Atomic Secure Linux

All times are UTC - 5 hours [ DST ]




 Post subject: Plesk 10.4.4 Webmail newsfeed "attack"
Posted: Thu Apr 27, 2017 11:10 am
Long Time Forum Regular
One of my customers has suddenly found themselves being regularly shunned by ASL due to rule 4151 triggering for multiple attempts to access port 8480 from the customer's IP.

Thanks to Lemonbit (or was it Breun) having posted about something similar in the past, a loud bell rang in the back of my head and I was able to identify and resolve the problem quickly.

The cause of the problem is the "newsfeed" function in Horde webmail in Plesk 10.4.4 (now EOL but I still have a system or two using it).
The newsfeed uses port 8480 for some reason, and even though it is supposedly turned off in Plesk via the appropriate interface controls visibility option, it has somehow, and mysteriously, started to try to access port 8480 again, and in doing so is triggering rule 4151 for this particular customer when they log in to webmail.

Nothing has changed on the server side, so I really don't know why this suddenly started to happen.

I have commented out the newsfeed code in /usr/share/psa-horde/templates/portal/sidebar.inc so hopefully this will not happen again.

But I was wondering if there was a way for ASL to somehow safely detect and prevent shunning when this specific webmail problem event happens?

Although nothing is listening on port 8480, ideally I don't want to open it in the firewall.

 Post subject: Re: Plesk 10.4.4 Webmail newsfeed "attack"
Posted: Fri Apr 28, 2017 4:09 pm
Atomicorp Staff - Site Admin
Would silently dropping packets to that port work for you?

_________________
Michael Shinn
Atomicorp - Security For Everyone


 Post subject: Re: Plesk 10.4.4 Webmail newsfeed "attack"
Posted: Sat Apr 29, 2017 4:42 am
Long Time Forum Regular
Yes that would work. Definitely.

Faris
