Closing smtp ports question

[keat63]

I'm fed up of checking my logs daily to find brute force login attempts on emails, some times as many as 50 over night.
So in CSF I closed ports 110,143,220,465,587,993,995 to all but my home country code.

Either this is working to a point, or the hackers got bored and moved on.
However, if it is working, then I'm still seeing a very small number, but I've no ideas why.

2017-02-28 02:41:29 SMTP connection from [xxx.xx.xxx.xxx]:50841 (TCP/IP connection count = 1)
2017-02-28 02:41:30 no host name found for IP address xxx.xx.xxx.xxx
2017-02-28 02:41:50 no host name found for IP address xxx.xx.xxx.xxx
2017-02-28 02:41:52 no host name found for IP address xxx.xx.xxx.xxx
2017-02-28 02:41:58 dovecot_plain authenticator failed for ([127.0.0.1]) [xxx.xx.xxx.xxx]:50841: 535 Incorrect authentication data (set_id=user)
2017-02-28 02:42:00 SMTP connection from ([127.0.0.1]) [xxx.xx.xxx.xxx]:50841 lost
2017-02-28 02:42:01 SMTP connection from [xxx.xx.xxx.xxx]:54329 (TCP/IP connection count = 1)
2017-02-28 02:42:01 no host name found for IP address xxx.xx.xxx.xxx
2017-02-28 02:45:06 SMTP command timeout on connection from [xxx.xx.xxx.xxx]:54329

How would I find which port they might be using, so I can close this one too ??

 

[cPanelMichael]

Hello,

You may want to review your cPanel and Apache access logs for those IP addresses to see if they were accessing Webmail, or a script on a website, in order to send an email via SMTP.

Thank you.

 

[keat63]

I don't see anything in cpanel or apache logs.

Here's another, the IP being in Indonesia, so should be blocked.

2017-03-06 01:26:38 SMTP connection from [xxx.xxx.xxx.xxx]:37292 (TCP/IP connection count = 1)
2017-03-06 01:27:01 dovecot_plain authenticator failed for host112.subnet.xxxx.net.id (svrwebprodi112.zzzzzz.ac.id) [xxx.xxx.xxx.xxx]:37292: 535 Incorrect authentication data ([email protected])
2017-03-06 01:27:01 SMTP connection from host112.subnet.xxxx.net.id (abcdef.ghijk.ac.id) [xxx.xxx.xxx.xxx]:37292 lost
2017-03-06 01:27:03 SMTP connection from [xxx.xxx.xxx.xxx]:40553 (TCP/IP connection count = 1)
2017-03-06 01:30:08 SMTP command timeout on connection from host112.subnet.xxxx.net.id [xxx.xxx.xxx.xxx]:40553

 

[keat63]

is it possible that these login requests are coming via port 25

 

[cPanelMichael]

Hello,

Yes, it's possible if you have not applied the same firewall rules to port 25. If you decide to do so, ensure you leave the outgoing traffic over port 25 open to allow your mail server the ability to connect to remote mail servers over port 25.

Thank you.

 

[keat63]

But if i close incoming port 25, then no mailserver will be able to establish a connection with me ??

 

[cPanelMichael]

But if i close incoming port 25, then no mailserver will be able to establish a connection with me ??

Right, you'd only receive email from servers that you whitelist. The following post explains how this works:

change port 25

It's likely a better option to simply manually block the remaining IP addresses you notice making failed login attempts.

Thank you.

 

[keat63]

CSF is already taking care of this, however, it's annoying as I don't know how I'm still receiving failed smtp authentications when I already closed ports 110,143,220,465,587,993,995.

 

[cPanelMichael]

CSF is already taking care of this, however, it's annoying as I don't know how I'm still receiving failed smtp authentications when I already closed ports 110,143,220,465,587,993,995.

It's likely happening over port 25 as you suggested. You may also find section 26 (Exim SMTP AUTH Restriction) on the CSF ReadMe helpful if you have not already enabled this SMTP authentication configuration:

https://download.configserver.com/csf/readme.txt

Beyond that, it's difficult to prevent all connection/authentication attempts without also blocking potentially legitimate requests.

Thank you.

 

[keat63]

This is still onging.


2017-10-09 16:12:16 SMTP connection from [xxx.xxx.xxx.xx]:51334 (TCP/IP connection count = 1)
2017-10-09 16:12:21 dovecot_plain authenticator failed for (127.0.0.1) [xxx.xxx.xxx.xx]:51334: 535 Incorrect authentication data ([email protected]domain.com)
2017-10-09 16:12:27 SSL_write: (from (127.0.0.1) [xxx.xxx.xxx.xx]:51334) syscall: Broken pipe
2017-10-09 16:12:27 dovecot_login authenticator failed for (127.0.0.1) [xxx.xxx.xxx.xx]:51334: 535 Incorrect authentication data (set_id=AB\023)
2017-10-09 16:12:27 SMTP connection from (127.0.0.1) [xxx.xxx.xxx.xx]:51334 lost

I found this in the message log for a similar login attempt.

[6883341.422495] Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:19:99:78:1e:4f:00:18:74:67:50:00:08:00 SRC=xxx.xxx.xxx.xx DST=xxx.xxx.xxx.xx LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=14778 DF PROTO=TCP SPT=42475 DPT=587 WINDOW=5808 RES=0x00 SYN URGP=0

which would indicate port 587, but port 587 is closed in CSF

 

[cPanelMichael]

Hello,

Are there any corresponding entries in /usr/local/cpanel/logs/access_log around the same date/time that would suggest these entries stem from Webmail access?

Thank you.

 

[keat63]

I don't see anything in access.log around this time other than a few localhost (127) entries.

 

[cPanelMichael]

I found this in the message log for a similar login attempt.

[6883341.422495] Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:19:99:78:1e:4f:00:18:74:67:50:00:08:00 SRC=xxx.xxx.xxx.xx DST=xxx.xxx.xxx.xx LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=14778 DF PROTO=TCP SPT=42475 DPT=587 WINDOW=5808 RES=0x00 SYN URGP=0

which would indicate port 587, but port 587 is closed in CSF

This message output shows the connection was blocked by the firewall. As far as the other log entries, are you sure it's not due to traffic over port 25, as discussed earlier in the thread?

Thank you.