SMTP connection from (TCP/IP connection count = 100)
Hey there! As long as a service is open to the internet, it is always at risk of being abused. If those entries are from /var/log/maillog, do you see that they actually sent messages in corresponding timestamps in /var/log/exim_mainlog? If not, it seems like most of the connections are from 190.x.x.x and 179.x.x.x so you could consider blocking those ranges in the server's firewall.
Hi guys, the file is exim_mainlog. Would it be possible for you to help me create a command line to count the IPs that are abusing, in order to only block those that generate the greatest number of abuse attempts?
There usually isn't a good way to automatically block this type of traffic. The reason I mentioned checking for corresponding entries in /var/log/maillog for the IPs is that if they are failed logins, you could use a tool like cPHulk (cPHulk Brute Force Protection | cPanel & WHM Documentation) to block those failed attempts. If they are just making an SMTP connection, I don't have any automatic tools that will search the log and block those IPs. I suppose it would be possible to have a tool search the log for any number higher than 5 or 10 or whatever you'd like the limit to be, and then add that IP address to CSF, but that would require a more advanced script to be created by an admin. If the IPs are all coming from a certain country, you could use CSF's country code blocking technique to stop the traffic at the firewall level if you know your sites don't typically get traffic from that region.
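For the counting step asked about above, here is a small script added as an example; it is not code from cPanel, CSF, or anyone in this thread. It reads exim_mainlog, keeps only the "SMTP connection from [IP]:port (TCP/IP connection count = N)" lines, counts attempts per source IP, lists the IPs over a threshold busiest first, and also totals them by /24 so ranges like the 190.x/179.x ones mentioned earlier stand out. The csf -d lines it prints are text for an admin to review before running anything. The sample log excerpt is constructed (11.11.11.11 is the placeholder from this thread, the rest are RFC 5737 documentation addresses); the threshold of 2, the /24 aggregation and the command-line arguments are assumptions.

```python
import re
import sys
import ipaddress
from collections import Counter

# Matches the connection lines quoted in this thread, e.g.
# 2024-05-28 02:24:49 SMTP connection from [11.11.11.11]:46438 (TCP/IP connection count = 13)
CONN_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} SMTP connection from "
    r"\[([0-9a-fA-F.:]+)\]:\d+ \(TCP/IP connection count = \d+\)"
)

# Constructed sample exim_mainlog excerpt (not real data): 11.11.11.11 is the
# placeholder from the thread, the others are RFC 5737 documentation addresses.
SAMPLE_LOG = """\
2024-05-28 02:24:49 SMTP connection from [11.11.11.11]:46438 (TCP/IP connection count = 13)
2024-05-28 02:24:49 SMTP connection from [192.0.2.10]:51002 (TCP/IP connection count = 14)
2024-05-28 02:24:50 SMTP connection from [192.0.2.10]:51003 (TCP/IP connection count = 15)
2024-05-28 02:24:50 1tBla7-0000000CSpu-24JG <= cpanel_account@domain.com H=([127.0.1.1]) [11.11.11.11]:46390 P=esmtpsa S=25652 for recipient@domain.com
2024-05-28 02:24:51 SMTP connection from [192.0.2.10]:51004 (TCP/IP connection count = 16)
2024-05-28 02:24:52 SMTP connection from [203.0.113.7]:40001 (TCP/IP connection count = 17)
2024-05-28 02:24:53 SMTP connection from [203.0.113.7]:40002 (TCP/IP connection count = 18)
2024-05-28 02:24:55 SMTP connection from [198.51.100.5]:33000 (TCP/IP connection count = 19)
"""


def count_connections(lines):
    """Count SMTP connection attempts per source IP; every other log line is ignored."""
    counts = Counter()
    for line in lines:
        m = CONN_RE.match(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def offenders(counts, threshold):
    """IPs with at least `threshold` attempts, busiest first (the threshold is an assumption)."""
    return [(ip, n) for ip, n in counts.most_common() if n >= threshold]


def by_network(counts, prefix_len=24):
    """Aggregate per-IP counts into /prefix_len networks (IPv6 uses /64) to make ranges visible."""
    nets = Counter()
    for ip, n in counts.items():
        addr = ipaddress.ip_address(ip)
        plen = prefix_len if addr.version == 4 else 64
        nets[str(ipaddress.ip_network(f"{ip}/{plen}", strict=False))] += n
    return nets


def csf_deny_commands(offender_list, comment="exim SMTP connection flood"):
    """Render `csf -d` deny commands as text for an admin to review; nothing is executed here."""
    return [f'csf -d {ip} "{comment}: {n} connections"' for ip, n in offender_list]


if __name__ == "__main__":
    # Usage (assumed): python3 smtp_offenders.py [/var/log/exim_mainlog] [threshold]
    path = sys.argv[1] if len(sys.argv) > 1 else None
    threshold = int(sys.argv[2]) if len(sys.argv) > 2 else 2
    if path:
        with open(path, encoding="utf-8", errors="replace") as fh:
            counts = count_connections(fh)
    else:
        counts = count_connections(SAMPLE_LOG.splitlines())
    for ip, n in offenders(counts, threshold):
        print(f"{n:6d}  {ip}")
    print("by network:", dict(by_network(counts)))
    print("\n".join(csf_deny_commands(offenders(counts, threshold))))
```

Run it against the real log and a higher threshold (the 5 or 10 suggested above) before deciding anything; the by-network totals are there so that a block can target a range only when the per-IP list really does cluster inside it.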
I found this thread Googling an issue on my server with cPanel SMTP.
As with jlucho, in exim_mainlog there are multiple entries like:
2024-05-28 02:24:49 SMTP connection from [11.11.11.11]:46438 (TCP/IP connection count = 13)
followed by:
2024-05-28 02:24:50 1tBla7-0000000CSpu-24JG <= cpanel_account@domain.com H=([127.0.1.1]) [11.11.11.11]:46390 P=esmtpsa X=TLS1.3:TLS_AES_256_GCM_SHA384:256 CV=no A=dovecot_plain:cpanel_account@domain.com S=25652 T="" for recipient@domain.com
There is no related login to an account with the IP address 11.11.11.11 in the maillog.
It seems like the offending log entries and outgoing mail are generated using SMTP without authentication. This shouldn't be possible. SMTP should only be accessible via a cPanel account authenticated by credentials.
I've also run 'find /etc/apache2/logs/domlogs/*/ -type f -exec grep --with-filename 11.11.11.11 {} \;' to see if the SMTP is being accessed via a web script, but this returns no results. Please advise.
FredQ - even though you mention there is no corresponding IP address in maillog, is there anything with the same timestamp, or within the same few seconds that could show a correlation?
You may also want to ensure that "Restrict outgoing SMTP to root, exim, and mailman (FKA SMTP Tweak)" is enabled in WHM >> Tweak Settings to help limit email abuse.
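To do the timestamp correlation suggested above without eyeballing two logs, here is an added example script; it is not from cPanel or anyone in this thread. For each exim "<=" line it pulls out the timestamp, the remote IP, the P= protocol and the A= field, then looks in maillog for Dovecot logins from the same IP within a few seconds. Two facts about the fields are worth knowing when reading its output: in Exim, P=esmtpsa means the message came in over ESMTP with TLS and a successful AUTH, and A=dovecot_plain:user@domain names the authenticator and the account whose credentials Exim accepted, so the script prints that account next to any message for which no nearby maillog login exists. The sample exim and maillog lines are constructed (only the first exim line is the one quoted in this thread), the syslog-style maillog format with no year is an assumed layout, and the 5-second window and the year are assumptions.

```python
import re
from datetime import datetime, timedelta

# Exim "<=" (message accepted) line as quoted in the thread: captures timestamp,
# envelope sender, remote IP, protocol (P=) and, when present, authenticator (A=).
MSG_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ <= (\S+) .*?"
    r"\[([0-9a-fA-F.:]+)\]:\d+ P=(\S+)(?: .*? A=(\S+))?"
)

# Dovecot login line in /var/log/maillog (syslog layout, no year; assumed format):
# captures the timestamp, the account and the remote IP (rip=).
LOGIN_RE = re.compile(
    r"^(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ dovecot: \S+-login: Login: "
    r"user=<([^>]+)>.*?\brip=([0-9a-fA-F.:]+)"
)

# Constructed samples. The first exim line is the one quoted in the thread; the
# others use RFC 5737 documentation addresses and made-up message ids.
SAMPLE_EXIM = """\
2024-05-28 02:24:50 1tBla7-0000000CSpu-24JG <= cpanel_account@domain.com H=([127.0.1.1]) [11.11.11.11]:46390 P=esmtpsa X=TLS1.3:TLS_AES_256_GCM_SHA384:256 CV=no A=dovecot_plain:cpanel_account@domain.com S=25652 T=\"\" for recipient@domain.com
2024-05-28 03:10:05 1tBmZ9-0000000Abcd-2xQ2 <= other_user@domain.com H=(client.example) [198.51.100.5]:50010 P=esmtpsa X=TLS1.3:TLS_AES_256_GCM_SHA384:256 CV=no A=dovecot_login:other_user@domain.com S=1200 T=\"hello\" for someone@example.com
2024-05-28 04:00:00 1tBnX1-0000000Efgh-3yR3 <= bounce@example.net H=mx.example.net [203.0.113.9]:25000 P=esmtps X=TLS1.3:TLS_AES_256_GCM_SHA384:256 CV=no S=800 for user@domain.com
"""
SAMPLE_MAILLOG = """\
May 28 02:24:49 host dovecot: imap-login: Login: user=<someone_else@domain.com>, method=PLAIN, rip=192.0.2.44, lip=203.0.113.1, mpid=1234, TLS, session=<abc123>
May 28 03:10:03 host dovecot: imap-login: Login: user=<other_user@domain.com>, method=PLAIN, rip=198.51.100.5, lip=203.0.113.1, mpid=1235, TLS, session=<def456>
"""


def parse_exim_time(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def parse_syslog_time(s, year):
    # maillog timestamps carry no year, so the caller supplies it (assumption)
    return datetime.strptime(s, "%b %d %H:%M:%S").replace(year=year)


def parse_logins(maillog_lines, year):
    """Return (time, account, remote_ip) for every Dovecot login line."""
    logins = []
    for line in maillog_lines:
        m = LOGIN_RE.match(line)
        if m:
            logins.append((parse_syslog_time(m.group(1), year), m.group(2), m.group(3)))
    return logins


def correlate(exim_lines, maillog_lines, window_seconds=5, year=2024):
    """For each accepted message, list maillog logins from the same IP within the window."""
    window = timedelta(seconds=window_seconds)
    logins = parse_logins(maillog_lines, year)
    results = []
    for line in exim_lines:
        m = MSG_RE.match(line)
        if not m:
            continue
        ts, ip = parse_exim_time(m.group(1)), m.group(3)
        nearby = [(t.strftime("%Y-%m-%d %H:%M:%S"), user)
                  for t, user, rip in logins if rip == ip and abs(t - ts) <= window]
        results.append({
            "time": m.group(1),
            "sender": m.group(2),
            "ip": ip,
            "protocol": m.group(4),
            "auth": m.group(5),  # None when Exim accepted the message without AUTH
            "nearby_logins": nearby,
        })
    return results


if __name__ == "__main__":
    for r in correlate(SAMPLE_EXIM.splitlines(), SAMPLE_MAILLOG.splitlines()):
        flag = "" if r["nearby_logins"] or r["auth"] is None else "  <- authenticated, no IMAP/POP login nearby"
        print(f'{r["time"]} {r["ip"]} P={r["protocol"]} A={r["auth"]} logins={r["nearby_logins"]}{flag}')
```

On the thread's own line the script reports P=esmtpsa with A=dovecot_plain:cpanel_account@domain.com and no nearby login, which is the combination to act on: the account named in A= is the one whose password should be changed and whose recent sends should be reviewed, and the "Restrict outgoing SMTP" tweak mentioned above does not affect that path because the submission went through Exim's own authenticated port.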