Empowering Mail Server and slightly surreal Exim performance - Updated: Monday, Sep 17, 2023 01:05 (PST)

Your new/first Tips, tricks and tutorial forum.
Post Reply
User avatar
admin
Site Admin
Posts: 31
Joined: March 7th, 2022, 1:09 am

Empowering Mail Server and slightly surreal Exim performance - Updated: Monday, Sep 17, 2023 01:05 (PST)

Post by admin »

Empowering Mail Server and slightly surreal Exim performance

Few years ago...
My mail server Tweaked with Preserving the RAM disk through a Reboot.

Sometimes a server has to be shut down for servicing and you don't want to lose the email in the ram disk spool.
Here's a simple (Red Hat Linux-flavoured) script,
"exim-save", that I've installed as a service that backs up the queue to hard disk and restores it upon reboot.

Code: Select all

nano /etc/init.d/exim-save
Add the line with this:

Code: Select all

# Preserving the RAM disk through a Reboot
# exim-save    
# This shell script takes care of starting and stopping exim
#
# chkconfig: 2345 79 31
# description: Exim Save Data
# Source function library.
./etc/init.d/functions
[ -f /usr/sbin/exim ] || exit 0
start() {      
touch /var/lock/subsys/exim-save       
if [ -d /var/spool/exim-backup ]      
then          
cp -a /var/spool/exim-backup/* 
/var/spool/exim/           
rm -Rf /var/spool/exim-backup        
fi
}
stop() 
{        
rm -f /var/lock/subsys/exim-save       
if ! [ -d /var/spool/exim-backup ]        
then          
rm -Rf /var/spool/exim/db          
rm -Rf /var/spool/exim/scan          
rm /var/spool/exim/*.pid          
cp -a /var/spool/exim 
/var/spool/exim-backup          
rm -Rf /var/spool/exim/input        
fi
}
restart() 
{       
stop       
start
}
# See how we were called.
case "$1" in 
start)       
start       
;;
  stop)        
stop        
;;
  restart)        
restart        
;;
  *)       
echo $
"Usage: $0 {start|stop|restart}"       
exit 
1
esac
exit $RETVAL
I've installed it in the /etc/init.d/exim-save directory as a service and activate it by running:

Code: Select all

chkconfig exim-save on
And Now...

A Better Solution is... tmpfs

Instead of using a ramdisk, rather use tmpfs, supported by Linux kernel 2.4 and up.
The benefit of using tmpfs is... that memory is dynamically assignable, making it a far more flexible solution than ramdisks.
Additionally...
If your tmpfs partition runs out of space, the kernel will automatically begin paging data to your hard disk,
whereas the ramdisk solution would simply cause Exim to stop processing messages and crash.

Using tmpfs, you won't need to do any of the of the steps required for the above ramdisk solution.
The following steps are required for a successful tmpfs configuration:

Create a mountpoint and set correct permissions:

Code: Select all

mkdir /mnt/tmpfs
chown -R mailnull:mail /mnt/tmpfs
Next, open your /etc/fstab file and set the tmpfs partition to be created and mounted at boot:

Code: Select all

#<fs>       <mountpoint>        <type>       <opts>                             <dump/pass>
tmpfs       /mnt/tmpfs          tmpfs        size=1G,nr_inodes=10k,mode=0700    0 0
This will create a 1GB tmpfs partition with 10'000 inodes.
The exim configuration is the same as when creating a ramdisk - either tell Exim that the location of the new spool directory is located at:
/mnt/tmpfs
or
bind the existing spool directory to the mountpoint:
/mnt/tmpfs

Alternatively, you could just mount the tmpfs partition onto Exim's existing spool directory right from the start - so instead of the above changes to the /etc/fstab file, use this line instead:

Next, open your /etc/fstab file and set the tmpfs partition to be created and mounted at boot:
For server with RAM <=4GB

