Swamped by User / Password Guessing Scripts
-
We are absolutely swamped by hacking attempts to guess user id and passwords.
Mar 4 10:14:12 kopano kopano-gateway[28665]: HrLogon server "http://localhost:236/" user "thirteen": logon failed
Normally I would be able to create a fail2ban rule to ban these requests but they are all coming in on localhost and it’s therefore impossible to get their IP address and ban them.
Is there a solution for this ??
-
What ports/services do you have exposed to the Internet?
Is it possible someone is doing reverse port forwarding through SSH?
You use a router, right? Could you get log details of which IP addresses are able to communicate with your server?
How the hell could someone reach out to your localhost?! Process of elimination. Inspect all services you expose publicly, and which services are being used on your system. I never expose port 236.
Change all your credentials, keep a close eye on your logs.
Also, once you sort out fail2ban, maybe a router on pfsense could help you do geolocation blocking, for certain ports, as a way to prevent future problems.
-
@junglemarc - Thanks, SSH port is not exposed, but why is the gateway even listening on localhost ?
-
@crankshaft - OK, I just closed off all ports and these connections are coming through port 25.
I have closed all ports, and only opened 25 and as soon as I open the port, these login attempts resume.
It seems that the connection is initiated through postfix.
-
@crankshaft said in Swamped by User / Password Guessing Scripts:
It seems that the connection is initiated through postfix.
Setup postscreen in postfix… that will stop 90%+ of these messages…
I’ll give you an example of what I run.
### Before-220 tests (postscreen / DNSBL)
postscreen_tls_security_level=encrypt
postscreen_greet_banner = $myhostname, checking blacklists, please wait.
postscreen_greet_action = enforce
postscreen_greet_wait = 5s
postscreen_greet_ttl = 2d
postscreen_access_list = permit_mynetworks, cidr:/etc/postfix/personal/postscreen_access_list.cidr,
postscreen_whitelist_interfaces = $mynetworks, static:all
postscreen_blacklist_action = drop
postscreen_dnsbl_reply_map = pcre:/etc/postfix/personal/postscreen_dnsbl_reply_map.pcre
postscreen_dnsbl_action = enforce
postscreen_dnsbl_ttl = 2h
postscreen_dnsbl_threshold = 7
postscreen_dnsbl_sites =
    zen.spamhaus.org*5
    b.barracudacentral.org=127.0.0.2*2
    dnsbl.cobion.com*2
    bl.spameatingmonkey.net*2
    fresh.spameatingmonkey.net*2
    rhsbl.rbl.polspam.pl=127.0.0.1*2
    rbl.rbldns.ru=127.0.0.1*1
    bl.0spam.org*1
    wl.0spam.org
    dnsbl.kempt.net*1
    dnsbl.inps.de*2
    bl.spamcop.net*2
    spam.dnsbl.sorbs.net=127.0.0.6*2
    problems.sorbs.net=127.0.0.6*2
    new.spam.sorbs.net=127.0.0.6*2
    psbl.surriel.com*2
    bl.mailspike.net*2
    rep.mailspike.net=127.0.0.[13;14]*1
    bl.suomispam.net*1
    bl.blocklist.de*2
    ix.dnsbl.manitu.net*2
    dnsbl-1.uceprotect.net*1
    dnsbl-2.uceprotect.net*1
    dnsbl.justspam.org=127.0.0.2*2
    multi.surbl.org*2
    black.junkemailfilter.com=127.0.0.2*2
    rbl.metunet.com=127.0.0.2*2
    all.s5h.net=127.0.0.2*1
    hostkarma.junkemailfilter.com=127.0.0.[2;4]*2
    rbl.abuse.ro=127.0.0.[2;4]*2
    gl.suomispam.net=127.0.0.2*1
    truncate.gbudb.net=127.0.0.2*1
    dnsbl.zapbl.net=127.0.0.2*1
    spamsources.fabel.dk=127.0.0.2*1
    rbl.interserver.net=127.0.0.2*2
    dnsbl.spfbl.net=127.0.0.[2;4]*2
    dnsbl-3.uceprotect.net=127.0.0.2*2
    rhsbl-h.rbl.polspam.pl=127.0.0.2*2
    black.dnsbl.brukalai.lt=127.0.0.2*2
    # No RDNS
    dnsbl.spfbl.net=127.0.0.3*1
    hostkarma.junkemailfilter.com=127.0.0.3*1
    # whitelists
    wl.0spam.org*-3
    swl.spamhaus.org*-6
    dnswl.spfbl.net=127.0.0.[2;3;4]*-3
    list.dnswl.org=127.0.[0..254].[0..3]*-4
    rep.mailspike.net=127.0.0.[17;18]*-1
    rep.mailspike.net=127.0.0.[19;20]*-2
    hostkarma.junkemailfilter.com=127.0.0.1*-4
    nobl.junkemailfilter.com=127.0.0.5*-4
#
### End of before-220 tests
### After-220 tests
### WARNING -- See "Tests after the 220 SMTP server greeting" in the
### Postscreen Howto and *UNDERSTAND* it *BEFORE* you enable the
### following tests! This basically enables some kind of greylisting!
#postscreen_bare_newline_action = enforce
#postscreen_bare_newline_enable = yes
#postscreen_non_smtp_command_enable = yes
#postscreen_pipelining_enable = yes
### ADDENDUM: Any one of the foregoing three *_enable settings may cause
### significant and annoying mail delays.
/etc/postfix/personal/postscreen_access_list.cidr
#############################################
# Postscreen allow lists in CIDR format.
#############################################
## SMTP Test servers
74.115.12.0/24 permit
89.185.38.0/24 permit
# https://www.htbridge.com/ssl/
70.38.125.0/24 permit
# ssl-tools.net
185.55.116.145 permit
# cryptcheck.imirhil.fr
163.172.46.173 permit
163.172.218.10 permit
163.172.141.88 permit
# email securitygrader.com
192.69.1.114 permit
207.115.110.69 permit
# immuniweb.com tests
192.175.111.224/27 permit
64.15.129.96/27 permit
70.38.27.240/28 permit
72.55.136.144/28 permit
72.55.136.192/28 permit
79.141.85.24/29 permit
#############################################
/etc/postfix/personal/postscreen_dnsbl_reply_map.pcre
# We will be rejecting much mail which is listed in multiple DNSBLs.
# We're not proud of some of the lists we are using, thus have given
# them lower scores in postscreen_dnsbl_sites listing. So this checks
# the DNSBL name postscreen(8) gets from dnsblog(8), and if it's not
# one of our Tier 1 DNSBL sites, it changes what the sender will see:
#
##
## Changed to fake name, so all get "multiple dns-base blocklists."
!/^fakename\.spamhaus\.org$/ multiple DNS-based blocklists, please check http://multirbl.valli.org/
-
OK, I found it starts when I enable this:
# https://wiki.zarafa.com/index.php/SMTP-Auth_for_IMAP_users
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = smtpd
-
@crankshaft said in Swamped by User / Password Guessing Scripts:
That’s easier; enabling postfix-sasl in fail2ban should stop it also.
-
I still don’t understand why the gateway is listening on localhost:236 !
Do you know if this is the normal setup and if not how can I change it?
I commented out this:
# smtpd_sasl_auth_enable = yes
# smtpd_sasl_path = smtpd
And restarted postfix but I am still getting:
Mar 5 17:05:40 kopano kopano-gateway[795]: HrLogon server "http://localhost:236/" user "350@com.sg": logon failed
Mar 5 17:05:40 kopano kopano-gateway[795]: Failed to login from [[::ffff:127.0.0.1]:36652] with invalid username "350@com.sg" or wrong password: logon failed (80040111)
Mar 5 17:05:41 kopano postfix/submission/smtpd[14574]: warning: unknown[5.34.207.28]: SASL LOGIN authentication failed: authentication failure
Mar 5 17:05:41 kopano kopano-gateway[795]: HrProcessCommand threw KMAPIError: network error. (errno=Broken pipe)
Mar 5 17:05:42 kopano postfix/submission/smtpd[14574]: disconnect from unknown[5.34.207.28] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
-
I think you want to keep SASL auth enabled; you don’t want to give anyone the ability to use the SMTP service, only the client machines with proper login/pass.
You also have the ability to block ip addresses out of the firewall of the distro you are on.
Here’s a tutorial for fail2ban on postfix
https://importgeek.wordpress.com/2017/01/15/fail2ban-prevent-postfix-brute-force/
Also it is normal for kopano-gateway to listen to ports on the localhost, it is good you are working your way up on identifying the ip addresses attempting to connect.
But this is good you are making progress - you can identify the IP addresses trying to connect. For sure fail2ban is a good way to fix this.
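Added example (not part of any post in this thread): a small Python check that pulls ban candidates out of the Postfix smtpd "SASL ... authentication failed" lines, since those carry the remote address while the kopano-gateway lines only show 127.0.0.1. The function names, the threshold defaults (named after fail2ban's maxretry and findtime options), the assumed year, and every sample line after the first two are assumptions or constructed data.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Only the Postfix smtpd warning names the remote peer. The kopano-gateway
# lines for the same attempt show 127.0.0.1 and are deliberately not matched.
SASL_FAIL = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/(?:\w+/)?smtpd\[\d+\]: "
    r"warning: \S+\[(?P<ip>[0-9A-Fa-f:.]+)\]: SASL \S+ authentication failed")

def normalize(ip):
    """Collapse IPv4-mapped IPv6 (::ffff:a.b.c.d) to plain IPv4."""
    addr = ipaddress.ip_address(ip)
    return str(getattr(addr, "ipv4_mapped", None) or addr)

def offenders(lines, maxretry=3, findtime=600, year=2020):
    """Map each peer to its peak failure count inside any findtime-second
    window, keeping peers that reach maxretry. Lines must be in time order;
    syslog omits the year, so `year` is an assumed parameter."""
    window, peak = defaultdict(deque), defaultdict(int)
    for line in lines:
        m = SASL_FAIL.match(line)
        if not m:
            continue
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip = normalize(m["ip"])
        if ipaddress.ip_address(ip).is_loopback:
            continue  # never report localhost as a ban candidate
        q = window[ip]
        q.append(when)
        while when - q[0] > timedelta(seconds=findtime):
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return {ip: n for ip, n in peak.items() if n >= maxretry}

# Lines 1-2 are quoted from the thread; the rest are constructed, using
# documentation address ranges.
SAMPLE = """\
Mar 5 17:05:40 kopano kopano-gateway[795]: Failed to login from [[::ffff:127.0.0.1]:36652] with invalid username "350@com.sg" or wrong password: logon failed (80040111)
Mar 5 17:05:41 kopano postfix/submission/smtpd[14574]: warning: unknown[5.34.207.28]: SASL LOGIN authentication failed: authentication failure
Mar 5 17:06:00 kopano postfix/smtpd[14601]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Mar 5 17:06:30 kopano postfix/smtpd[14601]: warning: unknown[203.0.113.7]: SASL PLAIN authentication failed: authentication failure
Mar 5 17:07:10 kopano postfix/smtpd[14602]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Mar 5 17:10:00 kopano postfix/smtpd[14610]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: authentication failure
Mar 5 17:30:00 kopano postfix/smtpd[14620]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: authentication failure
""".splitlines()

print(offenders(SAMPLE))  # peers at or over the threshold
```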
-
OK, I found that fail2ban was crashing and blocking & unblocking every 10 minutes and ignoring the bantimes that I had set.
I was unable to find the cause of the crash:
ERROR NOK: ("invalid literal for int() with base 10: 'None'",)
Googling it suggested that it was caused by additional spaces between the
variable = value
but even after going thru the jail.local I could not find the problem. So I uninstalled the default repo version and installed the latest from the github repo and things are sooo much better now.
-
@crankshaft said:
I still don’t understand why the gateway is listening on localhost:236 !
This isn’t the gateway port, it’s the kopano-server listening port 236 which authenticates SMTP user credentials. The gateway connects to kopano-server service listening on a localhost port 236 (HrLogon server). That’s why log says it’s from a localhost.
Do you really need POP3/IMAP access to your server? I usually disable SMTP authentication on internet facing servers and users connect only through HTTPS (TLS) via Webapp and ActiveSync. Authentication with client certificates is mandatory for both - installed on mobile devices and desktops. Pretty safe configuration…
regards,
MaPo
-
@mapo - Thanks - IMAP is the default for us, we all use Thunderbird IMAP, the webapp was enabled (I just disabled it) but Thunderbird is preferred due to the ability to have multiple email accounts, identities etc etc