Closing smtp ports question

Discussion in 'E-mail Discussions' started by keat63, Feb 28, 2017.

  1. keat63

    keat63 Well-Known Member

    Joined:
    Nov 20, 2014
    Messages:
    875
    Likes Received:
    25
    Trophy Points:
    28
    cPanel Access Level:
    Root Administrator
    I'm fed up of checking my logs daily to find brute force login attempts on emails, sometimes as many as 50 overnight.
    So in CSF I closed ports 110,143,220,465,587,993,995 to all but my home country code.

    Either this is working to a point, or the hackers got bored and moved on.
    However, if it is working, then I'm still seeing a very small number, but I've no idea why.

    Code:
    2017-02-28 02:41:29 SMTP connection from [xxx.xx.xxx.xxx]:50841 (TCP/IP connection count = 1)
    2017-02-28 02:41:30 no host name found for IP address xxx.xx.xxx.xxx
    2017-02-28 02:41:50 no host name found for IP address xxx.xx.xxx.xxx
    2017-02-28 02:41:52 no host name found for IP address xxx.xx.xxx.xxx
    2017-02-28 02:41:58 dovecot_plain authenticator failed for ([127.0.0.1]) [xxx.xx.xxx.xxx]:50841: 535 Incorrect authentication data (set_id=user)
    2017-02-28 02:42:00 SMTP connection from ([127.0.0.1]) [xxx.xx.xxx.xxx]:50841 lost
    2017-02-28 02:42:01 SMTP connection from [xxx.xx.xxx.xxx]:54329 (TCP/IP connection count = 1)
    2017-02-28 02:42:01 no host name found for IP address xxx.xx.xxx.xxx
    2017-02-28 02:45:06 SMTP command timeout on connection from [xxx.xx.xxx.xxx]:54329
    
    How would I find which port they might be using, so I can close this one too?
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    37,064
    Likes Received:
    1,288
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    You may want to review your cPanel and Apache access logs for those IP addresses to see if they were accessing Webmail, or a script on a website, in order to send an email via SMTP.

    Thank you.
     
  3. keat63

    I don't see anything in cPanel or Apache logs.

    Here's another, the IP being in Indonesia, so should be blocked.

    Code:
    2017-03-06 01:26:38 SMTP connection from [xxx.xxx.xxx.xxx]:37292 (TCP/IP connection count = 1)
    2017-03-06 01:27:01 dovecot_plain authenticator failed for host112.subnet.xxxx.net.id (svrwebprodi112.zzzzzz.ac.id) [xxx.xxx.xxx.xxx]:37292: 535 Incorrect authentication data (set_id=user@mydomain.co.uk)
    2017-03-06 01:27:01 SMTP connection from host112.subnet.xxxx.net.id (abcdef.ghijk.ac.id) [xxx.xxx.xxx.xxx]:37292 lost
    2017-03-06 01:27:03 SMTP connection from [xxx.xxx.xxx.xxx]:40553 (TCP/IP connection count = 1)
    2017-03-06 01:30:08 SMTP command timeout on connection from host112.subnet.xxxx.net.id [xxx.xxx.xxx.xxx]:40553
    
     
  4. keat63

    Is it possible that these login requests are coming via port 25?
     
  5. cPanelMichael

    Hello,

    Yes, it's possible if you have not applied the same firewall rules to port 25. If you decide to do so, ensure you leave the outgoing traffic over port 25 open to allow your mail server the ability to connect to remote mail servers over port 25.

    Thank you.
     
  6. keat63

    But if I close incoming port 25, then no mailserver will be able to establish a connection with me?
     
  7. cPanelMichael

    Right, you'd only receive email from servers that you whitelist. The following post explains how this works:

    change port 25

    It's likely a better option to simply manually block the remaining IP addresses you notice making failed login attempts.

    Thank you.
     
  8. keat63

    CSF is already taking care of this, however, it's annoying as I don't know how I'm still receiving failed SMTP authentications when I already closed ports 110,143,220,465,587,993,995.
     
  9. cPanelMichael

    It's likely happening over port 25 as you suggested. You may also find section 26 (Exim SMTP AUTH Restriction) on the CSF ReadMe helpful if you have not already enabled this SMTP authentication configuration:

    https://download.configserver.com/csf/readme.txt

    Beyond that, it's difficult to prevent all connection/authentication attempts without also blocking potentially legitimate requests.

    Thank you.
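
An added example, not part of the original thread and not cPanel or CSF code, for the question of which port the failed logins arrive on: it tallies Exim "authenticator failed" lines by local port and by source address. It assumes Exim's `+incoming_interface` log selector is enabled so that lines carry an `I=[address]:port` field (the excerpts posted above lack it, and such lines are counted as "unknown"); the sample log is constructed, using documentation address ranges.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the Exim excerpts in the thread.
# The I=[...]:port field is present only when Exim logs the incoming
# interface (assumption: log_selector includes +incoming_interface).
SAMPLE_LOG = """\
2017-02-28 02:41:29 SMTP connection from [203.0.113.7]:50841 I=[192.0.2.10]:25 (TCP/IP connection count = 1)
2017-02-28 02:41:58 dovecot_plain authenticator failed for ([127.0.0.1]) [203.0.113.7]:50841 I=[192.0.2.10]:25: 535 Incorrect authentication data (set_id=user)
2017-03-06 01:27:01 dovecot_plain authenticator failed for host112.example.net (mail.example.org) [198.51.100.23]:37292 I=[192.0.2.10]:25: 535 Incorrect authentication data (set_id=user@example.co.uk)
2017-03-06 01:29:14 dovecot_login authenticator failed for (User) [198.51.100.23]:40553 I=[192.0.2.10]:587: 535 Incorrect authentication data (set_id=info@example.co.uk)
2017-03-06 01:31:40 dovecot_plain authenticator failed for ([127.0.0.1]) [203.0.113.7]:51022: 535 Incorrect authentication data (set_id=user)
"""

# Source [ip]:port, then the optional local interface, then the 535 reply.
FAILED_AUTH = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<auth>\S+) authenticator failed for .*?"
    r"\[(?P<src>[0-9A-Fa-f.:]+)\]:(?P<sport>\d+)"
    r"(?: I=\[(?P<dst>[0-9A-Fa-f.:]+)\]:(?P<dport>\d+))?"
    r": 535 .*?\(set_id=(?P<user>[^)]*)\)"
)

def failed_auth_events(log_text):
    """Yield one dict per failed SMTP AUTH line; other lines are skipped."""
    for line in log_text.splitlines():
        m = FAILED_AUTH.match(line)
        if m:
            yield m.groupdict()

def summarize(log_text):
    """Count failures per local port and per (source IP, local port)."""
    by_port, by_source = Counter(), Counter()
    for ev in failed_auth_events(log_text):
        port = ev["dport"] or "unknown"  # no I= field on this line
        by_port[port] += 1
        by_source[(ev["src"], port)] += 1
    return by_port, by_source

if __name__ == "__main__":
    by_port, by_source = summarize(SAMPLE_LOG)
    for port, n in by_port.most_common():
        print(f"local port {port}: {n} failed AUTH")
    for (src, port), n in by_source.most_common():
        print(f"{src} -> port {port}: {n}")
```

Failures counted against port 25 are the ones a country block on 110, 143, 220, 465, 587, 993 and 995 cannot touch, which matches the explanation given in the replies above.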
     