Dictionary attacks


Dictionary attacks

John Schmerold
What is the best way to protect against dictionary attacks in Postfix?

Exim has a rcpt_fail_count variable I use to drop connections with the
attacker:
   drop  condition   = ${if > {${eval:$rcpt_fail_count}}{3}{yes}{no}}
         log_message = Dictionary Attack Rejected (Began blocking after $rcpt_fail_count recipients failed). Ratelimit incremented.
         ratelimit   = 0 / 2h / strict / per_conn
         message     = Number of failed recipients exceeded.  Come back in a few hours.

I am switching from Exim to Postfix and looking for a mechanism to block
these attacks.

--
John Schmerold
Katy Computer Systems, Inc
https://katycomputer.com
St Louis


Re: Dictionary attacks

Wietse Venema
John Schmerold:
> What is the best way to protect against dictionary attacks in Postfix?
 
Reportedly, fail2ban (no first-hand experience, because I have no
SASL clients).

        Wietse

Re: Dictionary attacks

allenc


On 03/11/2019 02:42, Wietse Venema wrote:
> John Schmerold:
>> What is the best way to protect against dictionary attacks in Postfix?
>  
> Reportedly, fail2ban (no first-hand experience, because I have no
> SASL clients).
>
> Wietse
>

I run a home-brewed fail2ban look-alike; I find it almost as useful as postscreen.

Another mailing list suggests an ACL based on IP netblocks, to define a
"service area" where incoming AUTH connections are permitted.

Allen C

Re: Dictionary attacks

Wietse Venema
In reply to this post by Wietse Venema
Wietse Venema:
> John Schmerold:
> > What is the best way to protect against dictionary attacks in Postfix?
>  
> Reportedly, fail2ban (no first-hand experience, because I have no
> SASL clients).

Also, Postfix can rate-limit auth commands, on the assumption that
good users don't make lots of repeated login attempts.

        Wietse

http://www.postfix.org/postconf.5.html#smtpd_client_auth_rate_limit

smtpd_client_auth_rate_limit (default: 0)
    The maximal number of AUTH commands that any client is allowed
    to send to this service per time unit, regardless of whether
    or not Postfix actually accepts those commands. The time unit
    is specified with the anvil_rate_time_unit configuration
    parameter.

    By default, there is no limit on the number of AUTH commands that
    a client may send.

    To disable this feature, specify a limit of 0.

    WARNING: The purpose of this feature is to limit abuse. It must
    not be used to regulate legitimate mail traffic.

    This feature is available in Postfix 3.1 and later.

Re: Dictionary attacks

@lbutlr
On 03 Nov 2019, at 06:06, Wietse Venema <[hidden email]> wrote:

> Wietse Venema:
>> John Schmerold:
>>> What is the best way to protect against dictionary attacks in Postfix?
>>
>> Reportedly, fail2ban (no first-hand experience, because I have no
>> SASL clients).
>
> Also, Postfix can rate-limit auth commands, on the assumption that
> good users don't make lots of repeated login attempts.
>
> Wietse
>
> http://www.postfix.org/postconf.5.html#smtpd_client_auth_rate_limit
>
> smtpd_client_auth_rate_limit (default: 0)
>    The maximal number of AUTH commands that any client is allowed
>    to send to this service per time unit, regardless of whether
>    or not Postfix actually accepts those commands. The time unit
>    is specified with the anvil_rate_time_unit configuration
>    parameter.

That defaults to 60s so setting this to 3 would rate limit to three attempts per minute. That’s good to know.

That might be useful, though I am not sure I am seeing very fast auth attempts.

Still, it certainly can’t hurt.



Re: Dictionary attacks

John Schmerold
In reply to this post by Wietse Venema
On 11/2/2019 9:42 PM, Wietse Venema wrote:
> John Schmerold:
>> What is the best way to protect against dictionary attacks in Postfix?
>  
> Reportedly, fail2ban (no first-hand experience, because I have no
> SASL clients).
>
> Wietse

I am using Postfix as a filter in front of O365/cpanel/Google apps, we
are seeing a few dictionary attacks, I will experiment with fail2ban.

One site (Mergy.org), recommends adding this to
/etc/fail2ban/filters.d/postfix:
^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 450 4.1.1 .*Recipient address rejected: unverified address: unknown user:.*$

We'll see how it goes.


Re: Dictionary attacks

Phil Stracchino
In reply to this post by allenc
On 2019-11-03 05:24, Allen Coates wrote:

>
>
> On 03/11/2019 02:42, Wietse Venema wrote:
>> John Schmerold:
>>> What is the best way to protect against dictionary attacks in Postfix?
>>  
>> Reportedly, fail2ban (no first-hand experience, because I have no
>> SASL clients).
>>
>> Wietse
>>
>
> I run a home-brewed fail2ban look-alike; I find it almost as useful as postscreen.

I've been thinking about setting up exactly such a thing myself.  Trying
to figure out how to make fail2ban talk to a Shorewall firewall on a
different box is just too much of a pain for such a fundamentally simple
task.  It's like trying to set up a CNC mill when all you actually want
to do is file 2mm off a strike plate.


--
  Phil Stracchino
  Babylon Communications
  [hidden email]
  [hidden email]
  Landline: +1.603.293.8485
  Mobile:   +1.603.998.6958

Re: Dictionary attacks

lists@lazygranch.com
https://www.sshguard.net/
This is a simpler alternative to fail2ban. It has hooks for postfix and dovecot. The only disadvantage is SSHGuard isn't in my repo. You have to build it.

That said, I just use it for ssh. I use Anvil settings in postfix to slow down the occasional skid. Less is more. The desired email gets through. I don't see much in the way of dictionary attacks on my postfix.






Re: Dictionary attacks

Charles Sprickman
In reply to this post by Phil Stracchino

> On Nov 3, 2019, at 12:04 PM, Phil Stracchino <[hidden email]> wrote:
>
> On 2019-11-03 05:24, Allen Coates wrote:
>>
>>
>> On 03/11/2019 02:42, Wietse Venema wrote:
>>> John Schmerold:
>>>> What is the best way to protect against dictionary attacks in Postfix?
>>>
>>> Reportedly, fail2ban (no first-hand experience, because I have no
>>> SASL clients).
>>>
>>> Wietse
>>>
>>
>> I run a home-brewed fail2ban look-alike; I find it almost as useful as postscreen.
>
> I've been thinking about setting up exactly such a thing myself.  Trying
> to figure out how to make fail2ban talk to a Shorewall firewall on a
> different box is just too much of a pain for such a fundamentally simple
> task.  It's like trying to set up a CNC mill when all you actually want
> to do is file 2mm off a strike plate.

Yes.

And recently there was a change that broke old rules (this was for pf, not sure about other firewalls), and it was annoying. I also find the memory use kind of ludicrous for small/VPS hosts - 150MB for a table of banned IPs? Also it was more than happy to start with a good exit code when it failed to manipulate the firewall, which kind of scared the bejesus out of me and sent me investigating a pile of servers to see if that was happening elsewhere.

I wish there were more alternatives out there, although the maintenance burden of dealing with arbitrary logfile changes is probably a pain.

It’s crazy how the open source world has gone from railing against the Microsoft monoculture issue to creating their own (unintentionally but still…).

Charles


Re: Dictionary attacks

Bernardo Reino
In reply to this post by Phil Stracchino
On Sun, 3 Nov 2019, Phil Stracchino wrote:

> On 2019-11-03 05:24, Allen Coates wrote:
>>
>>
>> On 03/11/2019 02:42, Wietse Venema wrote:
>>> John Schmerold:
>>>> What is the best way to protect against dictionary attacks in Postfix?
>>>
>>> Reportedly, fail2ban (no first-hand experience, because I have no
>>> SASL clients).
>>>
>>> Wietse
>>>
>>
>> I run a home-brewed fail2ban look-alike; I find it almost as useful as postscreen.
>
> I've been thinking about setting up exactly such a thing myself.  Trying
> to figure out how to make fail2ban talk to a Shorewall firewall on a
> different box is just too much of a pain for such a fundamentally simple
> task.  It's like trying to set up a CNC mill when all you actually want
> to do is file 2mm off a strike plate.

If you can do it locally, you can do it remotely (via ssh), like:

ssh remote-box whatever_local_shorewall_command

with fail2ban it's very easy to add customized actions for block/unblock.


Re: Dictionary attacks

Bernardo Reino
In reply to this post by John Schmerold
On Sun, 3 Nov 2019, John Schmerold wrote:

> On 11/2/2019 9:42 PM, Wietse Venema wrote:
>> John Schmerold:
>>> What is the best way to protect against dictionary attacks in Postfix?
>>   Reportedly, fail2ban (no first-hand experience, because I have no
>> SASL clients).
>>
>> Wietse
>
> I am using Postfix as a filter in front of O365/cpanel/Google apps, we are
> seeing a few dictionary attacks, I will experiment with fail2ban.
>
> One site (Mergy.org), recommends adding this to
> /etc/fail2ban/filters.d/postfix:
> ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 450 4.1.1 .*
> Recipient address rejected: unverified address: unknown user:.*$
>
> We'll see how it goes.

fail2ban includes (at least in debian buster) a suitable rule in
postfix-sasl.conf, viz.:

failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(:[ A-Za-z0-9+/:]*={0,2})?\s*$

It works fine to block random bots trying to authenticate as a user
(whether the user exists or not).
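Added example (not code from this thread, and not fail2ban's own code): a small script that runs the two failregexes quoted in this thread (John's unverified-recipient rule and the postfix-sasl rule above), plus a third of our own for the "AUTH command rate limit exceeded" warning that Wietse's smtpd_client_auth_rate_limit produces, over constructed Postfix log lines and applies fail2ban's maxretry/findtime logic to decide who gets banned. fail2ban filters are Python regular expressions, so Python reproduces the matching faithfully. Assumptions: the __prefix_line and <HOST> expansions are simplified stand-ins for fail2ban's, the sample log lines are constructed, and the Debian rule's mid-pattern (?i) is written as a scoped (?i:...) group because Python 3.11 and later reject a global flag that is not at the start of the expression.

```python
"""fail2ban-style matching and banning over Postfix log lines (added example).

Not code from the thread or from fail2ban. The __prefix_line/<HOST> stand-ins,
the "ratelimit" rule and the sample log are assumptions for this example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Simplified stand-in for fail2ban's %(__prefix_line)s, matched after the
# syslog timestamp is split off: optional hostname, optional "postfix/smtpd[pid]:".
PREFIX_LINE = r"\s*(?:\S+\s+)?(?:postfix(?:/\S+)?\[\d+\]:\s+)?"
# Simplified stand-in for fail2ban's <HOST> tag.
HOST = r"(?P<host>[\w.:-]+)"
SYSLOG_TS = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<rest>.*)$")

FAILREGEXES = {
    # Debian's postfix-sasl rule from the thread; its "((?i)LOGIN|...)" group is
    # written as the equivalent "(?i:LOGIN|...)" because Python 3.11+ rejects a
    # global flag in the middle of a pattern.
    "sasl": (r"^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL "
             r"(?i:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed"
             r"(:[ A-Za-z0-9+/:]*={0,2})?\s*$"),
    # The unverified-recipient rule John quoted (recipient dictionary attacks).
    "rcpt": (r"^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: "
             r"450 4.1.1 .*Recipient address rejected: unverified address: "
             r"unknown user:.*$"),
    # Our own rule (assumption): the warning Postfix logs once
    # smtpd_client_auth_rate_limit is exceeded, so the anvil limit and the
    # log-based ban reinforce each other.
    "ratelimit": (r"^%(__prefix_line)swarning: AUTH command rate limit "
                  r"exceeded: \d+ from \S+\[<HOST>\] for service \S+$"),
}


def compile_failregex(pattern):
    """Expand the two fail2ban placeholders and compile the pattern."""
    return re.compile(pattern.replace("%(__prefix_line)s", PREFIX_LINE)
                             .replace("<HOST>", HOST))


COMPILED = {name: compile_failregex(p) for name, p in FAILREGEXES.items()}


def match_line(line):
    """Return (rule name, host, timestamp) for a failing line, else None."""
    m = SYSLOG_TS.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")  # year-less, like syslog
    for name, rx in COMPILED.items():
        hit = rx.match(m.group("rest"))
        if hit:
            return name, hit.group("host"), ts
    return None


def scan(lines, maxretry=3, findtime=600):
    """Return (banned hosts, per-host failure counts), fail2ban-style:
    a host is banned once it has `maxretry` failures within `findtime` seconds."""
    recent = defaultdict(deque)   # host -> timestamps still inside the window
    counts = defaultdict(int)
    banned = set()
    for line in lines:
        hit = match_line(line)
        if hit is None:
            continue
        _rule, host, ts = hit
        counts[host] += 1
        window = recent[host]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry:
            banned.add(host)
    return banned, dict(counts)


# Constructed sample log (not from the thread): a recipient probe, a rate-limit
# warning and a much later SASL failure from 203.0.113.7; a burst of three SASL
# failures from 198.51.100.9; one unrelated connect line.
SAMPLE_LOG = [
    'Nov  3 10:12:01 mail postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 450 4.1.1 <bob@example.com>: Recipient address rejected: unverified address: unknown user: "bob"; from=<x@example.net> to=<bob@example.com> proto=ESMTP helo=<scanner>',
    "Nov  3 10:12:05 mail postfix/smtpd[1235]: warning: unknown[198.51.100.9]: SASL LOGIN authentication failed: UGFzc3dvcmQ6",
    "Nov  3 10:12:06 mail postfix/smtpd[1235]: warning: unknown[198.51.100.9]: SASL PLAIN authentication failed: authentication failure",
    "Nov  3 10:12:09 mail postfix/smtpd[1236]: warning: unknown[198.51.100.9]: SASL LOGIN authentication failed: UGFzc3dvcmQ6",
    "Nov  3 10:12:30 mail postfix/smtpd[1237]: warning: AUTH command rate limit exceeded: 4 from unknown[203.0.113.7] for service smtp",
    "Nov  3 10:13:00 mail postfix/smtpd[1238]: connect from mail.example.org[192.0.2.10]",
    "Nov  3 10:40:00 mail postfix/smtpd[1239]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6",
]

if __name__ == "__main__":
    banned, counts = scan(SAMPLE_LOG)
    for host, n in sorted(counts.items()):
        print(f"{host:15} failures={n} {'BAN' if host in banned else 'ok'}")
```

Run directly, it prints one verdict per host. With the defaults the burst from 198.51.100.9 is banned and the slow host is not, even though it has as many hits: three failures spread over half an hour never sit inside a 600-second window. That is the trade-off behind maxretry and findtime; lowering the one or raising the other catches slower probing at the cost of banning a user who mistypes a password a couple of times.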


Re: Dictionary attacks

Phil Stracchino
In reply to this post by Bernardo Reino
On 2019-11-03 14:21, Bernardo Reino wrote:

> On Sun, 3 Nov 2019, Phil Stracchino wrote:
>> I've been thinking about setting up exactly such a thing myself.  Trying
>> to figure out how to make fail2ban talk to a Shorewall firewall on a
>> different box is just too much of a pain for such a fundamentally simple
>> task.  It's like trying to set up a CNC mill when all you actually want
>> to do is file 2mm off a strike plate.
>
> If you can do it locally, you can do it remotely (via ssh), like:
>
> ssh remote-box whatever_local_shorewall_command

I assumed that was the approach to use, but I found fail2ban's
configuration and documentation opaque and confusing, and couldn't find
a good how-to that explained how to set it up.  It was enough of a
headache that I decided my time was probably better spent building
something simple and lightweight purpose-built to do exactly what I want
it to than in trying to figure out the right subset of many complex
configuration options for a tool designed to do a whole lot of things I
don't actually need it to do.




Re: Dictionary attacks

@lbutlr
In reply to this post by lists@lazygranch.com
On 03 Nov 2019, at 11:03, lists <[hidden email]> wrote:
> https://www.sshguard.net/
> This is a simpler alternative to fail2ban. It has hooks for postfix and dovecot.

Yep, that’s what I use. It doesn’t have all the options of Fail2Ban, but that’s fine, it does what I need most.

(I have used fail2ban also)

> The only disadvantage is SSHGuard isn't in my repo. You have to build it.
>
> That said, I just use it for ssh. I use Anvil settings in postfix to slow down the occasional skid. Less is more. The desired email gets through. I don't see much in the way of dictionary attacks on my postfix.

Lots of failed logins get banned. That’s fine with me.




--
Well there are certain sections of New York, Major, that I wouldn't
advise you to try to invade


Re: Dictionary attacks

Bernardo Reino
In reply to this post by Phil Stracchino
On Sun, 3 Nov 2019, Phil Stracchino wrote:

> On 2019-11-03 14:21, Bernardo Reino wrote:
>> On Sun, 3 Nov 2019, Phil Stracchino wrote:
>>> I've been thinking about setting up exactly such a thing myself.  Trying
>>> to figure out how to make fail2ban talk to a Shorewall firewall on a
>>> different box is just too much of a pain for such a fundamentally simple
>>> task.  It's like trying to set up a CNC mill when all you actually want
>>> to do is file 2mm off a strike plate.
>>
>> If you can do it locally, you can do it remotely (via ssh), like:
>>
>> ssh remote-box whatever_local_shorewall_command
>
> I assumed that was the approach to use, but I found fail2ban's
> configuration and documentation opaque and confusing, and couldn't find
> a good how-to that explained how to set it up.  It was enough of a
> headache that I decided my time was probably better spent building
> something simple and lightweight purpose-built to do exactly what I want
> it to than in trying to figure out the right subset of many complex
> configuration options for a tool designed to do a whole lot of things I
> don't actually need it to do.

You can create a custom action like:
$ cat /etc/fail2ban/action.d/local_action.conf
[Definition]
actionban   = /usr/local/sbin/fail2ban_action.sh add <ip>
actionunban = /usr/local/sbin/fail2ban_action.sh delete <ip>
actioncheck =
actionstart =
actionstop =

[Init]
$

(exactly as is, the "<ip>" will then be replaced by fail2ban with the IP
to be blocked/unblocked).

Then in /usr/local/sbin/fail2ban_action.sh you write whatever you need to
add or delete an IP from the filter.

In my case it is:

$ cat /usr/local/sbin/fail2ban_action.sh
#!/bin/sh

# nftables, set = fail2ban
nft $1 element inet filter fail2ban { $2 } 2>&1

exit 0
$

If the firewall were remote instead of local, I would just change the
nft invocation to "ssh firewall nft ..."

Once set, you only need to adapt your /etc/fail2ban/jail.local to use

--
banaction = local_action
--
(or whatever name you choose for the action .conf file)

and of course, if not done already, enable the [sasl] module, like:

--
[sasl]
enabled   = true
port      = smtp,smtps,submission
filter    = postfix-sasl
logpath   = /var/log/mail.log
--

Hope that helps!
Good luck.
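A hardened version of the action script from the post above, as an added example (not Bernardo's script and not fail2ban code). It keeps the same calling convention, verb then IP, so the action.d entry becomes actionban = /usr/local/sbin/fail2ban_action.py add <ip> and actionunban = ... delete <ip> (path assumed). The differences matter for the failure mode Charles describes earlier in the thread: it accepts only add/delete and a syntactically valid IP address, routes IPv4 and IPv6 to separate sets (the set names fail2ban/fail2ban6 are assumptions; the table inet filter is the one from the post), and returns nft's exit status instead of an unconditional exit 0, so a ban that never reached the firewall is reported to fail2ban as a failure rather than a success.

```python
"""Hardened fail2ban custom action for an nftables set (added example).

Not Bernardo's script and not fail2ban code. Table "inet filter" is from the
thread; the set names and the install path are assumptions.
"""
import ipaddress
import subprocess
import sys

TABLE = ("inet", "filter")                 # table from the thread
SETS = {4: "fail2ban", 6: "fail2ban6"}     # assumed set names, one per address family
VERBS = ("add", "delete")                  # what actionban / actionunban pass


def build_nft_command(verb, address):
    """Validate both arguments and return the nft argv list (no shell involved)."""
    if verb not in VERBS:
        raise ValueError(f"unsupported verb {verb!r}")
    ip = ipaddress.ip_address(address)     # ValueError on anything that is not an IP
    return ["nft", verb, "element", *TABLE, SETS[ip.version], f"{{ {ip} }}"]


def run(argv, runner=lambda cmd: subprocess.run(cmd).returncode):
    """Execute the action and return the exit status to hand back to fail2ban.

    2 means the arguments were refused; otherwise it is nft's own status, so a
    failed firewall update is visible in fail2ban's log instead of hidden.
    """
    try:
        cmd = build_nft_command(*argv)
    except (TypeError, ValueError) as exc:
        print(f"fail2ban_action: refused {argv!r}: {exc}", file=sys.stderr)
        return 2
    status = runner(cmd)
    if status != 0:
        print(f"fail2ban_action: {' '.join(cmd)} exited {status}", file=sys.stderr)
    return status


if __name__ == "__main__":
    sys.exit(run(sys.argv[1:]))
```

The braces are passed as a single argv element; nft joins its arguments with spaces before parsing, so this is the same command the shell version issues, without a shell in between. The `runner` parameter exists so the decision logic can be exercised without nftables present.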

Re: Dictionary attacks

Phil Stracchino
On 2019-11-04 03:32, Bernardo Reino wrote:



Thanks for the mini-howto, Bernardo!  I'll give it another try.



Re: Dictionary attacks

Olivier Nicole-2
In reply to this post by John Schmerold
Matus UHLAR - fantomas <[hidden email]> writes:

> I'm afraid it won't even help much - seems that dictionary attacks work much
> slower.

Not all of them are slow:

Nov  5 06:19:35 mail postfix/smtpd[28906]: warning: AUTH command rate limit exceeded: 4 from unknown[106.58.210.27] for service smtp
Nov  5 06:19:36 mail postfix/smtpd[29057]: warning: AUTH command rate limit exceeded: 5 from unknown[106.58.210.27] for service smtp
Nov  5 06:24:50 mail postfix/smtpd[29584]: warning: AUTH command rate limit exceeded: 4 from unknown[45.82.153.76] for service smtps
Nov  5 06:31:34 mail postfix/smtpd[29931]: warning: AUTH command rate limit exceeded: 4 from unknown[141.98.80.102] for service smtps
Nov  5 06:31:34 mail postfix/smtpd[29932]: warning: AUTH command rate limit exceeded: 5 from unknown[141.98.80.102] for service smtps
Nov  5 06:31:34 mail postfix/smtpd[29933]: warning: AUTH command rate limit exceeded: 6 from unknown[141.98.80.102] for service smtps
Nov  5 06:31:34 mail postfix/smtpd[29929]: warning: AUTH command rate limit exceeded: 7 from unknown[141.98.80.102] for service smtps
Nov  5 06:31:34 mail postfix/smtpd[29930]: warning: AUTH command rate limit exceeded: 8 from unknown[141.98.80.102] for service smtps
Nov  5 06:31:34 mail postfix/smtpd[29934]: warning: AUTH command rate limit exceeded: 9 from unknown[141.98.80.102] for service smtps
Nov  5 06:31:34 mail postfix/smtpd[29935]: warning: AUTH command rate limit exceeded: 10 from unknown[141.98.80.102] for service smtps
Nov  5 06:31:38 mail postfix/smtpd[29933]: warning: AUTH command rate limit exceeded: 11 from unknown[141.98.80.102] for service smtps
Nov  5 06:31:38 mail postfix/smtpd[29932]: warning: AUTH command rate limit exceeded: 12 from unknown[141.98.80.102] for service smtps
Nov  5 06:31:39 mail postfix/smtpd[29931]: warning: AUTH command rate limit exceeded: 13 from unknown[141.98.80.102] for service smtps


Best regards,

Olivier