Code: Select all

#<fs>       <mountpoint>        <type>      <opts>                             <dump/pass>
tmpfs       /var/spool/exim      tmpfs      size=1G,nr_inodes=10k,mode=0700    0 0
or

For server with RAM >=8GB

Code: Select all

#<fs>       <mountpoint>        <type>      <opts>                             <dump/pass>
tmpfs       /var/spool/exim      tmpfs      size=4G,nr_inodes=4096k,mode=0700  0 0
For security reason, according to cPanel Mailserver Configuration settings:
Home /Service Configuration /Mailserver Configuration:

Important Note:
Email authentication requires a valid cPanel & WHM license. If your license expires, mail delivery will continue to function. However, your mail client will not authenticate with the cPanel & WHM server. You must renew your cPanel & WHM license to reenable this service.

Allow Plaintext Authentication (from remote clients)

This allows a remote mail client to authenticate without encryption.

Yes — Do not enforce encryption.
No — Enforce encryption for connections that do not come from the local server.

Important Note:
Use this setting to enforce encryption for remote webmail logins. We recommend using this setting instead of disabling IMAP.

This cPanel setting defaults to Yes.
Change it to No.
To avoid Spammer, Abuser and Phishing attackers that would try to connect to your mailserver.

Exception:
If your mail server using Dovecot to grab Bounced messages with POP3 such like: Advanced Bounce System tools...
Plaintext authentication should be allowed on non-secure (SSL/TLS) connections, so you need to choose this option:
Yes — Do not enforce encryption.

Phishing is a type of social engineering attack often used to steal user data, including login credentials and credit card numbers. It occurs when an attacker, masquerading as a trusted entity, dupes a victim into opening an email, instant message, or text message. The recipient is then tricked into clicking a malicious link, which can lead to the installation of malware, the freezing of the system as part of a ransomware attack or the revealing of sensitive information.

An attacker can have devastating results. For individuals, this includes unauthorized purchases, the stealing of funds, or identify theft.

New and Updated!

To make my server more stable, more cleaner and more healthy...

Integrated GreenSnow Hacker List database IP within CSF Firewall : /etc/csf/csf.blocklists

Code: Select all

# GreenSnow Hack List
# Details: https://greensnow.co
GREENSNOW|86400|0|https://blocklist.greensnow.co/greensnow.txt
Integrated Stop Forum Spam database IP within CSF Firewall : /etc/csf/csf.blocklists

Code: Select all

# Stop Forum Spam
# Details: http://www.stopforumspam.com/downloads/
# Many of the lists available contain a vast number of IP addresses so special
# care needs to be made when selecting from their lists
STOPFORUMSPAM|86400|0|http://www.stopforumspam.com/downloads/listed_ip_1.zip

# Stop Forum Spam IPv6
# Details: http://www.stopforumspam.com/downloads/
# Many of the lists available contain a vast number of IP addresses so special
# care needs to be made when selecting from their lists
STOPFORUMSPAMV6|86400|0|http://www.stopforumspam.com/downloads/listed_ip_1_ipv6.zip
Integrated MaxMind GeoIP Anonymous Proxies database IP within CSF Firewall : /etc/csf/csf.blocklists

Code: Select all

# MaxMind GeoIP Anonymous Proxies
# Set URLGET in csf.conf to use LWP as this list uses an SSL connection
# Details: https://www.maxmind.com/en/anonymous_proxies
MAXMIND|86400|0|https://www.maxmind.com/en/anonymous_proxies
Integrating AbuseIPDB with CSF - Automatically Block Bad IPs within CSF Firewall : /etc/csf/csf.blocklists

Code: Select all

# AbuseIPDB blacklist
# Details: https://docs.abuseipdb.com/#blacklist-endpoint
ABUSEIPDB|86400|10000|https://api.abuseipdb.com/api/v2/blacklist?key=YOUR_API_KEY&plaintext
Check the integration process with CSF Firewall:
The blocklist IP's added everyday and counting... to the firewall blocklist.

