Exim Dictionary Attack ACL for cPanel

Discussion in 'General Discussion' started by sh4ka, Oct 13, 2005.

  1. sh4ka

    sh4ka Well-Known Member

    Joined:
    May 12, 2005
    Messages:
    442
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    US
    cPanel Access Level:
    DataCenter Provider
  2. chris74108

    chris74108 Well-Known Member

    Joined:
    Apr 30, 2004
    Messages:
    86
    Likes Received:
    0
    Trophy Points:
    6
  3. jameshsi

    jameshsi Well-Known Member

    Joined:
    Oct 22, 2001
    Messages:
    347
    Likes Received:
    0
    Trophy Points:
    16
    Just do it, don't worry about it, it is good.
     
  4. sh4ka

    sh4ka Well-Known Member

    Joined:
    May 12, 2005
    Messages:
    442
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    US
    cPanel Access Level:
    DataCenter Provider
    Oki doki.. I saw the same red "doggie" :P on the site of this script but I never imagined that that was chirpy's website, anyway.. I'll try it. Thanks guys.
     
  5. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    It's in my forum signature ;)
     
  6. sh4ka

    sh4ka Well-Known Member

    Joined:
    May 12, 2005
    Messages:
    442
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    US
    cPanel Access Level:
    DataCenter Provider
    Chirpy, is that a dog or a pony ??? :p
     
  7. verdon

    verdon Well-Known Member

    Joined:
    Nov 1, 2003
    Messages:
    836
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    Northern Ontario, Canada
    cPanel Access Level:
    Root Administrator
    looks like a corgi to me :)
     
  8. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    It's an English Bull Terrier - we have 2 of the little monsters :p

    hint: click on the logo on the configserver site.
     
  9. rs-freddo

    rs-freddo Well-Known Member

    Joined:
    May 13, 2003
    Messages:
    832
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Australia
    cPanel Access Level:
    Root Administrator
    Hey Chirpy,

    Any way to "permanently" ban the dictionary attack servers? I've had a dictionary attack going on for 3 weeks now. They seem to just be recycling the servers after your script drops them. I don't want to really "permanently" ban them - just set the number of days to keep a server banned.
     
  10. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    If it's for one or two servers it's probably best to drop in a custom ACL for them:

    Code:
      drop hosts = 11.22.33.44 : 11.22.33.55 : 11.22.33.66
           message = Spam or Mail Bombing activity
    
    Stick that just before the exim deny ACL drops.

    Alternatively, if you want the blanket ban to last longer, remove the symlink in /etc/cron.daily/exim_deny.pl and create a crontab to run that at the frequency that you want (e.g. every 3 days, etc).
     
  11. rs-freddo

    rs-freddo Well-Known Member

    Joined:
    May 13, 2003
    Messages:
    832
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Australia
    cPanel Access Level:
    Root Administrator
    Thanks Chirpy,

    I'm embarrassed it was as simple as changing the cron job....
    It's about 50 servers hammering me, so cron is the way to go.
     
  12. bijo

    bijo Well-Known Member

    Joined:
    Aug 21, 2004
    Messages:
    475
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    India
    Thank you Jonathan :)

    Finally we can see your photo from that link
    http://chirpy.com
     
  13. Murtaza_t

    Murtaza_t Well-Known Member

    Joined:
    Jan 24, 2005
    Messages:
    476
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Earth
    cPanel Access Level:
    Website Owner
    Thanks Bijo.... I really wanted to see the head that carries those brains...
     
  14. brianoz

    brianoz Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,146
    Likes Received:
    6
    Trophy Points:
    38
    Location:
    Melbourne, Australia
    cPanel Access Level:
    Root Administrator
    I can wholeheartedly recommend the dictionary ACL. A few months back one of our resellers moved a domain getting 70,000 spams a day with blackhole settings to our server. The jump in CPU usage was incredible - for just that one domain. After changing the default destination for the domain from blackhole to fail, the server CPU load went back to normal almost immediately, although it took a few days for the dictionary ACL to work its magic and persuade the spammers to play elsewhere. I don't know how anyone could operate a server without the dictionary attack ACL.
     
  15. Website Rob

    Website Rob Well-Known Member

    Joined:
    Mar 23, 2002
    Messages:
    1,506
    Likes Received:
    0
    Trophy Points:
    36
    Location:
    Alberta, Canada
    cPanel Access Level:
    Root Administrator
    I would also agree, using the "Exim Dictionary Attack ACL" is a must have for any Server.

    Touch of class on Chirpy's part, to provide it for free. Even muddleheads like myself can install it. :D
     
  16. myusername

    myusername Well-Known Member
    PartnerNOC

    Joined:
    Mar 6, 2003
    Messages:
    691
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    chown -R us.*yourbase*
    cPanel Access Level:
    DataCenter Provider
    I have a quick question Chirpy, and it is a reversal of how the dictionary attack ACL would work.

    We have a user that is getting:

    "550 connection denied after dictionary attack Port 25 Security (SSL) Server error 550. Error number 0x800CCC79"

    From his mail client. I have not come across that yet, but I can only assume perhaps the person has a virus or something originating on their local machine that is triggering the attack against themselves using their SMTP on our server.

    Just a guess, that's my first thought on why they would have denied themselves....
     
  17. MediaServe

    MediaServe Well-Known Member
    PartnerNOC

    Joined:
    Apr 9, 2004
    Messages:
    126
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Nashville, TN USA
    cPanel Access Level:
    DataCenter Provider
    I'm glad it's not just me! We have one particular user who keeps getting this same error, maybe once a week or so. It's extremely frustrating, and although logic says Chirpy's ACL has something to do with it, I don't know how. The user's IP address is never listed in exim_deny.
     
  18. rs-freddo

    rs-freddo Well-Known Member

    Joined:
    May 13, 2003
    Messages:
    832
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Australia
    cPanel Access Level:
    Root Administrator
    I noticed in the logs that if an SMTP user tries to send email via our server without authenticating and tries to send to a non-existent address, the dictionary ACL will ban them. The key here is "without authenticating". As you know, users don't have to authenticate on the cPanel system if they have picked up mail in the last 30 mins.

    Try telling your clients to make sure they have their email client authenticating when using SMTP. Just my thoughts...
     
  19. MediaServe

    MediaServe Well-Known Member
    PartnerNOC

    Joined:
    Apr 9, 2004
    Messages:
    126
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Nashville, TN USA
    cPanel Access Level:
    DataCenter Provider
    Thanks for sharing your thoughts, I've asked the user to check for that, and will report back once I've been able to determine whether or not that solved it.
     
  20. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    Yup, that's usually the cause - 4 non-authenticated sends in a row and they're blocked. Simplest is to search the logs for the IP address of the user's internet connection and look for when it first got banned. Usually, it's for that reason, though sometimes it is because of a virus-infected PC.
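As an added illustration (not from the thread, and not chirpy's exim_deny code), the Python below models what rs-freddo and chirpy describe in the two posts above: a run of unauthenticated sends to bad addresses from one client IP trips the ban, and the first step in diagnosing a self-banned customer is to find the earliest "dictionary attack" rejection for that IP in the Exim main log and look at what the client did just before it. The log lines are constructed, the threshold of 4 is chirpy's figure, and the exact ACL message text and the rule that an authenticated session resets the count are assumptions about the ACL's behaviour, not facts from the page.

```python
import re
from collections import defaultdict
from datetime import datetime

BAN_THRESHOLD = 4  # chirpy: "4 non-authenticated sends in a row and they're blocked"

# Constructed sample of Exim main log lines (not from the thread).
# 203.0.113.7 is a mail client sending without SMTP AUTH to mistyped addresses;
# 198.51.100.9 is authenticated (Exim logs A=<authenticator>:<id>), so its
# failure does not count. The ACL message text is an assumption.
SAMPLE_LOG = """\
2005-10-13 09:12:01 H=(pc.home) [203.0.113.7] F=<bob@example.net> rejected RCPT <jhon@example.com>: Unrouteable address
2005-10-13 09:12:04 H=(pc.home) [203.0.113.7] F=<bob@example.net> rejected RCPT <sale@example.com>: Unrouteable address
2005-10-13 09:12:09 H=(laptop.lan) [198.51.100.9] A=dovecot_login:alice F=<alice@example.net> rejected RCPT <typo@example.com>: Unrouteable address
2005-10-13 09:12:15 H=(pc.home) [203.0.113.7] F=<bob@example.net> rejected RCPT <info2@example.com>: Unrouteable address
2005-10-13 09:12:20 H=(pc.home) [203.0.113.7] F=<bob@example.net> rejected RCPT <admin1@example.com>: Unrouteable address
2005-10-13 09:12:31 H=(pc.home) [203.0.113.7] rejected connection in "connect" ACL: connection denied after dictionary attack
2005-10-13 09:40:02 H=(pc.home) [203.0.113.7] rejected connection in "connect" ACL: connection denied after dictionary attack
"""

# timestamp, then the first [ip] bracket, then everything after it
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) .*?\[(?P<ip>[\d.]+)\](?P<rest>.*)$'
)


def parse_log(text):
    """Yield (timestamp, ip, authenticated, rest) for every line with a client IP."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        rest = m.group("rest")
        authed = " A=" in rest  # Exim's authenticated-session tag
        yield ts, m.group("ip"), authed, rest


def unauth_rcpt_streaks(text):
    """Replay the log per IP, counting consecutive unauthenticated rejected RCPTs.
    Assumption: any authenticated line from the IP resets its run.
    Returns {ip: longest run seen}."""
    streak = defaultdict(int)
    longest = defaultdict(int)
    for _, ip, authed, rest in parse_log(text):
        if authed:
            streak[ip] = 0
            continue
        if "rejected RCPT" in rest:
            streak[ip] += 1
            longest[ip] = max(longest[ip], streak[ip])
    return dict(longest)


def would_be_banned(text, threshold=BAN_THRESHOLD):
    """IPs whose run of unauthenticated failures reached the ban threshold."""
    return sorted(ip for ip, n in unauth_rcpt_streaks(text).items() if n >= threshold)


def first_ban(text, ip):
    """chirpy's check: the earliest 'dictionary attack' rejection for the client's IP."""
    for ts, line_ip, _, rest in parse_log(text):
        if line_ip == ip and "dictionary attack" in rest:
            return ts
    return None


def unauth_rcpts_before(text, ip, when):
    """Unauthenticated rejected RCPTs from `ip` before `when`: the evidence that
    the mail client was sending without SMTP AUTH when it got itself banned."""
    return [rest.strip() for ts, line_ip, authed, rest in parse_log(text)
            if line_ip == ip and ts < when and not authed and "rejected RCPT" in rest]


if __name__ == "__main__":
    client = "203.0.113.7"
    banned_at = first_ban(SAMPLE_LOG, client)
    print("would be banned:", would_be_banned(SAMPLE_LOG))
    print(client, "first banned at", banned_at)
    for line in unauth_rcpts_before(SAMPLE_LOG, client, banned_at):
        print("  before ban:", line)
```

Run against a real /var/log/exim_mainlog, the useful output is the list from unauth_rcpts_before: if it shows the customer's own sender address with no A= tag, the fix is the one rs-freddo gives (turn on SMTP authentication in the mail client) rather than whitelisting the IP.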
     