One of my customers has suddenly found themselves being regularly shunned by ASL due to rule 4151 triggering for multiple attempts to access port 8480 from the customer's IP.
Thanks to Lemonbit (or was it Breun) having posted about something similar in the past, a loud bell rang in the back of my head and I was able to identify and resolve the problem quickly.
The cause of the problem is the "newsfeed" function in Horde webmail in Plesk 10.4.4 (now EOL but I still have a system or two using it).
The newsfeed uses port 8480 for some reason, and even though it is supposedly turned off in Plesk via the appropriate interface controls visibility option, it has somehow, and mysteriously, started to try to access port 8480 again, and in doing so is triggering rule 4151 for this particular customer when they log in to webmail.
Nothing has changed on the server side, so I really don't know why this suddenly started to happen.
I have commented out the newsfeed code in /usr/share/psa-horde/templates/portal/sidebar.inc so hopefully this will not happen again.
But I was wondering if there was a way for ASL to somehow safely detect and prevent shunning when this specific webmail problem event happens?
Although nothing is listening on port 8480, ideally I don't want to open it in the firewall.
Plesk 10.4.4 Webmail newsfeed "attack"
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>
- mikeshinn
- Atomicorp Staff - Site Admin
- Posts: 4149
- Joined: Thu Feb 07, 2008 7:49 pm
- Location: Chantilly, VA
Re: Plesk 10.4.4 Webmail newsfeed "attack"
Would silently dropping packets to that port work for you?
Michael Shinn
Atomicorp - Security For Everyone
Re: Plesk 10.4.4 Webmail newsfeed "attack"
Yes that would work. Definitely.
Faris