Getting SLAMMED on port 25

Discussion in 'Security' started by shortfork, Jun 22, 2013.

  1. shortfork

    shortfork Well-Known Member

    Joined:
    Sep 4, 2006
    Messages:
    63
    Likes Received:
    0
    Trophy Points:
    6
    Over the past month, I've had some nasty connections to port 25 which bring the server load up into the 50's and higher.

    Once I find the offending IP, I just drop it into apf -d and load comes down instantly. Am I missing something with apf, shouldn't it be auto blocking when one IP attempts a ton of connections to a given port? Can I do this with port 25?

    Also, what the heck could the visitor be doing that ties up so many resources on port 25? I've got the box locked down pretty well, all the standard tweaks to keep it as safe as possible... but I think I'm missing something if one single attacker can drag the box down so deeply with one port slam.

    HELP!

    Shortz
     
  2. Eric

    Eric Administrator
    Staff Member

    Joined:
    Nov 25, 2007
    Messages:
    746
    Likes Received:
    11
    Trophy Points:
    18
    Location:
    Texas
    cPanel Access Level:
    Root Administrator
    Howdy,

    I can make some guesses but it would be better to get some logs for when this happens. It sounds malicious but I'd like to be sure before guessing.

    Thanks!
     
  3. shortfork

    shortfork Well-Known Member

    Joined:
    Sep 4, 2006
    Messages:
    63
    Likes Received:
    0
    Trophy Points:
    6
    Thanks Eric, I'd assume we'd be looking in the exim logs. It's been a few days since it last happened, and I'm trying to figure out Chirpy's firewall system. I'd just have him install it and check the box, but he's a victim of his success... too busy right now to do it!!

    Anyway, LOVE cPanel but would really like to see a firewall accessible via the cPanel interface. THAT would be the Dog's B's!
     
  4. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    941
    Likes Received:
    55
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    I don't know about APF, but CSF has a CT_LIMIT which will block IPs with more than $NUM connections. This could likely help you. I highly recommend the switch from APF to CSF, as CSF has a good built-in login failure daemon (LFD), can block for mod_security triggers, and can be managed via WHM.
     
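A defender-side check for what CT_LIMIT automates, added here as an example and not code from this thread, cPanel or CSF: it counts established connections per remote address on the local SMTP port from `ss -tn` style output and reports any source over a threshold, which is the manual step of "find the offending IP" from the first post. The `ss` output below is constructed for the demonstration; the threshold and port are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: per-peer connection counting on port 25,
# the same idea CSF's CT_LIMIT applies automatically.

# Constructed sample of `ss -tn` output (header line plus established sockets).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port   Peer Address:Port
ESTAB  0      0      203.0.113.10:25      198.51.100.7:51002
ESTAB  0      0      203.0.113.10:25      198.51.100.7:51003
ESTAB  0      0      203.0.113.10:25      198.51.100.7:51004
ESTAB  0      0      203.0.113.10:25      192.0.2.44:40012
ESTAB  0      0      203.0.113.10:443     198.51.100.7:51005
ESTAB  0      0      203.0.113.10:25      198.51.100.7:51006'

# smtp_offenders PORT LIMIT
#   Reads ss-style lines on stdin and prints "count ip", highest first, for
#   every peer holding more than LIMIT established connections to local PORT.
#   Address parsing strips text after the last colon, so IPv6 peers such as
#   [2001:db8::1]:51002 are handled as well.
smtp_offenders() {
    port=$1; limit=$2
    awk -v port="$port" -v limit="$limit" '
        $1 == "ESTAB" {
            lp = $4; sub(/.*:/, "", lp)       # local port: text after last colon
            pa = $5; sub(/:[0-9]+$/, "", pa)  # peer address: drop trailing :port
            if (lp == port) n[pa]++
        }
        END { for (ip in n) if (n[ip] > limit) print n[ip], ip }
    ' | sort -rn
}

# Run the check against the constructed sample with an assumed limit of 3.
sample_offenders() {
    printf '%s\n' "$SAMPLE_SS" | smtp_offenders 25 3
}

# Live use on a server (left commented so the script runs offline):
#   ss -tn | smtp_offenders 25 50
```

Anything this reports is the address to examine in the exim logs before deciding on a block; a high count alone can also be a legitimate relay or scanner retrying, so the log context matters.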