
Blocked hosting on Plusnet

gofaster
Rising Star
Posts: 369
Thanks: 16
Registered: ‎01-08-2007

Re: Blocked hosting on Plusnet

I would suspect that SpamSieve is the culprit.
HostPapa said that more than 60 email connects in 24 hours would block an IP address.
If SpamSieve is checking for new emails regularly (i.e. more often than once every 24 minutes), it could easily bust that limit.
Word_Warrior
Grafter
Posts: 503
Registered: ‎30-07-2007

Re: Blocked hosting on Plusnet

Quote from: Chris
Quote
Okay it's happened again and they say it's due to excessive port scans in a given period which is causing the block. They (Hostpapa) say that either my ftp client is doing it or there may be a virus causing it.

I'm assuming as they have said it might be your FTP client doing this that the port scans they are seeing are on port 21?
You could try running Wireshark on whichever machine you generally use and then search the output file for the hosting company IP address.

Eventually got Wireshark installed; it requires X11, which isn't on OS X 10.10 (Yosemite); Quartz is the substitute. I'll let you know what's happening once it's had a look around.
Word_Warrior
Grafter
Posts: 503
Registered: ‎30-07-2007

Re: Blocked hosting on Plusnet

Quote from: jelv
Have they confirmed that it is an individual IP that is being blocked or an IP subnet? It could easily be the latter and therefore nothing to do with you that triggers the block.

They say IP, I'll check with them if it happens again.
Word_Warrior
Grafter
Posts: 503
Registered: ‎30-07-2007

Re: Blocked hosting on Plusnet

Quote from: gofaster
I would suspect that SpamSieve is the culprit.
HostPapa said that more than 60 email connects in 24 hours would block an IP address.
If SpamSieve is checking for new emails regularly (i.e. more often than once every 24 minutes), it could easily bust that limit.

That's a thought, my emails are IMAP so that Spam Sieve sits on one Mac (my office mac) and dumps the spam and forwards the good stuff. It's set to check mail automatically and if I click check mail on top of that then that could be it from their wording. Maybe if I set it to fixed period it might be a good idea. I'll give that a try.
Thanks.
Chris
Legend
Posts: 17,724
Thanks: 600
Fixes: 169
Registered: ‎05-04-2007

Re: Blocked hosting on Plusnet

Good suggestion, let us know how it goes. I'd be interested to see if this is the issue.
Former Plusnet Staff member. Posts after 31st Jan 2020 are not on behalf of Plusnet.
Word_Warrior
Grafter
Posts: 503
Registered: ‎30-07-2007

Re: Blocked hosting on Plusnet

Okay, to answer a couple of things. Having had my own account blocked now (same IP address), Hostpapa say it's my personal IP that's getting blocked, not the IP subnet as suggested by JELV.
I thought I'd stopped SpamSieve from fetching mail so often but I may not have, although I've stopped 'Mail' from fetching automatically and changed that to half hourly. Next step is to contact SpamSieve for guidance.
I've downloaded Wireshark but am utterly clueless how to use it. My expertise in these things isn't great. Just basics.
Thanks so far guys. Still investigating.
npr
Pro
Posts: 1,898
Thanks: 119
Fixes: 9
Registered: ‎21-01-2013

Re: Blocked hosting on Plusnet

Quote from: Word

I've downloaded Wireshark but am utterly clueless how to use it. My expertise in these things isn't great. Just basics.

This may help:
http://community.talktalk.co.uk/eigde79682/attachments/eigde79682/fibre/46841/1/Taking%20a%20Wiresha...
Word_Warrior
Grafter
Posts: 503
Registered: ‎30-07-2007

Re: Blocked hosting on Plusnet

Okay thanks, It'll have to wait till tomorrow now. I'll keep you all posted.
jelv
Seasoned Hero
Posts: 26,785
Thanks: 971
Fixes: 10
Registered: ‎10-04-2007

Re: Blocked hosting on Plusnet

Word_Warrior
Grafter
Posts: 503
Registered: ‎30-07-2007

Re: Blocked hosting on Plusnet

Cheers. now I must go, will catch up tomorrow.
Word_Warrior
Grafter
Posts: 503
Registered: ‎30-07-2007

Re: Blocked hosting on Plusnet

First of all, apologies for contravening forum rules.
Secondly, I am now waiting, yet again for live support at host papa to clear the block.
Wireshark is a total mystery to me still, even though I've watched the video; when I have more time I'll sit down and fathom it out.
Question:
If Spamsieve is the culprit surely both host papa accounts I use would be blocked at the same time wouldn't they? It just seems a bit random at the moment. My own personal account has been blocked today but the other isn't. They're both on the same IP address.
Just for good measure and without any good reason I've repaired disk permissions, don't suppose that could be having an effect but it did a lot of repairs.
Just going to have a lie down in a dark room now as my brain hurts. Far too much for "a bear of very little brain". Thanks so far for assistance guys. If you see a small nuclear explosion over the midlands it's probably me.
Word_Warrior
Grafter
Posts: 503
Registered: ‎30-07-2007

Re: Blocked hosting on Plusnet

Okay, latest info I have is that it is an email login issue.
Quote
Chain num pkts bytes target prot opt in out source destination
DENYIN 1172 935 54898 DROP all -- !lo * **.**.***.*** 0.0.0.0/0
DENYOUT 1172 207 53686 DROP all -- * !lo 0.0.0.0/0 * **.**.***.***
Temporary Blocks: IP:* **.**.***.*** Port: Dir:inout TTL:3600 (lfd - (smtpauth) Failed SMTP AUTH login from * **.**.***.*** (GB/United Kingdom/********.plus.com): 10 in the last 300 secs

I've substituted personal info and IP address with asterisks. They're suggesting that it may be cached.
Quote
You may have saved email passwords in your browser or email client. Please clear your all browsers caches.

It just seems so random that it's either, one or the other account or both.
Does this pour any light on things now, I'm still in the dark.
WWWombat
Grafter
Posts: 1,412
Thanks: 4
Registered: ‎29-01-2009

Re: Blocked hosting on Plusnet

Some questions:
Quote from: Word
Chain   num  pkts bytes target prot opt in  out source        destination 
DENYIN  1172 935  54898 DROP  all  --  !lo *  **.**.***.*** 0.0.0.0/0
DENYOUT 1172 207  53686 DROP  all  --  *  !lo 0.0.0.0/0    * **.**.***.***
Temporary Blocks: IP:* **.**.***.*** Port: Dir:inout TTL:3600 (lfd - (smtpauth) Failed SMTP AUTH login from * **.**.***.*** (GB/United Kingdom/********.plus.com): 10 in the last 300 secs


Where does this snippet of output come from? A server that you run, or one that Hostpapa runs?
Quote
It just seems so random that it's either, one or the other account or both.

It isn't clear to me what you mean by "account" here. Can you explain the relationship between email accounts and servers (or services) that you rent from hostpapa? Does each "account" reside on a separate remote server, with a separate IP address?
Anyway...
The mention of "lfd" in the last line of the snippet suggests that the output has been generated by a firewall package known as "CSF/LFD", or the "ConfigServer Firewall" plus "Login Failure Daemon". The firewall's job is to allow only a small set of connections through to the server. LFD's job is to monitor connections that make it past the firewall, but then turn out to regularly fail authentication during the login process ... once detected, it locks them out for a period by putting a temporary restriction in the firewall. The TTL value suggests the lockout is for an hour.
LFD is also capable of monitoring the rate at which valid logins happen, in an attempt to prevent overload. However, the last line of the snippet suggests you haven't been hit by this... not at that time, anyway.
The first three lines in the snippet look like the temporary block in the firewall. It looks very much like the output from the Linux "iptables" command. The entries would appear to intercept any traffic either to or from your IP address.
If this sounds like something on a server you run, then there are three things to do:

  • As Hostpapa suggests, you should find out what device/user/service is making the failed login attempts. Wireshark may help you there, but you might need to run it on the server.

  • You should amend the firewall to specify at least one IP address that is *always* allowed through the firewall - so that you can always get in to perform admin tasks.
    In CSF, you need to amend /etc/csf/csf.allow
    You obviously want to allow your Plusnet IP address there. If you have 2 servers, with an IP address each, you might want to include the address of the other server on each ... that way you can always get in from one to the other.

  • If you hit the limit of too many valid login attempts in a period, you might want to tune LFD to allow what you want to achieve.


If Hostpapa runs the server in question, then there isn't much you can do beyond finding the rogue process.
Quote
It just seems so random that it's either, one or the other account or both.

It might just be luck on the timing.
The lockout will be for one hour - then you'll be allowed in again until LFD detects too many failures - which, by the snippet, might take 300 secs. That means each server (if you have two) is accessible for 5 minutes in every 65. Quite likely to be a different 5 minutes.
Plusnet Customer
Using FTTC since 2011. Currently on 80/20 Unlimited Fibre Extra.
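
An added example, not part of any post in this thread: it parses the lfd temporary-block line quoted above and models the lockout cycle the post describes (10 failures in 300 secs, blocked for the 3600-second TTL). The address `203.0.113.7`, the hostname `host.example`, the function names and the 30-second retry interval are constructed assumptions, and the block model is a simplification rather than lfd's actual log-scanning logic.

```python
import re
from collections import deque

# Constructed sample: the block line from the thread, with the redacted address
# and hostname replaced by documentation placeholders.
SAMPLE = ("Temporary Blocks: IP:203.0.113.7 Port: Dir:inout TTL:3600 "
          "(lfd - (smtpauth) Failed SMTP AUTH login from 203.0.113.7 "
          "(GB/United Kingdom/host.example): 10 in the last 300 secs")

BLOCK_RE = re.compile(
    r"IP:\s*(?P<ip>\S+)\s+Port:\s*(?P<port>\d*)\s*Dir:(?P<dir>\w+)\s+TTL:(?P<ttl>\d+)\s+"
    r"\(lfd - \((?P<trigger>\w+)\)\s+(?P<reason>.+?) from .*?:\s*"
    r"(?P<count>\d+) in the last (?P<window>\d+) secs")

def parse_block(line):
    """Extract the fields of an lfd temporary-block line, or None if no match."""
    m = BLOCK_RE.search(line)
    if m is None:
        return None
    d = m.groupdict()
    for key in ("ttl", "count", "window"):
        d[key] = int(d[key])
    return d

def blocked_periods(failures, limit, window, ttl):
    """Simplified model (assumption): `limit` failures within `window` seconds
    trigger a block lasting `ttl` seconds. `failures` are sorted timestamps."""
    recent, blocks, until = deque(), [], -1
    for t in failures:
        if t < until:
            continue  # dropped by the firewall; never reaches the mail server
        recent.append(t)
        while recent[0] <= t - window:
            recent.popleft()  # forget failures older than the window
        if len(recent) >= limit:
            blocks.append((t, t + ttl))
            until = t + ttl
            recent.clear()
    return blocks

def demo():
    """A client retrying a stale saved password every 30 s for two hours."""
    info = parse_block(SAMPLE)
    return blocked_periods(range(0, 7200, 30), info["count"], info["window"], info["ttl"])

if __name__ == "__main__":
    print(parse_block(SAMPLE))
    print(demo())
```

The `trigger` field (`smtpauth` here) names the service whose logins failed, which is the first thing to read when deciding which client setting to check.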
Word_Warrior
Grafter
Posts: 503
Registered: ‎30-07-2007

Re: Blocked hosting on Plusnet

The snippet was given to me by host papa support from their firewall report but they couldn't tell me which email it was that was causing the issue but given both accounts are affected it's likely to be more than one of the several URL's.
'Accounts' are my URL's and associated emails. Host papa use the ubiquitous cPanel and you can set up your emails in that byname@mydomain.com etc
Quote
The TTL value suggest the lockout is for an hour.
This would explain the occasional 'lost then back' nature I sometimes get.
I have two 'accounts' with host papa, one for the said rugby club website, gallery and accompanying emails, and the other is my own account.
Both use host papa servers with cPanel. All there is on the rugby club servers is http://bromsgroverfc.co.uk and http://gallery.bromsgroverfc.co.uk and a bunch of emails for various officers including myself.
My own server space on host papa has four websites with their own URL's a photogallery and connected emails.
Both sets of servers websites use either Joomla (both 2.5.xx & 3.x.x versions) wordpress (yuk) and piwigo gallery software installed using Softaculous onto the servers and databases.
That's as much as I know I think.
jelv
Seasoned Hero
Posts: 26,785
Thanks: 971
Fixes: 10
Registered: ‎10-04-2007

Re: Blocked hosting on Plusnet

smtpauth surely is something trying to send emails via host papa, not retrieving emails, which would either be POP3 or IMAP.
If this is something always on your own connection (and not on a laptop you use elsewhere) there's no reason not to use the plusnet relay to send messages. Plusnet do not block outgoing emails with different domains as the sender.
jelv (a.k.a Spoon Whittler)
   Why I have left Plusnet (warning: long post!)   
Broadband: Andrews & Arnold Home::1 (FTTC 80/20)
Line rental: Pulse 8 Home Line Rental (£14.40/month)
Mobile: iD mobile (£4/month)