The Community Forums


block IP addresses right away

Discussion in 'E-mail Discussions' started by sehh, Dec 1, 2007.

  1. sehh (Well-Known Member)
    Currently, exim rejects an email if an IP address in the headers of the email is in an RBL (zen, spamcop).

    How can we modify exim to also check the originating IP address of the connection and drop it right away, without even starting an SMTP conversation?

    I've seen this feature in a few servers: once the connection is made at the TCP/IP level, exim checks the IP address of the remote host against an RBL; if the IP is listed, exim drops the connection right away without any further communication.

    This lowers the effects of spam on servers (high CPU usage, high memory usage, etc.) from running the entire communication with the spammer and scanning the email (with SA, ClamAV, etc.).

    Does anyone know how to do this?


    PS:
    Once an IP is found not to be listed, everything else works as before: the headers of the email are still scanned and the IPs also checked against RBLs. So this part isn't affected; it remains the same.
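    The connect-time RBL drop asked about above, as an added example (it is not from this thread and not cPanel's stock exim.conf). It assumes the ACL name acl_check_connect, the host list name relay_from_hosts, and that the main-section setting is placed before "begin acl"; the RBL zones are the two named in the post.

```exim
# Added example, not the thread's or cPanel's own configuration.
# Run this ACL as soon as the TCP connection arrives, before the 220 banner is sent.
acl_smtp_connect = acl_check_connect

begin acl

acl_check_connect:
  # Never RBL-check local submissions (no remote IP), loopback, or our own relays.
  # "relay_from_hosts" is an assumed host list name; define it in the main section.
  accept  hosts = : 127.0.0.1 : +relay_from_hosts

  # Drop the connection outright if the connecting IP is listed. Only one set of
  # DNS lookups is spent on a listed host; no HELO, no header-IP RBL checks, no
  # SpamAssassin or ClamAV run for it.
  drop    dnslists    = zen.spamhaus.org : bl.spamcop.net
          message     = Connection from $sender_host_address rejected: \
                        listed at $dnslist_domain ($dnslist_text)
          log_message = connect-time RBL drop: $sender_host_address listed at $dnslist_domain

  # Everyone else continues to the normal HELO/MAIL/RCPT/DATA ACLs, where the
  # existing header-IP RBL checks stay exactly as they were.
  accept
```

    A listed host receives the 5xx text in place of the greeting and the socket is closed; watch the main log for the log_message line to confirm the rule is firing before widening the RBL list.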
     
  2. gupi (Well-Known Member)
    You can use chirpy's excellent firewall and block IPs at connection time.
    Install csf and read the instructions; you will find how to keep a list of banned IPs (not only for mail reasons).
     
  3. gupi (Well-Known Member)
    What firewall do you use to protect your server?
     
  4. sehh (Well-Known Member)
    It seems that script can do the job; unfortunately I don't want to install any 3rd-party scripts, as I've already seen too many remote exploits in them (intentional or accidental).

    That's why I was looking for something that works in exim, maybe some simple configuration changes or something similar.
     
  5. gupi (Well-Known Member)
    So, how do you protect your server?
    What firewall do you use?
     
  6. sehh (Well-Known Member)
    iptables; I'm using CentOS 4.5.

    I've created several scripts which automatically ban IP addresses: one of them listens for connections to unused ports, another scans logs (exim logs, cPanel logs, ssh logs, etc.). Once one of my scripts needs to block an IP, it executes iptables and adds a reject rule.
     
  7. gupi (Well-Known Member)
    Well, csf is (IMHO) just a good iptables wrapper.

    - csf closes all ports but the needed ones (so you do not have to monitor connections to unused ports, as you state above)
    - monitors the visiting IP against public blacklists (dshield, for instance), saving you great time and resources
    - gives you the freedom to use other personal lists (here you can quickly add offending IPs)
    - has a built-in scanner (lfd) that scans and blocks (permanently or temporarily) suspect IPs; the monitored resources are: ssh login attempts, pop3/imap/smtp login attempts, too-many-connections attempts, http auth attempts, mod_security errors and more

    So, why should I develop several scripts, when this script is just what I need?

    my 2c
     
  8. sehh (Well-Known Member)
    For two reasons:

    1) I don't trust 3rd-party scripts floating around the net. I've already seen too many of them with intentional or accidental remote exploits (like XMLRPC, *nuke CMSs, joomla plugins, etc.).

    2) My scripts already do all the features you stated, except for blocking at connection time, which is something I need for exim only (port 25).
     
  9. gupi (Well-Known Member)
    Exim is a 3rd-party script floating around the net; how come you trust it?


    csf is open; you can always re-create the desired scripts based on it.

    Anyway, I do not want to start a flame; good luck with your decision.
     
  10. sehh (Well-Known Member)
    I trust exim because it comes from a reputable team of developers, it has gone through code review and it's not "a script floating around the net".

    I may download csf and copy the parts of the code that are relevant to me; thanks for the idea :)

    Oh, no worries, there is no flame, we are just debating our cases. Unfortunately, I've found too many remote exploits in "common" software that many people use; it was a great revelation which proves why bot nets are so big. At first I thought that they were mostly vulnerable Windoze computers used by people who don't know much about computers. That's not the case anymore; indeed a bot net has a large number of those, but now their owners have started adding exploits to known open source (and some closed source) applications.

    I remember some time ago when one of my clients was hit by such an open source web application: I noticed the server sending large amounts of emails and traced it down to his gallery script. The author had coded a remote mailer, which worked by an HTTP POST request. The contents of the php array contained the email address to send the email to and the body of the email.

    I also checked other well-known apps, some closed source. Some were cloaked as screensavers for windoze, which the attackers spread via email. Another popular script is XMLRPC; when I first read the code it was obvious it was "remote exploit heaven", probably done on purpose. Of course the many developers that included it in their software (Wordpress, etc.) patched it many, many times, but the harm was already done.

    Anyway, I'm blabbering at this point, so I'll drop the subject and go back to blocking IP addresses.
     
  11. mpeacock (Member)
    I'm using Chirpy's firewall, but not to block IP addresses in smtp connects.

    Instead, I added a couple of ACL rules found here: http://wiki.exim.org/SpamFiltering

    Particularly, the HELO fixes allowed exim to drastically reduce the number of spam connects by dropping the SMTP connection as soon as it saw an IP address rather than a FQDN in the HELO line.

    Here's what I added. I added these using the Advanced exim config editor in the ACL section, immediately after the lines:

    Code:
    [% ACL_RATELIMIT_BLOCK %]
    
      accept  hosts = :
    
    
    - - your mileage may vary:

    Code:
    # The following are ACLs taken from http://wiki.exim.org/AclHeloTricks
    # Drop if HELO is an IP address

    drop
        condition   = ${if isip{$sender_helo_name}}
        message     = Access denied - Invalid HELO name (See RFC2821 4.1.3)


    # HELO is neither FQDN nor address literal

    drop
        # Required because "[IPv6:<address>]" will have no .s
        condition   = ${if match{$sender_helo_name}{\N^\[\N}{no}{yes}}
        condition   = ${if match{$sender_helo_name}{\N\.\N}{no}{yes}}
        message     = Access denied - Invalid HELO name (See RFC2821 4.1.1.1)


    drop
        condition   = ${if match{$sender_helo_name}{\N\.$\N}}
        message     = Access denied - Invalid HELO name (See RFC2821 4.1.1.1)


    drop
        condition   = ${if match{$sender_helo_name}{\N\.\.\N}}
        message     = Access denied - Invalid HELO name (See RFC2821 4.1.1.1)


    # Drop if impersonating our server

    drop
          condition = ${if match{$sender_helo_name}{$primary_hostname}}
          message   = REJECTED - Bad HELO - Host impersonating [$sender_helo_name]

    Hope this helps.

    Cheers, Michael
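    As an added example (not from the post above or from cPanel's configuration): the same HELO checks with the exemptions a practitioner would put in front of them, since as written they also drop your own clients that HELO with a bare IP address or with the server's own hostname (webmail or PHP on localhost, authenticated users on laptops). The host list name relay_from_hosts is an assumption; the "impersonating" test is rewritten with eqi{} because the original passes $primary_hostname to match{} as an unanchored regex.

```exim
# Added example, not the thread's or cPanel's own ACL. Goes in the same ACL
# section as the posted rules, ahead of them.

  # Local submissions (no remote IP), loopback and trusted relays skip HELO checks.
  # "relay_from_hosts" is an assumed host list name; define it in the main section.
  accept  hosts = : 127.0.0.1 : +relay_from_hosts

  # Your own SMTP-authenticated users should not be dropped for a laptop HELO such
  # as "192.168.1.23" or "mypc". This only takes effect in an ACL that runs after
  # AUTH (for example the RCPT ACL); in acl_smtp_helo nobody is authenticated yet.
  accept  authenticated = *

  # Bare IP address as HELO (RFC 2821 4.1.3 asks for an FQDN or an address literal).
  drop    condition = ${if isip{$sender_helo_name}}
          message   = Access denied - Invalid HELO name (See RFC2821 4.1.3)

  # Impersonating our own hostname. The original match{...}{$primary_hostname}
  # uses the hostname as a regex: every "." matches any character and the pattern
  # is unanchored, so it also fires on names that merely contain something similar.
  # eqi{} is an exact, case-insensitive comparison with the configured hostname.
  drop    condition = ${if eqi{$sender_helo_name}{$primary_hostname}}
          message   = REJECTED - Bad HELO - Host impersonating [$sender_helo_name]
```

    After adding the accept lines, re-test a local PHP mail() call and an authenticated client before trusting the rules on a production box; the exim mainlog shows which verb matched for each dropped session.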
     
  12. brianoz (Well-Known Member, Melbourne, Australia)
    So you don't run perl? Or Exim? or PHP? They're all developed by "third parties". In general, I agree with you, having found many exploitable scripts in user accounts over the years.

    So the key issue isn't that they're a third party, the issue is that the author provably knows their stuff. Chirpy, the author of CSF, is recognized as a worldwide cpanel expert and CSF is kept maintained on a regular basis. Used on thousands of servers around the planet, it has taken over from APF as the standard firewall script on cpanel servers. Check it out, you'll find it's very thorough and robust. I've known Chirpy for 4 years or so and he knows his stuff (as a sysadmin for 25 years, I'm in a position to recognize competency!). Reimplement if you like, but it's a big waste of time in this case.
     
  13. Lyttek (Well-Known Member)
    I'm even using CSF on a bunch of non-cPanel servers.... it's rock solid.


    On the note of using his code:

    So, I'd ask before slurping the code....
     
  14. capoti (Active Member)
    I can't send email since I installed these rules on cPanel 11. Any idea?
     