Page 1 of 1
prevent bruteforces on exim
Posted: 04 Sep 2019, 07:47
by Justino
Hi there,
I'm using CSF with DirectAdmin and i keep getting bruteforces on the service exim1 and exim2.
I've already deactivated port 465 and 587 since we don't use it inbound/outbound, but port 25 cannot be deactivated in our case.
Is it possible to allow port 25 inbound only for our 2 spam filter IP's?
Tried to do it in CSF, but can't find the option to do so.
Kind regards,
Justin
Re: prevent bruteforces on exim
Posted: 04 Sep 2019, 19:38
by BallyBasic79
Hi Justino! I haven't used it, but it appears you need to enable the
SMTPAUTH_RESTRICT option and add those IPs to
/etc/csf/csf.smtpauth. Below is the relevant section of
csf.conf.
Code: Select all
###############################################################################
# SECTION:SMTP Settings
###############################################################################
# Block outgoing SMTP except for root, exim and mailman (forces scripts/users
# to use the exim/sendmail binary instead of sockets access). This replaces the
# protection as WHM > Tweak Settings > SMTP Tweaks
#
# This option uses the iptables ipt_owner/xt_owner module and must be loaded
# for it to work. It may not be available on some VPS platforms
#
# Note: Run /etc/csf/csftest.pl to check whether this option will function on
# this server
SMTP_BLOCK = "1"
# If SMTP_BLOCK is enabled but you want to allow local connections to port 25
# on the server (e.g. for webmail or web scripts) then enable this option to
# allow outgoing SMTP connections to the loopback device
SMTP_ALLOWLOCAL = "1"
# This option redirects outgoing SMTP connections destined for remote servers
# for non-bypass users to the local SMTP server to force local relaying of
# email. Such email may require authentication (SMTP AUTH)
SMTP_REDIRECT = "0"
# This is a comma separated list of the ports to block. You should list all
# ports that exim is configured to listen on
SMTP_PORTS = "25,465,587,26"
# Always allow the following comma separated users and groups to bypass
# SMTP_BLOCK
#
# Note: root (UID:0) is always allowed
SMTP_ALLOWUSER = "cpanel"
SMTP_ALLOWGROUP = "mail,mailman"
# This option will only allow SMTP AUTH to be advertised to the IP addresses
# listed in /etc/csf/csf.smtpauth on EXIM mail servers
#
# The additional option CC_ALLOW_SMTPAUTH can be used with this option to
# additionally restrict access to specific countries
#
# This is to help limit attempts at distributed attacks against SMTP AUTH which
# are difficult to achieve since port 25 needs to be open to relay email
#
# The reason why this works is that if EXIM does not advertise SMTP AUTH on a
# connection, then SMTP AUTH will not accept logins, defeating the attacks
# without restricting mail relaying
#
# Note: csf and lfd must be restarted if /etc/csf/csf.smtpauth is modified so
# that the lookup file in /etc/exim.smtpauth is regenerated from the
# information from /etc/csf/csf.smtpauth plus any countries listed in
# CC_ALLOW_SMTPAUTH
#
# NOTE: To make this option work you MUST make the modifications to exim.conf
# as explained in "Exim SMTP AUTH Restriction" section in /etc/csf/readme.txt
# after enabling the option here, otherwise this option will not work
#
# To enable this option, set to 1 and make the exim configuration changes
# To disable this option, set to 0 and undo the exim configuration changes
SMTPAUTH_RESTRICT = "0"
Again, I haven't used
SMTPAUTH_RESTRICT so hopefully that works as purported. Will you let us know?