lots of connections that make no sense

lots of connections that make no sense

Fourhundred Thecat
Hello,

I am wondering what is the purpose of connections like these:

  postfix/smtpd[5147]:  connect from unknown[193.56.28.121]
  postfix/smtpd[5147]:  disconnect from unknown[193.56.28.121] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4

I have lots of these in my logs, from different IP addresses.

What is the goal of these agents? I mean, they don't try to do
anything. They don't try to deliver spam, they don't try to use my
postfix as a relay. They just connect and disconnect.

What are they after?

I am just curious.

Also, judging by the fact that the IP does not resolve to a hostname, I assume
these are not mail servers. Are these just some bots that are scanning
the Internet for mail servers?

thanks,

Re: lots of connections that make no sense

Fourhundred Thecat
On 15/11/2019 05.06, Jeffrey 'jf' Lim wrote:

> On Fri, Nov 15, 2019 at 11:49 AM Fourhundred Thecat <[hidden email]> wrote:
>>
>> Also, judging by the fact that IP does not resolve to hostname, I assume
>> these are not mail servers. Are these just some bots that are scanning
>> the Internet for mailservers ?
>>
>
> Indeed. I would imagine that's what they're doing. Some bots scan, and
> then other servers deliver.
>
> Don't forget: the moment you connect, you start giving out information
> ("220 $smtpd_banner"), while they, OTOH, dont.

But some of the bots connect repeatedly, with high frequency, i.e. every
minute.

Are they just misconfigured? I would assume, once they discovered that
my IP is indeed a mail server, they would move on to the next IP address.

Why do they continue to scan the same IP another ten thousand times?




Re: lots of connections that make no sense

Viktor Dukhovni
In reply to this post by Fourhundred Thecat
On Fri, Nov 15, 2019 at 04:47:55AM +0100, Fourhundred Thecat wrote:

> I am wondering what is the purpose of connections like these:
>
>   postfix/smtpd[5147]:  connect from unknown[193.56.28.121]
>   postfix/smtpd[5147]:  disconnect from unknown[193.56.28.121] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4

They send EHLO, a failed AUTH attempt, then RSET and QUIT.

> I have lots of these in my logs, from different IP addresses.
>
> What is the goal of these agents?

They're testing for weak passwords, either a whitehat or blackhat
SASL vulnerability scan.

--
    Viktor.

Re: lots of connections that make no sense

Jeffrey 'jf' Lim
On Fri, Nov 15, 2019 at 12:52 PM Viktor Dukhovni
<[hidden email]> wrote:

>
> On Fri, Nov 15, 2019 at 04:47:55AM +0100, Fourhundred Thecat wrote:
>
> > I am wondering what is the purpose of connections like these:
> >
> >   postfix/smtpd[5147]:  connect from unknown[193.56.28.121]
> >   postfix/smtpd[5147]:  disconnect from unknown[193.56.28.121] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
>
> They send EHLO, a failed AUTH attempt, then RSET and QUIT.
>

good grief!! Thanks for noticing!


> > I have lots of these in my logs, from different IP addresses.
> >
> > What is the goal of these agents?
>
> They're testing for weak passwords, either a whitehat or blackhat
> SASL vulnerability scan.
>

ok then this makes sense. I've seen bots retry multiple passwords at
one go in the past; Fourhundred, are all of these "auth=0/1"?

-jf

Re: lots of connections that make no sense

Fourhundred Thecat
On 15/11/2019 06.06, Jeffrey 'jf' Lim wrote:
>
> ok then this makes sense. I've seen bots retry multiple passwords at
> one go in the past; Fourhundred are all of these "auth=0/1"?

yes, all are "auth=0/1".

I have disabled auth on port 25, and I am using non-standard port for
client authentication.


Re: lots of connections that make no sense

Fourhundred Thecat
In reply to this post by Viktor Dukhovni
On 15/11/2019 05.51, Viktor Dukhovni wrote:

> On Fri, Nov 15, 2019 at 04:47:55AM +0100, Fourhundred Thecat wrote:
>
>> I am wondering what is the purpose of connections like these:
>>
>>   postfix/smtpd[5147]:  connect from unknown[193.56.28.121]
>>   postfix/smtpd[5147]:  disconnect from unknown[193.56.28.121] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
>
> They send EHLO, a failed AUTH attempt, then RSET and QUIT.
>
>> I have lots of these in my logs, from different IP addresses.
>>
>> What is the goal of these agents?
>
> They're testing for weak passwords, either a whitehat or blackhat
> SASL vulnerability scan.

Thank you Viktor. Now it makes sense.

Why don't I see in the logs that auth was attempted and failed?

Would I have to increase the verbosity to see that?



Re: lots of connections that make no sense

Dominic Raferd


On Fri, 15 Nov 2019 at 05:26, Fourhundred Thecat <[hidden email]> wrote:
> On 15/11/2019 05.51, Viktor Dukhovni wrote:
>> On Fri, Nov 15, 2019 at 04:47:55AM +0100, Fourhundred Thecat wrote:
>>
>>> I am wondering what is the purpose of connections like these:
>>>
>>>   postfix/smtpd[5147]:  connect from unknown[193.56.28.121]
>>>   postfix/smtpd[5147]:  disconnect from unknown[193.56.28.121] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
>>
>> They send EHLO, a failed AUTH attempt, then RSET and QUIT.
>>
>>> I have lots of these in my logs, from different IP addresses.
>>>
>>> What is the goal of these agents?
>>
>> They're testing for weak passwords, either a whitehat or blackhat
>> SASL vulnerability scan.
>
> Thank you Viktor. Now it makes sense.
>
> Why don't I see in the logs that auth was attempted and failed?
>
> Would I have to increase the verbosity to see that?

If you want to block these types of attempts, you could use fail2ban with my jail postfix-failedauth: https://github.com/fail2ban/fail2ban/issues/2200

Re: lots of connections that make no sense

Jaroslaw Rafa
In reply to this post by Viktor Dukhovni
On 14.11.2019 at 23:51:05, Viktor Dukhovni wrote:
> > I am wondering what is the purpose of connections like these:
> >
> >   postfix/smtpd[5147]:  connect from unknown[193.56.28.121]
> >   postfix/smtpd[5147]:  disconnect from unknown[193.56.28.121] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
>
> They send EHLO, a failed AUTH attempt, then RSET and QUIT.

Is this some new style of logging failed AUTH attempts?

In my case, these attempts look like this (I haven't changed any logging
config, left everything at default):

Nov 15 09:22:33 rafa postfix/smtpd[18954]: connect from unknown[222.103.192.93]
Nov 15 09:22:37 rafa dovecot: auth-worker(18956): pam(xxxx@yyyy,222.103.192.93): pam_authenticate() failed: Authentication failure (password mismatch?)
Nov 15 09:22:39 rafa postfix/smtpd[18954]: warning: unknown[222.103.192.93]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Nov 15 09:22:39 rafa postfix/smtpd[18954]: disconnect from unknown[222.103.192.93]

Of course in place of "xxxx@yyyy" there was a real e-mail address that the
attacker tried to authenticate with.

Note not only the clear message from smtpd about failed authentication, but
also a message from Dovecot authenticator that says the same.

By the way: I'm just curious, what does the string "UGFzc3dvcmQ6" in the
failed authentication message mean? I get it with every such attempt.
--
Regards,
   Jaroslaw Rafa
   [hidden email]
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."

Re: lots of connections that make no sense

allenc
In reply to this post by Fourhundred Thecat


On 15/11/2019 05:10, Fourhundred Thecat wrote:

> On 15/11/2019 06.06, Jeffrey 'jf' Lim wrote:
>>
>> ok then this makes sense. I've seen bots retry multiple passwords at
>> one go in the past; Fourhundred are all of these "auth=0/1"?
>
> yes, all are "auth=0/1".
>
> I have disabled auth on port 25, and I am using non-standard port for
> client authentication.
>

Disabling auth does not stop them from trying;  I scan my logs for the string
"auth=0/1", and add the offending IP address to a blacklist - a do-it-yourself
fail2ban.

Allen C

Re: lots of connections that make no sense

Dominic Raferd


On Fri, 15 Nov 2019 at 10:23, Allen Coates <[hidden email]> wrote:


> On 15/11/2019 05:10, Fourhundred Thecat wrote:
>> On 15/11/2019 06.06, Jeffrey 'jf' Lim wrote:
>>>
>>> ok then this makes sense. I've seen bots retry multiple passwords at
>>> one go in the past; Fourhundred are all of these "auth=0/1"?
>>
>> yes, all are "auth=0/1".
>>
>> I have disabled auth on port 25, and I am using non-standard port for
>> client authentication.
>>
>
> Disabling auth does not stop them from trying;  I scan my logs for the string
> "auth=0/1", and add the offending IP address to a blacklist - a do-it-yourself
> fail2ban.

I get cases where there is more than one unsuccessful auth attempt
# grep -a "auth=0/" /var/log/mail.log|grep -v "auth=0/1"|wc -l
39

- so I think the blocking should be based on auth=0/ not auth=0/1

Re: lots of connections that make no sense

Jeffrey 'jf' Lim
In reply to this post by allenc
On Fri, Nov 15, 2019 at 6:23 PM Allen Coates <[hidden email]> wrote:

>
>
>
> On 15/11/2019 05:10, Fourhundred Thecat wrote:
> > On 15/11/2019 06.06, Jeffrey 'jf' Lim wrote:
> >>
> >> ok then this makes sense. I've seen bots retry multiple passwords at
> >> one go in the past; Fourhundred are all of these "auth=0/1"?
> >
> > yes, all are "auth=0/1".
> >
> > I have disabled auth on port 25, and I am using non-standard port for
> > client authentication.
> >
>
> Disabling auth does not stop them from trying;  I scan my logs for the string
> "auth=0/1", and add the offending IP address to a blacklist - a do-it-yourself
> fail2ban.
>

It should. Unless they're the dumbest bots of all time, because you
should have stopped advertising auth in your EHLO response after
disabling.

-jf

Re: lots of connections that make no sense

Wietse Venema
Jeffrey 'jf' Lim:
> > Disabling auth does not stop them from trying;  I scan my logs for the string
> > "auth=0/1", and add the offending IP address to a blacklist - a do-it-yourself
> > fail2ban.
> >
>
> It should. Unless they're the dumbest bots of all time, because you
> should have stopped advertising auth in your EHLO response after
> disabling.

Some bots are stupid. My server does not announce AUTH, but that
does not stop them from trying.

        Wietse

Re: lots of connections that make no sense

allenc


On 15/11/2019 12:33, Wietse Venema wrote:

> Jeffrey 'jf' Lim:
>>> Disabling auth does not stop them from trying;  I scan my logs for the string
>>> "auth=0/1", and add the offending IP address to a blacklist - a do-it-yourself
>>> fail2ban.
>>>
>>
>> It should. Unless they're the dumbest bots of all time, because you
>> should have stopped advertising auth in your EHLO response after
>> disabling.
>
> Some bots are stupid. My server does not announce AUTH, but that
> does not stop them from trying.
>
> Wietse
>

Blacklisting miscreants (once you have spotted them) stops them from trying
other probes/attacks.

Allen C

Re: lots of connections that make no sense

Bill Cole-3
In reply to this post by Jeffrey 'jf' Lim
On 15 Nov 2019, at 5:28, Jeffrey 'jf' Lim wrote:

> On Fri, Nov 15, 2019 at 6:23 PM Allen Coates
> <[hidden email]> wrote:
[...]
>> Disabling auth does not stop them from trying;  I scan my logs for
>> the string
>> "auth=0/1", and add the offending IP address to a blacklist - a
>> do-it-yourself
>> fail2ban.
>>
>
> It should.

Well, yes. And yet, it doesn't.

> Unless they're the dumbest bots of all time, because you
> should have stopped advertising auth in your EHLO response after
> disabling.

I have to note that there is competition for that title, because for well
over a decade the Cutwail/Pushdo bot has been making hundreds of
near-simultaneous connections to a single target, saying "EHLO ymlf-pc"
without waiting for a banner, and being rejected precisely because of
that idiosyncratic behavior by a large fraction of Sendmail, Postfix,
and CGP mail servers, as well as any others implementing greeting delays
and most using the CBL (which takes about an hour on average to notice
new members of that botnet...)

It is also worth noting that at least one MTA has made the same
assumption about appropriate client behavior, offering a switch to turn
AUTH advertisement on and off but NOT actually disabling authentication
when not advertising it.

--
Bill Cole
[hidden email] or [hidden email]
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)

Re: lots of connections that make no sense

Bill Cole-3
In reply to this post by Jaroslaw Rafa
On 15 Nov 2019, at 3:36, Jaroslaw Rafa wrote:

> By the way: I'm just curious, what does the string "UGFzc3dvcmQ6" in
> the
> failed authentication message mean? I get it with every such attempt.

$ echo "UGFzc3dvcmQ6" |base64 -D
Password:

When you see "SASL LOGIN authentication failed: UGFzc3dvcmQ6" logged by
Postfix, it indicates that an incorrect password was provided, in the
second step of the LOGIN mechanism, in response to the prompt "334
UGFzc3dvcmQ6" which is sent by the server. It is also possible for
Postfix to log "SASL LOGIN authentication failed: VXNlcm5hbWU6" which
indicates a failure at the first stage of the LOGIN mechanism.


--
Bill Cole
[hidden email] or [hidden email]
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)

Re: lots of connections that make no sense

Jaroslaw Rafa
On 15.11.2019 at 10:04:42, Bill Cole wrote:
>
> When you see "SASL LOGIN authentication failed: UGFzc3dvcmQ6" logged
> by Postfix, it indicates that an incorrect password was provided, in
> the second step of the LOGIN mechanism, in response to the prompt
> "334 UGFzc3dvcmQ6" which is sent by the server. It is also possible
> for Postfix to log "SASL LOGIN authentication failed: VXNlcm5hbWU6"
> which indicates a failure at the first stage of the LOGIN mechanism.

Thank you. I have searched my logs for the other string (VXNlcm5hbWU6) and
found out that it is logged when the username is syntactically incorrect, i.e.
it contains invalid characters.
--
Regards,
   Jaroslaw Rafa
   [hidden email]
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."
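Bill's decoding and Jaroslaw's follow-up above can be replayed with the added Python below; it is not code from the thread, Postfix or Dovecot. It classifies the failure stage from the token in the log line, and models the server side of AUTH LOGIN just far enough to show why the last challenge the server sent is what ends up in the log. The sample account, the username syntax rule and all function names are assumptions of the example.

```python
import base64
import re

# The two server challenges of the SASL LOGIN mechanism, sent on the wire as
# "334 <base64 prompt>"; these are the tokens Postfix logs after "authentication failed:".
USERNAME_PROMPT = base64.b64encode(b"Username:").decode()   # "VXNlcm5hbWU6"
PASSWORD_PROMPT = base64.b64encode(b"Password:").decode()   # "UGFzc3dvcmQ6"

SASL_FAIL_RE = re.compile(
    r"warning: (?P<client>[^\s\[]+\[[^\]]+\]): SASL (?P<mech>\S+) authentication failed: (?P<token>\S+)"
)

def decode_login_failure(log_line):
    """Classify a Postfix 'SASL LOGIN authentication failed: <token>' line.
    Returns (client, stage) with stage 'username', 'password' or 'unknown'; None otherwise."""
    m = SASL_FAIL_RE.search(log_line)
    if not m or m.group("mech") != "LOGIN":
        return None
    stage = {USERNAME_PROMPT: "username", PASSWORD_PROMPT: "password"}.get(m.group("token"), "unknown")
    return m.group("client"), stage

def client_reply(text):
    """What a client sends in answer to a 334 challenge: the value, base64-encoded."""
    return base64.b64encode(text.encode("utf-8")).decode()

# Simplified server-side model of AUTH LOGIN (illustration only, not Postfix or Dovecot code).
ACCOUNTS = {"user@example.com": "correct horse battery staple"}   # constructed sample account
USERNAME_SYNTAX = re.compile(r"^[A-Za-z0-9._%+\-@]+$")             # assumed syntax rule

def _decode_reply(token):
    """Decode one base64 client reply; None if it is not valid base64 / UTF-8."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-8")
    except ValueError:          # binascii.Error and UnicodeDecodeError are both ValueErrors
        return None

def login_server(client_replies):
    """Drive the two LOGIN challenges against a list of client replies.
    Returns (result, last_challenge); on failure last_challenge is the token a server in
    Postfix's style logs, which is why decode_login_failure() can read the stage back."""
    replies = iter(client_replies)
    username = _decode_reply(next(replies, ""))          # answer to "334 VXNlcm5hbWU6"
    if username is None or not USERNAME_SYNTAX.match(username):
        return "failed", USERNAME_PROMPT                 # rejected at the first stage
    password = _decode_reply(next(replies, ""))          # answer to "334 UGFzc3dvcmQ6"
    if password is None or ACCOUNTS.get(username) != password:
        return "failed", PASSWORD_PROMPT                 # rejected at the second stage
    return "ok", None
```

Note that an unknown account fails at the password stage exactly like a wrong password, so the logged token never reveals whether the username exists.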

Re: lots of connections that make no sense

@lbutlr
In reply to this post by allenc
On 15 Nov 2019, at 03:21, Allen Coates <[hidden email]> wrote:
> Disabling auth does not stop them from trying;  I scan my logs for the string
> "auth=0/1", and add the offending IP address to a blacklist - a do-it-yourself
> fail2ban.

Seems like a good idea.

Something like this?

pfctl -t badguys -T add $(grep "auth=0/1" /var/log/mail.log | egrep -o "\[[^]]*\.[^]]*\]" | tr -d '[]')



--
"Real stupidity beats artificial intelligence every time."


Re: lots of connections that make no sense

Jeffrey 'jf' Lim
In reply to this post by Bill Cole-3
On Fri, 15 Nov 2019, 22:26 Bill Cole, <[hidden email]> wrote:
> On 15 Nov 2019, at 5:28, Jeffrey 'jf' Lim wrote:
>
>> On Fri, Nov 15, 2019 at 6:23 PM Allen Coates
>> <[hidden email]> wrote:
> [...]
>>> Disabling auth does not stop them from trying;  I scan my logs for
>>> the string
>>> "auth=0/1", and add the offending IP address to a blacklist - a
>>> do-it-yourself
>>> fail2ban.
>>>
>>
>> It should.
>
> Well, yes. And yet, it doesn't.
>
>> Unless they're the dumbest bots of all time, because you
>> should have stopped advertising auth in your EHLO response after
>> disabling.
>
> I have to note that there is competition for that title, because for well
> over a decade the Cutwail/Pushdo bot has been making hundreds of
> near-simultaneous connections to a single target, saying "EHLO ymlf-pc"
> without waiting for a banner, and being rejected precisely because of
> that idiosyncratic behavior by a large fraction of Sendmail, Postfix,
> and CGP mail servers, as well as any others implementing greeting delays
> and most using the CBL (which takes about an hour on average to notice
> new members of that botnet...)


Wow... that greeting name brings back memories. Thanks; I never knew about the origin nor the history!


> It is also worth noting that at least one MTA has made the same
> assumption about appropriate client behavior, offering a switch to turn
> AUTH advertisement on and off but NOT actually disabling authentication
> when not advertising it.


Wow. Do you know which MTA/s that would be? Just purely out of curiosity.

-jf


Re: lots of connections that make no sense

Bill Cole-3
On 15 Nov 2019, at 11:16, Jeffrey 'jf' Lim wrote:

> On Fri, 15 Nov 2019, 22:26 Bill Cole, <
> [hidden email]> wrote:
[...]

>> It is also worth noting that at least one MTA has made the same
>> assumption about appropriate client behavior, offering a switch to
>> turn
>> AUTH advertisement on and off but NOT actually disabling
>> authentication
>> when not advertising it.
>>
>>
> Wow. Do you know which MTA/s that would be? Just purely out of
> curiosity.

SIMS. The Stalker one, not the Sun one of similar vintage and identical
acronym.

It is likely (but I am not sure) that CommuniGate Pro of the same period
(~2000) behaved similarly.

--
Bill Cole
[hidden email] or [hidden email]
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire

Re: lots of connections that make no sense

allenc
In reply to this post by @lbutlr


On 15/11/2019 16:15, @lbutlr wrote:

> On 15 Nov 2019, at 03:21, Allen Coates <[hidden email]> wrote:
>> Disabling auth does not stop them from trying;  I scan my logs for the string
>> "auth=0/1", and add the offending IP address to a blacklist - a do-it-yourself
>> fail2ban.
>
> Seems like a good idea.
>
> Something like this?
>
> pfctl -t badguys -T add $(grep "auth=0/1" /var/log/mail.log | egrep -o "\[[^]]*\.[^]]*\]" | tr -d '[]')
>

I use cut statements rather than egrep - not as elegant but it isolates both
IPv4 and IPv6 addresses.

I sweep about two days' worth of logs, and offending addresses go into a
postscreen blacklist.  This is recompiled when there is something new.

Repeated postscreen disconnections (for whatever reason) escalate into an
iptables drop-list, where they stay until they stop trying to connect.

Allen C
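As an added example, not code from the thread: the Python below does what Allen's and @lbutlr's log sweeps do. It reads Postfix's smtpd disconnect summary the way Viktor decoded it (each counter is success/total), applies Dominic's wider "auth=0/" test instead of "auth=0/1", and accepts both IPv4 and IPv6 clients, which Postfix logs as name[IPv6:...]. The sample log lines are constructed, and the function names and the session threshold are assumptions of the example.

```python
import re
from collections import Counter

# Constructed sample mail log. 193.56.28.121 is the address quoted in this thread;
# the rest are documentation/test ranges.
SAMPLE_LOG = """\
Nov 15 09:22:33 mx postfix/smtpd[5147]: connect from unknown[193.56.28.121]
Nov 15 09:22:35 mx postfix/smtpd[5147]: disconnect from unknown[193.56.28.121] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Nov 15 09:30:01 mx postfix/smtpd[5151]: disconnect from unknown[IPv6:2001:db8::17] ehlo=1 auth=0/3 quit=1 commands=2/5
Nov 15 09:31:12 mx postfix/smtpd[5152]: disconnect from mail.example.net[203.0.113.9] ehlo=1 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=6
Nov 15 09:40:07 mx postfix/smtpd[5153]: disconnect from unknown[193.56.28.121] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Nov 15 09:41:59 mx postfix/smtpd[5154]: disconnect from unknown[198.51.100.7] ehlo=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=6
"""

# "disconnect from <name>[<addr>] cmd=ok/total ...": Postfix prints "ok/total" only when
# some attempts at that command were rejected, and a bare count when all succeeded.
DISCONNECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: disconnect from (?P<name>[^\s\[]+)\[(?P<addr>[^\]]+)\](?P<rest>.*)$"
)
COUNTER_RE = re.compile(r"(?P<cmd>[a-z]+)=(?P<ok>\d+)(?:/(?P<total>\d+))?")

def parse_disconnect(line):
    """Return (client address, {command: (ok, total)}), or None for any other log line."""
    m = DISCONNECT_RE.search(line)
    if not m:
        return None
    addr = m.group("addr")
    if addr.startswith("IPv6:"):      # Postfix logs IPv6 clients as name[IPv6:2001:db8::17]
        addr = addr[len("IPv6:"):]
    counters = {}
    for c in COUNTER_RE.finditer(m.group("rest")):
        ok = int(c.group("ok"))
        total = int(c.group("total")) if c.group("total") else ok
        counters[c.group("cmd")] = (ok, total)
    return addr, counters

def all_auth_failed(counters):
    """Dominic's "auth=0/" test: auth=0/N with N >= 1, i.e. every AUTH in the session failed."""
    ok, total = counters.get("auth", (0, 0))
    return ok == 0 and total >= 1

def failed_auth_sessions(lines):
    """Number of failed-auth-only sessions per client address."""
    hits = Counter()
    for line in lines:
        parsed = parse_disconnect(line)
        if parsed and all_auth_failed(parsed[1]):
            hits[parsed[0]] += 1
    return hits

def blocklist(lines, min_sessions=1):
    """Addresses with at least min_sessions such sessions, one per line for a pf/iptables table."""
    hits = failed_auth_sessions(lines)
    return sorted(addr for addr, n in hits.items() if n >= min_sessions)

if __name__ == "__main__":
    print("\n".join(blocklist(SAMPLE_LOG.splitlines())))
```

Sessions that authenticated successfully (a bare auth=1) or never tried AUTH are left alone, so a legitimate client with one typo is only listed once the threshold is reached.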