
    hacking attempts with spoofed IP address

    • crankshaft

      I already have fail2ban in place looking at z-push, kopano-gateway and kopano-webapp logs, but one of the problems I am facing is that it appears that one of the attacks is spoofing its IP address as 127.0.0.1 and localhost:

      As you can see from the following log / hack attempt, the connection to kopano-gateway appears to be coming from localhost?? So is this really coming from localhost, and if so from where, or is it a spoofed IP address??

      Sep 25 08:54:15 kopano postfix/smtpd[19267]: connect from unknown[102.165.35.28]
      Sep 25 08:54:17 kopano kopano-server[1346]: Authentication by plugin failed for user "xxx": Trying to authenticate failed: wrong username or password
      Sep 25 08:54:17 kopano kopano-gateway[834]: HrLogon server "http://localhost:236/" user "xxx": logon failed
      Sep 25 08:54:17 kopano kopano-gateway[834]: Failed to login from [[::ffff:127.0.0.1]:33918] with invalid username "xxx" or wrong password: logon failed (80040111)
      Sep 25 08:54:18 kopano kopano-gateway[834]: Connection error.
      

      As far as I can tell there is just no way for me to trap this hack attempt and block it, as I cannot block localhost / 127.0.0.1 ?!

      Any help is welcome !

      • genesis74
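      An added example (not from the thread or from Kopano) that shows one way to act on the log lines quoted above. A completed login attempt whose source is 127.0.0.1 was made by a process on the host itself: a packet with a forged loopback source cannot complete a TCP handshake from outside, so the practical question is which local process is relaying the remote client. The script below parses syslog-style lines, flags kopano-gateway login failures whose source is loopback (including the IPv4-mapped `::ffff:127.0.0.1` form), and attributes each one to the most recent frontend "connect from" line within a short window, which is the address a fail2ban jail could actually ban. That a frontend such as postfix is the relay is an assumption for the example, suggested only by the timing in the quoted log; a loopback failure with no nearby frontend connection is reported as local-origin so it can be investigated rather than banned. The sample lines are the ones quoted in the thread plus one constructed extra failure.

```python
"""Attribute loopback-sourced kopano-gateway login failures to a frontend client.

Assumptions (hypothetical, not established by the thread):
- gateway and frontend lines share one syslog stream on one host;
- a frontend "connect from" line within WINDOW_SECONDS before a loopback
  login failure belongs to the same remote client.
"""
import ipaddress
import re
from datetime import datetime

# Constructed sample: the thread's log lines plus one extra local-only failure.
SAMPLE_LOG = """\
Sep 25 08:54:15 kopano postfix/smtpd[19267]: connect from unknown[102.165.35.28]
Sep 25 08:54:17 kopano kopano-server[1346]: Authentication by plugin failed for user "xxx": Trying to authenticate failed: wrong username or password
Sep 25 08:54:17 kopano kopano-gateway[834]: HrLogon server "http://localhost:236/" user "xxx": logon failed
Sep 25 08:54:17 kopano kopano-gateway[834]: Failed to login from [[::ffff:127.0.0.1]:33918] with invalid username "xxx" or wrong password: logon failed (80040111)
Sep 25 08:54:18 kopano kopano-gateway[834]: Connection error.
Sep 25 09:10:02 kopano kopano-gateway[834]: Failed to login from [[::ffff:127.0.0.1]:40211] with invalid username "yyy" or wrong password: logon failed (80040111)
"""

WINDOW_SECONDS = 5
SYSLOG_TS = "%b %d %H:%M:%S"  # syslog timestamps carry no year; only differences are used
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ (?P<prog>[\w/-]+)\[\d+\]: (?P<msg>.*)$")
CONNECT_RE = re.compile(r"connect from \S*\[(?P<ip>[^\]]+)\]")
FAILED_RE = re.compile(r"Failed to login from \[\[(?P<ip>[^\]]+)\]:(?P<port>\d+)\]")


def normalize(ip_text):
    """Return an address object, unwrapping IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    addr = ipaddress.ip_address(ip_text)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr


def attribute_failures(log_text, window_seconds=WINDOW_SECONDS):
    """Parse log lines and attribute each gateway login failure to a client address.

    Each returned event has: ts, source (as logged), kind, attributed, via.
      kind == "direct"        source is not loopback; ban the source itself
      kind == "via-frontend"  loopback source matched to a recent frontend connect
      kind == "local-origin"  loopback source with no frontend connect in the window
    """
    events = []
    recent_connects = []  # (timestamp, client ip, frontend program)
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], SYSLOG_TS)
        c = CONNECT_RE.search(m["msg"])
        if c:
            recent_connects.append((ts, c["ip"], m["prog"]))
            continue
        f = FAILED_RE.search(m["msg"])
        if not f or m["prog"] != "kopano-gateway":
            continue
        src = normalize(f["ip"])
        event = {"ts": m["ts"], "source": f["ip"], "attributed": None, "via": None}
        if not src.is_loopback:
            event.update(kind="direct", attributed=str(src))
        else:
            candidates = [c for c in recent_connects
                          if 0 <= (ts - c[0]).total_seconds() <= window_seconds]
            if candidates:
                _, ip, prog = candidates[-1]  # most recent frontend connection wins
                event.update(kind="via-frontend", attributed=ip, via=prog)
            else:
                event.update(kind="local-origin")
        events.append(event)
    return events


def bannable_addresses(events):
    """Addresses a ban action could act on: never loopback, never unattributed."""
    return {e["attributed"] for e in events if e["attributed"] is not None}


if __name__ == "__main__":
    for e in attribute_failures(SAMPLE_LOG):
        print(e)
    print("bannable:", bannable_addresses(attribute_failures(SAMPLE_LOG)))
```

      The window is deliberately short because the attribution is a heuristic: on a busy frontend two remote clients can connect within the same few seconds, so a production version should match on a session identifier the frontend logs rather than on time alone, and local-origin events deserve a look at which process holds the connecting port (the gateway logs it: 33918 above) before any blocking is considered.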

        Hi @crankshaft,

        how often do you experience this behaviour? Did you try to find out if there is any local process connecting to kopano-gateway? Which services are active within kopano-gateway (pop(s), imap(s)) another process could try to connect to?

        • crankshaft

          Hi;

          No, no other services connecting to the gateway on the server, we are using IMAP and z-push, but that’s all.

          My suspicion is that the hacker is spoofing their IP address.

          Like most people, we are under constant attack 24x7 x 365 days, script-kiddies looking for PHP exploits, and trying to guess SASL etc passwords.

          I have jails/filters setup to catch all of these and they work well, the only one I cannot trap is this attempt to login with localhost IP address !

          Thanks

          • genesis74

            Hi @crankshaft,

            ok. What system are you on? Is source address verification/reverse path filtering switched on?

            • genesis74

              Hi @crankshaft,

              did you solve your problem?