Code: Select all

[root@srv8 ~]# tail -F -n -90 /var/log/lfd.log
Sep 21 07:56:03 srv8 lfd[2969981]: Retrieved and blocking blocklist GREENSNOW IP address ranges
Sep 21 07:56:03 srv8 lfd[2969981]: IPSET: loading set new_GREENSNOW with 5505 entries
Sep 21 07:56:03 srv8 lfd[2969981]: IPSET: switching set new_GREENSNOW to bl_GREENSNOW
Sep 21 07:56:04 srv8 lfd[2969981]: Retrieved and blocking blocklist STOPFORUMSPAMV6 IP address ranges
Sep 21 07:56:04 srv8 lfd[2969981]: CC: Unzipped Blocklist STOPFORUMSPAMV6 [/var/lib/csf/csf.block.STOPFORUMSPAMV6.zip]
Sep 21 07:56:05 srv8 lfd[2969981]: IPSET: loading set new_STOPFORUMSPAMV6 with 0 entries
Sep 21 07:56:05 srv8 lfd[2969981]: IPSET: switching set new_STOPFORUMSPAMV6 to bl_STOPFORUMSPAMV6
Sep 21 07:56:08 srv8 lfd[2969981]: Retrieved and blocking blocklist STOPFORUMSPAM IP address ranges
Sep 21 07:56:08 srv8 lfd[2969981]: CC: Unzipped Blocklist STOPFORUMSPAM [/var/lib/csf/csf.block.STOPFORUMSPAM.zip]
Sep 21 07:56:08 srv8 lfd[2969981]: IPSET: loading set new_STOPFORUMSPAM with 4459 entries
Sep 21 07:56:08 srv8 lfd[2969981]: IPSET: switching set new_STOPFORUMSPAM to bl_STOPFORUMSPAM
Sep 21 08:25:32 srv8 lfd[2999482]: Retrieved and blocking blocklist ABUSEIPDB IP address ranges
Sep 21 08:25:33 srv8 lfd[2999482]: IPSET: loading set new_ABUSEIPDB with 7610 entries
Sep 21 08:25:33 srv8 lfd[2999482]: IPSET: switching set new_ABUSEIPDB to bl_ABUSEIPDB
Sep 21 11:45:51 srv8 lfd[3086462]: Retrieved and blocking blocklist MAXMIND IP address ranges
Sep 21 11:45:52 srv8 lfd[3086462]: IPSET: loading set new_MAXMIND with 24 entries
Sep 21 11:45:52 srv8 lfd[3086462]: IPSET: switching set new_MAXMIND to bl_MAXMIND
Sep 22 00:00:03 srv8 lfd[2999473]: Main Process: TERM
Sep 22 00:00:03 srv8 lfd[2999473]: daemon stopped
Sep 22 00:00:04 srv8 lfd[3311088]: daemon started on srv8.jsalfianmarketing.com - csf v14.19 (cPanel)
Sep 22 00:00:04 srv8 lfd[3311088]: LF_APACHE_ERRPORT: Set to [2]
Sep 22 00:00:04 srv8 lfd[3311088]: Restricting syslog/rsyslog socket acccess to group [mysyslog]...
Sep 22 00:00:05 srv8 lfd[3311088]: EasyApache4, using /etc/apache2/logs/error_log instead of /usr/local/apache/logs/error_log (Web Server)
Sep 22 00:00:05 srv8 lfd[3311088]: EasyApache4, using /etc/apache2/logs/error_log instead of /usr/local/apache/logs/error_log {ModSecurity}
Sep 22 00:00:05 srv8 lfd[3311088]: CSF Tracking...
Sep 22 00:00:05 srv8 lfd[3311088]: LOAD Tracking...
Sep 22 00:00:05 srv8 lfd[3311088]: Blocklist Tracking...
Sep 22 00:00:05 srv8 lfd[3311088]: Country Code Lookups...
