Plesk 10.4.4 Webmail newsfeed "attack"

Customer support forums for Atomic Protector (formerly Atomic Secured Linux). There is no such thing as a bad question here as long as it pertains to using Atomic Protector. Newbies feel free to get help getting started or asking questions that may be obvious. Regular users are asked to be gentle. :-)
faris
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

Plesk 10.4.4 Webmail newsfeed "attack"


One of my customers has suddenly found themselves being regularly shunned by ASL due to rule 4151 triggering for multiple attempts to access port 8480 from the customer's IP.

Thanks to Lemonbit (or was it Breun) having posted about something similar in the past, a loud bell rang in the back of my head and I was able to identify and resolve the problem quickly.

The cause of the problem is the "newsfeed" function in Horde webmail in Plesk 10.4.4 (now EOL but I still have a system or two using it).
The newsfeed uses port 8480 for some reason, and even though it is supposedly turned off in Plesk via the appropriate interface controls visibility option, it has somehow, and mysteriously, started to try to access port 8480 again and in doing so is triggering rule 4151 for this particular customer when they log in to webmail.

Nothing has changed on the server side, so I really don't know why this suddenly started to happen.

I have commented out the newsfeed code in /usr/share/psa-horde/templates/portal/sidebar.inc so hopefully this will not happen again.

But I was wondering if there was a way for ASL to somehow safely detect and prevent shunning when this specific webmail problem event happens?

Although nothing is listening on port 8480, ideally I don't want to open it in the firewall.
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: Plesk 10.4.4 Webmail newsfeed "attack"


Would silently dropping packets to that port work for you?
faris
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

Re: Plesk 10.4.4 Webmail newsfeed "attack"


Yes that would work. Definitely.

Faris