Open ports on server question

albatroz

One of my customers recently ran a vulnerability test against my VPS and noticed several open ports that you can see in the attached picture. There are some ports that I recognize but there are others like the 2000 and 1167 that I don't know where they come from.
 


cPanelMichael

Administrator
Staff member
Hello @albatroz,

Can you open a support ticket so we can take a closer look at your system? You can post the ticket number here and I'll link this thread to it.

Thank you.
 

cPanelMichael

Hello,

To update, here's a summary of the response sent by one of our Technical Analysts in the ticket:

The messages from the affected email address were Greylisted because the domain name associated with the email address lacks DNS entries because its authoritative nameservers do not contain information on it:

# dig +short txt domain.tld
# dig +short default._domainkey.domain.tld
# dig +short domain.tld

In addition, the server's Exim configuration contains a number of custom modifications, one of which is the "host_find_failed" directive, which is set to defer:

# grep host_find_failed /etc/exim.conf
host_find_failed = defer

Apparently as a result of this customization, the messages are being deferred:

# grep domain.tld /usr/local/cpanel/logs/cpgreylistd.log | grep -v get_deferred_list | tail -5
[2019-04-15 06:32:10 -0500] info [cpgreylistd] Request:- OP: ['should_defer'], Sender IP: ['1.2.3.4'], From Address: ['[email protected]'], To Address: ['[email protected]']. Reply:- ['yes']

And it appears that they are then removed from the cpgreylistd database 24 hours after the first message attempt is sent. This is the first entry in the cpgreylist log file for the message:

[2019-04-14 10:34:40 -0500] info [cpgreylistd] Request:- OP: ['should_defer'], Sender IP: ['1.2.3.4'], From Address: ['[email protected]'], To Address: ['[email protected]']. Reply:- ['yes']

And this is the last entry for it, a little over 24 hours later:

[2019-04-15 11:12:12 -0500] info [cpgreylistd] Request:- OP: ['should_defer'], Sender IP: ['1.2.3.4'], From Address: ['[email protected]'], To Address: ['[email protected]']. Reply:- ['yes']

It thus appears that the message is essentially disappearing without being either delivered or rejected.

You may therefore wish to remove the "host_find_failed = defer" line from the Exim customizations, then restart Exim for the change to take effect to see if doing that resolves this issue. However, ultimately, the issue lies with the lack of DNS resolution for the domain.tld domain, which will need to be addressed by the administrators of that domain.
Thank you.
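The grep-based check in the post above can be automated. This is an added example, not part of the original thread and not cPanel code: it parses `should_defer` lines in the log format quoted above and reports sender/recipient triplets that were deferred on every attempt across at least 24 hours. The sample log is constructed, and the `['no']` reply value in it is an assumption about how a non-deferred request is logged.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Field layout copied from the cpgreylistd.log lines quoted in the post above.
LINE_RE = re.compile(
    r"\[(?P<ts>[^\]]+)\] info \[cpgreylistd\] Request:- OP: \['should_defer'\], "
    r"Sender IP: \['(?P<ip>[^']*)'\], From Address: \['(?P<frm>[^']*)'\], "
    r"To Address: \['(?P<to>[^']*)'\]\. Reply:- \['(?P<reply>[^']*)'\]"
)

# Constructed sample (placeholder IPs/addresses; the 'no' reply value is an assumption).
SAMPLE_LOG = """\
[2019-04-14 10:34:40 -0500] info [cpgreylistd] Request:- OP: ['should_defer'], Sender IP: ['192.0.2.10'], From Address: ['sender@example.org'], To Address: ['user@example.com']. Reply:- ['yes']
[2019-04-14 10:40:00 -0500] info [cpgreylistd] Request:- OP: ['should_defer'], Sender IP: ['198.51.100.7'], From Address: ['news@example.net'], To Address: ['user@example.com']. Reply:- ['yes']
[2019-04-14 10:52:00 -0500] info [cpgreylistd] Request:- OP: ['should_defer'], Sender IP: ['198.51.100.7'], From Address: ['news@example.net'], To Address: ['user@example.com']. Reply:- ['no']
[2019-04-15 06:32:10 -0500] info [cpgreylistd] Request:- OP: ['should_defer'], Sender IP: ['192.0.2.10'], From Address: ['sender@example.org'], To Address: ['user@example.com']. Reply:- ['yes']
[2019-04-15 11:12:12 -0500] info [cpgreylistd] Request:- OP: ['should_defer'], Sender IP: ['192.0.2.10'], From Address: ['sender@example.org'], To Address: ['user@example.com']. Reply:- ['yes']
"""

def stuck_triplets(log_text, window=timedelta(hours=24)):
    """Return {(ip, from, to): (first, last, attempts)} for triplets that were
    deferred on every logged attempt over a span of at least `window`."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # other operations or unrelated log lines
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S %z")
        seen[(m["ip"], m["frm"], m["to"])].append((ts, m["reply"]))
    stuck = {}
    for key, events in seen.items():
        events.sort()
        only_deferred = all(reply == "yes" for _, reply in events)
        first, last = events[0][0], events[-1][0]
        if only_deferred and last - first >= window:
            stuck[key] = (first, last, len(events))
    return stuck

if __name__ == "__main__":
    for (ip, frm, to), (first, last, n) in stuck_triplets(SAMPLE_LOG).items():
        print(f"{frm} -> {to} via {ip}: {n} deferrals, {first} .. {last}")
```

A triplet reported here matches the pattern described in the ticket summary: retried for more than a day, never accepted, never rejected.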