Plesk 10.4.4 Webmail newsfeed "attack"

Posted: Thu Apr 27, 2017 11:10 am
by faris
One of my customers has suddenly found themselves being regularly shunned by ASL due to rule 4151 triggering for multiple attempts to access port 8480 from the customer's IP.

Thanks to Lemonbit (or was it Breun) having posted about something similar in the past, a loud bell rang in the back of my head and I was able to identify and resolve the problem quickly.

The cause of the problem is the "newsfeed" function in Horde webmail in Plesk 10.4.4 (now EOL but I still have a system or two using it).
The newsfeed uses port 8480 for some reason, and even though it is supposedly turned off in Plesk via the appropriate interface controls visibility option, it has somehow, and mysteriously, started to try to access port 8480 again, and in doing so is triggering rule 4151 for this particular customer when they log in to webmail.

Nothing has changed on the server side, so I really don't know why this suddenly started to happen.

I have commented out the newsfeed code in /usr/share/psa-horde/templates/portal/sidebar.inc so hopefully this will not happen again.

But I was wondering if there was a way for ASL to somehow safely detect and prevent shunning when this specific webmail problem event happens?

Although nothing is listening on port 8480, ideally I don't want to open it in the firewall.

Re: Plesk 10.4.4 Webmail newsfeed "attack"

Posted: Fri Apr 28, 2017 4:09 pm
by mikeshinn
Would silently dropping packets to that port work for you?

Re: Plesk 10.4.4 Webmail newsfeed "attack"

Posted: Sat Apr 29, 2017 4:42 am
by faris
Yes that would work. Definitely.

Faris