Sep 22 00:00:05 srv8 lfd[3311088]: Country Code Filters...
Sep 22 00:00:05 srv8 lfd[3311088]: System Integrity Tracking...
Sep 22 00:00:05 srv8 lfd[3311088]: Exploit Tracking...
Sep 22 00:00:05 srv8 lfd[3311088]: Directory Watching...
Sep 22 00:00:05 srv8 lfd[3311088]: Email Queue Tracking...
Sep 22 00:00:05 srv8 lfd[3311088]: ModSecurity IP D/B Tracking...
Sep 22 00:00:05 srv8 lfd[3311088]: Temp to Perm Block Tracking...
Sep 22 00:00:05 srv8 lfd[3311088]: System Statistics...
Sep 22 00:00:05 srv8 lfd[3311088]: WHM Tracking...
Sep 22 00:00:05 srv8 lfd[3311088]: Watching /var/log/secure...
Sep 22 00:00:05 srv8 lfd[3311088]: Watching /var/log/exim_mainlog...
Sep 22 00:00:05 srv8 lfd[3311088]: Watching /usr/local/cpanel/logs/login_log...
Sep 22 00:00:05 srv8 lfd[3311088]: Watching /usr/local/cpanel/logs/access_log...
Sep 22 00:00:05 srv8 lfd[3311088]: Watching /var/log/messages...
Sep 22 00:00:05 srv8 lfd[3311088]: Watching /etc/apache2/logs/error_log...
Sep 22 00:00:05 srv8 lfd[3311088]: Watching /var/log/maillog...
Sep 22 00:00:05 srv8 lfd[3311088]: Watching /var/log/customlog...
Sep 22 08:00:56 srv8 lfd[3473823]: Retrieved and blocking blocklist STOPFORUMSPAMV6 IP address ranges
Sep 22 08:00:56 srv8 lfd[3473823]: CC: Unzipped Blocklist STOPFORUMSPAMV6 [/var/lib/csf/csf.block.STOPFORUMSPAMV6.zip]
Sep 22 08:00:58 srv8 lfd[3473823]: IPSET: loading set new_STOPFORUMSPAMV6 with 0 entries
Sep 22 08:00:58 srv8 lfd[3473823]: IPSET: switching set new_STOPFORUMSPAMV6 to bl_STOPFORUMSPAMV6
Sep 22 08:01:01 srv8 lfd[3473823]: Retrieved and blocking blocklist STOPFORUMSPAM IP address ranges
Sep 22 08:01:01 srv8 lfd[3473823]: CC: Unzipped Blocklist STOPFORUMSPAM [/var/lib/csf/csf.block.STOPFORUMSPAM.zip]
Sep 22 08:01:01 srv8 lfd[3473823]: IPSET: loading set new_STOPFORUMSPAM with 4316 entries
Sep 22 08:01:01 srv8 lfd[3473823]: IPSET: switching set new_STOPFORUMSPAM to bl_STOPFORUMSPAM
Sep 22 08:01:05 srv8 lfd[3473823]: Retrieved and blocking blocklist GREENSNOW IP address ranges
Sep 22 08:01:06 srv8 lfd[3473823]: IPSET: loading set new_GREENSNOW with 4608 entries
Sep 22 08:01:06 srv8 lfd[3473823]: IPSET: switching set new_GREENSNOW to bl_GREENSNOW
Sep 22 08:26:03 srv8 lfd[3532035]: Retrieved and blocking blocklist ABUSEIPDB IP address ranges
Sep 22 08:26:04 srv8 lfd[3532035]: IPSET: loading set new_ABUSEIPDB with 8527 entries
Sep 22 08:26:04 srv8 lfd[3532035]: IPSET: switching set new_ABUSEIPDB to bl_ABUSEIPDB
[root@srv8 ~]
New and Updated!
And running good so far...

