Denial of Service Attack from localhost 127.0.0.1 depleting server resources
-
Good morning,
Our server is being attacked every second but via localhost. Please let me know how I can mitigate these attacks because eventually the server runs out of resources and Kopano stops working.
Here is a sample of the log. Note, all attackers’ IPs are localhost, so I don’t even know where to start:
bsinc:~ # tail -f /var/log/kopano/gateway.log
2020-12-05T09:12:54.765065: [kopano-gateway|T26389] [error ] HrProcessCommand threw KMAPIError: network error. (errno=Broken pipe)
2020-12-05T09:12:56.072202: [kopano-gateway|T26390] [error ] HrLogon server “http://localhost:236/” user “wraw@co.za”: logon failed
2020-12-05T09:12:56.072319: [kopano-gateway|T26390] [warning] Failed to login from [127.0.0.1:60154] with invalid username “wraw@co.za” or wrong password: logon failed (80040111)
2020-12-05T09:12:56.072630: [kopano-gateway|T26390] [error ] HrProcessCommand threw KMAPIError: network error. (errno=Broken pipe)
2020-12-05T09:12:56.947408: [kopano-gateway|T26391] [error ] HrLogon server “http://localhost:236/” user “diasuite@co.za”: logon failed
2020-12-05T09:12:56.949063: [kopano-gateway|T26391] [warning] Failed to login from [127.0.0.1:60162] with invalid username “diasuite@co.za” or wrong password: logon failed (80040111)
2020-12-05T09:12:56.949609: [kopano-gateway|T26391] [error ] HrProcessCommand threw KMAPIError: network error. (errno=Broken pipe)
2020-12-05T09:12:58.129257: [kopano-gateway|T26392] [error ] HrLogon server “http://localhost:236/” user “publicsuffix@co.za”: logon failed
2020-12-05T09:12:58.129473: [kopano-gateway|T26392] [warning] Failed to login from [127.0.0.1:60170] with invalid username “publicsuffix@co.za” or wrong password: logon failed (80040111)
2020-12-05T09:12:58.130270: [kopano-gateway|T26392] [error ] HrProcessCommand threw KMAPIError: network error. (errno=Broken pipe)
2020-12-05T09:13:02.328775: [kopano-gateway|T26395] [error ] HrLogon server “http://localhost:236/” user “mue@co.za”: logon failed
2020-12-05T09:13:02.328964: [kopano-gateway|T26395] [warning] Failed to login from [127.0.0.1:60212] with invalid username “mue@co.za” or wrong password: logon failed (80040111)
2020-12-05T09:13:02.329721: [kopano-gateway|T26395] [error ] HrProcessCommand threw KMAPIError: network error. (errno=Broken pipe)
2020-12-05T09:13:04.127366: [kopano-gateway|T26396] [error ] HrLogon server “http://localhost:236/” user “ajaxJavascriptError@co.za”: logon failed
-
@eugene-vdm - Looks like someone is DoS’ing your Kopano gateway. So put firewall rules in place for external connections to imap, imaps, pop3, pop3s, whichever you have enabled.
-
@longsleep Thanks very much. Further digging appeared to show proxies on port 8080 which seemed impossible to close. But then we installed Fail2ban and now the problem is gone.
-
Enable this if it’s possible.
# Source:
# https://www.howtoforge.com/tutorial/httpoxy-protect-your-server/
# a2enmod headers
<IfModule mod_headers.c>
    RequestHeader unset Proxy early
</IfModule>
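An added example, not part of the thread and not Kopano's own tooling: a small Python triage script for the "Failed to login from [...]" warnings in the opening post's gateway.log excerpt. It counts failures per source address, distinct usernames and attempt rate, and flags the case where every source is loopback. The function name and the sample lines are constructed for illustration, modelled on that excerpt.

```python
import re
from collections import Counter
from datetime import datetime
from ipaddress import ip_address

# Failed-login warning as it appears in the excerpt; accepts ASCII or typographic quotes.
FAILED = re.compile(
    r'^(?P<ts>\S+): \[kopano-gateway\|T\d+\] \[warning\s*\] '
    r'Failed to login from \[(?P<ip>[^\]]+):(?P<port>\d+)\] '
    r'with invalid username ["\u201c](?P<user>[^"\u201d]*)["\u201d]'
)

def summarize(lines):
    """Count failed logins per source, distinct usernames and attempts per minute."""
    per_ip, users, stamps = Counter(), set(), []
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue  # [error] lines and anything else are ignored
        per_ip[m["ip"]] += 1
        users.add(m["user"])
        stamps.append(datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S.%f"))
    span = (max(stamps) - min(stamps)).total_seconds() if len(stamps) > 1 else 0.0
    rate = len(stamps) / span * 60 if span else 0.0
    # If every source is loopback, the address logged here is a local relay,
    # so the real client address must come from that relay's own logs.
    loopback_only = bool(per_ip) and all(ip_address(ip).is_loopback for ip in per_ip)
    return {"per_ip": dict(per_ip), "distinct_users": len(users),
            "per_minute": round(rate, 1), "loopback_only": loopback_only}

# Constructed sample lines (not copied from the thread).
SAMPLE = [
    '2020-12-05T09:12:56.000000: [kopano-gateway|T1] [error  ] HrLogon server '
    '"http://localhost:236/" user "a@example.test": logon failed',
    '2020-12-05T09:12:56.000000: [kopano-gateway|T1] [warning] Failed to login from '
    '[127.0.0.1:60154] with invalid username "a@example.test" or wrong password',
    '2020-12-05T09:12:57.000000: [kopano-gateway|T2] [warning] Failed to login from '
    '[127.0.0.1:60162] with invalid username "b@example.test" or wrong password',
    '2020-12-05T09:12:58.000000: [kopano-gateway|T3] [warning] Failed to login from '
    '[127.0.0.1:60170] with invalid username "c@example.test" or wrong password',
    '2020-12-05T09:13:02.000000: [kopano-gateway|T4] [warning] Failed to login from '
    '[127.0.0.1:60212] with invalid username "d@example.test" or wrong password',
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Many distinct usernames arriving from one address at a steady rate is the pattern in the excerpt, and a loopback-only result means a ban keyed on this log's address field cannot single out the remote client.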