Drop SMTP connection at HELO/EHLO matching machine name

Discussion in 'E-mail Discussions' started by danielvasc, Nov 26, 2014.

  1. danielvasc

    danielvasc Active Member

    Joined:
    Mar 5, 2014
    Messages:
    29
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    DataCenter Provider
    Hello guys!

    Recently there have been many rogue incoming SMTP connections from different IP addresses with the same machine name, "ylmf-pc". My guess is that these different machines were infected with malware and this malware is utilizing the machine to perform a brute-force password attack to gain authorization.

    My server is hosting cPanel and thus using Exim as the SMTP server. The solution I decided on was to drop the SMTP connection at HELO so that no further processing is performed.

    I'm trying to add a rule to block the machine named "Ylmf-pc" at HELO, but Exim reports an error.

    I need to use the following rule:

    Code:
    acl_smtp_helo = acl_smtp_helo
    acl_smtp_helo:
    
    #BEGIN ACL_SMTP_HELO_BLOCK
    drop
       condition = ${if eq {$sender_helo_name}{ylmf-pc} {yes}{no}}
       log_message = HELO/EHLO - ylmf-pc blocked
       message = I Nailed You at HELO
    accept
    #END ACL_SMTP_HELO_BLOCK
    When I try to apply it, I get the following error:

    root@cpanel [/etc]# /etc/init.d/exim restart
    Shutting down clamd: [ OK ]
    Shutting down exim: [ OK ]
    Shutting down spamd: [ OK ]
    Starting clamd: [ OK ]
    Starting exim: 2014-11-26 09:47:42 Exim configuration error in line 534 of /etc/exim.conf:
    error in ACL: unknown ACL verb "acl_smtp_helo" in "acl_smtp_helo = acl_smtp_helo"
    [FAILED]
    0 processes (antirelayd) sent signal 9
    /usr/local/cpanel/scripts/update_sa_rules: running in background
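    The same HELO check placed where Exim expects it, as an added example and not the poster's configuration: the error above comes from writing the `acl_smtp_helo = ...` option inside the ACL section, where Exim only accepts verbs such as accept/deny/drop. The ACL name `acl_check_helo` and the block-list path are assumptions; on cPanel the edits belong in WHM's Exim Configuration Manager rather than directly in /etc/exim.conf, which cPanel regenerates.

```exim
# Added example: corrected layout for the HELO/EHLO check.
# The ACL *option* lives in the main section (before "begin acl");
# the ACL *definition* lives in the ACL section after "begin acl".
# Exim does not allow trailing "#" comments on option lines, so all
# comments here sit on their own lines.

# ---- main configuration section ----
# Name of the ACL that Exim runs when the client sends HELO or EHLO.
acl_smtp_helo = acl_check_helo

# ---- ACL section ----
begin acl

acl_check_helo:
  # eqi compares case-insensitively, so "Ylmf-pc" and "ylmf-pc" both
  # match. With no {yes}{no} branches, ${if ...} yields "true" or an
  # empty string, which is exactly what "condition" needs.
  # "drop" sends the 5xx reply and then closes the connection, which is
  # what the post asked for ("deny" would leave the session open).
  drop
    condition   = ${if eqi{$sender_helo_name}{ylmf-pc}}
    log_message = HELO/EHLO blocked: $sender_helo_name from $sender_host_address
    message     = HELO/EHLO name not accepted

  # To block several names, keep them one per line in a file (assumed
  # path) and replace the condition above with:
  #   condition = ${lookup{$sender_helo_name}lsearch{/etc/exim_helo_blocklist}{yes}{no}}

  # Everything else continues to the later ACLs (MAIL, RCPT, DATA ...).
  accept
```

After a restart, each rejected client leaves one "rejected EHLO or HELO" line with the log_message text in the Exim main log, which gives a cheap way to confirm the rule fires and to count how many sources present that name.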
     
  2. hddntha

    hddntha Registered

    Joined:
    Jun 9, 2014
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Hello; I have the same problem with exim.conf regarding this rule. Waiting for someone's response.
     
  3. danielvasc

    danielvasc Active Member

    Joined:
    Mar 5, 2014
    Messages:
    29
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    DataCenter Provider
    The solution I found was blocking through the firewall.

    Code:
    iptables -A INPUT -p tcp --dport 25 -m string --string 'ylmf-pc' --algo bm -j DROP
    Yours,
    Daniel Vasconcelos
    --
    IT Analyst
     
  4. garconcn

    garconcn Well-Known Member

    Joined:
    Oct 29, 2009
    Messages:
    98
    Likes Received:
    1
    Trophy Points:
    8
    Thanks for sharing. How do I use this if the server uses CSF? I have not found where to add a custom iptables rule in CSF.
     
  5. danielvasc

    danielvasc Active Member

    Joined:
    Mar 5, 2014
    Messages:
    29
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    DataCenter Provider
    Do not know, sorry.
     
  6. brianoz

    brianoz Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,146
    Likes Received:
    6
    Trophy Points:
    38
    Location:
    Melbourne, Australia
    cPanel Access Level:
    Root Administrator
    Look for the description of csfpost.sh in CSF's readme.txt.
     
  7. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,854
    Likes Received:
    676
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    I am happy to see you were able to find a solution. Thank you for updating us with the outcome.
     