Code: Select all

root@srv8 ~]# tail -n 30 /var/log/exim_mainlog
2023-09-19 03:21:22 SMTP connection from (localhost) [127.0.0.1]:54422 closed by QUIT
2023-09-19 03:25:30 cwd=/etc/csf 2 args: /usr/sbin/exim -bpc
2023-09-19 03:25:34 SMTP connection from [154.16.168.111]:63294 (TCP/IP connection count = 1)
2023-09-19 03:25:34 SMTP connection from [154.16.168.111]:63296 (TCP/IP connection count = 2)
2023-09-19 03:25:34 SMTP connection from [154.16.168.111]:63299 (TCP/IP connection count = 3)
2023-09-19 03:25:35 SMTP connection from [154.16.168.111]:63312 (TCP/IP connection count = 4)
2023-09-19 03:25:35 SMTP connection from [154.16.168.111]:63323 (TCP/IP connection count = 5)
2023-09-19 03:25:35 no host name found for IP address 154.16.168.111
2023-09-19 03:25:35 no host name found for IP address 154.16.168.111
2023-09-19 03:25:35 SMTP connection from [154.16.168.111]:63325 (TCP/IP connection count = 6)
2023-09-19 03:25:35 no host name found for IP address 154.16.168.111
2023-09-19 03:25:35 no host name found for IP address 154.16.168.111
2023-09-19 03:25:35 no host name found for IP address 154.16.168.111
2023-09-19 03:25:35 no host name found for IP address 154.16.168.111
2023-09-19 03:25:55 H=(ZainHosting-com) [154.16.168.111]:63294 rejected MAIL <spameri@tiscali.it>: Access denied - Invalid HELO name (See RFC2821 4.1.1.1)
2023-09-19 03:25:55 SMTP connection from (ZainHosting-com) [154.16.168.111]:63294 closed by DROP in ACL
2023-09-19 03:25:55 H=(ZainHosting-com) [154.16.168.111]:63296 rejected MAIL <spameri@tiscali.it>: Access denied - Invalid HELO name (See RFC2821 4.1.1.1)
2023-09-19 03:25:55 SMTP connection from (ZainHosting-com) [154.16.168.111]:63296 closed by DROP in ACL
2023-09-19 03:25:55 H=(ZainHosting-com) [154.16.168.111]:63299 rejected MAIL <spameri@tiscali.it>: Access denied - Invalid HELO name (See RFC2821 4.1.1.1)
2023-09-19 03:25:55 SMTP connection from (ZainHosting-com) [154.16.168.111]:63299 closed by DROP in ACL
2023-09-19 03:25:55 H=(ZainHosting-com) [154.16.168.111]:63312 rejected MAIL <spameri@tiscali.it>: Access denied - Invalid HELO name (See RFC2821 4.1.1.1)
2023-09-19 03:25:55 SMTP connection from (ZainHosting-com) [154.16.168.111]:63312 closed by DROP in ACL
2023-09-19 03:25:55 H=(ZainHosting-com) [154.16.168.111]:63323 rejected MAIL <spameri@tiscali.it>: Access denied - Invalid HELO name (See RFC2821 4.1.1.1)
2023-09-19 03:25:55 SMTP connection from (ZainHosting-com) [154.16.168.111]:63323 closed by DROP in ACL
2023-09-19 03:25:55 H=(ZainHosting-com) [154.16.168.111]:63325 rejected MAIL <spameri@tiscali.it>: Access denied - Invalid HELO name (See RFC2821 4.1.1.1)
2023-09-19 03:25:55 SMTP connection from (ZainHosting-com) [154.16.168.111]:63325 closed by DROP in ACL
2023-09-19 03:43:06 TLS error on connection from [205.210.31.23]:59814 (SSL_accept): error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request
2023-09-19 03:45:32 cwd=/etc/csf 2 args: /usr/sbin/exim -bpc
2023-09-19 03:49:21 SMTP connection from [71.6.134.230]:38994 (TCP/IP connection count = 1)
2023-09-19 03:49:22 no host name found for IP address 71.6.134.230
2023-09-19 03:49:22 H=[71.6.134.230]:38994 rejected connection in "connect" ACL: Host is banned
2023-09-19 03:49:22 SMTP connection from [71.6.134.230]:38994 closed by DROP in ACL
2023-09-19 03:49:30 SMTP connection from [79.124.8.18]:59313 (TCP/IP connection count = 1)
2023-09-19 03:49:30 H=[79.124.8.18]:59313 rejected connection in "connect" ACL: Country is banned
2023-09-19 03:49:30 SMTP connection from [79.124.8.18]:59313 closed by DROP in ACL
