Authentication attempts for xxx@com.au addresses


Authentication attempts for xxx@com.au addresses

James Brown
Not sure if this is a Dovecot or Postfix issue; we use Dovecot for authentication for Postfix. Mailboxes are stored in MySQL.

Have noticed this today:

auth-worker(42777): Info: sql([hidden email],127.0.0.1): unknown user (given password: someone123)

Also [hidden email] etc.

They are coming through on port 465.

Obviously my domain is not ‘com.au’ - how can I stop these attempts from even being considered?

I did update to Postfix 3.4.5 yesterday. Running Dovecot 2.3.5.

Thanks,

James.




Re: Authentication attempts for xxx@com.au addresses

Drexl Spivey
You will need to install fail2ban to IP-block failed attempts.

As you have correctly assumed, a malicious person is trying to hack into your mail server.

Fail2ban is a required application nowadays.

On April 2, 2019 8:57:06 AM GMT+02:00, James Brown <[hidden email]> wrote:
Not sure if this is a Dovecot or Postfix issue; we use Dovecot for authentication for Postfix. Mailboxes are stored in MySQL.

Have noticed this today:

auth-worker(42777): Info: sql([hidden email],127.0.0.1): unknown user (given password: someone123)

Also [hidden email] etc.

They are coming through on port 465.

Obviously my domain is not ‘com.au’ - how can I stop these attempts from even being considered?

I did update to Postfix 3.4.5 yesterday. Running Dovecot 2.3.5.

Thanks,

James.




--
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Re: Authentication attempts for xxx@com.au addresses

Ron Wheeler

There does not seem to be a completely foolproof and easy to manage solution.

In my case, I modified the fail2ban time in jail to block the IP for days rather than hours and did a close look at the expressions defining the bad attempts to be sure that I got all (I hope) of the cases that were appearing.
They will run out of compromised sites/IPs at some point.
If you notice that the blocked IPs show entire class C blocks that are in countries where you do not really care about serving, you can manually block the entire class C at the outside edge of your firewall until someone that you actually want to let in complains.


If you have sshd running, that is another critical service to watch.

Everything is under attack all the time and the huge amount of money spent by G7 governments on cybersecurity is not having any noticeable reduction in this annoyance.
Sorry for the short rant but we should not have to waste so much energy and bandwidth on this given the billions (pick a currency) that are being spent.
I am afraid that it is mostly spent on training people who were not recruited with the right skills and going to international conferences to talk about how serious the problem is.

Ron


On 4/2/19 8:10 AM, James Brown wrote:
Thanks Esteban. I have fail2ban installed. Unfortunately each attempt comes from a different IP (botnet I presume). I’m finding this all the time now, so fail2ban seems to be no longer much use.

Was just hoping there was a Postfix or Dovecot setting I could use to ignore these submission attempts.

James.


On 2 Apr 2019, at 7:43 pm, Esteban L <[hidden email]> wrote:

You will need to install fail2ban to IP-block failed attempts.

As you have correctly assumed, a malicious person is trying to hack into your mail server.

Fail2ban is a required application nowadays.

On April 2, 2019 8:57:06 AM GMT+02:00, James Brown <[hidden email]> wrote:
Not sure if this is a Dovecot or Postfix issue; we use Dovecot for authentication for Postfix. Mailboxes are stored in MySQL.

Have noticed this today:

auth-worker(42777): Info: sql([hidden email],127.0.0.1): unknown user (given password: someone123)

Also [hidden email] etc.

They are coming through on port 465.

Obviously my domain is not ‘com.au’ - how can I stop these attempts from even being considered?

I did update to Postfix 3.4.5 yesterday. Running Dovecot 2.3.5.

Thanks,

James.




--
Sent from my Android device with K-9 Mail. Please excuse my brevity.


Re: Authentication attempts for xxx@com.au addresses

Michael-4
This will only help if you're getting multiple attempts from one subnet,
but I've been able to use fail2ban to block IP ranges instead of single
IPs. You just have to be careful or you may block more IPs than you
want. I recommend setting fail2ban to NOT start up on boot while testing
in case you lock yourself out. You can reboot your VM to regain access.

Create a custom action file

   cp action.d/iptables-multiport.conf action.d/iptables-multiport-subnet.local

Comment out the default ban and unban lines, and replace them with
these:

     actionban = <iptables> -I f2b-<name> 1 -s `echo <ip> | sed -e "s/\([0-9]*.\)\([0-9]*.\)\([0-9]*.\)\([0-9]*\)/\1\2\30\/24/"` -j <blocktype>
     actionunban = <iptables> -D f2b-<name> -s `echo <ip> | sed -e "s/\([0-9]*.\)\([0-9]*.\)\([0-9]*.\)\([0-9]*\)/\1\2\30\/24/"` -j <blocktype>

Then in your jail.local, you add this to the specific jail you want to
block subnets on. I don't recommend using this as the default for all
jails.
     banaction = iptables-multiport-subnet



On 2019-04-02 8:30 am, Ron Wheeler wrote:

> There does not seem to be a completely foolproof and easy to manage
> solution.
>
> In my case, I modified the fail2ban time in jail to block the IP for
> days rather than hours and did a close look at the expressions defining
> the bad attempts to be sure that I got all (I hope) of the cases that
> were appearing.
> They will run out of compromised sites/IPs at some point.
> If you notice that the blocked IPs show entire class C blocks that are
> in countries where you do not really care about serving, you can
> manually block the entire class C at the outside edge of your firewall
> until someone that you actually want to let in complains.
>
> If you have sshd running, that is another critical service to watch.
>
> Everything is under attack all the time and the huge amount of money
> spent by G7 governments on cybersecurity is not having any noticeable
> reduction in this annoyance.
> Sorry for the short rant but we should not have to waste so much energy
> and bandwidth on this given the billions (pick a currency) that are
> being spent.
> I am afraid that it is mostly spent on training people who were not
> recruited with the right skills and going to international conferences
> to talk about how serious the problem is.
>
> Ron
>
> On 4/2/19 8:10 AM, James Brown wrote: Thanks Esteban. I have fail2ban
> installed. Unfortunately each attempt comes from a different IP (botnet
> I presume). I'm finding this all the time now, so fail2ban seems to be
> no longer much use.
>
> Was just hoping there was a Postfix or Dovecot setting I could use to
> ignore these submission attempts.
>
> James.
>
> On 2 Apr 2019, at 7:43 pm, Esteban L <[hidden email]> wrote:
>
> You will need to install fail2ban to IP-block failed attempts.
>
> As you have correctly assumed, a malicious person is trying to hack
> into your mail server.
>
> Fail2ban is a required application nowadays.
>
> On April 2, 2019 8:57:06 AM GMT+02:00, James Brown
> <[hidden email]> wrote:
>
> Not sure if this is a Dovecot or Postfix issue; we use Dovecot for
> authentication for Postfix. Mailboxes are stored in MySQL.
>
> Have noticed this today:
>
> auth-worker(42777): Info: sql([hidden email],127.0.0.1): unknown user
> (given password: someone123)
>
> Also [hidden email] etc.
>
> They are coming through on port 465.
>
> Obviously my domain is not 'com.au' - how can I stop these attempts
> from even being considered?
>
> I did update to Postfix 3.4.5 yesterday. Running Dovecot 2.3.5.
>
> Thanks,
>
> James.
>
> --
> Sent from my Android device with K-9 Mail. Please excuse my brevity.

Re: Authentication attempts for xxx@com.au addresses

Dominic Raferd
In reply to this post by Drexl Spivey


On Tue, 2 Apr 2019 at 09:45, Esteban L <[hidden email]> wrote:
You will need to install fail2ban to IP-block failed attempts.

As you have correctly assumed, a malicious person is trying to hack into your mail server.

Fail2ban is a required application nowadays.

On April 2, 2019 8:57:06 AM GMT+02:00, James Brown <[hidden email]> wrote:
Not sure if this is a Dovecot or Postfix issue; we use Dovecot for authentication for Postfix. Mailboxes are stored in MySQL.

Have noticed this today:

auth-worker(42777): Info: sql([hidden email],127.0.0.1): unknown user (given password: someone123)

Also [hidden email] etc.

They are coming through on port 465.

Obviously my domain is not ‘com.au’ - how can I stop these attempts from even being considered?

I did update to Postfix 3.4.5 yesterday. Running Dovecot 2.3.5.

OP: since the attempts *are* being blocked by dovecot (via postfix) are you sure you need to do anything? Unless the attempts are putting your system under such load that it might fail to provide good service I think you should stop worrying. Alternatively if you can identify a unique pattern in the client names for these hack attempts that might provide another way to block them.

BTW, where authentication is attempted for a real user but with a wrong password we regard it as helpful - we use the data to warn users about passwords that they might have used elsewhere but which have now escaped into bad hands. It has picked up several real world cases (where email/password data on external websites had evidently been hacked). (This strategy might not be appropriate for a third-party mail provider but it works for us.)

Re: Authentication attempts for xxx@com.au addresses

Drexl Spivey
In reply to this post by Drexl Spivey
I agree with Ron Wheeler.

The default settings for Dovecot and Postfix are solid. The default settings for Fail2ban, on the other hand, are inadequate. Not because it's a bad program, but rather that 1.) the default settings are a little lenient, and 2.) hackers know those default settings.

You'll need to set the findtime, jailtime, and attempts more strict.


I set the findtime to an hour, the jail time to a month, and attempts to 2.

The times are in seconds, so you'll need to calculate those times.




On April 2, 2019 2:10:24 PM GMT+02:00, James Brown <[hidden email]> wrote:
Thanks Esteban. I have fail2ban installed. Unfortunately each attempt comes from a different IP (botnet I presume). I’m finding this all the time now, so fail2ban seems to be no longer much use.

Was just hoping there was a Postfix or Dovecot setting I could use to ignore these submission attempts.

James.


On 2 Apr 2019, at 7:43 pm, Esteban L <[hidden email]> wrote:

You will need to install fail2ban to IP-block failed attempts.

As you have correctly assumed, a malicious person is trying to hack into your mail server.

Fail2ban is a required application nowadays.

On April 2, 2019 8:57:06 AM GMT+02:00, James Brown <[hidden email]> wrote:
Not sure if this is a Dovecot or Postfix issue; we use Dovecot for authentication for Postfix. Mailboxes are stored in MySQL.

Have noticed this today:

auth-worker(42777): Info: sql([hidden email],127.0.0.1): unknown user (given password: someone123)

Also [hidden email] etc.

They are coming through on port 465.

Obviously my domain is not ‘com.au’ - how can I stop these attempts from even being considered?

I did update to Postfix 3.4.5 yesterday. Running Dovecot 2.3.5.

Thanks,

James.




--
Sent from my Android device with K-9 Mail. Please excuse my brevity.


--
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Re: Authentication attempts for xxx@com.au addresses

@lbutlr
On 2 Apr 2019, at 14:30, Esteban L <[hidden email]> wrote:
> The times are in seconds, so you'll need to calculate those times.

A month is 2629743 seconds. An hour, of course, is 3600, but I prefer 86400, which is one day.

BTW, pi seconds is very close to 1 nano century.


--
<[TN]FBMachine> I got kicked out of Barnes and Noble once for moving all
the bibles into the fiction section



Re: Authentication attempts for xxx@com.au addresses

Curtis Maurand


On 4/2/19 5:39 PM, @lbutlr wrote:
> On 2 Apr 2019, at 14:30, Esteban L <[hidden email]> wrote:
>> The times are in seconds, so you'll need to calculate those times.
> A month is 2629743 seconds. An hour, of course, is 3600, but I prefer 86400, which is one day.
>
> BTW, pi seconds is very close to 1 nano century.
>
>
I agree with @lbutlr that 86400 is a good number. Now to find where
to change the iptables rule to "-j DROP".

I like to just silently drop the connection. It becomes a sort of
reverse DOS in that they keep opening sockets, but you're effectively
not listening.  It's been very effective in my experience.  To be sure,
they will keep changing sources once they realize the host is
unreachable from any particular source. If I end up blocking TOR or vpn
users that are trying to do nefarious things, then so be it.  I don't
need to waste CPU cycles sending responses. fail2ban is a resource hog
as it is.

Cheers,
Curtis

--
Best Regards Curtis Maurand
mailto:[hidden email]
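The fail2ban suggestions in this thread, collected into one jail.local as an added example (not any poster's own file): Drexl's hour/month/two-attempt thresholds written in seconds, using the month value @lbutlr computed; Michael's subnet-banning action limited to the dovecot jail rather than set as the global default; and Curtis's silent DROP in place of the REJECT that fail2ban uses by default. Two assumptions: passing blocktype as an action parameter overrides the [Init] default that iptables-multiport inherits from iptables-common.conf, and the port list is the one from the stock dovecot jail.

```ini
# /etc/fail2ban/jail.local  (added example, not from the thread)

[DEFAULT]
# Times are in seconds: two failures within an hour earn a one-month ban.
findtime  = 3600
bantime   = 2629743
maxretry  = 2
# Default banning action for every jail: per-IP rule, REJECT.
banaction = iptables-multiport

[sshd]
# Ron's point: sshd is the other service worth watching.
enabled = true

[dovecot]
enabled = true
# Only this jail uses the subnet action file created from
# action.d/iptables-multiport.conf; blocktype=DROP discards the packets
# silently instead of answering with an ICMP reject.
# (Assumption: the parameter overrides the action file's [Init] default.)
action  = iptables-multiport-subnet[name=dovecot, port="pop3,pop3s,imap,imaps,submission,465,sieve", protocol=tcp, blocktype=DROP]
```

Test a change like this with `fail2ban-client reload` and then `fail2ban-client status dovecot`, and keep a second session open, because a /24 ban applied to your own network locks out every address in it, which is the lock-out Michael warns about.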

Re: Authentication attempts for xxx@com.au addresses

James Brown


On 3 Apr 2019, at 9:45 am, Curtis Maurand <[hidden email]> wrote:



On 4/2/19 5:39 PM, @lbutlr wrote:
On 2 Apr 2019, at 14:30, Esteban L <[hidden email]> wrote:
The times are in seconds, so you'll need to calculate those times.
A month is 2629743 seconds. An hour, of course, is 3600, but I prefer 86400, which is one day.

BTW, pi seconds is very close to 1 nano century.


I agree with @lbutlr that 86400 is a good number. Now to find where to change the iptables rule to "-j DROP".

I like to just silently drop the connection. It becomes a sort of reverse DOS in that they keep opening sockets, but you're effectively not listening.  It's been very effective in my experience.  To be sure, they will keep changing sources once they realize the host is unreachable from any particular source. If I end up blocking TOR or vpn users that are trying to do nefarious things, then so be it.  I don't need to waste CPU cycles sending responses. fail2ban is a resource hog as it is.

Cheers,
Curtis

Thanks all for your replies. Increasing both Ban time and Find time are good and I’ll do that. Looking through the logs I can see some repeated IPs for IMAP failures, but over long times (eg maybe once or twice a day max).

We have Stunnel receive the traffic on port 465 and 587 and forward on to 127.0.0.1 on port 25. So that is why I can’t write a Fail2ban rule for this log line:

auth-worker(42777): Info: sql([hidden email],127.0.0.1): unknown user (given password: Password123)

as it would ban localhost, not the original IP that Stunnel received.

Thanks,

James.

Re: Authentication attempts for xxx@com.au addresses

Bill Cole-3
In reply to this post by Drexl Spivey
On 2 Apr 2019, at 8:10, James Brown wrote:

> Thanks Esteban. I have fail2ban installed. Unfortunately each attempt
> comes from a different IP (botnet I presume). I’m finding this all
> the time now, so fail2ban seems to be no longer much use.
>
> Was just hoping there was a Postfix or Dovecot setting I could use to
> ignore these submission attempts.

While fail2ban with its stock config isn't going to help much, the
approach Michael suggested can work.

I use a more draconian but slower approach, with a custom log watcher
that immediately blocks any IP from touching relevant ports (110, 143,
465, 587, 993, and 995) if it fails an auth attempt in any /16 that has
not had a successful authentication in the past week. Those firewall
rules eventually age out if not hit. Once a week, I manually use those
automated rules to identify ranges at the RIR allocation block or
visible route level that will almost surely never legitimately attempt
mail auth on my system and ban them from those ports permanently. I also
have a simple web mechanism for users to punch an opening for their
current IP.

That is a reasonable fit for a small mail system. I don't think it would
be feasible with a large set of users, particularly heavy travelers or
people who frequently change devices (i.e. prone to auth failures from
unfamiliar networks) and who are mystified by the "URL knocking" trick.
When I first started this, the weekly triage & escalation was a
substantial chunk of work but after a year of adding new ranges as they
appear, I now have only a handful of probes per week to check out and
often no new larger blocks to shun.

--
Bill Cole
[hidden email] or [hidden email]
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Available For Hire: https://linkedin.com/in/billcole
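The /16 rule Bill describes, worked through as an added example (this is not his log watcher; it is a stand-alone script written for this page). It reads Dovecot imap-login lines in order, remembers the most recent successful login per /16, and flags a failed login when its /16 has had no success within the previous week. The log lines are constructed for the example: hostnames and users are invented and the addresses come from the documentation ranges. Only IPv4 is handled, and the year is supplied separately because syslog timestamps do not carry one.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Syslog-style Dovecot login lines; only the timestamp, the outcome and the
# remote IP (the "rip=" field) are captured.
LOGIN_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) \S+ dovecot: (?:imap|pop3)-login: "
    r"(?P<event>Login|Disconnected \(auth failed[^)]*\)): .*?\brip=(?P<rip>\d+\.\d+\.\d+\.\d+)"
)
WINDOW = timedelta(days=7)   # "no successful authentication in the past week"

# Constructed sample log: invented users/hosts, documentation address ranges.
SAMPLE_LOG = """\
Mar 20 18:02:11 mx dovecot: imap-login: Login: user=<bob>, method=PLAIN, rip=192.0.2.55, lip=10.0.0.5, TLS, session=<s1>
Apr  1 07:10:02 mx dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=203.0.113.7, lip=10.0.0.5, TLS, session=<s2>
Apr  2 08:57:06 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=203.0.113.99, lip=10.0.0.5, TLS, session=<s3>
Apr  2 08:57:09 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<info@com.au>, method=PLAIN, rip=198.51.100.23, lip=10.0.0.5, TLS, session=<s4>
Apr  2 09:01:40 mx dovecot: imap-login: Disconnected (auth failed, 2 attempts in 4 secs): user=<admin@com.au>, method=PLAIN, rip=198.51.100.77, lip=10.0.0.5, TLS, session=<s5>
Apr  2 11:15:27 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 3 secs): user=<bob>, method=PLAIN, rip=192.0.2.56, lip=10.0.0.5, TLS, session=<s6>
Apr  2 11:16:00 mx dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=198.51.100.5, lip=10.0.0.5, session=<s7>
"""


def parse_line(line, year):
    """Return (timestamp, success, remote_ip), or None for lines that are neither
    a successful login nor an auth failure (e.g. scanners that never try to auth)."""
    m = LOGIN_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, m.group("event") == "Login", m.group("rip")


def net16(ip):
    """The /16 an IPv4 address belongs to (203.0.113.7 -> 203.0.0.0/16)."""
    return ipaddress.ip_network(f"{ip}/16", strict=False)


def triage(lines, year=2019):
    """Walk the log in order.  A failed login is flagged when its /16 has produced
    no successful login in the preceding WINDOW.  Returns the IPs to block, sorted."""
    last_success = {}   # /16 network -> time of most recent successful login
    flagged = set()
    for line in lines:
        ev = parse_line(line, year)
        if ev is None:
            continue
        ts, ok, ip = ev
        net = net16(ip)
        if ok:
            last_success[net] = max(last_success.get(net, ts), ts)
            continue
        recent = last_success.get(net)
        if recent is None or ts - recent > WINDOW:
            flagged.add(ip)
    return sorted(flagged, key=ipaddress.ip_address)


def summarize(blocked):
    """Count flagged IPs per /16: the raw material for the weekly look at which
    larger ranges only ever produce failures."""
    counts = {}
    for ip in blocked:
        key = str(net16(ip))
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG.splitlines())
    print("block now:", hits)
    print("per /16:", summarize(hits))
```

On the sample, the failure from 203.0.113.99 is left alone because alice logged in from the same /16 the day before, while 192.0.2.56 is flagged even though bob once logged in from that /16: that success is thirteen days old and outside the window. This is the trade-off Bill notes: a legitimate user on a new network fails first and needs the "URL knocking" escape hatch.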

Re: Authentication attempts for xxx@com.au addresses

Bill Cole-3
In reply to this post by James Brown
On 2 Apr 2019, at 23:14, James Brown wrote:

> We have Stunnel receive the traffic on port 465 and 587 and forward on
> to 127.0.0.1 on port 25.

That seems odd. Why?

The whole point of having submission channels distinct from port 25 SMTP
is to allow you to put different restrictions on inbound and outbound
traffic. If they are just forwarded to port 25 looking like the
loopback, you lose that capacity for nuanced access control and lose
your ability to conform to the submission standard on submission ports.

--
Bill Cole
[hidden email] or [hidden email]
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Available For Hire: https://linkedin.com/in/billcole

Re: Authentication attempts for xxx@com.au addresses

Matus UHLAR - fantomas
In reply to this post by James Brown
On 03.04.19 14:14, James Brown wrote:
>Thanks all for your replies. Increasing both Ban time and Find time are good and I’ll do that. Looking through the logs I can see some repeated IPs for IMAP failures, but over long times (eg maybe once or twice a day max).
>
>We have Stunnel receive the traffic on port 465 and 587 and forward on to
> 127.0.0.1 on port 25.

time to change this.

1. different ports are for different access rules, ports 465 and 587 should
NOT accept unauthenticated mail.
2. port 587 is plaintext, STARTTLS should be required, afaik stunnel does
not support this
3. postfix can do those much better than stunnel.

>  So that is why I can’t write a Fail2ban rule for
> this log line:
>
>auth-worker(42777): Info: sql([hidden email] <mailto:[hidden email]>,127.0.0.1): unknown user (given password: Password123)
>
>as it would ban localhost, not the original IP that Stunnel received.

4. postfix would not try to ban localhost.

just remove that stunnel.
--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"Where do you want to go to die?" [Microsoft]
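What Matus's three points look like when Postfix handles the submission ports itself, as an added example rather than anything from the thread: port 587 requires STARTTLS before anything else, port 465 runs in TLS wrapper mode, and both ports accept nothing from a client that has not authenticated. The option names are real Postfix parameters; the Dovecot SASL socket path (`private/auth`, relative to the Postfix queue directory) is the usual layout but an assumption here.

```conf
# /etc/postfix/master.cf  (added example, not from the thread)
# service   type  private unpriv chroot wakeup maxproc command
submission  inet  n       -      n      -      -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
smtps       inet  n       -      n      -      -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
```

With Postfix terminating the TLS connection, its own log records the real client address on a failed SASL attempt (`warning: host[ip]: SASL PLAIN authentication failed`), which is the line fail2ban's stock postfix-sasl filter matches, so the localhost problem from the Stunnel setup disappears. The separate syslog_name per service also makes it easy to tell submission traffic from port 25 traffic in the log.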

Re: Authentication attempts for xxx@com.au addresses

Andrey Repin-2
In reply to this post by Drexl Spivey
Greetings, Esteban L!

> You will need to install fail2ban to IP-block failed attempts.

> As you have correctly assumed, a malicious person is trying to hack into your mail server.

> Fail2ban is a required application nowadays.

That's hardly true.

I haven't found a use for fail2ban in the last ten years. Anything it could do,
there are more direct tools for the same purpose available.

I.e. postfix's anvil daemon, for a given use case.


--
With best regards,
Andrey Repin
Thursday, April 4, 2019 22:04:17

Sorry for my terrible english...


Re: Authentication attempts for xxx@com.au addresses

Drexl Spivey
Hello Andrey,

You've piqued my interest now :-)

I have used fail2ban for many things, dovecot, postfix-auth, ssh (moot, after I changed the port), roundcube, etc.

What are other tools you would recommend? I have seen the postfix anvil daemon at work in the background.

I have gotten used to using fail2ban, and it seems to do the job, but if there is something better, I would like to check it out :-)

On April 4, 2019 8:07:09 PM GMT+01:00, Andrey Repin <[hidden email]> wrote:
Greetings, Esteban L!

You will need to install fail2ban to IP-block failed attempts.

As you have correctly assumed, a malicious person is trying to hack into your mail server.

Fail2ban is a required application nowadays.

That's hardly true.

I haven't found a use for fail2ban in the last ten years. Anything it could do,
there are more direct tools for the same purpose available.

I.e. postfix's anvil daemon, for a given use case.


--
Sent from my Android device with K-9 Mail. Please excuse my brevity.