Thanks for the tutorial, Chris.
I am just trying to reduce the attack surface on my server which
hosts both SurgeMail and Apache with several vhosts.
I have put all of SM management behind a reverse proxy that gets
forced to HTTPS and requires authentication.
I have tried to force SurgeWeb to require SSL.
I periodically scan logs looking for persistent attackers or
targets and I then I add IP blocks to the firewall or add Apache
alias rules that silently redirect "popular target URLs" to a
"phpwpoison" page.
So to answer your questions: 1)the log entries do bother me, but
I will try to reduce my inspection of them, 2)the load is
negligible at present, but they did saturate my connection when
they managed to brute-force the password to WordPress management,
3)yes, it is security and I have tried to ensure that any of the
login areas on the server require SSL.
So I am probably pretty good, but I think I will still disable
POP.
Thanks
Neil
On 2017-01-25 4:57 PM,
surgemail-support wrote:
The question is what are you trying to fix exactly,
1) Is it just the log entries that bother you.
2) is it load caused by the probing
3) is it security.
if it's '3', then you probably already have it fixed with
requiring ssl, but that doesn't really stop probing it just
stops 'dumb' probing, the settings below and on the referenced
web page will help a lot.
If it's '1', then stop reading them :-)
If it's '2', then it's probably not really causing significant
load (unless you have reason to believe otherwise...)
Here are some settings I would use...
# Block
guessing if a user tries an obvious admin account
G_HACKER_POISON HIDDEN@,administrator@*"
# Only
allow smtp logins if the user has previously logged in via
imap/pop from the same address
G_SAFE_SMTP
"true"
# Alert
users when logins occur from unknown addresses that are not
from australia or usa...
G_SAFE_WARNING
"true"
g_safe_country
"us,au"
# if you really want to disable pop, which is valid enough if
your users are all imap based...
g_pop_port "disabled"
You may find other info on this page useful:
http://netwinsite.com/surgemail/help/hackers.htm
ChrisP.
My server is getting hammered by POP login attempts.
I want to force all my real clients to use SSL IMAP only.
What settings do I need to:
1) force authenticated SSL logins for IMAP
2) completely ignore any POP logins (or force SSL if ignoring
is a bad idea)
3) force authenticated SSL logins for SMTP
Any other suggestions to get rid of these pests welcome.
Note: I thought I had already set things up to force SSL, but
I keep getting these failed log messages:
25 10:49:03.66:6852: xx-client-xx: pop: SSL required for ip (115.211.174.66) xx-client-xx
Neil
--
Neil Herber
--
Neil Herber
