How to block MX IP closer to the OS level?

Comments

13 comments

  • cPRex Jurassic Moderator

    Hey hey!  I'm not sure I have a good solution to this one.  Even if there were some other tool (different config, hardware firewall outside the server, etc.), then when you update *that* configuration and reload things, the same thing will happen.

    0
  • Benjamin D.

    Would the following get overwritten by an update and/or overridden by some other tool... or would that + CSF be a reliable mitigation? I installed the spammer's subnets in there and haven't heard from them for almost 24 hours now.  This: Service Configuration > Exim Configuration Manager > "Blacklisted SMTP IP addresses"

    OK, I also have another question real quick: we're getting BOMBARDED with nothing but failing SMTP deliveries.  This means that almost every minute, there's a compromised server somewhere in the world (always coming from different IP addresses, every single time) that tries to send their spam (or phishing emails or whatever) to nonexistent email accounts on our server.  I'm talking THOUSANDS of different IP addresses per day. The issue is not that I'm afraid they can do anything: They can't.  All it does is fail every single one of their SMTP requests.  But the issue is that they draw lots of CPU and bandwidth and that it always takes 100 failures in a row for the IP to stop connecting.  Why is that? I haven't found any setting in WHM to reduce the failures in a row (or even total failures in an hour).  I would ideally like their SMTP connection to shut down after 5 failures in a row.  That would be much more sensible.  How can I change that 100 number to 5 in WHM or Terminal?

    EDIT: If you look at the screenshot, this is a very small portion of a single IP address trying 100 times.  The email FROM is the same for 100 rows, the time is the same, even the email ID is the same, BUT the email TO is different on every line.  To me, this looks like they tried to send 1 email to 100 recipients.  Either way, this is too many lines in the logs, I would like to cut their connection after 5 if possible.

    0
  • cPRex Jurassic Moderator

    The "Blacklisted SMTP IP Addresses" section isn't something that gets overwritten, so that may be a good option to do something outside of the firewall in this situation.

    For the "100 in a row" thing, I'm guessing that is set by the software the bot is using, as there isn't any particular threshold where failed SMTP connections will stop on the cPanel side of things.  cPHulk and CSF block failed logins, but not failed deliveries - maybe we should have a similar tool that blocks those connections?

    0
  • Benjamin D.

    I'm just wondering because as you can see in the screenshot above (which only represents a very small portion of that ONE IP attack, and there are THOUSANDS of IP addresses that perform exactly this kind of attack) the IP pushes 100 requests to Exim within a second.  Imagine if they did not stop after 100.  What would happen? This looks like a pretty major security hole to me.

    0
  • cPRex Jurassic Moderator

    I wouldn't say it's a security hole - they are just trying to send mail and the server is handling it.  It's more of a DoS or CPU nuisance or something like that.  Does your datacenter have any tools that might help for this?

    0
  • Benjamin D.

    That's what I meant by security hole.  Hogging down resources could potentially prevent legitimate users from accessing the services, thus it's a security issue.  It's not a security issue in the sense that it could delete or steal DATA, but it's a security issue in the sense that it could temporarily lock out legitimate users from using the server.

    Since it's very mild compared to other DoS type attacks I've dealt with over the years, I would rather use software to mitigate this rather than paying my datacentre even more money to rent one of their firewall services.

    0
  • cPRex Jurassic Moderator

    Do you have this option enabled on the server?

    https://support.cpanel.net/hc/en-us/articles/360049830294-Email-from-major-providers-arrives-with-a-delay

    That should keep systems from being able to connect so quickly.

    0
  • Benjamin D.

    Are you referring to GRAYLISTING or are you referring to "DO NOT DELAY THE SMTP CONNECTIONS" (that's how the article names it, although in WHM 124, I believe it's named "Introduce a delay into the SMTP transaction")?

    Those are 2 different features.  I don't use either of them and haven't for years.  I know the delay one is enabled by default, but delaying the queue won't solve the issue at hand, I don't believe.  If it would, then can you explain how exactly?

    Re: "That should keep systems from being able to connect so quickly" as you can see in the screenshot (also in the other WHM customer's screenshot in the other thread) the spammer's modus operandi is to use the same email ID for all 100 attempts.  I'm wondering now if they only establish a single connection and then extremely quickly send 100 requests back to back in a single connection.  I don't think they would be able to fully disconnect and reconnect 100 times in a single second.  It seems too fast to be plausible.

    0
  • cPRex Jurassic Moderator

    I know we have a lot more discussion in that other thread, but the "delay" option should keep non-bot users from being able to connect as they won't wait the 5+ seconds to complete the SMTP connection, but normal mailservers will.

    I'll be replying to that other thread in a bit with some more details :D

    0
  • Benjamin D.

    Yes, but in my experience they will be back just an hour or two later and indefinitely.  Trying to prevent them from fully sending their spam/trying their dictionary attack by introducing a delay (that every IMAP client will have to suffer through) is not ideal, since the attackers will still use tons of Exim connections, potentially causing timeouts in legitimate clients.

    That delay is introduced at the connection level, but the delay starts when the socket accepts a connection.  The delay is how many seconds it takes between the client connection and the first byte of DATA sent back to them, so it effectively makes it worse because they'll be using an Exim connection slot for 5 seconds instead of 1.

    0
  • cPRex Jurassic Moderator

    Oh for sure, and with something as large as what you two guys were seeing, it really doesn't matter what you do.

    0
  • Benjamin D.

    Of course there's a solution: To permanently blacklist the offending bot net IP addresses until the master IP is blocked, then the attacks stop.  We've proven that 2 days ago (see the other thread).

    https://support.cpanel.net/hc/en-us/community/posts/29632844615191/comments/29679700835351

    0
  • Benjamin D.

    Rose, I don't mean no disrespect, but out of curiosity, are your replies coming from AI?

    FYI, CSF is iptables.  It's the same thing.  So when you reload CSF, it flushes iptables and repopulates it.

    Anyway, the solution was to also add the IP addresses to Exim's own blocklist under: Service Configuration > Exim Configuration Manager > "Blacklisted SMTP IP addresses"

    0
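    The thread settles on two observations: one address pushes many RCPT attempts for nonexistent mailboxes in a single second (same sender, same message ID, different recipients), and the durable fix was adding the offending addresses to Exim's own blocklist rather than relying on a CSF/iptables reload. The script below is an added example, not part of this thread or cPanel's tooling: it reads Exim mainlog-style "rejected RCPT" lines (the sample lines are constructed and follow the usual Exim layout, which may differ slightly on a given server), counts rejects per source IP, reports the sender/recipient spread that Benjamin describes, and emits a one-address-per-line list for a threshold of 5 rather than the bot's 100. The threshold, the regex and the output shape are assumptions to check against your own logs and WHM version before using the output anywhere.

```python
import re
from collections import defaultdict

# Exim mainlog entry for a recipient rejected at RCPT time. Constructed to match the
# common layout "<date> <time> H=(helo) [ip] F=<sender> rejected RCPT <rcpt>: ...";
# verify the order of the H=/F= fields against your own /var/log/exim_mainlog.
REJECT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) .*?\[(?P<ip>[0-9a-fA-F.:]+)\]"
    r".*?F=<(?P<sender>[^>]*)> rejected RCPT <(?P<rcpt>[^>]+)>"
)

# Constructed sample log: one IPv4 bot, one IPv6 bot, one low-volume typo sender,
# and one legitimately accepted message that must not be counted.
SAMPLE_LOG = (
    ["2024-05-01 12:00:01 H=(mail.example) [203.0.113.5] F=<promo@example.net> "
     f"rejected RCPT <user{i}@example.org>: No Such User Here" for i in range(6)]
    + ["2024-05-01 12:00:02 H=(relay.example) [2001:db8::1] F=<news@example.net> "
       f"rejected RCPT <box{i}@example.org>: No Such User Here" for i in range(5)]
    + ["2024-05-01 12:00:03 H=(mx.example) [198.51.100.7] F=<typo@example.com> "
       "rejected RCPT <oldname@example.org>: No Such User Here",
       "2024-05-01 12:00:03 H=(mx.example) [198.51.100.7] F=<typo@example.com> "
       "rejected RCPT <oldname2@example.org>: No Such User Here",
       "2024-05-01 12:00:04 1s2t3u-000001-AB <= alice@example.com H=mx.example "
       "[192.0.2.9] P=esmtps S=1024"]
)


def summarise_rejects(lines):
    """Per source IP: number of rejected RCPTs and the distinct senders/recipients seen.

    A single sender with many distinct recipients from one IP is the pattern the
    thread describes (one message, many RCPT TO commands on one connection).
    """
    per_ip = defaultdict(lambda: {"count": 0, "senders": set(), "recipients": set()})
    for line in lines:
        m = REJECT_RE.match(line)
        if not m:
            continue  # accepted deliveries and unrelated lines are ignored
        rec = per_ip[m["ip"]]
        rec["count"] += 1
        rec["senders"].add(m["sender"])
        rec["recipients"].add(m["rcpt"])
    return dict(per_ip)


def offenders(lines, threshold=5):
    """IPs whose rejected-RCPT count reaches the threshold, sorted for stable output."""
    return sorted(ip for ip, rec in summarise_rejects(lines).items()
                  if rec["count"] >= threshold)


def render_blocklist(ips):
    """One address per line. The file format cPanel's 'Blacklisted SMTP IP addresses'
    option writes is not shown in the thread, so this is a plain list to review, not
    something to drop into the server's own configuration unchecked."""
    return "".join(ip + "\n" for ip in ips)


if __name__ == "__main__":
    # Stand-alone run over the constructed sample, threshold 5 as asked in the thread.
    for ip, rec in summarise_rejects(SAMPLE_LOG).items():
        print(f"{ip}: {rec['count']} rejects, "
              f"{len(rec['senders'])} sender(s), {len(rec['recipients'])} recipient(s)")
    print("--- candidates for the Exim blocklist ---")
    print(render_blocklist(offenders(SAMPLE_LOG)), end="")
```

    Run against a real log with `summarise_rejects(open("/var/log/exim_mainlog"))`; the low-volume typo sender stays below the threshold, which is the point of counting per IP instead of blocking on the first bounce. Separately from log-driven blocking, Exim's own main options `recipients_max` (maximum RCPT TO per message) and `smtp_accept_max_per_host` (concurrent connections per source host) cap the "100 recipients on one connection" behaviour at the MTA itself; whether WHM exposes them in the Exim Configuration Manager's advanced editor on a given version is something to confirm there rather than assume from this thread.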
