The Community Forums


POP3 Connection Attack

Discussion in 'General Discussion' started by Sash, May 15, 2007.

  1. Sash

    Sash Well-Known Member

    Joined:
    Feb 18, 2003
    Messages:
    252
    Likes Received:
    0
    Trophy Points:
    16
    Does anyone know how to protect against a POP3 attack? Enabling "The number of times users are allowed to check their mail using pop3 per hour. Zero is unlimited. (cppop only):" in WHM doesn't protect the server, because the person is just connecting on port 110 and not attempting to log in.

    Here's a segment from the maillog:

    May 15 16:53:03 server1 cpanelpop[8164]: Connection from host=206.36.150.18 to ip=111.222.333.90
    May 15 16:53:03 server1 cpanelpop[8165]: Connection from host=206.36.150.18 to ip=111.222.333.89
    May 15 16:53:03 server1 cpanelpop[8166]: Connection from host=206.36.150.18 to ip=111.222.333.67
    May 15 16:53:03 server1 cpanelpop[8167]: Connection from host=206.36.150.18 to ip=111.222.333.78
    May 15 16:53:03 server1 cpanelpop[8168]: Connection from host=206.36.150.18 to ip=111.222.333.68
    May 15 16:53:04 server1 cpanelpop[8120]: Connection from host=206.36.150.18 to ip=111.222.333.83
    May 15 16:53:04 server1 cpanelpop[8143]: Connection from host=206.36.150.18 to ip=111.222.333.90
    May 15 16:53:04 server1 cpanelpop[8154]: Connection from host=206.36.150.18 to ip=111.222.333.78
    May 15 16:53:04 server1 cpanelpop[8161]: Connection from host=206.36.150.18 to ip=111.222.333.78
    May 15 16:53:04 server1 cpanelpop[8169]: Connection from host=206.36.150.18 to ip=111.222.333.90
    May 15 16:53:05 server1 cpanelpop[8170]: Connection from host=206.36.150.18 to ip=111.222.333.69
    May 15 16:53:05 server1 cpanelpop[8171]: Connection from host=206.36.150.18 to ip=111.222.333.68
    May 15 16:53:05 server1 cpanelpop[8172]: Connection from host=206.36.150.18 to ip=111.222.333.90
    May 15 16:53:05 server1 cpanelpop[8173]: Connection from host=206.36.150.18 to ip=111.222.333.71
    May 15 16:53:05 server1 cpanelpop[8174]: Connection from host=206.36.150.18 to ip=111.222.333.71
    May 15 16:53:05 server1 cpanelpop[8177]: Connection from host=206.36.150.18 to ip=111.222.333.70
    May 15 16:53:05 server1 cpanelpop[8179]: Connection from host=206.36.150.18 to ip=111.222.333.70
    May 15 16:53:06 server1 cpanelpop[8180]: Connection from host=206.36.150.18 to ip=111.222.333.90
    May 15 16:53:06 server1 cpanelpop[8181]: Connection from host=206.36.150.18 to ip=111.222.333.89
    May 15 16:53:06 server1 cpanelpop[8182]: Connection from host=206.36.150.18 to ip=111.222.333.76
    May 15 16:53:06 server1 cpanelpop[8184]: Connection from host=206.36.150.18 to ip=111.222.333.66
    May 15 16:53:06 server1 cpanelpop[8185]: Connection from host=206.36.150.18 to ip=111.222.333.70
    May 15 16:53:06 server1 cpanelpop[8186]: Connection from host=206.36.150.18 to ip=111.222.333.71
    May 15 16:53:06 server1 cpanelpop[8187]: Connection from host=206.36.150.18 to ip=111.222.333.82
    May 15 16:53:06 server1 cpanelpop[8188]: Connection from host=206.36.150.18 to ip=111.222.333.66
    May 15 16:53:06 server1 cpanelpop[8193]: Connection from host=206.36.150.18 to ip=111.222.333.68
    May 15 16:53:07 server1 cpanelpop[8194]: Connection from host=206.36.150.18 to ip=111.222.333.66
    May 15 16:53:07 server1 cpanelpop[8195]: Connection from host=206.36.150.18 to ip=111.222.333.90
    May 15 16:53:07 server1 cpanelpop[8200]: Connection from host=206.36.150.18 to ip=111.222.333.70
    May 15 16:53:07 server1 cpanelpop[8201]: Connection from host=206.36.150.18 to ip=111.222.333.69
    May 15 16:53:08 server1 cpanelpop[8202]: Connection from host=206.36.150.18 to ip=111.222.333.82
    May 15 16:53:09 server1 cpanelpop[8203]: Connection from host=206.36.150.18 to ip=111.222.333.89
    May 15 16:53:11 server1 cpanelpop[8204]: Connection from host=206.36.150.18 to ip=111.222.333.89
    May 15 16:53:13 server1 cpanelpop[8205]: Connection from host=206.36.150.18 to ip=111.222.333.67
    May 15 16:53:14 server1 cpanelpop[8206]: Connection from host=206.36.150.18 to ip=111.222.333.66

    Firewalling the offender is the only thing that resolves the problem.

    Thanks,
    Mike
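    One way to spot this pattern in the maillog before anyone has to eyeball it, as an added example that is not part of the original thread: a sliding-window counter over the cpanelpop "Connection from" lines, which reports any source host that opens more than a threshold of connections inside a short window. The sample log is constructed to resemble the post, and the 10-second window and threshold of 20 are assumptions to tune for your own server.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches cpanelpop connection lines as they appear in /var/log/maillog.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ cpanelpop\[\d+\]: "
    r"Connection from host=(?P<src>[\d.]+) to ip=(?P<dst>[\d.]+)"
)

def parse_line(line, year=2007):
    """Return (timestamp, source host, destination ip), or None if the line
    is not a cpanelpop connection record. syslog lines carry no year, so one
    is supplied by the caller (assumption: the log is from a single year)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["src"], m["dst"]

def find_floods(lines, window_secs=10, threshold=20):
    """Sliding-window counter: flag a source host once it has opened more
    than `threshold` POP3 connections inside any `window_secs` span.
    Returns {source_host: peak_connections_seen_in_one_window}."""
    recent = defaultdict(deque)   # per-source timestamps still in the window
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, _dst = parsed
        q = recent[src]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_secs:  # expire old entries
            q.popleft()
        if len(q) > threshold:
            flagged[src] = max(flagged.get(src, 0), len(q))
    return flagged

# Constructed sample resembling the post's log: one host hammering port 110
# (30 connections in about 9 seconds) plus an ordinary client checking mail.
SAMPLE_LOG = [
    f"May 15 16:53:{3 + i // 3:02d} server1 cpanelpop[{8164 + i}]: "
    f"Connection from host=206.36.150.18 to ip=111.222.333.{66 + i % 25}"
    for i in range(30)
] + [
    "May 15 16:53:05 server1 cpanelpop[8300]: Connection from host=10.0.0.5 to ip=111.222.333.70",
    "May 15 16:55:05 server1 cpanelpop[8301]: Connection from host=10.0.0.5 to ip=111.222.333.70",
]

if __name__ == "__main__":
    for host, peak in find_floods(SAMPLE_LOG).items():
        print(f"{host}: {peak} connections within 10 s, candidate for a firewall block")
```

    Run against the real file with `find_floods(open("/var/log/maillog"))`; the hosts it returns are the ones worth feeding to whatever blocking tool you settle on.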
     
  2. david510

    david510 Well-Known Member

    Joined:
    Aug 22, 2004
    Messages:
    473
    Likes Received:
    0
    Trophy Points:
    16
    You may block the IP range.

    iptables -I INPUT -s 111.222.333/24 -j DROP
     
  3. Sash

    Sash Well-Known Member

    Joined:
    Feb 18, 2003
    Messages:
    252
    Likes Received:
    0
    Trophy Points:
    16
    Yeah, that's what we do. But I'm looking for something more proactive.

    Mike
     
  4. jayh38

    jayh38 Well-Known Member

    Joined:
    Mar 3, 2006
    Messages:
    1,215
    Likes Received:
    0
    Trophy Points:
    36
    Try CSF. You can set the connection limits based on time and many other things in there.
     
  5. Sash

    Sash Well-Known Member

    Joined:
    Feb 18, 2003
    Messages:
    252
    Likes Received:
    0
    Trophy Points:
    16
    Does CSF stand for anything? I wasn't able to google anything based on "CSF" and "connection limits based".

    Thanks,
    Mike
     
  6. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
  7. sehh

    sehh Well-Known Member

    Joined:
    Feb 11, 2006
    Messages:
    579
    Likes Received:
    5
    Trophy Points:
    18
    Location:
    Europe
    I am using BFD: http://www.rfxnetworks.com/bfd.php

    I've set up several scripts that work with my environment (the default ones suck badly), but once you make your own it works great!

    I block IP addresses that try to log in via pop3d, imapd, exim, apache, SSH and others.
     
  8. Sash

    Sash Well-Known Member

    Joined:
    Feb 18, 2003
    Messages:
    252
    Likes Received:
    0
    Trophy Points:
    16
    sehh,

    Thanks, we're running BFD. Unfortunately, the people are just connecting to port 110; they're not actually attempting to log in to the POP server.

    We're going to try CSF..........

    Mike
     
  9. sehh

    sehh Well-Known Member

    Joined:
    Feb 11, 2006
    Messages:
    579
    Likes Received:
    5
    Trophy Points:
    18
    Location:
    Europe
    Then what is the problem if they are not trying to log in?

    They are probably just checking which software/version you are using for the pop3 server, looking for vulnerable systems.
     
  10. erik@delphi

    erik@delphi Well-Known Member

    Joined:
    Jul 9, 2005
    Messages:
    78
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Belgium
    So you wouldn't be worried when somebody does this on your server? They are using your resources, and resources are not cheap.... That's the most stupid question I have ever seen here :rolleyes:

    Code:
    Attempt to prevent pop3 connection floods => tick
    
    It's under Tweak Settings.
     
  11. sehh

    sehh Well-Known Member

    Joined:
    Feb 11, 2006
    Messages:
    579
    Likes Received:
    5
    Trophy Points:
    18
    Location:
    Europe
    What resources are you talking about? You mean the 300GB of traffic that I've got per month? Ha! Let them try to consume that!

    If they managed to eat it all, then good for them, LOL!

    To answer your question, no, I'm not worried; they are using less than 0,00001% of my available resources.

    You are probably the most stupid person by running around trying to save useless bandwidth.
     
  12. Sash

    Sash Well-Known Member

    Joined:
    Feb 18, 2003
    Messages:
    252
    Likes Received:
    0
    Trophy Points:
    16
    The hundreds of connection attempts that the customer is making are acting like a DOS against the server. The CPU load jumps to 50+ and most of the services become unresponsive, requiring a reboot. Bandwidth is not an issue.

    The feature "Attempt to prevent pop3 connection floods" doesn't have any effect on the problem.

    Mike
     
  13. mctDarren

    mctDarren Well-Known Member

    Joined:
    Jan 6, 2004
    Messages:
    664
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    New Jersey
    cPanel Access Level:
    Root Administrator
    One of the things crackers look for is reaction. "No reaction to our attempts? Maybe something else is lax as well. Let's hammer that box." GL
     