:24:36 SMTP call from [125.82.243.25] dropped: too many syntax or protocol errors (last command was "?", NULL)
2024-02-08 10:24:37 SMTP call from [112.94.253.241] dropped: too many unrecognized commands (last was "")
2024-02-08 11:18:53 login authenticator failed for (7.lifedns.com.br) [177.72.87.7]: 535 Incorrect authentication data (set_id=admin@mailersafelist.com)
2024-02-08 11:19:13 login authenticator failed for ([185.246.255.235]) [185.246.255.235]: 535 Incorrect authentication data (set_id=admin)
2024-02-08 12:12:07 login authenticator failed for (static.vnpt.vn) [113.161.40.240]: 535 Incorrect authentication data (set_id=admin@mailersafelist.com)
2024-02-08 12:13:18 login authenticator failed for (71.58.221.60.adsl-pool.sx.cn) [60.221.58.71]: 535 Incorrect authentication data (set_id=admin)
2024-12-07 13:43:39 H=([213.230.87.190]) [213.230.87.190] F=<JohnBlue@hola.com> rejected RCPT <admin@marketer-safelist.com>: 554 denied. 5.7.1 Domain Blocked due to SPAM
2024-12-07 15:30:25 H=(habitatwarm.best) [194.1.192.3] F=<contact@habitatwarm.best> rejected RCPT <jerry.salfian@marketer-safelist.com>: 554 denied. 5.7.1 Domain Blocked due to SPAM
2024-12-07 16:42:35 H=(privilegeflimsy.best) [194.1.192.13] F=<memorybreakthrough@privilegeflimsy.best> rejected RCPT <jerry.salfian@marketer-safelist.com>: 554 denied. 5.7.1 Domain Blocked due to SPAM
2024-12-17 10:50:05 H=(dr3qm.cn) [165.154.205.177] X=TLS1.2:ECDHE-ECDSA-AES128-GCM-SHA256:128 CV=no F=<faq.mizuhobank.co.jp1@dr3qm.cn> rejected RCPT <admin@marketer-safelist.com>: 554 denied. 5.7.1 Domain Blocked due to SPAM
2024-12-18 11:11:02 H=optimaltherapies.best [51.158.20.224] F=<powerperformance@optimaltherapies.best> rejected RCPT <jerry.salfian@marketer-safelist.com>: 554 denied. 5.7.1 Domain Blocked due to SPAM
2024-12-18 11:22:05 H=mout-xforward.gmx.net [82.165.159.14] X=TLS1.3:TLS_AES_256_GCM_SHA384:256 CV=no F=<cyndyjusto1998@gmx.us> rejected RCPT <admin@marketer-safelist.com>: 554 denied. 5.7.1 Domain Blocked due to SPAM
2024-12-18 12:11:53 H=integrativealliance.best [51.158.44.20] F=<support@integrativealliance.best> rejected RCPT <jerry.salfian@marketer-safelist.com>: 554 denied. 5.7.1 Domain Blocked due to SPAM
2024-12-18 16:03:49 H=1-tor-exit.spooky69.eu (localhost) [193.218.118.91] F=<test1@funteensex.com> rejected RCPT <vgarcia@marketer-safelist.com>: R1: HELO should be a FQDN or address literal (See RFC 2821 4.1.1.1)
[root@srv8 ~]#
Since We're using Google Send Mail Transport Protocol - gsmtp to send all of emails from our server to all of our members, All of emails from my server should be scanning first by ClamAv Scanner plugin (AntiVirus, AntiMalware, etc.), It will take a bit more times (slower) to delivering all of emails sent from our server to all of gmail members inbox.

CustomBuild permissions for these service modules have been granted:

Code: Select all

[root@srv8 ~]# ls -la /var/spool/exim/
total 4
drwxr-x---   6 mail mail  120 Feb  6 18:57 .
drwxr-xr-x. 11 root root 4096 Feb  6 13:09 ..
drwxr-x---   2 mail mail  160 Feb  6 18:57 db
drwxr-x---  64 mail mail 1280 Feb  6 18:00 input
drwxr-x---  64 mail mail 1280 Feb  6 18:00 msglog
drwxr-x---   2 mail mail   40 Feb  8 03:05 scan
[root@srv8 ~]#
Screenshot results:
Image Image Image Image

Image Image Image

Regularly... have been already checked within 103 RBL's and Gmail Postmaster Compliance tools too !!!
For RBL's screenshot... You might need to open these images below in the new tab for sure, Then pointing your cursor to the image you've choosen, right click the image to get the direction option (Firefox and Google Chrome Browser) and choose "open the image in the new tab", lastly... "click the image to maximize".
Image Image Image Image Image Image Image

More security improvement will be added in the next future development.
Post Reply