2023-09-19 03:49:30 no host name found for IP address 79.124.8.18
2023-09-19 03:50:32 cwd=/etc/csf 2 args: /usr/sbin/exim -bpc
2023-09-19 03:55:09 SMTP connection from [167.94.138.127]:46064 (TCP/IP connection count = 1)
2023-09-19 03:55:09 H=scanner-27.ch1.censys-scanner.com [167.94.138.127]:46064 X=TLS1.2:ECDHE-RSA-AES128-GCM-SHA256:128 CV=no rejected connection in "connect" ACL: Host is banned
2023-09-19 03:55:09 SMTP connection from scanner-27.ch1.censys-scanner.com [167.94.138.127]:46064 closed by DROP in ACL
2023-09-19 03:55:33 cwd=/etc/csf 2 args: /usr/sbin/exim -bpc
2023-09-19 03:56:44 SMTP connection from [61.180.116.198]:41202 (TCP/IP connection count = 1)
2023-09-19 03:56:44 H=[61.180.116.198]:41202 rejected connection in "connect" ACL: Country is banned
2023-09-19 03:56:44 SMTP connection from [61.180.116.198]:41202 closed by DROP in ACL
2023-09-19 04:09:34 SMTP connection from [102.214.16.209]:40008 (TCP/IP connection count = 1)
2023-09-19 04:09:35 H=[102.214.16.209]:40008 rejected connection in "connect" ACL: Country is banned
2023-09-19 04:09:35 SMTP connection from [102.214.16.209]:40008 closed by DROP in ACL
2023-09-19 04:09:35 no host name found for IP address 102.214.16.209
2023-09-19 04:10:35 cwd=/etc/csf 2 args: /usr/sbin/exim -bpc
2023-09-19 04:10:48 SMTP connection from [80.66.88.204]:65338 (TCP/IP connection count = 1)
2023-09-19 04:10:48 H=[80.66.88.204]:65338 rejected connection in "connect" ACL: Country is banned
2023-09-19 04:10:48 SMTP connection from [80.66.88.204]:65338 closed by DROP in ACL
2023-09-19 04:10:48 no host name found for IP address 80.66.88.204
2023-09-19 04:11:30 SMTP connection from [127.0.0.1]:33328 (TCP/IP connection count = 1)
2023-09-19 04:11:32 SMTP connection from [127.0.0.1]:33328 closed by QUIT
2023-09-19 04:11:32 SMTP connection from [127.0.0.1]:54728 (TCP/IP connection count = 1)
2023-09-19 04:11:32 SMTP connection from (localhost) [127.0.0.1]:54728 closed by QUIT
2023-09-19 04:15:13 SMTP connection from [34.227.19.103]:46160 (TCP/IP connection count = 1)
2023-09-19 04:15:28 H=starttls-virginia.securing-email.com [34.227.19.103]:46160 rejected connection in "connect" ACL: Host is banned
2023-09-19 04:15:28 SMTP connection from starttls-virginia.securing-email.com [34.227.19.103]:46160 closed by DROP in ACL
2023-09-19 04:15:35 cwd=/etc/csf 2 args: /usr/sbin/exim -bpc
2023-09-19 04:15:45 SMTP connection from [198.235.24.31]:60194 (TCP/IP connection count = 1)
2023-09-19 04:15:46 no host name found for IP address 198.235.24.31
2023-09-19 04:15:46 H=[198.235.24.31]:60194 rejected connection in "connect" ACL: Host is banned
2023-09-19 04:15:46 SMTP connection from [198.235.24.31]:60194 closed by DROP in ACL
2023-09-19 07:01:16 SMTP connection from [216.218.206.72]:30801 (TCP/IP connection count = 1)
2023-09-19 07:01:20 H=scan-07a.shadowserver.org [216.218.206.72]:30801 rejected connection in "connect" ACL: Host is banned
2023-09-19 07:01:20 SMTP connection from scan-07a.shadowserver.org [216.218.206.72]:30801 closed by DROP in ACL
2023-09-19 07:03:07 SMTP connection from [71.6.232.20]:53284 (TCP/IP connection count = 1)
2023-09-19 07:03:07 no host name found for IP address 71.6.232.20
2023-09-19 07:03:07 H=[71.6.232.20]:53284 rejected connection in "connect" ACL: Host is banned
2023-09-19 07:03:07 SMTP connection from [71.6.232.20]:53284 closed by DROP in ACL
[root@srv8 ~]# 
OWASP ModSecurity Core Rule Set V3.0 provided by cPanel
(SpiderLabs OWASP curated ModSecurity rule set)

