Was the Dovecot working well?


Was the Dovecot working well?

vod vos
Hi,

when I read the mail.log, I found:

Nov 14 14:45:45 mail dovecot: pop3-login: Disconnected (no auth attempts in 2 secs): user=<>, rip=96.126.111.38, lip=108.61.22.11, TLS handshaking: SSL_accept() syscall failed: Connection reset by peer, session=<WEd2MD1B/Mdgfm8m>
Nov 14 14:45:47 mail dovecot: pop3-login: Disconnected (no auth attempts in 2 secs): user=<>, rip=96.126.111.38, lip=108.61.22.11, TLS handshaking: SSL_accept() syscall failed: Connection reset by peer, session=<H42OMD1BZslgfm8m>
Nov 14 14:45:47 mail dovecot: pop3-login: Error: SSL: Stacked error: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request
Nov 14 14:45:47 mail dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=96.126.111.38, lip=108.61.22.11, TLS handshaking: SSL_accept() failed: Unknown error, session=<rQ6QMD1BxMpgfm8m>
Nov 14 14:45:47 mail dovecot: pop3-login: Error: SSL: Stacked error: error:1408A10B:SSL routines:ssl3_get_client_hello:wrong version number
Nov 14 14:45:47 mail dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=96.126.111.38, lip=108.61.22.11, TLS handshaking: SSL_accept() failed: Unknown error, session=<3DqTMD1BKstgfm8m>
Nov 14 14:45:49 mail dovecot: pop3-login: Disconnected (no auth attempts in 2 secs): user=<>, rip=96.126.111.38, lip=108.61.22.11, TLS, session=<CCqyMD1BdMtgfm8m>

Was Dovecot working well?
Are there any good solutions to forbid this kind of behavior, to enhance the mail server?

thanks.

Re: Was the Dovecot working well?

Sean Greenslade
On Mon, Nov 14, 2016 at 06:39:08PM -0800, vod vos wrote:

> Hi,
>
> when I read the mail.log, I found:
>
> Nov 14 14:45:45 mail dovecot: pop3-login: Disconnected (no auth attempts in 2 secs): user=<>, rip=96.126.111.38, lip=108.61.22.11, TLS handshaking: SSL_accept() syscall failed: Connection reset by peer, session=<WEd2MD1B/Mdgfm8m>
> Nov 14 14:45:47 mail dovecot: pop3-login: Disconnected (no auth attempts in 2 secs): user=<>, rip=96.126.111.38, lip=108.61.22.11, TLS handshaking: SSL_accept() syscall failed: Connection reset by peer, session=<H42OMD1BZslgfm8m>
> Nov 14 14:45:47 mail dovecot: pop3-login: Error: SSL: Stacked error: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request
> Nov 14 14:45:47 mail dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=96.126.111.38, lip=108.61.22.11, TLS handshaking: SSL_accept() failed: Unknown error, session=<rQ6QMD1BxMpgfm8m>
> Nov 14 14:45:47 mail dovecot: pop3-login: Error: SSL: Stacked error: error:1408A10B:SSL routines:ssl3_get_client_hello:wrong version number
> Nov 14 14:45:47 mail dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=96.126.111.38, lip=108.61.22.11, TLS handshaking: SSL_accept() failed: Unknown error, session=<3DqTMD1BKstgfm8m>
> Nov 14 14:45:49 mail dovecot: pop3-login: Disconnected (no auth attempts in 2 secs): user=<>, rip=96.126.111.38, lip=108.61.22.11, TLS, session=<CCqyMD1BdMtgfm8m>
>
> Was Dovecot working well?
>
> Are there any good solutions to forbid this kind of behavior, to enhance the mail server?

Do you know whether these were actual login attempts? Because these
look like typical port scans that you'll see from time to time.
According to this site, that's an IP that's known for port scanning:

https://www.abuseipdb.com/check/96.126.111.38

I wouldn't worry too much about them.

--Sean
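Sean's distinction between a connection that never sent credentials and an actual login attempt can be checked mechanically rather than by eye. The script below is an added example written for this page, not code from the thread or from Dovecot: it parses Dovecot's login-process "Disconnected" lines, separates TLS-handshake probes and pre-AUTH hang-ups from genuine "auth failed" sessions, and tallies both per remote IP. The first four sample lines are the ones quoted in the post; the two "auth failed" lines, their session IDs and the RFC 5737 test address 203.0.113.7 are constructed for the example, in the format Dovecot uses when it logs a rejected login.

```python
import re
from collections import defaultdict
from typing import NamedTuple, Optional

# Constructed sample: the first four lines are quoted from the post above,
# the last two are made-up "auth failed" lines (test address 203.0.113.7)
# in Dovecot's rejected-login format, so both cases appear side by side.
SAMPLE_LOG = """\
Nov 14 14:45:45 mail dovecot: pop3-login: Disconnected (no auth attempts in 2 secs): user=<>, rip=96.126.111.38, lip=108.61.22.11, TLS handshaking: SSL_accept() syscall failed: Connection reset by peer, session=<WEd2MD1B/Mdgfm8m>
Nov 14 14:45:47 mail dovecot: pop3-login: Error: SSL: Stacked error: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request
Nov 14 14:45:47 mail dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=96.126.111.38, lip=108.61.22.11, TLS handshaking: SSL_accept() failed: Unknown error, session=<rQ6QMD1BxMpgfm8m>
Nov 14 14:45:49 mail dovecot: pop3-login: Disconnected (no auth attempts in 2 secs): user=<>, rip=96.126.111.38, lip=108.61.22.11, TLS, session=<CCqyMD1BdMtgfm8m>
Nov 14 15:02:10 mail dovecot: imap-login: Disconnected (auth failed, 3 attempts in 9 secs): user=<info>, method=PLAIN, rip=203.0.113.7, lip=108.61.22.11, TLS, session=<constructed0001>
Nov 14 15:02:31 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 4 secs): user=<admin>, method=PLAIN, rip=203.0.113.7, lip=108.61.22.11, TLS, session=<constructed0002>
"""


class Event(NamedTuple):
    rip: str        # remote IP, Dovecot's rip=
    user: str       # login name the client sent, "" if it never got that far
    kind: str       # "tls_probe", "no_auth", "auth_failed" or "other"
    attempts: int   # rejected password attempts in this session


# "<svc>-login: Disconnected (<reason>): user=<..>, ..., rip=<ip>, ..."
DISCONNECT_RE = re.compile(
    r"dovecot: (?P<svc>\w+-login): Disconnected \((?P<reason>[^)]*)\): "
    r"user=<(?P<user>[^>]*)>.*?\brip=(?P<rip>[0-9A-Fa-f.:]+)"
)
AUTH_FAILED_RE = re.compile(r"auth failed, (?P<n>\d+) attempts")


def classify(line: str) -> Optional[Event]:
    """Classify one log line. Returns None for lines that are not a
    disconnect, e.g. the 'Error: SSL: Stacked error' lines, which carry no rip=."""
    m = DISCONNECT_RE.search(line)
    if m is None:
        return None
    reason = m.group("reason")
    failed = AUTH_FAILED_RE.search(reason)
    if failed:
        # Credentials were actually sent and rejected: password guessing.
        return Event(m.group("rip"), m.group("user"), "auth_failed", int(failed.group("n")))
    if reason.startswith("no auth attempts"):
        # The client never reached AUTH. If the TLS handshake itself failed
        # it is a scanner, an HTTP/plaintext probe or a wrong-protocol
        # client; if TLS completed it may just be an interrupted real client.
        kind = "tls_probe" if "TLS handshaking:" in line else "no_auth"
        return Event(m.group("rip"), m.group("user"), kind, 0)
    return Event(m.group("rip"), m.group("user"), "other", 0)


def summarize(lines):
    """Per remote IP: count of each disconnect kind, total rejected attempts
    and the set of user names tried."""
    per_ip = defaultdict(lambda: {"tls_probe": 0, "no_auth": 0, "auth_failed": 0,
                                  "other": 0, "attempts": 0, "users": set()})
    for line in lines:
        ev = classify(line)
        if ev is None:
            continue
        stats = per_ip[ev.rip]
        stats[ev.kind] += 1
        stats["attempts"] += ev.attempts
        if ev.user:
            stats["users"].add(ev.user)
    return per_ip


def verdict(stats) -> str:
    """One-line reading of the counts for a single remote IP."""
    if stats["attempts"] > 0:
        return "credential guessing (%d rejected attempts, users %s)" % (
            stats["attempts"], sorted(stats["users"]))
    if stats["tls_probe"] > 0:
        return "scan/probe: TLS handshake never completed, no credentials sent"
    return "no credentials sent: interrupted client or idle probe"


if __name__ == "__main__":
    for ip, stats in summarize(SAMPLE_LOG.splitlines()).items():
        print(ip, verdict(stats))
```

Run against a real `mail.log`, `summarize(open("/var/log/mail.log"))` gives you the per-IP picture in one pass: an address with many `tls_probe` entries and zero `attempts` is the pattern in the original post, and only addresses with a non-zero `attempts` total are worth any blocking decision.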


Re: Was the Dovecot working well?

vod vos
So, are there any configurations to auto-ban this kind of visit, like Postfix postscreen?

Or should I write firewall rules to do the job?


---- On Monday, 14 November 2016 19:23:53 -0800, Sean Greenslade <[hidden email]> wrote ----

> On Mon, Nov 14, 2016 at 06:39:08PM -0800, vod vos wrote:
>> Hi,
>>
>> when I read the mail.log, I found:
>>
>> Nov 14 14:45:45 mail dovecot: pop3-login: Disconnected (no auth attempts in 2 secs): user=<>, rip=96.126.111.38, lip=108.61.22.11, TLS handshaking: SSL_accept() syscall failed: Connection reset by peer, session=<WEd2MD1B/Mdgfm8m>
>> Nov 14 14:45:47 mail dovecot: pop3-login: Disconnected (no auth attempts in 2 secs): user=<>, rip=96.126.111.38, lip=108.61.22.11, TLS handshaking: SSL_accept() syscall failed: Connection reset by peer, session=<H42OMD1BZslgfm8m>
>> Nov 14 14:45:47 mail dovecot: pop3-login: Error: SSL: Stacked error: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request
>> Nov 14 14:45:47 mail dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=96.126.111.38, lip=108.61.22.11, TLS handshaking: SSL_accept() failed: Unknown error, session=<rQ6QMD1BxMpgfm8m>
>> Nov 14 14:45:47 mail dovecot: pop3-login: Error: SSL: Stacked error: error:1408A10B:SSL routines:ssl3_get_client_hello:wrong version number
>> Nov 14 14:45:47 mail dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=96.126.111.38, lip=108.61.22.11, TLS handshaking: SSL_accept() failed: Unknown error, session=<3DqTMD1BKstgfm8m>
>> Nov 14 14:45:49 mail dovecot: pop3-login: Disconnected (no auth attempts in 2 secs): user=<>, rip=96.126.111.38, lip=108.61.22.11, TLS, session=<CCqyMD1BdMtgfm8m>
>>
>> Was Dovecot working well?
>>
>> Are there any good solutions to forbid this kind of behavior, to enhance the mail server?
>
> Do you know whether these were actual login attempts? Because these
> look like typical port scans that you'll see from time to time.
> According to this site, that's an IP that's known for port scanning:
>
> I wouldn't worry too much about them.
>
> --Sean



Re: Was the Dovecot working well?

Sean Greenslade
On Mon, Nov 14, 2016 at 08:21:24PM -0800, vod vos wrote:
> so are there any configurations to auto ban this kind of visit, like postfix postscreen?
>
> or, I should write firewall rules to do the job?

I don't know if dovecot provides such functionality. I personally don't
bother, since it quickly becomes a game of whack-a-mole. Plus, it's not
always a malicious event. If the connection gets interrupted before the
client sends its auth credentials, it looks the same as this type of
scan.

Basically, make sure users are using good, secure passwords, and make
sure your software is all up to date.

--Sean


Re: Was the Dovecot working well?

lists@lazygranch.com
I've run scripts on my logs regarding login attempts. Typically they try "info@" since many websites have that account. (I don't.) They seem to "snowshoe" the attacks. Usually 3 guesses, then they go away. The most I had was 5.

Considering the IP address could be shared with someone not hacking, I figured it was a waste of time to set up any intelligent blocking. (And those on this list know I am paranoid.)

Note that sshguard can parse the postfix log. I do let it do that, but don't use the sshguard table to block mail ports. Again, you could be blocking someone innocent. (I certainly block 22.) I figure anyone hacking mail would hack ssh.

I suppose it wouldn't hurt to block submission with that table.

---- Original Message ----
From: Sean Greenslade
Sent: Monday, November 14, 2016 8:40 PM
To: vod vos
Cc: postfix-users
Subject: Re: Was the Dovecot working well?

> On Mon, Nov 14, 2016 at 08:21:24PM -0800, vod vos wrote:
>> So, are there any configurations to auto-ban this kind of visit, like Postfix postscreen?
>>
>> Or should I write firewall rules to do the job?
>
> I don't know if dovecot provides such functionality. I personally don't
> bother, since it quickly becomes a game of whack-a-mole. Plus, it's not
> always a malicious event. If the connection gets interrupted before the
> client sends its auth credentials, it looks the same as this type of
> scan.
>
> Basically, make sure users are using good, secure passwords, and make
> sure your software is all up to date.
>
> --Sean


Re: Was the Dovecot working well?

Ron Wheeler
Fail2ban might be able to do the whack-a-mole in a sensible manner that
allowed for innocent interruptions but banned the bad guys

Ron
On 14/11/2016 11:39 PM, Sean Greenslade wrote:
> On Mon, Nov 14, 2016 at 08:21:24PM -0800, vod vos wrote:
>> So, are there any configurations to auto-ban this kind of visit, like Postfix postscreen?
>>
>> Or should I write firewall rules to do the job?
> I don't know if dovecot provides such functionality. I personally don't
> bother, since it quickly becomes a game of whack-a-mole. Plus, it's not
> always a malicious event. If the connection gets interrupted before the
> client sends its auth credentials, it looks the same as this type of
> scan.
>
> Basically, make sure users are using good, secure passwords, and make
> sure your software is all up to date.
>
> --Sean

--
Ron Wheeler
President
Artifact Software Inc
email: [hidden email]
skype: ronaldmwheeler
phone: 866-970-2435, ext 102


Re: Was the Dovecot working well?

Sean Greenslade
On Tue, Nov 15, 2016 at 04:21:17AM -0500, Ron Wheeler wrote:
> Fail2ban might be able to do the whack-a-mole in a sensible manner that
> allowed for innocent interruptions but banned the bad guys

For the kind of attempts I typically see, F2B won't do much. It's
usually not a brute force type of attack. Generally it's only a single
connection that either attempts to fingerprint the server (checking for
known vulns) or just tries a few "easy" passwords (e.g. root/root,
pi/raspberry).

I would suggest simple connection rate limiting and enforcing strong
passwords as a better (in my opinion) option.

--Sean


Re: Was the Dovecot working well?

Ron Wheeler
On 15/11/2016 9:52 PM, Sean Greenslade wrote:
> On Tue, Nov 15, 2016 at 04:21:17AM -0500, Ron Wheeler wrote:
>> Fail2ban might be able to do the whack-a-mole in a sensible manner that
>> allowed for innocent interruptions but banned the bad guys
> For the kind of attempts I typically see, F2B won't do much. It's
> usually not a brute force type of attack. Generally it's only a single
> connection that either attempts to fingerprint the server (checking for
> known vulns) or just tries a few "easy" passwords (e.g. root/root,
> pi/raspberry).
F2B is pretty flexible.
You can say that any IP that fails to log in as root or pi 3 times in a
week should be banned for a month, or forever if you really see a subtle
attack.
You have control of the frequency of log messages that constitute an attack.

You can look for any string in the log, so you can watch for the
vulnerability probes as well as login attempts.

Ron
> I would suggest simple connection rate limiting and enforcing strong
> passwords as a better (in my opinion) option.
>
> --Sean


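Ron's point that fail2ban's thresholds are tunable per pattern, and Sean's objection earlier in the thread that an interrupted legitimate client logs the same "no auth attempts" line as a probe, can both be honoured by counting only sessions in which a password was actually rejected. The script below is an added example written for this page, not fail2ban's own code: it simulates the maxretry/findtime/bantime decision that a fail2ban jail makes, with two rules, a default one using jail.conf's stock numbers (5 failures in 10 minutes, 10-minute ban) and Ron's stricter one (root or pi rejected 3 times in a week, banned for a month). The event stream, the `kind` labels and the addresses 203.0.113.7, 198.51.100.9 and 192.0.2.5 are constructed for the example; 96.126.111.38 is the scanner from the original post.

```python
from collections import defaultdict, deque
from typing import NamedTuple, Optional, Tuple


class Rule(NamedTuple):
    name: str
    maxretry: int                 # this many counted failures ...
    findtime: int                 # ... within this many seconds ...
    bantime: int                  # ... bans the IP for this many seconds
    kinds: Tuple[str, ...]        # event kinds that count as a failure
    users: Optional[frozenset] = None   # restrict to these login names (None = any)


# Same knobs and stock values as fail2ban's jail.conf defaults. Only
# "auth_failed" counts, so a client that drops before AUTH is never banned.
DEFAULT = Rule("dovecot-default", 5, 600, 600, ("auth_failed",))
# Ron's rule: root or pi rejected 3 times in a week => banned for a month.
BAIT_USERS = Rule("bait-users", 3, 7 * 86400, 30 * 86400, ("auth_failed",),
                  frozenset({"root", "pi"}))


class Jail:
    def __init__(self, rules):
        self.rules = list(rules)
        # rule name -> ip -> timestamps of counted failures (sliding window)
        self.hits = {r.name: defaultdict(deque) for r in self.rules}
        self.bans = {}   # ip -> (expiry time, rule name)

    def is_banned(self, ip, now):
        ban = self.bans.get(ip)
        return ban is not None and now < ban[0]

    def feed(self, t, ip, user, kind):
        """Record one event; return the name of the rule that banned ip at
        this event, or None. Events for an already-banned IP are ignored."""
        if self.is_banned(ip, t):
            return None
        decided = None
        for rule in self.rules:
            if kind not in rule.kinds or (rule.users is not None and user not in rule.users):
                continue
            window = self.hits[rule.name][ip]
            window.append(t)
            while window and window[0] < t - rule.findtime:   # drop hits outside findtime
                window.popleft()
            if len(window) >= rule.maxretry:
                window.clear()
                until = t + rule.bantime
                # if two rules fire on the same event, the longer ban wins
                if decided is None or until > self.bans[ip][0]:
                    self.bans[ip] = (until, rule.name)
                    decided = rule.name
        return decided


# Constructed event stream: (time in seconds, remote IP, user, kind), where
# kind is "auth_failed" (password sent and rejected) or "no_auth" (closed
# before AUTH, like the TLS probes in the original post).
SCANNER, GUESSER, SNOWSHOE, INNOCENT = "96.126.111.38", "203.0.113.7", "198.51.100.9", "192.0.2.5"
EVENTS = [
    (0, SCANNER, "", "no_auth"), (2, SCANNER, "", "no_auth"),      # TLS probes, never AUTH
    (2, SCANNER, "", "no_auth"), (4, SCANNER, "", "no_auth"),
    (100, GUESSER, "info", "auth_failed"), (105, GUESSER, "info", "auth_failed"),
    (110, GUESSER, "info", "auth_failed"), (115, GUESSER, "info", "auth_failed"),
    (120, GUESSER, "info", "auth_failed"), (125, GUESSER, "info", "auth_failed"),
    (500, INNOCENT, "alice", "auth_failed"),    # one typo ...
    (510, INNOCENT, "alice", "no_auth"),        # ... then a dropped connection
    (1000, SNOWSHOE, "root", "auth_failed"),    # one guess per day: below 5-in-10-min
    (3000, INNOCENT, "alice", "auth_failed"),
    (1000 + 86400, SNOWSHOE, "root", "auth_failed"),
    (1000 + 2 * 86400, SNOWSHOE, "pi", "auth_failed"),
]


def run(events, rules=(DEFAULT, BAIT_USERS)):
    """Feed events in time order; return the jail and the ban decisions as
    (time, ip, rule name) tuples."""
    jail = Jail(rules)
    decisions = []
    for t, ip, user, kind in sorted(events, key=lambda e: e[0]):
        fired = jail.feed(t, ip, user, kind)
        if fired:
            decisions.append((t, ip, fired))
    return jail, decisions


if __name__ == "__main__":
    for t, ip, rule in run(EVENTS)[1]:
        print("t=%d ban %s by %s" % (t, ip, rule))
```

The scanner from the post is never banned because it never sends a password, the "alice" client with one typo and one dropped connection is never banned either, the bulk guesser hits the stock 5-in-10-minutes rule, and the one-guess-a-day snowshoe is caught only by the week-long bait-user window, which is the case Ron describes and the stock rule misses. Before enabling an equivalent real fail2ban jail, check the shipped dovecot filter's failregex against a "no auth attempts" line like the ones above so that the jail counts only the lines you intend.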


Re: Was the Dovecot working well?

vod vos
I hope the fail2ban default ban rule will work,

or should we add some more rules to it?


---- On Tuesday, 15 November 2016 19:11:41 -0800, Ron Wheeler <[hidden email]> wrote ----

> On 15/11/2016 9:52 PM, Sean Greenslade wrote:
>> On Tue, Nov 15, 2016 at 04:21:17AM -0500, Ron Wheeler wrote:
>>> Fail2ban might be able to do the whack-a-mole in a sensible manner that
>>> allowed for innocent interruptions but banned the bad guys
>> For the kind of attempts I typically see, F2B won't do much. It's
>> usually not a brute force type of attack. Generally it's only a single
>> connection that either attempts to fingerprint the server (checking for
>> known vulns) or just tries a few "easy" passwords (e.g. root/root,
>> pi/raspberry).
> F2B is pretty flexible.
> You can say that any IP that fails to log in as root or pi 3 times in a
> week should be banned for a month, or forever if you really see a subtle
> attack.
> You have control of the frequency of log messages that constitute an attack.
>
> You can look for any string in the log, so you can watch for the
> vulnerability probes as well as login attempts.
>
> Ron
>> I would suggest simple connection rate limiting and enforcing strong
>> passwords as a better (in my opinion) option.
>>
>> --Sean