Switching Off Port 993 - Is Anyone Using It?

BobHoliday

Member
Sep 6, 2013
23
3
53
cPanel Access Level
Root Administrator
I'm getting pounded by distributed attacks on IMAP port 993. I've used ConfigServer Firewall to lock down access to only the EU, US, Aus and Canada, which has helped, but the country source of the attacks has now migrated with my rule change.

I'm pretty sure none of my users use 993 so I could just switch it off but I'd like to be sure.

Where can I view or monitor successful connections to 993 by legitimate users so I can see that there are none, or see who's using it and talk them into using POP instead?

TY!
 

BobHoliday

I know how to configure the firewall - I know how to block port 993... I want to know if any of my server users are using it and if so which. Is there a way to do that?
 

rpvw

Well-Known Member
Jul 18, 2013
1,101
462
113
UK
cPanel Access Level
Root Administrator
See this post on StackExchange

superuser.com/questions/604998/monitor-tcp-traffic-on-specific-port/848966#848966

- you could probably modify it to suit your needs
 

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,296
1,271
313
Houston
If none of your users is connecting to the server using IMAP securely then there really should be no issues with filtering the port, though I wouldn't recommend this course of action, in the event one of your users would like to at some point.

Thanks!
 

BobHoliday

I don't know if any of them are - I want to monitor the port for successful logins so I can find out. I would ask them all but none of my clients know the difference between IMAP and POP3 I don't suspect.
 

cPanelLauren

The suggestions provided by @rpvw might be best to observe that behavior then. Just modify the dport line to reflect 993 and the --log-prefix to something that reflects what you're doing, "993 logins" or similar.
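
The logging approach suggested in this thread, sketched as an added example that is not part of any post: it tallies which source addresses reached port 993 from kernel log lines written by an iptables LOG rule, so the addresses can be matched against known customers. The exact rule form, the `/var/log/messages` location, and the sample log lines are assumptions constructed for illustration; note that a LOG rule records connection attempts at the packet level, not whether the IMAP login succeeded.

```shell
#!/bin/sh
# Added example. Assumed rule (run as root), using the dport and prefix from the thread:
#   iptables -I INPUT -p tcp --dport 993 --syn -j LOG --log-prefix "993 logins: "
# Assumed log location on the server: /var/log/messages

# Constructed sample of kernel log lines in the iptables LOG format.
sample_log() {
  cat <<'EOF'
Mar  3 10:15:01 host kernel: 993 logins: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 LEN=60 TTL=52 PROTO=TCP SPT=51514 DPT=993 WINDOW=29200 SYN URGP=0
Mar  3 10:15:09 host kernel: 993 logins: IN=eth0 OUT= SRC=198.51.100.23 DST=198.51.100.10 LEN=60 TTL=49 PROTO=TCP SPT=40022 DPT=993 WINDOW=29200 SYN URGP=0
Mar  3 10:16:44 host kernel: SSH: IN=eth0 OUT= SRC=192.0.2.50 DST=198.51.100.10 LEN=60 TTL=50 PROTO=TCP SPT=38811 DPT=22 WINDOW=29200 SYN URGP=0
Mar  3 10:17:30 host kernel: 993 logins: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 LEN=60 TTL=52 PROTO=TCP SPT=51620 DPT=993 WINDOW=29200 SYN URGP=0
Mar  3 10:21:02 host kernel: 993 logins: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 LEN=60 TTL=52 PROTO=TCP SPT=51733 DPT=993 WINDOW=29200 SYN URGP=0
EOF
}

# Read log text on stdin; print "count source-ip" for port 993, busiest first.
# $1 is the --log-prefix string used in the LOG rule.
summarize_993() {
  awk -v prefix="$1" '
    # Keep only lines carrying our prefix and destined for port 993.
    index($0, prefix) && / DPT=993 / {
      for (i = 1; i <= NF; i++)
        if ($i ~ /^SRC=/) count[substr($i, 5)]++
    }
    END { for (ip in count) printf "%d %s\n", count[ip], ip }
  ' | sort -k1,1nr -k2,2
}

# Stand-alone run on the constructed sample; on a server, feed the real log instead:
#   summarize_993 "993 logins: " < /var/log/messages
sample_log | summarize_993 "993 logins: "
```

A handful of addresses that connect repeatedly over days is more likely to be real mail clients than the one-off sources of a distributed attack, which gives a short list of customers to contact.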