We've also use the OWASP ModSecurity rule set which aim to curate the OWASP rule set to reduce the potential for false positives, the rule set may block legitimate traffic.

Protection from insecure web application design — ModSecurity rule sets can provide a layer of protection for web applications such as WordPress®, phpBB®, or other types of web applications. It can potentially protect against vulnerabilities in out-of-date web applications that protect against vulnerabilities in unpatched, out-of-date applications. If the developer of an application makes a security mistake, ModSecurity may block a security attack before it can access the vulnerable application.

Protection against operating system level attack — ModSecurity rule sets can protect against attacks that exploit the operating system of your server. For example, in 2014, there was a security flaw in the Bash shell program that Linux servers use. Security experts created ModSecurity rules to disallow the use of the exploit thought Apache. Server administrators used these ModSecurity rules and added additional security to their system until the release of a security patch for Bash shell.

Protect against generalized malicious traffic — Some of the security threats that server administrators face may not directly attack a program or application on your server. DoS (Denial of Service) attacks, for example, are common attacks. You can reduce the impact of such malicious traffic through the use of ModSecurity rules.

GOTCHA...!

Code: Select all

[root@srv8 ~]# tail -n -30 /var/log/lfd.log
Sep 27 00:00:04 srv8 lfd[1706942]: Temp to Perm Block Tracking...
Sep 27 00:00:04 srv8 lfd[1706942]: System Statistics...
Sep 27 00:00:05 srv8 lfd[1706942]: WHM Tracking...
Sep 27 00:00:05 srv8 lfd[1706942]: Watching /var/log/messages...
Sep 27 00:00:05 srv8 lfd[1706942]: Watching /var/log/maillog...
Sep 27 00:00:05 srv8 lfd[1706942]: Watching /var/log/secure...
Sep 27 00:00:05 srv8 lfd[1706942]: Watching /usr/local/cpanel/logs/login_log...
Sep 27 00:00:05 srv8 lfd[1706942]: Watching /var/log/customlog...
Sep 27 00:00:05 srv8 lfd[1706942]: Watching /usr/local/cpanel/logs/access_log...
Sep 27 00:00:05 srv8 lfd[1706942]: Watching /var/log/exim_mainlog...
Sep 27 00:00:05 srv8 lfd[1706942]: Watching /etc/apache2/logs/error_log...
Sep 27 08:16:00 srv8 lfd[1860252]: Retrieved and blocking blocklist STOPFORUMSPAM IP address ranges
Sep 27 08:16:00 srv8 lfd[1860252]: CC: Unzipped Blocklist STOPFORUMSPAM [/var/lib/csf/csf.block.STOPFORUMSPAM.zip]
