The Community Forums


Regular POP3D Attacks and Blocks

Discussion in 'Security' started by Another Blogger, Jan 5, 2013.

  1. Another Blogger

    Joined:
    Jan 4, 2013
    Messages:
    20
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Website Owner
    Hi everyone

    I'm using a self-hosted wordpress blog. I'm using Gmail to access my domain email accounts.

    I want to know, are built-in email services such as Exim, etc. necessary if we are using Gmail to manage emails? I have only 2 accounts on the server: root and my personal account.

    I have set "Mailserver selection" to Disabled in WHM settings.

    My problem is that I regularly get following alerts from LFD:

    ==========

    Time: Sat Jan 5 08:53:07 2013
    IP: x.x.x.x
    Failures: 2 (pop3d)
    Interval: 300 seconds
    Blocked: Permanent Block

    Log entries:

    Jan 5 08:53:00 host dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<staff>, method=PLAIN, rip=x.x.x.x, lip=x.x.x.x
    Jan 5 08:53:03 host dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<sales>, method=PLAIN, rip=x.x.x.x, lip=x.x.x.x

    ==========

    I generally get 1 or 2 emails daily. I have set the pop3 login failure attempts to 2 before permanent block in firewall settings. But I want to know, is there any way to permanently stop these attacks?

    Can I disable exim or any other thing which can stop these attackers?

    Thanks.
     
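As an added example (not code from the original post, and not csf/lfd's own implementation), the detection behind the alert quoted above in Python: parse dovecot pop3-login/imap-login "auth failed" lines, count failures per source IP over a sliding window equal to the alert's Interval (300 seconds), and flag the IP once the count reaches the trigger (2, as the poster configured). The log lines are constructed in the same format as the two quoted ones, with documentation-range addresses standing in for x.x.x.x; the year is an assumption, since syslog timestamps carry none.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log (not from the original post): the dovecot pop3-login/imap-login
# auth-failure format quoted in the alert, with documentation-range IPs standing in for x.x.x.x.
SAMPLE_LOG = """\
Jan  5 08:53:00 host dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<staff>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10
Jan  5 08:53:03 host dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<sales>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10
Jan  5 08:55:10 host dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<info>, method=PLAIN, rip=198.51.100.22, lip=192.0.2.10
Jan  5 09:10:00 host dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<admin>, method=PLAIN, rip=198.51.100.22, lip=192.0.2.10
Jan  5 09:10:05 host dovecot: imap-login: Disconnected (auth failed, 3 attempts): user=<admin>, method=PLAIN, rip=198.51.100.22, lip=192.0.2.10
Jan  5 09:10:06 host dovecot: pop3-login: Login: user=<me>, method=PLAIN, rip=192.0.2.50, lip=192.0.2.10, mpid=1234
"""

# Only "auth failed" disconnects count; successful logins and other noise do not match.
FAIL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ dovecot: "
    r"(?P<proto>pop3|imap)-login: Disconnected \(auth failed, \d+ attempts\): "
    r"user=<(?P<user>[^>]*)>, method=\S+, rip=(?P<rip>[0-9A-Fa-f.:]+), lip=\S+"
)

def parse_failures(log_text, year=2013):
    """Return a list of (timestamp, proto, user, source_ip) for each auth-failure line.
    Syslog timestamps carry no year, so one is assumed (2013 matches the thread)."""
    events = []
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["proto"], m["user"], m["rip"]))
    return events

def find_blocks(events, trigger=2, interval=300):
    """Sliding-window counter per source IP, in the spirit of the alert shown above:
    each failure line counts once; when an IP accumulates `trigger` failures within
    `interval` seconds it is flagged. Returns {ip: {"failures", "protos", "users", "at"}}.
    An IP already flagged is not counted again (a real firewall would have dropped it)."""
    window = defaultdict(deque)
    blocked = {}
    for ts, proto, user, rip in sorted(events):
        if rip in blocked:
            continue
        q = window[rip]
        q.append((ts, proto, user))
        while q and (ts - q[0][0]).total_seconds() > interval:
            q.popleft()   # failures older than the window no longer count
        if len(q) >= trigger:
            blocked[rip] = {
                "failures": len(q),
                "protos": sorted({p for _, p, _ in q}),
                "users": [u for _, _, u in q],
                "at": ts,
            }
    return blocked

def format_alert(ip, info, interval=300):
    """Render a flagged IP in the layout of the lfd mail quoted in the post."""
    protos = "/".join(f"{p}d" for p in info["protos"])
    return (f"Time: {info['at']:%a %b %d %H:%M:%S %Y}\nIP: {ip}\n"
            f"Failures: {info['failures']} ({protos})\nInterval: {interval} seconds\n"
            f"Blocked: Permanent Block")

if __name__ == "__main__":
    for ip, info in find_blocks(parse_failures(SAMPLE_LOG)).items():
        print(format_alert(ip, info), end="\n\n")
```

Run against the constructed log, the first address is flagged on its second failure three seconds after the first, while the second address is not flagged for its 08:55 failure because the next one falls outside the 300-second window; it is flagged only when two failures land within five seconds at 09:10. That is the behaviour the poster's "2 failures before permanent block" setting produces: the block is per source IP, so a new IP starts with a clean counter, which is why the alerts keep coming as long as the service is reachable.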
  2. quietFinn

    quietFinn Well-Known Member

    Joined:
    Feb 4, 2006
    Messages:
    998
    Likes Received:
    10
    Trophy Points:
    18
    Location:
    Finland
    cPanel Access Level:
    Root Administrator
    I think the easiest thing to do is just close some ports in CSF configuration:
    ports 110 & 995 (POP3 & POP3S)
    ports 25, 26 & 465 (SMTP & SMTPS)
    port 143 (IMAP)

    Also go to WHM-> Service Configuration -> Service Manager and uncheck exim, exim on another port, imap
     
  3. Another Blogger

    Joined:
    Jan 4, 2013
    Messages:
    20
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Website Owner
    ^^ Thanks for your reply. Since I'm using Wordpress blog, it sends email notifications etc to subscribers for new comments. Will disabling exim affect it? Should I disable exim service?

    Also regarding ports, I found following in CSF configuration:

    TCP_IN: 20,21,22,25,26,53,80,110,143,443,465,587,993,995,2077,2078,2082,2083,2086,2087,2095,2096,2200,26,30000:30100
    TCP_OUT: 20,21,22,25,37,43,53,80,110,113,443,587,873,2087,2089,2200,2703
    UDP_IN: 20,21,53
    UDP_OUT: 20,21,53,113,123,873,6277,33434:33523
    ICMP_IN: 1
    ICMP_IN_RATE: 10/s
    ICMP_OUT: 1
    ICMP_OUT_RATE: 0

    TCP6_IN: 22,25,53,80,110,143,443,465,587
    TCP6_OUT: 22,25,53,80,110,113,443,587
    UDP6_IN: 53
    UDP6_OUT: 53,113

    Are these settings correct or should I remove ports from them? Thanks.
     
  4. quietFinn

    quietFinn Well-Known Member

    Joined:
    Feb 4, 2006
    Messages:
    998
    Likes Received:
    10
    Trophy Points:
    18
    Location:
    Finland
    cPanel Access Level:
    Root Administrator
    Then you should not disable Exim.

    in TCP_IN remove 110,143 and 995.
     
  5. Another Blogger

    Joined:
    Jan 4, 2013
    Messages:
    20
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Website Owner
    ^^ Thanks. I removed 110, 143 and 995 from TCP_IN. Can I also remove 993 from TCP_IN? Someone suggested that I remove it as well.

    Also TCP6_IN also contains 110 and 143, should I also remove them from TCP6_IN?

    Thanks again for your help.
     
  6. quietFinn

    quietFinn Well-Known Member

    Joined:
    Feb 4, 2006
    Messages:
    998
    Likes Received:
    10
    Trophy Points:
    18
    Location:
    Finland
    cPanel Access Level:
    Root Administrator
    Yes, seems I forgot that.

    I am not very familiar with IPv6 settings, but I suppose you can remove those also.
     
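Taking posts 4 through 6 together, here is an added Python helper (not csf's own tooling, and not something the posters ran) that edits a csf.conf in the KEY = "value" form csf uses: it drops the POP3/POP3S/IMAP/IMAPS ports from both TCP_IN and TCP6_IN, leaves TCP_OUT and everything else alone, keeps the SMTP ports that Exim (and so the WordPress notifications) still needs, and de-duplicates the list (TCP_IN above lists 26 twice). The configuration fragment is constructed from the lists quoted in the thread; the key names are taken from those lists and the file path in the note is the standard csf location.

```python
import re

# Constructed csf.conf fragment (not the poster's actual file): csf stores each setting as
# KEY = "value"; the lists are the ones quoted in the thread. Unrecognised lines pass through.
SAMPLE_CONF = '''\
# Allow incoming TCP ports
TCP_IN = "20,21,22,25,26,53,80,110,143,443,465,587,993,995,2077,2078,2082,2083,2086,2087,2095,2096,2200,26,30000:30100"
# Allow outgoing TCP ports
TCP_OUT = "20,21,22,25,37,43,53,80,110,113,443,587,873,2087,2089,2200,2703"
# Allow incoming IPv6 TCP ports
TCP6_IN = "22,25,53,80,110,143,443,465,587"
TCP6_OUT = "22,25,53,80,110,113,443,587"
'''

MAIL_RETRIEVAL_PORTS = {"110", "995", "143", "993"}   # POP3, POP3S, IMAP, IMAPS
SMTP_PORTS = {"25", "26", "465", "587"}               # what Exim needs to keep sending/receiving

SETTING_RE = re.compile(r'^(?P<key>[A-Z0-9_]+)\s*=\s*"(?P<val>[^"]*)"(?P<rest>.*)$')

def close_ports(conf_text, ports, keys=("TCP_IN", "TCP6_IN")):
    """Remove `ports` from the comma-separated lists under `keys`, de-duplicating entries
    (keeping the first occurrence) and leaving ranges such as 30000:30100 untouched.
    Returns (new_text, {key: {"kept": [...], "removed": [...]}})."""
    out, changes = [], {}
    for line in conf_text.splitlines():
        m = SETTING_RE.match(line)
        if not m or m["key"] not in keys:
            out.append(line)
            continue
        seen, kept, removed = set(), [], []
        for entry in m["val"].split(","):
            entry = entry.strip()
            if not entry:
                continue
            if entry in ports:
                removed.append(entry)
            elif entry not in seen:
                seen.add(entry)
                kept.append(entry)
        changes[m["key"]] = {"kept": kept, "removed": removed}
        out.append(f'{m["key"]} = "{",".join(kept)}"{m["rest"]}')
    return "\n".join(out) + "\n", changes

def still_allows(changes, key, ports):
    """Sanity check before reloading: True if every port in `ports` survives under `key`."""
    return ports <= set(changes.get(key, {}).get("kept", []))

if __name__ == "__main__":
    new_conf, changes = close_ports(SAMPLE_CONF, MAIL_RETRIEVAL_PORTS)
    for key, ch in changes.items():
        print(f"{key}: removed {ch['removed']}")
    # Refuse to proceed if the edit would also take out the SMTP ports Exim listens on.
    assert still_allows(changes, "TCP_IN", SMTP_PORTS), "would break Exim"
    print(new_conf)
```

After writing the result back to /etc/csf/csf.conf, apply it with `csf -r`. Closing the ports at the firewall stops the login noise from outside, but dovecot is still listening locally until the POP3/IMAP services are unchecked in Service Manager as quietFinn suggested; doing both is the tidy option.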
  7. Another Blogger

    Joined:
    Jan 4, 2013
    Messages:
    20
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Website Owner
    ^^ Thank you so much for your help. Please do let me know if you find a confirmation that the same ports can also be removed from TCP6_IN or not.

    Also do you think any other port can be removed from the settings which I mentioned in my previous post to tighten security? Thanks again for your replies.
     
  8. quietFinn

    quietFinn Well-Known Member

    Joined:
    Feb 4, 2006
    Messages:
    998
    Likes Received:
    10
    Trophy Points:
    18
    Location:
    Finland
    cPanel Access Level:
    Root Administrator
    When you install CSF it opens only those ports you usually need, so if you didn't open any ports by yourself it should be pretty safe.
     
  9. Another Blogger

    Joined:
    Jan 4, 2013
    Messages:
    20
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Website Owner
    ^^ Thanks again for your help. Much appreciated. :)
     
  10. Another Blogger

    Joined:
    Jan 4, 2013
    Messages:
    20
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Website Owner
    In the past 2-3 days, I received 2 smtpauth failure emails:

    Can you please tell me how to stop these attacks as well? Thanks.
     
  11. quietFinn

    quietFinn Well-Known Member

    Joined:
    Feb 4, 2006
    Messages:
    998
    Likes Received:
    10
    Trophy Points:
    18
    Location:
    Finland
    cPanel Access Level:
    Root Administrator
    If you are running a mail server, you can not stop those.
    CSF/LFD is doing its job; that email shows that after 5 failed logins that IP is blocked.
     
  12. Another Blogger

    Joined:
    Jan 4, 2013
    Messages:
    20
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Website Owner
    ^^ Thanks for the reply. I'm using WordPress blog software which sends email notifications, so I think it needs a mail server. So nothing can be done to stop these attacks?
     
  13. quietFinn

    quietFinn Well-Known Member

    Joined:
    Feb 4, 2006
    Messages:
    998
    Likes Received:
    10
    Trophy Points:
    18
    Location:
    Finland
    cPanel Access Level:
    Root Administrator
    If you have a service running and someone, from a random IP, is connecting and trying to log in, how would you be able to stop them?
    You have a firewall, and it is blocking the IP after a few failed logins; as far as I know that is all that can be done.
     
  14. Another Blogger

    Joined:
    Jan 4, 2013
    Messages:
    20
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Website Owner
    ^^ Yeah. It makes sense. Thanks for your reply and help. :)
     
