Firewall issue with spammers

Discussion in 'General' started by supportunlimited, Apr 29, 2020.

  1. supportunlimited

    supportunlimited New Member HowtoForge Supporter

    Hi there

    I am sure that this topic has been raised before. While I searched the forums, I saw a couple of references from the 2000's but nothing recent.
    This is my issue and I am hoping someone else has a similar issue and or a resolution for me.
    I only use my ISPConfig servers for hosting sites. I do not use any of the mail features for my clients.
    I have the server send out the normal mail notifications from various sites, so I need to have the internal SMTP server enabled for sending out mail. I have looked and looked and have seen a few people suggest using IPTables to block the incoming ports for the specific services like POP,IMAP.

    My issue is the amount of traffic in my mail.log. I have 30Mb of daily logs of people trying to relay, login, or just plain checking to see if they can try one of many different username combinations. Last night I used an IPtables entry for blocking ports 110,143,993, and 995. I have this morning seen 72000 rejections, while my log file is full of
    postfix/smtpd[25776]: warning: unknown[]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    As well as the usual connection attempts from various IP's or that one.
    Would it be safe to also block port 25, or would I break the server from sending out mail?

    Thanks for any advice.
  2. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    It's safe to block port 25 inbound, it won't affect your outbound. Alternately you could set postfix to bind to the localhost interface, so connections won't be made (of course your website scripts will need to use local sendmail or smtp on a localhost address, and not try smtp to your web server's public ip if so):
    postconf -e 'inet_interfaces = localhost'
    You might even take a step back and redo your firewall setup. Trying to block "all the bad ports" is much harder than blocking everything and only allowing the few services which should be enabled. ISPconfig makes that pretty easy, just install ufw and set ports in the System > Firewall for this server. For a web server, you would allow 80 and 443, and probably 22 (ssh / sftp); often, though increasingly less, you'll need ftp, so allow 21 and a range of passive ports (you must set a range for pure-ftpd, and allow that same range in the firewall); if you run the ISPConfig control panel on that server, make sure that port is allowed (8080 by default), as well as the app server port if you use that (8081 by default). Unless you have a very compelling reason to do so, do not open mysql up to the internet. Other than that, just ask if you run any other services (DNS maybe?), and/or check what ports are listening (netstat -tnau) and allow those ports as needed (there aren't likely to be any more needed). Everything else gets blocked.
    Last edited: Apr 29, 2020
  3. supportunlimited

    supportunlimited New Member HowtoForge Supporter

    Thanks for the reply.
    I'll give that a shot.


Share This Page