    Denial of Service Attack from localhost 127.0.0.1 depleting server resources

    • eugene.vdm
      eugene.vdm last edited by

      Good morning,

      Our server is being attacked every second but via localhost. Please let me know how I can mitigate these attacks because eventually the server runs out of resources and Kopano stops working.

      Here is a sample of the log. Note that all the attackers' IPs are localhost, so I don’t even know where to start:

      bsinc:~ # tail -f /var/log/kopano/gateway.log
      2020-12-05T09:12:54.765065: [kopano-gateway|T26389] [error ] HrProcessCommand threw KMAPIError: network error. (errno=Broken pipe)
      2020-12-05T09:12:56.072202: [kopano-gateway|T26390] [error ] HrLogon server “http://localhost:236/” user “wraw@co.za”: logon failed
      2020-12-05T09:12:56.072319: [kopano-gateway|T26390] [warning] Failed to login from [127.0.0.1:60154] with invalid username “wraw@co.za” or wrong password: logon failed (80040111)
      2020-12-05T09:12:56.072630: [kopano-gateway|T26390] [error ] HrProcessCommand threw KMAPIError: network error. (errno=Broken pipe)
      2020-12-05T09:12:56.947408: [kopano-gateway|T26391] [error ] HrLogon server “http://localhost:236/” user “diasuite@co.za”: logon failed
      2020-12-05T09:12:56.949063: [kopano-gateway|T26391] [warning] Failed to login from [127.0.0.1:60162] with invalid username “diasuite@co.za” or wrong password: logon failed (80040111)
      2020-12-05T09:12:56.949609: [kopano-gateway|T26391] [error ] HrProcessCommand threw KMAPIError: network error. (errno=Broken pipe)
      2020-12-05T09:12:58.129257: [kopano-gateway|T26392] [error ] HrLogon server “http://localhost:236/” user “publicsuffix@co.za”: logon failed
      2020-12-05T09:12:58.129473: [kopano-gateway|T26392] [warning] Failed to login from [127.0.0.1:60170] with invalid username “publicsuffix@co.za” or wrong password: logon failed (80040111)
      2020-12-05T09:12:58.130270: [kopano-gateway|T26392] [error ] HrProcessCommand threw KMAPIError: network error. (errno=Broken pipe)
      2020-12-05T09:13:02.328775: [kopano-gateway|T26395] [error ] HrLogon server “http://localhost:236/” user “mue@co.za”: logon failed
      2020-12-05T09:13:02.328964: [kopano-gateway|T26395] [warning] Failed to login from [127.0.0.1:60212] with invalid username “mue@co.za” or wrong password: logon failed (80040111)
      2020-12-05T09:13:02.329721: [kopano-gateway|T26395] [error ] HrProcessCommand threw KMAPIError: network error. (errno=Broken pipe)
      2020-12-05T09:13:04.127366: [kopano-gateway|T26396] [error ] HrLogon server “http://localhost:236/” user “ajaxJavascriptError@co.za”: logon failed

      • longsleep
        longsleep Kopano @eugene.vdm last edited by

        @eugene-vdm - Looks like someone is DoS'ing your Kopano gateway. So put firewall rules in place for external connections to imap, imaps, pop3, pop3s, whichever you have enabled.

        • eugene.vdm
          eugene.vdm @longsleep last edited by

          @longsleep Thanks very much. Further digging appeared to show proxies on port 8080 which seemed impossible to close. But then we installed Fail2ban and now the problem is gone.

          • thctlo
            thctlo @eugene.vdm last edited by

            @eugene-vdm

            Enable this if it's possible.

            # Source:
            # https://www.howtoforge.com/tutorial/httpoxy-protect-your-server/
            # a2enmod headers
            <IfModule mod_headers.c>
                RequestHeader unset Proxy early
            </IfModule>
            
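Detection logic for the log pattern in the first post, as an added example that is not part of the original thread: it groups the gateway's failed-login warnings by source address and flags any source that tries several distinct usernames within a short window. The function names, the 60-second window and the threshold of three usernames are assumptions; a flagged loopback source means the connections come from a process on the mail host itself, so the real client address has to be found in that process's own logs.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# "Failed to login" warning as logged in the thread; straight or curly quotes accepted.
FAILED = re.compile(
    r'^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d\.\d+): \[kopano-gateway\|T\d+\] '
    r'\[warning\] Failed to login from \[(?P<ip>[0-9a-fA-F.:]+):\d+\] '
    r'with invalid username ["“](?P<user>[^"”]*)["”]'
)

def parse_failures(lines):
    """Yield (timestamp, source_ip, username) for each failed-login line."""
    for line in lines:
        m = FAILED.match(line.strip())
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S.%f"), m["ip"], m["user"]

def flag_sources(lines, window=timedelta(seconds=60), min_users=3):
    """Map each source IP that tried >= min_users distinct names within `window` to a report."""
    by_ip = defaultdict(list)
    for ts, ip, user in parse_failures(lines):
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward
            users = {u for _, u in events[start:end + 1]}
            if len(users) >= min_users:
                # Loopback source: the real client is behind a local process, so an IP ban here is useless.
                loopback = ipaddress.ip_address(ip).is_loopback
                flagged[ip] = {"distinct_users": len(users), "loopback": loopback}
                break
    return flagged

# Sample lines taken from the log excerpt in the first post.
SAMPLE = [
    '2020-12-05T09:12:54.765065: [kopano-gateway|T26389] [error ] HrProcessCommand threw KMAPIError: network error. (errno=Broken pipe)',
    '2020-12-05T09:12:56.072319: [kopano-gateway|T26390] [warning] Failed to login from [127.0.0.1:60154] with invalid username “wraw@co.za” or wrong password: logon failed (80040111)',
    '2020-12-05T09:12:56.949063: [kopano-gateway|T26391] [warning] Failed to login from [127.0.0.1:60162] with invalid username “diasuite@co.za” or wrong password: logon failed (80040111)',
    '2020-12-05T09:12:58.129473: [kopano-gateway|T26392] [warning] Failed to login from [127.0.0.1:60170] with invalid username “publicsuffix@co.za” or wrong password: logon failed (80040111)',
    '2020-12-05T09:13:02.328964: [kopano-gateway|T26395] [warning] Failed to login from [127.0.0.1:60212] with invalid username “mue@co.za” or wrong password: logon failed (80040111)',
]

if __name__ == "__main__":
    print(flag_sources(SAMPLE))
```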