Host Access Control for smtpauth?

Discussion in 'Security' started by kpmedia, Aug 26, 2014.

  1. kpmedia

    kpmedia Well-Known Member

    Joined:
    Feb 13, 2011
    Messages:
    85
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    USA, Europe
    cPanel Access Level:
    Root Administrator
    Will Host Access Control only block login attempts to SMTP (smtpauth), not block emails from coming in on port 25?

    - 1.2.3.4 can't log in at all.
    - 1.2.3.4 email sent to the server will arrive just fine.

    With a Windows Server, such things were trivial inside the mail apps. With Linux, it's not quite so clear.

    HAC is great to block everything else. The spammer/hacker cannot even see the login prompt to try and enter failed credentials for things like FTP or pop3.

    Or is this something that must be done even deeper, in exim only? (If so, where? Assuming CLI, though it would be nice if cPanel GUI controls existed.)

    I'm mostly tired of getting 50-100 emails a day for IP blocks by LFD. Many of these could be wiped out if HAC works as I'm hoping it does.
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,854
    Likes Received:
    676
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    The "Host Access Control" option in Web Host Manager is simply an interface for modifying the /etc/hosts.allow file. It blocks connections to services completely, rather than preventing authentication. For instance, if you prevent access to the cPanel service, it blocks the connection attempt completely, so the user never gets a chance to log in.

    Thank you.
     
  3. kpmedia

    kpmedia Well-Known Member

    So that means ... ?

    HAC would apparently block everything, so no connections are then possible. Not the login, not the ability to receive email either. If so, that's definitely not what I want.

    Then is the ability to block logins -- ONLY logins -- something that can be done in exim?

    Again, Windows is not nearly this hard.
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

  5. kpmedia

    kpmedia Well-Known Member

    cPHulk is already in use. It prevents logins, yes, but it does not prevent the attempts.
    The attempts trigger CSF/LFD.

    I want to prevent all attempts.

    I can do this via Host Access Control (HAC) for things like pop3.
    And I can change the ports for something like FTP, in addition to the HAC blocks.

    But for email, Linux users are seemingly screwed.

    I get crap like this every few minutes, all day long:
    Code:
    Time:     Wed Aug 27 01:30:07 2014 -0500
    IP:       113.163.15.134 (VN/Vietnam/dynamic.vdc.vn)
    Failures: 10 (smtpauth)
    Interval: 300 seconds
    Blocked:  Permanent Block
    
    Log entries:
    
    2014-08-27 01:27:32 dovecot_login authenticator failed for (USER) [113.163.15.134]:9799: 535 Incorrect authentication data (set_id=roimessaging.com)
    2014-08-27 01:27:48 dovecot_login authenticator failed for (USER) [113.163.15.134]:11382: 535 Incorrect authentication data (set_id=roimessaging.com)
    2014-08-27 01:27:59 dovecot_login authenticator failed for (USER) [113.163.15.134]:18837: 535 Incorrect authentication data (set_id=roimessaging.com)
    2014-08-27 01:28:26 dovecot_login authenticator failed for (USER) [113.163.15.134]:33856: 535 Incorrect authentication data (set_id=roimessaging.com)
    2014-08-27 01:28:50 dovecot_login authenticator failed for (USER) [113.163.15.134]:45911: 535 Incorrect authentication data (set_id=roimessaging.com)
    2014-08-27 01:28:57 dovecot_login authenticator failed for (USER) [113.163.15.134]:47289: 535 Incorrect authentication data (set_id=roimessaging.com)
    2014-08-27 01:29:08 dovecot_login authenticator failed for (USER) [113.163.15.134]:50135: 535 Incorrect authentication data (set_id=roimessaging.com)
    2014-08-27 01:29:26 dovecot_login authenticator failed for (USER) [113.163.15.134]:54446: 535 Incorrect authentication data (set_id=roimessaging.com)
    2014-08-27 01:29:47 dovecot_login authenticator failed for (USER) [113.163.15.134]:61706: 535 Incorrect authentication data (set_id=roimessaging.com)
    2014-08-27 01:30:05 dovecot_login authenticator failed for (USER) [113.163.15.134]:6859: 535 Incorrect authentication data (set_id=roimessaging.com)
    
    There's zero legit traffic coming from Vietnam to this server. I want to just block that whole /8 IP range.

    Sadly, HAC doesn't block dovecot_login.
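
To check whether failures like the ones in the log above cluster in a network range, the alert's threshold (10 failures in 300 seconds) can be applied per /24 instead of per host. This is an added example, not code from the thread, cPanel or CSF/LFD; the sample log lines and the names `parse_failures` and `offenders` are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from ipaddress import ip_network

# Constructed sample in the exim log format quoted above. Addresses are
# documentation ranges: two hosts in one /24 alternate, 5 failures each.
SAMPLE_LOG = "\n".join(
    [f"2014-08-27 01:2{7 + i // 4}:{(i % 4) * 15:02d} dovecot_login authenticator "
     f"failed for (USER) [203.0.113.{7 + i % 2}]:{9000 + i}: 535 Incorrect "
     f"authentication data (set_id=example.com)" for i in range(10)]
    + ["2014-08-27 01:28:10 dovecot_login authenticator failed for (USER) "
       "[198.51.100.9]:4000: 535 Incorrect authentication data (set_id=example.com)",
       "2014-08-27 01:28:30 SMTP connection from [192.0.2.5]:5555 "
       "(TCP/IP connection count = 1)",
       "2014-08-27 01:40:00 dovecot_login authenticator failed for (USER) "
       "[198.51.100.9]:4001: 535 Incorrect authentication data (set_id=example.com)"]
)

# IPv4 only; captures the timestamp and the client address in brackets.
FAILED = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \S+ authenticator failed for "
                    r".*\[(\d{1,3}(?:\.\d{1,3}){3})\]:\d+: 535 ")


def parse_failures(text):
    """Yield (timestamp, ip) for every failed SMTP AUTH line in text."""
    for line in text.splitlines():
        m = FAILED.match(line.strip())
        if m:
            yield datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2)


def offenders(text, limit=10, window=300, prefix=24):
    """Return {network: peak failures inside any `window`-second span} for
    networks that reach `limit`. Defaults mirror the alert: 10 in 300 s."""
    recent, peak = defaultdict(deque), defaultdict(int)
    for ts, ip in sorted(parse_failures(text)):
        net = str(ip_network(f"{ip}/{prefix}", strict=False))
        q = recent[net]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:
            q.popleft()  # drop failures that fell out of the window
        peak[net] = max(peak[net], len(q))
    return {net: n for net, n in peak.items() if n >= limit}


if __name__ == "__main__":
    print("per /24 :", offenders(SAMPLE_LOG))
    print("per host:", offenders(SAMPLE_LOG, prefix=32))
```

A range that appears in the per-/24 result but not in the per-host run is a candidate for a network-level deny entry rather than another per-IP block.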
     
  6. ThinIce

    ThinIce Well-Known Member

    Joined:
    Apr 27, 2006
    Messages:
    346
    Likes Received:
    7
    Trophy Points:
    18
    Location:
    Disillusioned in England
    cPanel Access Level:
    Root Administrator
    You might prefer to actually use CSF to control access to these ports. This is covered in "10. Advanced Allow/Deny Filters" of http://download.configserver.com/csf/readme.txt

    The issue, I believe, with Host Access Control is that it is down to the individual daemon process whether it uses the tcp wrappers files in /etc/ for access control.

    Edit: Dunno if you can do a whole range with that syntax, never tried :) If SMTP auth attacks are your specific problem, there is country blocking discussed in "26. Exim SMTP AUTH Restriction".
     
    #6 ThinIce, Aug 27, 2014
    Last edited: Aug 27, 2014
  7. kpmedia

    kpmedia Well-Known Member

    FYI, this is wrong:

    It does prevent relaying. It does NOT work.

    Again, I have no idea why this is so hard on Linux. It was trivial on every Windows mail app I've ever used, going back at least 10 years now.
     