Facebook
TwitterMiguel_Tellería
Basic Pleskian
[Plesk 12.0.18, CentOS 6.6]
Dear all,
I would like to ask for hints and ideas to restrict PHP and FastCGI processes to use port 25 directly.
Sometimes it is unavoidable, due to vulnerabilities in CMS systems, that attackers install an SMTP client bot that performs email sendings bypassing postfix, sendmail/mail() funcition and all limits imposed by Plesk.
Therefore we would like to restrict access to port 25 to web and PHP-Fastcgi applications beyond the mail() function and sending limits that Plesk already offers.
Here is our brainstorm of ideas. (Disclosure: SELinux comes first to my mind although being a complete newcomer I don't know if my SELinux proposal utterly make sense).
- Use SELinux to deny access to outgoing port 25 to php-cgi executables.
- Use SELinux to limit access to outgoing port 25 only to postfix executables.
- Use SELinux to limit access to outgoing port 25 only to postfix user (at least deny to all subscription users).
- Ban PHP API functions related to lowlevel socket handling.
- Closing outgoing port 25 completely with iptables and creating a tunnel with postfix to other host which would be email oriented.
Any ideas or hints would be welcome.
Dear all,
I would like to ask for hints and ideas to restrict PHP and FastCGI processes to use port 25 directly.
Sometimes it is unavoidable, due to vulnerabilities in CMS systems, that attackers install an SMTP client bot that performs email sendings bypassing postfix, sendmail/mail() funcition and all limits imposed by Plesk.
Therefore we would like to restrict access to port 25 to web and PHP-Fastcgi applications beyond the mail() function and sending limits that Plesk already offers.
Here is our brainstorm of ideas. (Disclosure: SELinux comes first to my mind although being a complete newcomer I don't know if my SELinux proposal utterly make sense).
- Use SELinux to deny access to outgoing port 25 to php-cgi executables.
- Use SELinux to limit access to outgoing port 25 only to postfix executables.
- Use SELinux to limit access to outgoing port 25 only to postfix user (at least deny to all subscription users).
- Ban PHP API functions related to lowlevel socket handling.
- Closing outgoing port 25 completely with iptables and creating a tunnel with postfix to other host which would be email oriented.
Any ideas or hints would be welcome.
