Host Access Control Irregularity?
Hello. I have encountered a situation that I don't understand.
I have denied Host Access Control to webmaild, imap, pop3 and smtp for "ALL" apart from five IPs.
I applied the "Allowed" IPs first, then the "Deny's", so I believe they are entered correctly. We tested it by getting staff NOT in the whitelist to try to access those areas, and hey! They were blocked. Good so far.
This morning, the cPHulk History reports were full of login attempts (about 40) to service "Mail" authentication service "Dovecot". Have I misunderstood it, or have I done something wrong?
Any suggestions would be sincerely appreciated.
-
This morning, the cPHulk History reports were full of login attempts (about 40) to service "Mail" authentication service "Dovecot". Have I misunderstood it, or have I done something wrong?
Hello, Could you provide an example of one of the cPHulk entries that was listed in the history reports? Ensure to replace real domain names and IP addresses with examples. Thank you.
Hello, here are a couple of the entries from the cPHulk log file.
[2017-08-03 17:22:29 +0100] info [cphulkd] 6092 Login Blocked: The IP address is blacklisted. [Service]=[dovecot] [Local IP Address]=[xx.xx.xx.xx] [Local Port]=[993] [Remote IP Address]=[xx.xx.xx.xx] [Remote Port]=[4149] [Authentication Database]=[mail] [Username]=[fred@example.com]
[2017-08-03 17:23:23 +0100] info [cphulkd] 6205 Login Blocked: The IP address is blacklisted. [Service]=[dovecot] [Local IP Address]=[xxx.xxx.xxx.xxx] [Local Port]=[993] [Remote IP Address]=[xxx.xxx.xxx.xxx] [Remote Port]=[3977] [Authentication Database]=[mail] [Username]=[info]
I now see that even though the IPs are recognised as blacklisted, they still appear within the cPHulk history list. I had assumed that IPs that were not in the list would simply be blocked, without being added to the list; I was obviously wrong.
Hello, The host access rules will not prevent the actual connection attempt itself. For that, you'd need to block the IP addresses in your firewall. CSF is a useful firewall management utility you can use for that purpose:
ConfigServer Security & Firewall (csf)
This is discussed in more detail on the following third-party URL:
IP addresses denied in /etc/hosts.allow appear in /etc/csf/csf.deny?
Thank you.
... and very many thanks for your time.
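
As an added example (not part of the thread and not cPanel's own code), this Python script parses cphulkd lines in the format quoted above and tallies "Login Blocked" entries per remote IP and per service/port, which shows which sources are still reaching the mail daemon and are candidates for a firewall rule. The sample lines are constructed, with documentation-range addresses standing in for the masked ones.

```python
import re
from collections import Counter

# Constructed sample in the cphulkd format quoted in the thread; the
# addresses are documentation-range placeholders, not real hosts.
SAMPLE_LOG = """\
[2017-08-03 17:22:29 +0100] info [cphulkd] 6092 Login Blocked: The IP address is blacklisted. [Service]=[dovecot] [Local IP Address]=[192.0.2.10] [Local Port]=[993] [Remote IP Address]=[203.0.113.7] [Remote Port]=[4149] [Authentication Database]=[mail] [Username]=[fred@example.com]
[2017-08-03 17:23:23 +0100] info [cphulkd] 6205 Login Blocked: The IP address is blacklisted. [Service]=[dovecot] [Local IP Address]=[192.0.2.10] [Local Port]=[993] [Remote IP Address]=[198.51.100.23] [Remote Port]=[3977] [Authentication Database]=[mail] [Username]=[info]
[2017-08-03 17:24:01 +0100] info [cphulkd] 6311 Login Blocked: The IP address is blacklisted. [Service]=[dovecot] [Local IP Address]=[192.0.2.10] [Local Port]=[993] [Remote IP Address]=[203.0.113.7] [Remote Port]=[4150] [Authentication Database]=[mail] [Username]=[fred@example.com]
this line is truncated or otherwise not in cphulkd format
"""

# "[timestamp] level [cphulkd] pid free-text message" up to the first field.
HEADER = re.compile(r"^\[(?P<ts>[^\]]+)\] \w+ \[cphulkd\] \d+ (?P<msg>[^\[]*)")
# Trailing "[Key]=[Value]" pairs.
FIELD = re.compile(r"\[([^\]=]+)\]=\[([^\]]*)\]")


def parse_line(line):
    """Return a dict for one cphulkd line, or None if it does not match."""
    m = HEADER.match(line)
    if not m:
        return None
    rec = {"timestamp": m["ts"], "message": m["msg"].strip()}
    rec.update(FIELD.findall(line))
    return rec


def summarize(text):
    """Count 'Login Blocked' entries by remote IP and by (service, port)."""
    by_ip, by_service = Counter(), Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["message"].startswith("Login Blocked"):
            continue
        by_ip[rec.get("Remote IP Address", "?")] += 1
        by_service[(rec.get("Service"), rec.get("Local Port"))] += 1
    return by_ip, by_service


if __name__ == "__main__":
    ips, services = summarize(SAMPLE_LOG)
    for ip, n in ips.most_common():
        print(f"{ip}\t{n} blocked login(s)")
    for (svc, port), n in services.items():
        print(f"{svc}:{port}\t{n} blocked login(s)")
```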