Blocking connections without blocking e-mail

JasGot
Junior Member
Posts: 34
Joined: 10 Jan 2008, 17:16

Blocking connections without blocking e-mail

Post by JasGot »

Is it possible to block connections from China (CN) without blocking e-mail from China?

We have one account that must receive e-mail from China. If I use CC_Deny, their e-mail is denied.

I would like to block login attempts, but not block e-mail from CN.

I'm not sure if whitelisting would work, but even if it did, I wouldn't know what domains to whitelist because they are working with different people all the time.

Thanks.
Sergio
Junior Member
Posts: 1685
Joined: 12 Dec 2006, 14:56

Re: Blocking connections without blocking e-mail

Post by Sergio »

What you need to block is the offending IP not the account.

If you can, paste the text of the failed login and rewrite sensitive info with xxxxx.

Sergio
JasGot
Junior Member
Posts: 34
Joined: 10 Jan 2008, 17:16

Re: Blocking connections without blocking e-mail

Post by JasGot »

There are thousands. That won't work.
Sergio
Junior Member
Posts: 1685
Joined: 12 Dec 2006, 14:56

Re: Blocking connections without blocking e-mail

Post by Sergio »

I didn't mean all your attacks, lol.
Just paste an example.
JasGot
Junior Member
Posts: 34
Joined: 10 Jan 2008, 17:16

Re: Blocking connections without blocking e-mail

Post by JasGot »

Ha! I thought you meant put the offending IPs into a black list.... :)

This one is caught by cPanel cPHulk:


A device at the “124.234.183.221” IP address has made a large number of invalid login attempts against the account “www”. This brute force attempt has exceeded the maximum number of failed login attempts that the system allows. For security purposes, the system has temporarily blocked this IP address in order to prevent further attempts.
Service: pure-ftpd
Local IP Address: XXX.XXX.XXX.XXX
Local Port: 21
Remote IP Address: 124.234.183.221
Authentication Database: system
Username: www
Number of authentication failures: 3
Maximum number allowed: 3


This one is caught by CSF:

Time: Mon Jun 8 02:28:39 2020 -0400
IP: 61.142.20.19 (CN/China/-)
Failures: 3 (ftpd)
Interval: 3600 seconds
Blocked: Permanent Block [LF_FTPD]

Log entries:

Jun 8 02:28:16 64 pure-ftpd: (?@61.142.20.19) [WARNING] Authentication failed for user [anonymous]
Jun 8 02:28:23 64 pure-ftpd: (?@61.142.20.19) [WARNING] Authentication failed for user [www]
Jun 8 02:28:30 64 pure-ftpd: (?@61.142.20.19) [WARNING] Authentication failed for user [www]
Sergio
Junior Member
Posts: 1685
Joined: 12 Dec 2006, 14:56

Re: Blocking connections without blocking e-mail

Post by Sergio »

The way to do what you want is fairly simple: just block any ports to CN but don't block the email ports:

110,143,993,995,25,26,463,587

In CSF, search for info on CC_
and check what suits you.

Sergio
JasGot
Junior Member
Posts: 34
Joined: 10 Jan 2008, 17:16

Re: Blocking connections without blocking e-mail

Post by JasGot »

Can you provide the specific CC_ option? I don't see one that allows me to include ports and CC; only ports OR CC_.
Sergio
Junior Member
Posts: 1685
Joined: 12 Dec 2006, 14:56

Re: Blocking connections without blocking e-mail

Post by Sergio »

Check all the options under:
Country Code Lists and Settings

Each option is well explained inside CSF FireWall Configuration.

But the most important thing for this to work is to have an IP database.
I recommend MaxMind.

MaxMind is a database of all the IPs around the world with info about each country's IPs; there are free and paid lists.

Sergio
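
The port-scoped country block discussed in this thread, written out as an added example (not posted by either participant and not copied from the CSF documentation). The non-mail port list and the license key placeholder are assumptions to adapt.

```conf
# Added example for /etc/csf/csf.conf (CSF's main configuration file).

# Before: a blanket country block. Every port is closed to CN, including
# inbound SMTP on 25, so mail from Chinese senders is refused as well.
#CC_DENY = "CN"

# After: no blanket block; CN is denied only on the ports listed below.
CC_DENY = ""
CC_DENY_PORTS = "CN"

# Assumed list: 21 is the FTP port seen in the log excerpts above; 22 (SSH)
# and 2082,2083,2086,2087 (cPanel/WHM) are typical additions. Adjust it to
# the services this server actually exposes.
CC_DENY_PORTS_TCP = "21,22,2082,2083,2086,2087"
CC_DENY_PORTS_UDP = ""

# The mail ports named in the thread (110,143,993,995,25,26,463,587) are
# deliberately left off the list, so they stay reachable from CN.

# Country lookups need an IP database. For MaxMind (value below is a
# placeholder, not a real key):
CC_SRC = "1"
MM_LICENSE_KEY = "YOUR_MAXMIND_LICENSE_KEY"
```

Reload the firewall with `csf -r` after editing. Mail logins from CN remain possible on the open mail ports, so per-IP login-failure blocking (the LF_ triggers, like the LF_FTPD block in the log above) still has to cover those services.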
JasGot
Junior Member
Posts: 34
Joined: 10 Jan 2008, 17:16

Re: Blocking connections without blocking e-mail

Post by JasGot »

Those explanations often create more questions than they answer......