
Blocking connections without blocking e-mail

Posted: 03 Jun 2020, 21:50
by JasGot
Is it possible to block connections from China (CN) without blocking e-mail from China?

We have one account that must receive e-mail from China. If I use CC_Deny, the e-mail is denied.

I would like to block login attempts, but not block e-mail from CN.

I'm not sure if whitelisting would work, but even if it did, I wouldn't know what domains to whitelist because they are working with different people all the time.

Thanks.

Re: Blocking connections without blocking e-mail

Posted: 07 Jun 2020, 03:07
by Sergio
What you need to block is the offending IP not the account.

If you can, paste the text of the failed login and rewrite sensitive info with xxxxx.

Sergio

Re: Blocking connections without blocking e-mail

Posted: 07 Jun 2020, 03:54
by JasGot
There are thousands. That won't work.

Re: Blocking connections without blocking e-mail

Posted: 07 Jun 2020, 03:55
by JasGot
Empty message.

Re: Blocking connections without blocking e-mail

Posted: 07 Jun 2020, 03:59
by Sergio
I didn't mean all your attacks, lol.
Just paste an example.

Re: Blocking connections without blocking e-mail

Posted: 08 Jun 2020, 16:08
by JasGot
Ha! I thought you meant put the offending IPs into a black list.... :)

This one is caught by cPanel cPHulk


A device at the “124.234.183.221” IP address has made a large number of invalid login attempts against the account “www”. This brute force attempt has exceeded the maximum number of failed login attempts that the system allows. For security purposes, the system has temporarily blocked this IP address in order to prevent further attempts.
Service: pure-ftpd
Local IP Address: XXX.XXX.XXX.XXX
Local Port: 21
Remote IP Address: 124.234.183.221
Authentication Database: system
Username: www
Number of authentication failures: 3
Maximum number allowed: 3


This one is caught by CSF

Time: Mon Jun 8 02:28:39 2020 -0400
IP: 61.142.20.19 (CN/China/-)
Failures: 3 (ftpd)
Interval: 3600 seconds
Blocked: Permanent Block [LF_FTPD]

Log entries:

Jun 8 02:28:16 64 pure-ftpd: (?@61.142.20.19) [WARNING] Authentication failed for user [anonymous]
Jun 8 02:28:23 64 pure-ftpd: (?@61.142.20.19) [WARNING] Authentication failed for user [www]
Jun 8 02:28:30 64 pure-ftpd: (?@61.142.20.19) [WARNING] Authentication failed for user [www]

Re: Blocking connections without blocking e-mail

Posted: 11 Jun 2020, 04:29
by Sergio
The way to do what you want is fairly simple, just block any ports to CN but don't block the email ports:

110,143,993,995,25,26,463,587

In CSF, search for info on CC_
and check what suits you.

Sergio

Re: Blocking connections without blocking e-mail

Posted: 11 Jun 2020, 13:56
by JasGot
Can you provide the specific CC_ option? I don't see one that allows me to include ports and CC; only ports OR CC_.

Re: Blocking connections without blocking e-mail

Posted: 12 Jun 2020, 04:43
by Sergio
Check all the options under:
Country Code Lists and Settings

Each option is well explained inside CSF FireWall Configuration.

But the most important thing for this to work is to have an IP database.
I recommend MaxMind.

MaxMind is a database of all the IPs around the world with info about the countries' IPs; there are free and paid lists.

Sergio
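
One way to express the "block CN on everything except the mail ports" idea in csf.conf, as an added example that is not part of the original thread. It assumes CSF's per-country port options (CC_DENY_PORTS, CC_DENY_PORTS_TCP, CC_DENY_PORTS_UDP) and a configured country IP database; the list of login-facing ports is constructed for illustration.

```ini
# /etc/csf/csf.conf (fragment) -- added illustration, not from the thread

# Before: CN is denied on every port, so inbound mail from CN is dropped too.
# CC_DENY = "CN"

# After: keep CN out of the global country deny list ...
CC_DENY = ""

# ... and deny CN only on the ports where logins are attempted.
CC_DENY_PORTS = "CN"

# Constructed port list (assumption, adjust to the services you run):
#   21 FTP (the service in the cPHulk and LF_FTPD alerts), 22 SSH,
#   2083 cPanel, 2087 WHM.
# The mail ports listed in the thread are deliberately not included here,
# so they stay reachable from CN.
CC_DENY_PORTS_TCP = "21,22,2083,2087"
CC_DENY_PORTS_UDP = ""

# Reload the firewall rules after editing: csf -r
```

The listed ports stay open in TCP_IN for every other country; only sources that the country database maps to CN are dropped on them.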

Re: Blocking connections without blocking e-mail

Posted: 15 Jun 2020, 14:46
by JasGot
Those explanations often create more questions than they answer......