Host Access Control for smtpauth?
Will Host Access Control only block login attempts to SMTP (smtpauth), not block emails from coming in on port 25?
- 1.2.3.4 can't login at all.
- 1.2.3.4 email sent to the server will arrive just fine.
With a Windows Server, such things were trivial inside the mail apps. With Linux, it's not quite so clear.
HAC is great to block everything else. The spammer/hacker cannot even see the login prompt to try and enter failed credentials for things like FTP or pop3.
Or is this something that must be done even deeper, in exim only? (If so, where. Assuming CLI, though it would be nice if cPanel GUI controls existed.)
I'm mostly tired of getting 50-100 emails a day for IP blocks by LFD. Many of these could be wiped out if HAC works as I'm hoping it does.
-
Hello :) The "Host Access Control" option in Web Host Manager is simply an interface for modifying the /etc/hosts.allow file. It blocks connections to services completely, rather than preventing authentication. For instance, if you prevent access to the cPanel service, it blocks the connection attempt completely, so the user never gets a chance to login. Thank you.
So that means ... ? HAC would apparently block everything, so no connections are then possible. Not the login, not the ability to receive email either. If so, that's definitely not what I want. Then is the ability to block logins -- ONLY logins -- something that can be done in exim? Again, Windows is not nearly this hard.
It seems like you may find cPHulk brute force protection more helpful: cPHulk Brute Force Protection Thank you.
cPHulk is already in use. It prevents logins, yes, but it does not prevent the attempts. The attempts trigger CSF/LFD. I want to prevent all attempts. I can do this via Host Access Control (HAC) for things like pop3. And I can change the ports for something like FTP, in addition to the HAC blocks. But for email, Linux users are seemingly screwed. I get crap like this every few minutes, all day long:

Time: Wed Aug 27 01:30:07 2014 -0500
IP: 113.163.15.134 (VN/Vietnam/dynamic.vdc.vn)
Failures: 10 (smtpauth)
Interval: 300 seconds
Blocked: Permanent Block

Log entries:

2014-08-27 01:27:32 dovecot_login authenticator failed for (USER) [113.163.15.134]:9799: 535 Incorrect authentication data (set_id=roimessaging.com)
2014-08-27 01:27:48 dovecot_login authenticator failed for (USER) [113.163.15.134]:11382: 535 Incorrect authentication data (set_id=roimessaging.com)
2014-08-27 01:27:59 dovecot_login authenticator failed for (USER) [113.163.15.134]:18837: 535 Incorrect authentication data (set_id=roimessaging.com)
2014-08-27 01:28:26 dovecot_login authenticator failed for (USER) [113.163.15.134]:33856: 535 Incorrect authentication data (set_id=roimessaging.com)
2014-08-27 01:28:50 dovecot_login authenticator failed for (USER) [113.163.15.134]:45911: 535 Incorrect authentication data (set_id=roimessaging.com)
2014-08-27 01:28:57 dovecot_login authenticator failed for (USER) [113.163.15.134]:47289: 535 Incorrect authentication data (set_id=roimessaging.com)
2014-08-27 01:29:08 dovecot_login authenticator failed for (USER) [113.163.15.134]:50135: 535 Incorrect authentication data (set_id=roimessaging.com)
2014-08-27 01:29:26 dovecot_login authenticator failed for (USER) [113.163.15.134]:54446: 535 Incorrect authentication data (set_id=roimessaging.com)
2014-08-27 01:29:47 dovecot_login authenticator failed for (USER) [113.163.15.134]:61706: 535 Incorrect authentication data (set_id=roimessaging.com)
2014-08-27 01:30:05 dovecot_login authenticator failed for (USER) [113.163.15.134]:6859: 535 Incorrect authentication data (set_id=roimessaging.com)

There's zero legit traffic coming from Vietnam to this server. I want to just block that whole /8 IP range. Sadly, HAC doesn't block dovecot_login.
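
Added example, not part of the thread and not csf/lfd's own code: a sliding-window count over the ten log lines quoted in the post above, showing why they reach the alert's 10 failures within 300 seconds. The regular expression and the function name `smtpauth_offenders` are assumptions made for this illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# The ten exim log lines quoted in the post above, unchanged.
SAMPLE_LOG = """\
2014-08-27 01:27:32 dovecot_login authenticator failed for (USER) [113.163.15.134]:9799: 535 Incorrect authentication data (set_id=roimessaging.com)
2014-08-27 01:27:48 dovecot_login authenticator failed for (USER) [113.163.15.134]:11382: 535 Incorrect authentication data (set_id=roimessaging.com)
2014-08-27 01:27:59 dovecot_login authenticator failed for (USER) [113.163.15.134]:18837: 535 Incorrect authentication data (set_id=roimessaging.com)
2014-08-27 01:28:26 dovecot_login authenticator failed for (USER) [113.163.15.134]:33856: 535 Incorrect authentication data (set_id=roimessaging.com)
2014-08-27 01:28:50 dovecot_login authenticator failed for (USER) [113.163.15.134]:45911: 535 Incorrect authentication data (set_id=roimessaging.com)
2014-08-27 01:28:57 dovecot_login authenticator failed for (USER) [113.163.15.134]:47289: 535 Incorrect authentication data (set_id=roimessaging.com)
2014-08-27 01:29:08 dovecot_login authenticator failed for (USER) [113.163.15.134]:50135: 535 Incorrect authentication data (set_id=roimessaging.com)
2014-08-27 01:29:26 dovecot_login authenticator failed for (USER) [113.163.15.134]:54446: 535 Incorrect authentication data (set_id=roimessaging.com)
2014-08-27 01:29:47 dovecot_login authenticator failed for (USER) [113.163.15.134]:61706: 535 Incorrect authentication data (set_id=roimessaging.com)
2014-08-27 01:30:05 dovecot_login authenticator failed for (USER) [113.163.15.134]:6859: 535 Incorrect authentication data (set_id=roimessaging.com)
"""

# Assumed pattern for "<date> <time> <authenticator> authenticator failed for ... [ip]:port: 535 ..."
FAIL_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \w+ authenticator failed for .*?"
    r"\[([0-9a-fA-F.:]+)\](?::\d+)?: 535 "
)

def smtpauth_offenders(log_text, limit=10, interval=300):
    """Return {ip: timestamp of the failure that reached `limit` within `interval` seconds}."""
    window = defaultdict(deque)   # per-IP timestamps still inside the interval
    hits = {}
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        q = window[m.group(2)]
        q.append(ts)
        while ts - q[0] > timedelta(seconds=interval):
            q.popleft()           # drop failures older than the interval
        if len(q) >= limit:
            hits.setdefault(m.group(2), ts)
    return hits

if __name__ == "__main__":
    for ip, when in smtpauth_offenders(SAMPLE_LOG).items():
        print(ip, "reached the limit at", when)
```
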
FYI, this is wrong:

[QUOTE]
26. Exim SMTP AUTH Restriction
##############################

The option SMTPAUTH_RESTRICT will only allow SMTP AUTH to be advertised to the IP addresses listed in /etc/csf/csf.smtpauth plus the localhost IP addresses. The additional option CC_ALLOW_SMTPAUTH can be used with this option to additionally restrict access to specific countries.

This is to help limit attempts at distributed attacks against SMTP AUTH which are difficult to achieve since port 25 needs to be open to relay email.

The reason why this works is that if EXIM does not advertise SMTP AUTH on a connection, then SMTP AUTH will not accept logins, defeating the attacks without restricting mail relaying.

Note: csf and lfd must be restarted if /etc/csf/csf.smtpauth is modified so that the lookup file in /etc/exim.smtpauth is regenerated from the information from /etc/csf/csf.smtpauth, the localhost IP addresses, plus any countries listed in CC_ALLOW_SMTPAUTH

To make this option work you MUST make the following modifications to your exim.conf:

On cPanel servers you can do this by:
-------------------------------------

1. Navigate to WHM > Exim Configuration Manager > Advanced Editor
2. Search within the window and ensure that "auth_advertise_hosts" has not been set
3. Scroll down and click "Add additional configuration setting"
4. From the drop-down box select "auth_advertise_hosts"
5. In the input box after the = sign add the following on one line:
   ${if match_ip{$sender_host_address}{iplsearch;/etc/exim.smtpauth}{*}{}}
6. Scroll to the bottom and click "Save"
7. That should be all that is required after having made any necessary changes within csf.conf and restarting csf and then lfd
8. Be sure to test extensively to ensure the option works as expected

To reverse this change:

1. Navigate to WHM > Exim Configuration Manager > Advanced Editor
2. Search within the window for "auth_advertise_hosts"
3. Click the wastebasket icon next to the option (if there is no wastebasket you should be able to change the setting to * to advertise to all IP's)
4. Scroll to the bottom and click "Save"
5. Disable SMTPAUTH_RESTRICT and CC_ALLOW_SMTPAUTH in csf.conf and then restart csf and then lfd
[/QUOTE]

It does prevent relaying. It does NOT work. Again, I have no idea why this is so hard on Linux. It was trivial on every Windows mail app I've ever used, going back at least 10 years now.
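
One way to carry out the "test extensively" step of the quoted csf readme is to check, from a given machine, whether your own server offers AUTH in its EHLO reply before and after STARTTLS. This is an added example, not from the thread or from csf; the function names, the host `mail.example.test` and both sample replies are constructed placeholders.

```python
import smtplib

# Constructed EHLO replies in the form smtplib returns them (status codes stripped).
REPLY_LISTED = ("mail.example.test Hello client [192.0.2.10]\nSIZE 52428800\n"
                "8BITMIME\nPIPELINING\nAUTH PLAIN LOGIN\nSTARTTLS\nHELP")
REPLY_UNLISTED = ("mail.example.test Hello client [198.51.100.7]\nSIZE 52428800\n"
                  "8BITMIME\nPIPELINING\nSTARTTLS\nHELP")

def auth_mechs(ehlo_text):
    """Return the sorted AUTH mechanisms advertised in an EHLO reply, [] if none."""
    mechs = set()
    for line in ehlo_text.splitlines()[1:]:          # line 0 is the greeting
        words = line.strip().replace("=", " ").split()  # also accept the old "AUTH=LOGIN" form
        if words and words[0].upper() == "AUTH":
            mechs.update(w.upper() for w in words[1:])
    return sorted(mechs)

def probe(host, port=25, timeout=10):
    """Connect to your own server and report what AUTH is offered to this client."""
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        _, reply = s.ehlo()
        result = {"plain": auth_mechs(reply.decode("utf-8", "replace"))}
        if s.has_extn("starttls"):
            s.starttls()                              # AUTH may only appear after TLS
            _, reply = s.ehlo()
            result["tls"] = auth_mechs(reply.decode("utf-8", "replace"))
        return result

if __name__ == "__main__":
    # Placeholder host: replace with your own server before running.
    print(probe("mail.example.test"))
```

Run it once from an address listed in /etc/csf/csf.smtpauth and once from one that is not; an empty list in both the `plain` and `tls` entries means AUTH was not advertised to that client.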