Sep 27 08:16:01 srv8 lfd[1860252]: IPSET: loading set new_STOPFORUMSPAM with 4449 entries
Sep 27 08:16:01 srv8 lfd[1860252]: IPSET: switching set new_STOPFORUMSPAM to bl_STOPFORUMSPAM
Sep 27 08:16:02 srv8 lfd[1860252]: Retrieved and blocking blocklist STOPFORUMSPAMV6 IP address ranges
Sep 27 08:16:02 srv8 lfd[1860252]: CC: Unzipped Blocklist STOPFORUMSPAMV6 [/var/lib/csf/csf.block.STOPFORUMSPAMV6.zip]
Sep 27 08:16:04 srv8 lfd[1860252]: IPSET: loading set new_STOPFORUMSPAMV6 with 0 entries
Sep 27 08:16:04 srv8 lfd[1860252]: IPSET: switching set new_STOPFORUMSPAMV6 to bl_STOPFORUMSPAMV6
Sep 27 08:16:08 srv8 lfd[1860252]: Retrieved and blocking blocklist GREENSNOW IP address ranges
Sep 27 08:16:09 srv8 lfd[1860252]: IPSET: loading set new_GREENSNOW with 4119 entries
Sep 27 08:16:09 srv8 lfd[1860252]: IPSET: switching set new_GREENSNOW to bl_GREENSNOW
Sep 27 08:41:01 srv8 lfd[1868943]: Retrieved and blocking blocklist ABUSEIPDB IP address ranges
Sep 27 08:41:02 srv8 lfd[1868943]: IPSET: loading set new_ABUSEIPDB with 8606 entries
Sep 27 08:41:02 srv8 lfd[1868943]: IPSET: switching set new_ABUSEIPDB to bl_ABUSEIPDB
Sep 27 12:01:24 srv8 lfd[1983448]: Retrieved and blocking blocklist MAXMIND IP address ranges
Sep 27 12:01:25 srv8 lfd[1983448]: IPSET: loading set new_MAXMIND with 24 entries
Sep 27 12:01:25 srv8 lfd[1983448]: IPSET: switching set new_MAXMIND to bl_MAXMIND
Sep 27 16:22:09 srv8 lfd[2066949]: (mod_security) mod_security (id:949110) triggered by 162.19.145.47 (FR/France/ip47.ip-162-19-145.eu): 5 in the last 3600 secs - *Blocked in csf* port=80 [LF_MODSEC]
Sep 27 16:22:10 srv8 lfd[2066949]: (mod_security) mod_security (id:949110) triggered by 162.19.145.47 (FR/France/ip47.ip-162-19-145.eu): 5 in the last 3600 secs - *Blocked in csf* port=443 [LF_MODSEC]
Sep 28 20:24:23 srv8 lfd[2587305]: (mod_security) mod_security (id:949110) triggered by 178.128.18.247 (SG/Singapore/-): 5 in the last 3600 secs - *Blocked in csf* port=80 [LF_MODSEC]
Sep 28 20:24:24 srv8 lfd[2587305]: (mod_security) mod_security (id:949110) triggered by 178.128.18.247 (SG/Singapore/-): 5 in the last 3600 secs - *Blocked in csf* port=443 [LF_MODSEC]
[root@srv8 ~]#
Checked within 103 RBL's
(You might need to open this image in the new tab for sure)
(Pointing you cursor tho the image below, right click the image option, and choose open the image in the new tab, click the image to maximize)
Mail Server SMTP IP: Srv8.JSalfianMarketing.Com
Image
Domain IP: JSalfianMarketing.Com
Image
Domain IP: Marketer-Safelist.Com
Image
Domain IP: MailerSafelist.Com
Image
Post Reply